2017 Was A Nightmare Year For Security
January 3, 2018 • RBS
2017 has been a unique and tough year in many ways, plagued by natural and man-made disasters alike. Warm waters in the Caribbean and Gulf of Mexico spun up massive hurricanes, another major earthquake rocked Mexico City, and monsoon rains in South Asia caused immense damage and loss of life. Mother Nature wasn’t alone in wreaking havoc, as we continue to see political conflicts around the world causing mass displacement, unrest and even renewed fears that military conflict is coming soon. That said, while we tend to focus on the negative events, there are websites that point out the great things happening worldwide, and there were positive events this past year, including the captivating Great American Eclipse, a truly unique experience shared by millions.
Unfortunately, trying to find 2017’s positive news in the information security world has proven to be quite difficult. Plainly put, it has not been a good year when it comes to cyber security. While people are busy working on and publishing their 2018 predictions (which we tend to find quite useless for the most part), we thought it would make more sense to first reflect on 2017 and try to better understand the root cause for the many things that went wrong.
Just How Bad Was 2017?
- As of December 31, there were over 5,000 publicly disclosed data breaches in 2017. Without a doubt that makes it the worst year in terms of frequency, as the previous highest year was 4,190. This brings the all-time total up to over 28,800 data breaches.
- When we published our third quarter DataBreach QuickView Report, 2017 had already become the worst year ever recorded in terms of the number of records exposed. There have been 7.8 Billion records exposed thus far. The previous highest year was also 2016, originally at 4.3 Billion but recently revised up to 6.3B after Yahoo! updated its breach figures. This now brings us up over 19+ Billion records exposed all time.
- When looking at the software that organizations rely on, there were over 20,000 vulnerabilities disclosed in 2017. Last year there were 15,866 disclosed vulnerabilities, so this is a 25.5% increase in reported weaknesses.
This means that 2017 was the worst year on record for frequency and severity of data breaches as well as the most vulnerabilities disclosed that we’ve ever seen.
2017 Security Events
To illustrate the point, we have curated some of the more significant and newsworthy events by month from 2017. While we do not intend for this to be a comprehensive list, we do consider these events as representative of the current state of the information security industry.
- Chinese Data Breaches
- There were two sizeable data breaches impacting Chinese organizations.
- EmailCar (Shanghai Spring Rain Information Technology Co., Ltd.)
- Date: 2017-01-01
- 267,693,854 email addresses and phone numbers exposed in an unsecure MongoDB installation and dumped on the Internet
- NetEase, Inc. dba 163.com
- Date: 2017-01-25
- 1,221,893,767 email addresses and passwords stolen by hackers and sold on the Dark Web by DoubleFlag
- Kaspersky Arrest
- FTC v. D-Link
- The FTC sued D-Link over unsecure routers and webcams.
- With these complaints the commission has recognized the inherent danger in the growing number of connected devices, which can both leave consumers at risk and be used maliciously.
- While this was another potentially big step in the ongoing efforts of the FTC to address the growing consumer risk of insecure Internet of Things devices, 3 of the 6 complaints were later dismissed in September.
- WhatsApp Backdoor
- A security researcher discovered a backdoor in WhatsApp’s method of end-to-end encryption.
- Concern was raised about the potential of a government agency being effectively granted access to read messages.
- Tavis Ormandy from Google’s Project Zero contacted Cloudflare to report a security problem with their edge servers. He was seeing corrupted web pages being returned by some HTTP requests run through Cloudflare.
- This was a significant vulnerability leaking sensitive data in a cloud solution that at the time was protecting 6 million websites.
- Philippines List of Registered Voters Exposed
- Republic of the Philippines Commission on Elections (COMELEC)
- Date: 2017-02-16
- 55,195,674 voter records contained in the National List of Registered Voters (NLRV) and Voter Search application, as well as an additional 58,346 biometric records belonging to Wao, Lanao del Sur voters, held on a stolen computer
- White House Cyber Security Shakeup
- The Chief Information Security Officer for the White House’s Executive Office of the President was removed from his position.
- ShadowBrokers Dump
- An anonymous group calling themselves the Shadow Brokers gained access to NSA hacking tools and exposed vulnerabilities including some significant exploits.
- Wikileaks Vault 7 – CIA Leak
- Wikileaks published CIA material with revelations included iOS and Android vulnerabilities, bugs in Windows, and the ability to turn some smart TVs into listening devices.
- Cylance Layoffs
- Cylance, one of the strongest recent success stories in the security market, was hit by a round of layoffs, multiple sources close to the company told CRN.
- Zero Days
- Four 0-days were discovered in the wild: one in Ghostscript, one in Microsoft Internet Explorer, and two in Microsoft Office. One of the Microsoft Office vulnerabilities (CVE-2017-0199) has been very actively exploited since then.
- DU Group dba DU Caller Breach
- Date: 2017-05-13
- 2,000,000,000 user phone numbers, names, and addresses inappropriately made accessible to others through an uncensored public directory
- OneLogin Breach
- Date: 2017-05-31
- Single sign-on service OneLogin had AWS keys snatched, giving persons unknown access to its AWS platform and, for a few hours, access to database tables
- Petya / NotPetya
- On the heels of WannaCry another ransomware event hit in June called NotPetya (dubbed NotPetya because it masquerades as the Petya ransomware)
- A firm called M.E.Doc’s accounting software was compromised and used to spread the ransomware.
