
An unconventional top ten of IT security events in 2015

So it is time to repeat the exercise I first performed exactly a year ago. Back then I took the ten most-read news items from our site, Threatpost, and tried to work out why they in particular had caught the attention of the public, professionals and ordinary users alike. The method has obvious drawbacks: an article's popularity depends on many things, and the most-read news about incidents in the cyber world is by no means necessarily the most important. But it has advantages too: there are an enormous number of information-security events, and every participant in the discussion will pick their own "very best" according to specialization and personal interest. This method gives, if not the most objective, then at least an independent measuring tool.

This year the most-visited news items fall neatly into five categories:
- Low-tech threats to users
- "Vulnerabilities in unexpected places": the security of the "Internet of Things", home and industrial network devices
- Data encryption problems
- High-profile vulnerabilities in key platforms, and high-tech cyber threats as examples of the most advanced attacks
- Routine but dangerous vulnerabilities in common software

Let's go through them.

User threats
Facebook Trojan (10th place)
110 thousand Facebook users got infected with a Trojan by clicking a link on the social network! You don't say!



While cyber-starships ply the digital cosmos, in the everyday world of ordinary people a common Trojan disguised as an Adobe Flash update installs a run-of-the-mill keylogger on victims' computers. We track such incidents all the time, but they rarely make it to the top: our main audience is, after all, specialists, to whom such incidents are of little interest. Nevertheless, what might be called "traditional attacks" have been, are, and for a long time will remain a major headache for users and companies alike. How to deal with them is, in general, well understood, and the technology is mature. Yet an attack like the one in January successfully hits tens of thousands of users, which means the work of spreading protection technologies is still far from done.

Attacks on the Internet of Things, home routers and industrial network devices
What could a wireless garage door opener and Cisco network software have in common? They are equally poorly protected. Or rather: even if thermostats, home webcams and routers were very well protected, a successful attack on them would still come as a surprise. Security strategies, for companies and home users alike, usually focus on computers and the other devices people interact with directly. Everything else is a kind of black box which, at best, works inconspicuously and attracts no attention and, at worst, becomes a hacking tool that is hard to trace and whose workings are usually not understood.

The following examples drew the most reader interest. Back in December 2014, Check Point Software researchers found a vulnerability affecting 12 million home routers (news, 9th place): the embedded RomPager web server, and with it the device's web interface, could be taken over by sending it a specially crafted HTTP cookie, hence the bug's name, "Misfortune Cookie". In June, default SSH keys were found in Cisco's virtual security appliances for web and email traffic (news, 8th place), neither the first nor the last case of such a "bookmark" (a hardcoded credential) in network devices and their software. Also in June, researcher Samy Kamkar investigated the very weak protection of the remote garage door openers popular in the USA (news, 7th place). Their fixed codes can be brute-forced in about half an hour, but a whole series of design failures in the receivers let him cut the attack to about ten seconds.
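To make the garage-door shortcut concrete, here is an added example of mine; it is not code from the article or from Kamkar's OpenSesame tool. It assumes a receiver with a fixed 12-bit binary code that shifts every received bit into a register and compares the last 12 bits with the stored code after each one, accepts a code without requiring it to be repeated, and never locks out after a wrong guess; these are the kinds of weakness Kamkar described, but the code width, symbol alphabet and receiver model are assumptions of this example. Under those assumptions a De Bruijn sequence B(2, 12) tests all 4096 codes in 4107 transmitted bits instead of 4096 × 12 = 49,152, which is where the order-of-magnitude speed-up comes from.

```python
"""De Bruijn-sequence brute force of a weak fixed-code receiver (added example)."""
from typing import Iterator, List, Set

CODE_BITS = 12   # assumed: 12-bit fixed code, 4096 possibilities
SYMBOLS = 2      # assumed: binary symbols; the receiver model below is binary-only


def de_bruijn(k: int, n: int) -> List[int]:
    """De Bruijn sequence B(k, n): a cyclic sequence of k**n symbols in which
    every length-n word over k symbols occurs exactly once (Lyndon-word
    construction)."""
    a = [0] * (k * n)
    seq: List[int] = []

    def extend(t: int, p: int) -> None:
        if t > n:
            if n % p == 0:
                seq.extend(a[1:p + 1])
            return
        a[t] = a[t - p]
        extend(t + 1, p)
        for j in range(a[t - p] + 1, k):
            a[t] = j
            extend(t + 1, t)

    extend(1, 1)
    return seq


def attack_stream(k: int = SYMBOLS, n: int = CODE_BITS) -> List[int]:
    """Bits the attacker actually transmits: the cyclic sequence followed by
    its first n-1 symbols, so the windows that wrap around are also seen when
    the sequence is played linearly."""
    seq = de_bruijn(k, n)
    return seq + seq[:n - 1]


def weak_receiver(stream: List[int], n: int = CODE_BITS) -> Iterator[int]:
    """Model of the vulnerable receiver (assumption): a shift register that,
    after every incoming bit, compares its last n bits with the stored code.
    Yields the candidate code the receiver sees after each bit."""
    window, mask = 0, (1 << n) - 1
    for i, bit in enumerate(stream):
        window = ((window << 1) | bit) & mask
        if i >= n - 1:
            yield window


def codes_tried(stream: List[int], n: int = CODE_BITS) -> Set[int]:
    """Every distinct code the receiver compared against during the stream."""
    return set(weak_receiver(stream, n))


def bits_until_open(stream: List[int], secret: int, n: int = CODE_BITS) -> int:
    """Number of bits sent before the receiver first sees `secret` (-1 if never)."""
    for sent, code in enumerate(weak_receiver(stream, n), start=n):
        if code == secret:
            return sent
    return -1


def naive_stream_bits(k: int = SYMBOLS, n: int = CODE_BITS) -> int:
    """Cost of the obvious attack: every code sent separately, n bits each,
    before counting the retransmissions and pauses a real remote adds."""
    return k ** n * n


if __name__ == "__main__":
    stream = attack_stream()
    print(f"naive attack: {naive_stream_bits()} bits")
    print(f"De Bruijn attack: {len(stream)} bits, covers {len(codes_tried(stream))} codes")
    print(f"secret 0xA5A opens after {bits_until_open(stream, 0xA5A)} bits")
```

The shortcut depends on every one of the assumed weaknesses: a receiver that resets its register after a wrong code, demands the code several times in a row, or pauses after failures forces the attacker back to sending each code on its own, and a rolling-code scheme removes the fixed target altogether.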
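The default-SSH-key story suggests a check any fleet owner can run: collect each host's public host key (for instance with ssh-keyscan) and flag hosts that present the same key, since one private key behind many hosts means one leaked or image-baked key lets an attacker impersonate all of them. The following is an added example of mine, not code from the article or from Cisco; the host names and key blobs are constructed so that it runs offline, and the fingerprint format follows OpenSSH's SHA256 base64 convention.

```python
"""Flag hosts that share an SSH host key (added example, constructed data)."""
import base64
import hashlib
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample in ssh-keyscan / known_hosts layout: "host type base64-key".
# The key blobs are arbitrary bytes, not real keys; three hosts deliberately
# present the same blob, as a fleet built from one image with a baked-in key would.
KEY_BLOB_A = base64.b64encode(b"\x00\x00\x00\x07ssh-rsa" + bytes(range(32))).decode()
KEY_BLOB_B = base64.b64encode(b"\x00\x00\x00\x07ssh-rsa" + bytes(range(32, 64))).decode()
SAMPLE_KEYSCAN = f"""\
# wsa-01.example.net:22 SSH-2.0-OpenSSH_6.6
wsa-01.example.net ssh-rsa {KEY_BLOB_A}
wsa-02.example.net,10.0.0.12 ssh-rsa {KEY_BLOB_A}
esa-01.example.net ssh-rsa {KEY_BLOB_B}
sma-01.example.net ssh-rsa {KEY_BLOB_A}
"""


def parse_keyscan(text: str) -> List[Tuple[str, str, str]]:
    """Parse known_hosts-style lines into (host, key type, base64 key).
    Comment lines (ssh-keyscan prints banners as '# ...') are skipped and a
    'host,ip' field is expanded to one entry per name."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 3:
            continue
        for host in fields[0].split(","):
            entries.append((host, fields[1], fields[2]))
    return entries


def fingerprint(key_b64: str) -> str:
    """OpenSSH-style fingerprint: SHA256 of the decoded key blob, base64 without padding."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def shared_keys(entries: List[Tuple[str, str, str]]) -> Dict[str, List[str]]:
    """Map '<type> <fingerprint>' to the sorted hosts presenting it, keeping only
    keys seen on more than one host."""
    groups = defaultdict(set)
    for host, keytype, key in entries:
        groups[f"{keytype} {fingerprint(key)}"].add(host)
    return {fp: sorted(hosts) for fp, hosts in groups.items() if len(hosts) > 1}


def report(text: str) -> List[str]:
    """One human-readable line per shared key."""
    return [
        f"{fp} shared by {len(hosts)} hosts: {', '.join(hosts)}"
        for fp, hosts in shared_keys(parse_keyscan(text)).items()
    ]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_KEYSCAN)) or "no shared host keys")
```

On real data, feed it the output of ssh-keyscan over your inventory; a host and its IP alias will naturally land in the same group, so the interesting finding is a group that spans different machines.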

Add to this the vulnerabilities in cars' on-board computer systems. This summer, thanks to the work of researchers Charlie Miller and Chris Valasek, Fiat Chrysler issued the first security patch in automotive history: the flaw allowed the vehicle's control systems to be reached remotely through the entertainment system, and even control to be taken over. Indeed, if there are vulnerabilities in software, in computer devices, in hotel door locks and in car key fobs, why should there be none in cars themselves? I cannot resist quoting this illustrative tweet:


My printer works more often than not, the WiFi is glitchy but rarely, the Xbox usually recognizes me, and even Siri sometimes works fine. But my self-driving car will work perfectly!

Computers, when left to act on their own, usually make fewer mistakes and fewer foolish decisions than people. The trouble is that people program them, and ever more critical processes are being handed over to computer systems, from running nuclear power plants to sitting in a traffic jam on Leningradka. Welcome to the brave new world!

Encryption
A difficult subject. The effectiveness of a given encryption method can only be evaluated through serious scientific work, and the result is sometimes not guaranteed, or may change over time. A case in point is the SHA-1 cryptographic hash function: five years ago it still counted as reasonably reliable, but in 2015 it was declared theoretically vulnerable, with a full collision estimated to be within the budget of a well-funded attacker. The NSA has cast doubt on the robustness of elliptic-curve algorithms and is already thinking (or pretending to think, it is not entirely clear which) about encryption able to withstand even quantum computers.

But encryption is not limited to that. Extremely weak cryptography compromised the Open Smart Grid Protocol, which is already in active use (news, 6th place). OSGP is the "Internet of Things" applied to power grids, an attempt to join electricity meters and control systems into a single network, and electricity is not something to joke with. The complexity of the topic also means that trust becomes the main criterion for a data encryption system. The TrueCrypt developers' demarche back in mid-2014 undermined confidence in this popular data-protection tool, and in 2015 we saw several audits of the program's source code as well as the appearance of spin-offs that drew great interest, VeraCrypt and CipherShed (news, 4th place). More recently, a backdoor was discovered in Juniper's ScreenOS firewalls, and encryption plays an important role in that story too: one of the two issues was a changed constant in the Dual_EC_DRBG random number generator, which allows whoever holds the matching secret to decrypt VPN traffic.

Serious vulnerabilities and serious attacks
If last year Shellshock and Heartbleed were the security holes with the most resonance, this year attention went to the Stagefright vulnerability in Android (news, 5th place) and to the GHOST bug in the gethostbyname() name-resolution function of glibc, the standard C library on Linux systems (news, 3rd place).


Linux vulnerability researcher. Artistic interpretation.

Every vulnerability passes through a "theoretical" and a "practical" stage: sometimes things never get beyond a researcher's proof of concept, and sometimes a hole becomes known only after the fact, from analysis of an attack already under way. In 2015 a third variant joined these two: the leak of data from Hacking Team, a company that sells exploits to government agencies, exposed a previously unknown vulnerability in Adobe Flash, which cybercriminals began exploiting immediately.

Of the real attacks, the two most visible were the Carbanak and Equation operations uncovered by Kaspersky Lab researchers. In the first case the most impressive figure was the damage estimate (one billion dollars); in the second it was the sophistication of the attack tools, including the ability to regain control of a victim's computer with the help of modified hard-drive firmware, and the duration of the operation: decades! More about the February research in this post.

Routine vulnerabilities in common software
There have been very many of them. This is best seen in the example of Adobe Flash patches: January 14, 24 and 28, March, June, July, September, December. On the one hand that looks like bad news; on the other, holes are being patched very actively, at least at Adobe, with dozens of vulnerabilities closed in a single update. It cannot be said that software in general has become safer, but an important trend of the year has been a more serious attitude to security among software developers, and that is good news.

Special attention goes to software installed on the largest number of computers, and every PC has at least one browser. Browser developers are forced not only to look after their own security but also, where possible, to protect users from threats on other sites (often by forcibly limiting functionality, as happened with that same Flash in Chrome). The two most popular Threatpost news items of 2015 concern browsers. At the Pwn2Own contest in March all the major browsers were hacked: first Firefox and IE, then Chrome and Safari (news, 2nd place).


Satisfied white-hat hackers at Pwn2Own

Finally, the most popular news of the year (quite in the style of last year's digest) was the blocking of the ancient NPAPI plugin interface in the Chrome browser (news, 1st place). The April NPAPI blocking put a huge number of plug-ins out of action, from Java to Silverlight, and caused corresponding problems for a large number of developers. Abandoning legacy code is another important recent trend: at some point such a legacy begins to bring more problems than benefit.

I doubt that 2016 will bring fewer security problems; rather the opposite. I am sure that new methods of protection against cyber threats will appear. In any case, we will certainly have plenty to discuss. As further reading on the year, I recommend the general threat review by Kaspersky Lab's experts, a separate analysis of cyber threats to business, and the predictions for 2016.

Source: https://habr.com/ru/post/273919/
