Verizon issues its insecurity hall of fame…apt in light of the Sony experience
December 19, 2014 |
Verizon in its The 2014 Data [In]Security Hall of Fame provides a (slightly) more light hearted look at the security issues over the last 12 months, more to the point the breaches and their consequences. Given the catastrophic end to the year for Sony arising out of a breach of cyber security perhaps a less maudlin look at cyber security is apt. –
The article provides:
Ahh the holidays. A time when we think about goodwill towards our fellow man, exchanging gifts, and of course making lists! All the good boys and girls know that one of our projects here at Verizon Security Labs is the VERIS Community Database (VCDB), a free repository of breach incident data available to the public. As we go through the year adding cases to the dataset, we mark some of them as being “Hall of Fame” (HOF) candidates. So this year, instead of making yet another set of predictions of what to expect in 2015, we decided to review our nominees for the 2014 Data Security Hall of Fame.
Now, this is not intended to be a list of the biggest breaches, and not all of them are supposed to be funny. Think of this as our curated list of the most interesting data security events of 2014 in the VCDB.
The law fought the law…and the law won
The first story of 2014 destined for the HOF goes to an event that actually happened in 2013, but was reported nationwide in January of 2014. A county sheriff in West Virginia was going through a divorce and wanted to get information about his wife’s suspected new love interest. So naturally he put a keylogger on her computer … at work … on a computer belonging to the West Virginia Supreme Court. This incident made the HOF because we honestly don’t see a lot of incidents involving physical keyloggers and we don’t see many incidents where a law man is the threat actor. That makes this a very rare and unusual incident indeed.
Honorable mention goes to an incident that was reported in December of 2013. We had to disqualify it from the 2014 Hall of Fame because it wasn’t even reported in 2014, but it’s still an interesting read. The American Civil Liberties Union had been trying to get a copy of an FBI interrogation manual but could not due to the manual being classified. However, in an ironic turnabout, the document had been checked into the Library of Congress (thus making it a public document) by an FBI agent that was attempting to register a copyright of the work.
Bringing A New Meaning to “Brute Force”
Lost and stolen devices have proven to be a major concern for the Healthcare industry. In fact, 52% of the IT security incidents affecting Healthcare in the VCDB Explore Interface are lost or stolen devices. Full disk encryption would have prevented the disclosure of data in almost all of these incidents.
We say “almost all” because of a story that made everyone immediately think of this comic. A doctor from Brigham and Women’s Hospital in Boston was robbed at gunpoint by two individuals who stole his mobile phone and laptop computer. The assailants tied the doctor to a tree and made him enter his password into the phone and laptop to get around the devices’ encryption. So much for all those breach notification letters that say the criminals are after the value of the asset, not the data inside it.
Public displays of hacking
Website defacement is often used as a means of spreading political messages. Groups like the Syrian Electronic Army and various factions of Anonymous have been prolific hackers that spread messages in support of (or opposition to) governments around the world. Let’s be honest, though, website defacement is getting a little boring. One group decided to step up their game in August. A group of hackers calling themselves the Anti-Communist Party Hackers managed to take over a Chinese television station and began to place pro-democracy overlays on top of the live news. It took several hours to eject the hackers and the Chinese government spent days purging the Internet of images and discussion about the event.
Heads up to all those corporate big-wig phishers–Anon Ghost is watching you. In March, the hacktivist group boasted about defacing a Yorkshire Banking site and striking back against fat cat bankers. The only problem was that the website they hacked turned out to be a phishing site that had been made to look like Yorkshire Bank. Still, phishing must be lucrative or it wouldn’t be so popular–clearly the CEOs of phishing sites should beware. Now that they’ve become part of the corporate establishment (dare we say the 1%’ers), they’re fair targets.
It’s easy to think of defacement as an important tool for the politically oppressed, but not all vandalism is the work of activists trying to spread a political message. In July the world’s worst superhero, Florida Man, hacked a road construction sign and changed it to an obscene message. This epic act of hacking really came down to an unlocked panel that provided physical access to a keyboard and a weak or missing password on the configuration console.
Best blunders of 2014
Miscellaneous errors are the root cause of more security incidents in the VERIS Community Database than any other pattern. They account for nearly a quarter of the dataset. Publishing errors are the second most common variety of error accounting for security incidents. Most of the time these publishing errors are just cases of documents being posted on a website accidentally, but in 2014 we saw a different twist on publishing errors; a blunder so nice we saw it thrice!