- The NotPetya event caused serious disruption to businesses around the world, reportedly costing FedEx’s TNT Express $300M USD and a similar amount for shipping giant Maersk, which was also hit by the malware.
- Deep Root Analytics Breach
- Date: 2017-06-19
- Approximately 198,000,000 voter names, addresses, dates of birth, phone numbers, party affiliations, ethnicities, voter registration details, Do-Not-Call statuses, and policy preference scores left exposed in an unsecured Amazon S3 bucket.
- HBO Hack
- Hackers attack HBO and say that they have stolen and leaked a trove of HBO data onto the Internet, including a script for an upcoming episode of “Game of Thrones” as well as video of new episodes of shows such as “Ballers”, “Insecure”, and “Room 104”. And, they say, there’s more to come.
- Reliance Jio Infocomm Ltd Breach
- Date: 2017-07-09
- 120,000,000 customer names, phone numbers, email addresses, and SIM activation dates accessed by hackers using stolen login credentials
- Electronic Voting Machines Hacked @ DEF CON
- Participants were able to successfully breach the software of U.S. voting machines in less than two hours at a competition in Las Vegas.
- MalwareTech Arrested
- Marcus Hutchins, the cybersecurity expert hailed for stopping the WannaCry attack, was quietly arrested as the British resident prepared to fly out of Las Vegas, the site of the DEF CON conference.
- The widely celebrated cybersecurity researcher was indicted on charges of developing software that has stolen banking credentials from an untold number of people.
- Abbott Pacemaker Recalls
- Medical device maker Abbott announces that it is voluntarily recalling some 465,000 pacemakers to install a firmware update to patch vulnerabilities in the devices.
- Unknown Organization Breach
- Date: 2017-08-29
- 711,000,000 email addresses, passwords, and SMTP credentials exposed on the Internet due to a misconfigured spambot database
- Bluetooth (Blueborne)
- New vulnerabilities were disclosed in computers and mobile devices that leave them susceptible to attack via Bluetooth.
- The BlueBorne exploit doesn’t require user permission or even pairing with devices; it can simply connect over the air and access networks or install malware.
- Kaspersky Banned
- The US government bans federal agencies from using cybersecurity software made by Russian company Kaspersky Lab over fears that the firm has ties to state-sponsored spying programs
- Best Buy pulls Kaspersky Lab products after concerns over ties to the Russian government.
- Equifax Breach
- Equifax has a data breach that discloses 145,500,000 consumers’ names, dates of birth, Social Security numbers, addresses, and driver’s license numbers, as well as 209,000 credit or debit card numbers and 182,000 dispute documents containing unknown personal identifying information. The breach is caused by hackers exploiting a vulnerability known as Struts Shock in the Apache Struts framework, which Equifax had neglected to fix.
- Deloitte Breach
- While most were paying attention to the Equifax breach, Deloitte ends up having a substantial breach disclosed as well.
- It was reported that the hacker compromised the firm’s global email server through an “administrator’s account” that, in theory, gave them privileged, unrestricted “access to all areas”.
- WPA2 – Wireless Broken
- Introduction of Hack Back USA Regulation
- In the US, Tom Graves, R-Georgia, and Kyrsten Sinema, D-Arizona, introduce a revised version of the Active Cyber Defense Certainty Act (an update of a bill discussion draft that Graves proposed back in March) once again proposing the “use of limited defensive measures that exceed the boundaries of one’s network in order to monitor, identify and stop attackers.”
- Many cyber security professionals believe that the idea of legal hacking back is a horrible idea.
- Microsoft Internal Security Bugs DB Hacked
- It becomes public that, according to five former employees, Microsoft’s secret internal database for tracking bugs in its own software was broken into in 2013 by a highly sophisticated hacking group.
- Root9B RIP
- IT security may be a hot industry, but just because you say you do security doesn’t mean you will have a successful company.
- Root9B was the company listed as the #1 Hottest Company by Cybersecurity Ventures 500 for 6 consecutive quarters, until suddenly it wasn’t anymore (on Nov. 13, root9B Holdings issued a press release saying NASDAQ was de-listing the firm on Nov. 15 and that it was ceasing operations at the end of this year).
- Infosec Community Sexual Harassment
- Tio Network Breach
- “Security vulnerabilities” force PayPal to shut down operations of the recently purchased subsidiary TIO Networks.
- Within days of announcing the breach, a proposed investor class action suit was filed, accusing PayPal of hiding the incident and causing the stock price to drop. PayPal acquired TIO Networks for 238M in a deal that closed in July of 2017 and chose to shutter the service in early November, a short 4 months after the acquisition was complete. While the scope of the event is still unfolding, the failure to fully vet TIO’s security posture ahead of the deal has the potential to cost PayPal as much as, if not more than, the purchase price already paid.
