An unconventional top ten of IT security events in 2015

    So the time has come to repeat the exercise I first performed exactly a year ago. Back then I took the ten most popular news items from our Threatpost website and tried to work out why those particular ones attracted the attention of the public, both specialists and ordinary users. This method has obvious drawbacks: many things affect the popularity of an article, and the most-read news about incidents in the cyber world is by no means necessarily the most important. But it has advantages too: there is a huge number of events in information security, and every participant in the discussion, depending on specialization and personal interests, would pick their own "very best" ones. What we have here is, if not the most objective, then at least an independent assessment tool.

    This year the selection of most-visited news falls neatly into five categories:
    - Low-tech threats to users
    - "Vulnerabilities in unexpected places": security of the Internet of Things, home and industrial network devices
    - Data encryption problems
    - High-profile vulnerabilities in key platforms and high-tech cyberthreats: examples of the most advanced attacks
    - Routine but dangerous vulnerabilities in common software

    Let's go through them.

    User threats
    January Trojan on Facebook (10th place)

    110,000 Facebook users got infected with a Trojan by clicking a link on a social network! You don't say!



    While cyber-army spaceships plough through digital space, in the ordinary world of ordinary people an ordinary Trojan, masquerading as an Adobe Flash update, installs a plain keylogger on victims' computers. We constantly monitor such incidents, but they rarely make the top: our main audience is specialists, and for them such incidents hold little interest. Nevertheless, what might be called "traditional attacks" have been, are and will long remain a major headache for both users and companies. How to deal with them is, on the whole, understood, and the technologies are mature. Yet attacks like the January one still successfully reach tens of thousands of users, which means the spread of protection technologies is something we still have to work on.

    Attacks on the Internet of Things, home routers and industrial network devices
    What could a wireless garage door remote and Cisco network software have in common? They are equally poorly protected. Or rather, even if thermostats, home webcams and routers were very well protected, a successful attack on them would still come as a surprise. The security strategy of both companies and users usually focuses on computers and the other devices they interact with directly. Everything else is a kind of black box which at best works quietly and attracts no attention, and at worst becomes a hacking tool: untracked, and usually not even understood to be in operation.

    Our readers were most interested in the following examples. Back in December 2014, Check Point Software researchers found a vulnerability affecting 12 million home routers (news, 9th place): access to the web interface could be obtained by sending a specially crafted packet. In June, default SSH keys were found in Cisco's security software for monitoring network traffic (news, 8th place), neither the first nor the last case of a "bookmark" (an implanted backdoor) in network devices and their software. Also in June, researcher Samy Kamkar investigated the very weak protection of the garage door opener systems popular in the USA (news, 7th place). Their codes can be brute-forced in about half an hour, but a series of design miscalculations in the receivers allowed him to cut the attack to around 10 seconds.
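    The Cisco case above is a reminder that a key shipped identically on every unit is as good as public: whoever holds one appliance can impersonate any other to its clients. The check a fleet owner would want is the one below, an added example written for this digest and not code from the article or from Cisco: collect each host's SSH public key line (as `ssh-keyscan` or a known_hosts file shows it), compute the OpenSSH-style SHA256 fingerprint, and flag any fingerprint that appears on more than one host. The inventory and the key blobs are constructed placeholders, not real keys.

```python
"""Added example (not from the article or from Cisco): a fleet check for
SSH host keys shared between appliances.  The inventory below is constructed;
the key blobs are base64 of placeholder strings, not real key material."""
import base64
import hashlib
from collections import defaultdict


def constructed_key_line(key_type, placeholder, comment):
    """Build a public-key line in OpenSSH format from a placeholder blob.
    (Constructed test data; a real blob encodes the key type and material.)"""
    blob = base64.b64encode(placeholder.encode()).decode()
    return f"{key_type} {blob} {comment}"


# Constructed host -> host-key line, as `ssh-keyscan` or a known_hosts file
# would show it.  Two units carry the same factory key; one generated its own.
INVENTORY = {
    "monitor-a": constructed_key_line("ssh-rsa", "factory-default-key", "root@appliance"),
    "monitor-b": constructed_key_line("ssh-rsa", "factory-default-key", "root@appliance"),
    "monitor-c": constructed_key_line("ssh-rsa", "unique-key-generated-on-first-boot", "root@appliance"),
}


def fingerprint(key_line):
    """OpenSSH-style SHA256 fingerprint of a public key line: the key is
    identified by the hash of its base64-decoded blob, so the comment and
    the host it was collected from do not matter."""
    fields = key_line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64 blob> [comment]'")
    blob = base64.b64decode(fields[1])
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def shared_keys(inventory):
    """Map each fingerprint that appears on more than one host to the hosts
    carrying it: the finding an auditor would raise."""
    hosts_by_fp = defaultdict(list)
    for host, line in inventory.items():
        hosts_by_fp[fingerprint(line)].append(host)
    return {fp: sorted(hosts) for fp, hosts in hosts_by_fp.items() if len(hosts) > 1}


if __name__ == "__main__":
    for fp, hosts in shared_keys(INVENTORY).items():
        print(f"{fp} is shared by {', '.join(hosts)}")
```

    The same grouping applies to authorized keys pulled from the appliances' accounts: a public key that turns up in the authorized list of every unit is a default credential, whoever holds its private half.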
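    The garage-door figure deserves a worked illustration of where the "miscalculations" come from. Kamkar's published OpenSesame work targets fixed-code remotes whose receivers neither require a preamble nor pause after a wrong code, and it drives every code past them with a de Bruijn sequence. The model below is an added example written for this digest, not Kamkar's code or any vendor's firmware, and it assumes a 12-bit fixed code, a receiver that keeps a sliding window of the last 12 bits received and opens the instant the window equals its code, and 2 ms per bit on air; all three are assumptions, since the article gives no such parameters.

```python
"""Added example (not from the article or from Kamkar's OpenSesame code):
model of a fixed-code remote receiver and a de Bruijn brute force against it.
Assumptions, labelled as such: a 12-bit fixed code, a receiver that compares
a sliding window of the last 12 bits against the code after every bit, no
preamble and no mandatory pause between attempts, 2 ms per bit on air."""

CODE_BITS = 12  # assumption: a 12-bit fixed code (the upper end for such remotes)


class ShiftRegisterReceiver:
    """Sloppy receiver model: shifts every received bit into a window and
    compares the window against its fixed code after every bit.  A careful
    receiver would demand a preamble, reset the window between frames and
    pause after a wrong code; this one does none of that."""

    def __init__(self, code, bits=CODE_BITS):
        self.code = code
        self.bits = bits
        self.mask = (1 << bits) - 1
        self.window = 0

    def feed(self, bitstream):
        """Feed bits until the door opens; return the bit count at which it
        opened, or None if the stream never matched."""
        for i, b in enumerate(bitstream, 1):
            self.window = ((self.window << 1) | b) & self.mask
            # compare only once a full code width of bits has arrived
            if i >= self.bits and self.window == self.code:
                return i
        return None


def de_bruijn(k, n):
    """De Bruijn sequence B(k, n) via the standard FKM (Lyndon word)
    construction: every length-n string over k symbols occurs exactly once
    as a cyclic substring, so the sequence has length k**n."""
    a = [0] * (k * n)
    out = []

    def db(t, p):
        if t > n:
            if n % p == 0:
                out.extend(a[1:p + 1])
        else:
            a[t] = a[t - p]
            db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                db(t + 1, t)

    db(1, 1)
    return out


def brute_force_stream(bits=CODE_BITS):
    """Bit stream that drives every `bits`-bit code past a sliding-window
    receiver: the de Bruijn sequence plus its first bits-1 symbols, so the
    codes that wrap around the end of the cycle are covered as well."""
    seq = de_bruijn(2, bits)
    return seq + seq[:bits - 1]


def covered_codes(stream, bits=CODE_BITS):
    """Every code value a sliding-window receiver observes in `stream`."""
    mask = (1 << bits) - 1
    window, seen = 0, set()
    for i, b in enumerate(stream, 1):
        window = ((window << 1) | b) & mask
        if i >= bits:
            seen.add(window)
    return seen


def naive_bits(bits=CODE_BITS):
    """Bits on air for the naive attack: each of the 2**bits codes sent as
    its own full frame, which is what a receiver that resets between frames
    forces the attacker to do (the receiver's post-failure pause comes on top)."""
    return (1 << bits) * bits


def seconds_on_air(bit_count, bit_period_s=0.002):
    """Air time for a bit count at an assumed 2 ms per bit."""
    return bit_count * bit_period_s


if __name__ == "__main__":
    stream = brute_force_stream()
    print("naive attack :", naive_bits(), "bits,", seconds_on_air(naive_bits()), "s plus pauses")
    print("de Bruijn    :", len(stream), "bits,", seconds_on_air(len(stream)), "s")
    print("codes covered:", len(covered_codes(stream)))
    print("code 0xABC opens after bit", ShiftRegisterReceiver(0xABC).feed(stream))
```

    With these assumptions the naive attack needs 49,152 bits on air (about 98 s before the receiver's pause after each wrong code is added, which is what stretches it towards the half hour quoted above), while the overlapping stream needs 4,107 bits, roughly 8 s. The fix on the receiver side is not a longer code but a rolling code, plus a frame format with a preamble and a lockout after repeated failures.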

    Add to this the vulnerabilities in car computer systems. This summer, thanks to the work of researchers Charlie Miller and Chris Valasek, Fiat Chrysler released what was described as the first security patch for a car in history: a vulnerability allowed the car's control systems to be attacked remotely through the entertainment system, and even allowed control to be seized. Indeed, if vulnerabilities exist in software, in computer devices, in hotel key cards and in car key fobs, why shouldn't they exist in cars themselves? I cannot resist quoting this revealing tweet:


    My printer works more often than not, Wi-Fi is buggy but rarely, the Xbox usually recognizes me, and even Siri sometimes works fine. But my autonomous car will work perfectly!

    Computers, when instructed to do something on their own, usually make fewer mistakes and less nonsense than people. It's just that people program them, and more and more critical processes are being handed to computer systems, from running nuclear power plants to sitting in traffic jams on Leningradka. Welcome to the brave new world!

    Encryption
    A complicated topic. The strength of a particular encryption method can only be assessed through serious scientific work, and sometimes the result is either not guaranteed or changes over time. A case in point is the SHA-1 cryptographic hash function, which was considered fairly reliable five years ago but in 2015 was declared vulnerable, if so far only in theory. The NSA has cast doubt on the long-term robustness of elliptic-curve algorithms and is already thinking (or pretending to think, it is not entirely clear which) about cryptography that can withstand even quantum computers.

    But the topic of encryption is not limited to this. Extremely weak cryptography compromised the already widely deployed Open Smart Grid Protocol (news, 6th place). OSGP is an "Internet of Things" implementation for power grids, an attempt to integrate electricity meters and control systems into a single network, and electricity is not something to joke with. The complexity of the subject means that the main criterion for choosing a data encryption system ends up being trust. The TrueCrypt developers' demarche back in mid-2014 undermined confidence in this popular data-protection software, and in 2015 we saw audits of the program's source code as well as the emergence of forks that drew great interest, VeraCrypt and CipherShed (news, 4th place). The backdoor in Juniper routers was revealed only recently, and encryption plays an important role in that story too.

    Serious vulnerabilities and serious attacks
    If last year Shellshock and Heartbleed were the most resonant security holes, this year's were the Stagefright vulnerability in Android (news, 5th place) and the vulnerability in the host-name-to-IP-address resolution function of the GLIBC standard library on Linux systems (news, 3rd place).


    Linux vulnerability researcher. Artistic interpretation.

    Any vulnerability passes through a "theoretical" and a "practical" stage: in some cases everything ends with a research proof of concept, but sometimes a new hole is learned about after the fact, by analysing an attack already under way. In 2015 a third route was added to these two: the leak of data from Hacking Team, a company that specializes in selling exploits to government agencies, revealed a previously unknown vulnerability in Adobe Flash, which cybercriminals immediately began to exploit.

    Of the real attacks, the two most notable were the Carbanak and Equation operations disclosed by researchers of the "Laboratory". In the first case the damage estimate (a billion dollars) was the most impressive part; in the second it was the sophistication of the attack tools, including the ability to regain control of a victim's computer by means of modified hard drive firmware, as well as the duration of the operation: more than a decade! Read more about the February studies in this post.

    Routine vulnerabilities in popular software
    There were a great many of these. It is best seen from the Adobe Flash patches: January 14, 24 and 28, March, June, July, September, December. On the one hand this looks like bad news; on the other, patching, at least at Adobe, is very active, with dozens of vulnerabilities closed in a single update. It cannot be said that software in general has become safer, but an important trend of this year has been a more serious attitude of software developers towards security, and that is good news.

    Special attention goes to software installed on the largest number of computers, and every PC has at least one browser. Browser developers are forced not only to defend the browser itself but also, where possible, to protect users from threats on other sites (often by forcibly limiting functionality, as happened with that same Flash in Chrome). Browsers account for the two most popular Threatpost news items of 2015. At the Pwn2Own contest in March all the major browsers were hacked: first Firefox and IE, and later Chrome and Safari (news, 2nd place).


    Satisfied white hat hackers on pwn2own

    Finally, the most popular news item of the year (quite in the style of last year's digest) was the blocking of the ancient NPAPI plugin system in the Chrome browser (news, 1st place). The April NPAPI blocking broke a huge number of plugins, from Java to Silverlight, with corresponding problems for a large number of developers. Abandoning legacy code is another important recent trend: at some point such a legacy starts to bring more problems than benefit.

    I doubt that 2016 will bring fewer security problems; rather the opposite. I am sure that new methods of protection against cyberthreats will appear too. In any case, we will certainly have something to discuss. As further reading, I recommend this year's general overview of threats from the Laboratory's experts, the separate analysis of cyberthreats for business, and the predictions for 2016.