This year during the media build up for the Super Bowl, CBS News aired a segment on the physical security in place for the event. At one point footage was shown from inside the command center, and clearly displayed was the wifi SSID and password that they were using. A few months later the exact same set of circumstances played out with the World Cup in Brazil. And then the next month, it happened to the Los Angeles Police Department. This was hardly a new phenomenon, though. Back on 2012 reporters covering Prince William’s service in the Royal Air Force published photos of their wifi passwords and even some sensitive documents.
Another incident in the Oops! category is from when the White House accidentally emailed reporters talking points about the (at the time) classified CIA Torture report. Now that the report has been released, we wonder if the talking points reflect any subsequent edits.
However, the award for biggest error of the year has to go to Emory University in Atlanta. Emory uses Microsoft System Center Configuration Manager (SCCM) to manage endpoint configuration and automate operating system deployments. Earlier this year, Emory’s SCCM server decided to reformat all university-owned machines and install a fresh copy of Windows 7 right before final exams. By the time anyone figured out that the server had initiated this action, it had already begun formatting itself. Full incident history over at The Wayback Machine.
Really, servers run so much faster without all that pesky data on them.
Meanest insider of 2014
Insiders account for about 42% of the incidents in VCDB. Most of these incidents are errors, but when the action is on purpose it’s usually motivated by personal gain. To be sure, stealing from people is bad, but the meanest insider of 2014 goes to the woman who admitted she forged 1300 mammogram reports because she had “personal issues that caused her to stop caring about her job.” When she fell behind in processing the stacks of mammogram films, her solution was to go into the hospital’s computer system, impersonate the doctors, and give each patient’s scan a clear reading. Sadly the result is that patients whose positive cancer diagnoses were delayed bore consequences in terms of pain, suffering and shortened life spans.
Most epic hack of 2014
Every year the Academy Awards saves the award for best picture for last, and even though this isn’t an awards show, we decided to do the same. Every year the hackers of the world produce so many truly epic hacks that it’s hard to pick a winner. And so, without further ado, here are the nominees for 2014’s most epic hack.
With all the attention being paid to Home Depot and the Sony hack in the latter part of 2014, it’s almost easy to forget that back in May eBay confirmed that it had been hacked and that 145,000,000 user credentials were compromised making it the fourth biggest hack by record count of all time. Adding insult to injury, their website was defaced as well. The Syrian Electronic Army (SEA) claimed credit for the hack, forever cementing their position as one of the most successful hacking groups ever. SEA gained access to the eBay network by sending phishing messages to a system administrator. eBay stock took a big hit after the announcement, but has largely recovered and is back on the same trend line it has been following since the beginning of 2013.
The Home Depot hack may not have been the biggest by record count, but it is one of the largest breaches of payment card data ever recorded at 56,000,000 cards exposed. That’s bigger than the 40 million cards stolen from Target in 2013. Speaking of the Target breach, the attackers that breach Home Depot gained initial entry with stolen credentials from a third-party vendor that serviced Home Depot; a tactic seen in the Target breach as well.
In December we learned that Sony Pictures Entertainment had been hacked. United States officials have blamed North Korea for launching the attack in retaliation for Sony’s release of the movie The Interview. The enormity of this hack is certain to be something we’ll be talking about for a long time. The attackers have released movies onto the Internet as well as internal email, salary data, employee health information, and also wiped data from Sony computers. Sony has gone on to cancel the release of the movie after the attackers made threats referencing September 11, 2001. This incident may become the poster child for worst-case (save for human injury or loss of life) impact of a data breach.
The final nominee goes to Clinkle, a startup in the mobile payments market. Although the size of the hack is nothing compared to the other nominees, it does hold the distinction of being hacked before it even launched. Hey, if you’re a 22 year old and someone hands you $25 million, the first thing you must do is take a selfie, right? That is what Clinkle CEO Lucas Duplan did, as evidenced by the picture that was leaked after the company was hacked. Clinkle was supposed to be the next hot thing in mobile payments, but instead, names, phone numbers and profile pictures of users were released on the internet. That doesn’t exactly inspire a lot of faith in a mobile payment provider.
[…] Verizon issues its insecurity hall of fame…apt in light of the Sony experience […]