- Uber Breach / Bribe
- Uber announces that 57M customer contact details and another 600,000 drivers’ personal information was exposed in a 2016 breach. The late disclosure would have been bad enough, but details emerged that former employees of the company seemingly paid the perpetrators $100,000 to keep the incident quiet and delete the stolen data.
- It was later reported that Uber used the HackerOne bug bounty platform to pay this “bounty”.
- Apple High Sierra Password Vulnerability
- A major Apple security flaw grants admin access on macOS High Sierra without supplying a password.
- Boeing 757 Hack Disclosed
- It is announced publicly that in the previous year, DHS was able to hack a Boeing 757 via radio frequency communications without touching the plane.
- FCC Repeals Net Neutrality
- No one is really clear what this will actually mean for the Internet at this point, but there could also potentially be impacts for information security as well.
- Kaspersky Banned
- Trump signs into law the banning of Kaspersky products in the government.
- US Blames North Korea for WannaCry
- The Trump administration publicly blames North Korea for unleashing the WannaCry cyber attack that crippled hospitals, banks, and other companies across the globe earlier this year.
- Although the attack reportedly only generated about $50,000 in ransom for the perpetrators, payments were made in Bitcoin. Since the attack in May, the value of Bitcoin has increased from approximately $2,000 USD per coin to $13,000 USD by late December. If the attackers have held on to the coin, the value of the payoffs will have increased 5 times over.
- Wassenaar Arrangement
- A group of 41 nations gathered to officially update the language of the Wassenaar Arrangement, a voluntary agreement governing certain export controls for classified dual-use software and technology, otherwise known as “cyberweapons.”
While there are many more worldwide events that could be included in this list, a lot of the issues detailed above were quite serious, with substantial impact to organizations and their customers alike. What isn’t clear is why, of all the security topics the media focused on in 2017, the following events failed to make headlines.
Power Grid Issues/Attacks Imminent
- ICS/SCADA software continues to see critical vulnerabilities disclosed, as we tracked 359 in 2017 in our VulnDB platform.
- In a joint technical alert in October 2017, DHS and the FBI warned that they were seeing targeted attacks: “Based on malware analysis and observed [indicators of compromise], DHS has confidence that this campaign is still ongoing, and threat actors are actively pursuing their ultimate objectives over a long-term campaign.”
- In May 2017, the cyber security executive order outlined concerns about power outages.
- The real question at this point is whether or not some of the media posts are intending to hype and scare readers or actually inform of very real scenarios that need to be addressed.
Airport / Airline Outages
- 2017 saw several substantial outages for the airline industry.
- Airports around the world suffered major technical problems in September 2017 connected to a temporary failure of a system for checking in passengers and luggage. Southwest said its reservations system provider Amadeus began experiencing outages, “impacting Southwest Airlines along with other airlines.”
- Delta outages in January 2017, due to a technology glitch that canceled hundreds of flights, were smaller than other episodes in recent months that cost airlines tens of millions of dollars, but they still served as a reminder of fragile airline computer systems.
- The U.S. Government Accountability Office will launch an examination of airline IT outages and their impact on the traveling public, in the wake of massive technology glitches at Delta Air Lines and other carriers that have affected millions of travelers.
- In May 2017 British Airways canceled flights from London’s two biggest airports after “a major IT system failure” caused severe disruption to flight operations worldwide, the airline said.
- The issues here seem largely to be related to old IT infrastructure and application outages, but they do highlight how aging IT infrastructure and third-party failures can be just as disruptive as a major malicious attack.
Sex Robots May Kill
- It was reported in September 2017 that a cyber security buff has issued a bizarre warning that sex robots could one day rise up and kill their owners if hackers can get inside their heads.
- Another report surfaced, saying that sex robots could be used to murder people.
- There were other reports of sex toys being hacked as well in 2017.
Car Wash Attacks
- At the DEF CON conference in August 2017, vulnerabilities were disclosed in car washes.
- There were reports that suggested that a vehicle could be trapped and repeatedly smashed by the doors as well as doused with water.
- “We believe this to be the first exploit of a connected device that causes the device to physically attack someone,” researchers presenting the proof-of-concept say.
The purpose of this post is more than a lament on the state of security. Rather, let it serve as a reminder to all organizations that there is value in understanding the underlying factors that caused major security issues these past 12 months before jumping full force into new improvement initiatives. When looking at how data breaches have occurred, there are already some clear common themes that should be factored into any risk-based approach to security improvement. When we finish our analysis of 2017, we will publish our Year End DataBreach QuickView, which will provide much more information.
With loads of new technology constantly coming out, we need to be able to get a grip on current assets, work to better secure them, and take time to fully evaluate the security of any new technology under consideration. At the same time we need to understand new and expanding challenges such as:
- Internet of Things
- Virtual Reality / Augmented Reality
- Self Driving Automobiles
- Artificial Intelligence (AI) and Machine Learning (ML)
While it may be fun to try to make predictions, the truth is that no one really knows what 2018 will bring, but we at Risk Based Security will commit to keep tracking and documenting them all, so we can continue to learn and improve information security efforts!
We hope everyone has a happy new year and that 2018 won’t be a repeat of 2017 when it comes to security issues!