informa
News

Tales of De-Crypt: 2011 Authentication And IAM Horror Stories

Who's scared of monsters under the bed when there's Lulzsec, Russian mobsters, and cybercrooks creeping out there?
It has been a banner year for authentication and identity and access management (IAM) failures, with embarrassments of epic proportions hitting the headlines nearly every month so far this year. We've seen a lot this year: targeted authentication tokens, sophisticated password-stealing Trojans, rogue certificates, stolen passwords and misappropriated accounts. Dark Reading takes a look at the most ghoulish hacks, vulnerabilities and screw-ups to hit the headlines in 2011.

1. RSA Token Terror
After a junior employee at security heavyweight RSA fell prey to a run-of-the-mill phishing attack, hackers were able to make their way into the company's network and hack into its SecurID servers. RSA confirmed that some "information related to the RSA SecurID product had been extracted." But industry speculation has run high that the token seeds were compromised in some way.

Lessons Learned: Security experts were aghast that the token seeds were resident in a place on the network where a hacker could even find them. The incident illustrates that network segmentation is a key best practice to mitigate the risk of a company's most critical assets.

2. DigiNotar Dead as a Doornail
The trustworthiness of certificate authorities (CAs) has been thrown into tumult after a single black hat dubbed ComodoHacker managed to create a handful of fraudulent Comodo SSL certificates in March and followed that up by hacking CA DigiNotar to issue over 500 more rogue certs. He claims to have hit other certificate authorities as well. The fallout ended up sinking the company some weeks later.

Lessons Learned: Unlike the isolated Comodo incident, for which that company responded swiftly with notification and action, DigiNotar knew about the fake certs long before the news went public and did nothing to get the word out. The situation is a good reminder at how important communication is in high-impact breach situations. It also illustrates that the fundamental basis of trust for Internet authentication still needs work.

3. HBGary Federal Pwnage
After HBGary Federal's CEO claimed he was on the brink of releasing damaging information about Anonymous members, the group went on the offensive against the firm and spawned the LulzSec/AntiSec movement in the process. It was able to infiltrate the government contractor's network through SQL injection, steal stored passwords, and gradually own not just all the company's e-mail and internal accounts, but also its executives' social media accounts.

Lesson Learned: Hubris is not becoming of security executives who run companies that store passwords on insecure servers. Even the humble should learn to keep passwords better protected from multi-stage attacks that start with SQL injection. Anonymous was able to use Rainbow tables to crack the passwords' encryption because the firm used weak MD5 hashes to protect them.

4. LulzSec Lurks Everywhere
The members of LulzSec and AntiSec have kicked the poorly constructed security anthill at dozens of enterprises, government agencies and more by breaking into network and distributing unencrypted passwords and other sensitive information far and wide in an embarrassment campaign with lasting repercussions. Some of the biggest-impact breaches include the one at Sony Pictures, which exposed a million account details, Booz Allen Hamilton, for which a cache of tens of thousands of passwords and emails was published and even at the U.S. Senate Web property, for which some e-mails and passwords of users were released.

Lessons Learned: LulzSec owes much of its success to two key vulnerabilities that plague organizations over and over again. First is a lack of input validation or database monitoring that allows them to commit SQL injection attacks at will. And second is the propensity of organizations to store login information unencrypted and unprotected within network systems.

5. Hackers Guess Citi Account Numbers
Hackers were able to game Citgroup's online account site by manipulating the account number that appeared in the Web address browser bar to randomly guess other account numbers and gain access to random customers' accounts. The trick gave them access to customer names, account numbers, and transaction information.

Lessons Learned: Web applications providing access into sensitive information, financial or otherwise, must be tested not only for vulnerabilities but also for business logic flaws such as the one that allowed hackers to circumvent Citi's online banking authentication engine.

6. Bank of America Rogue Employee
An employee who used access to Bank of America systems was able to leak information to an identity theft ring that used it to modify bank account information and create fake accounts under the names of victims, stealing $10 million before authorities caught up with them this year.

Lessons Learned: Role-based access controls and frequent reviews of privilege rights are critical to prevent rogue employees from engaging in unauthorized activity and access to information they can turn over to thieves.

7. Duqu Doom Descends
A refinement on the code foundation laid down originally by Stuxnet, Duqu has raised the hair on the back of the neck of many security researchers since it was discovered this month. This password- and data-stealing Trojan features a rogue certificate that's since been revoked, but it's able to fly under the detection radar by injecting itself into running processes.

Lessons Learned: Duqu scares folks because it has them questioning the security trust model on many levels. Not only is this another instance of hackers manipulating the certificate authority ecosystem, its lack of disk access should have security vendors looking for better ways to detect attacks like this in the future.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Recommended Reading: