There’s nothing like the lens of 20-20 hindsight to spot and call out the biggest security failures over the past ten years. Some #FAILS are technologies that have outlived their usefulness, and others are shortsighted strategies or mindsets on which the bad guys ultimately capitalized.
In celebration of the 10th anniversary of Dark Reading and after vigorous debate, we have come up with a list of 10 of the biggest security fails since 2006. This is by no means a comprehensive list, nor are these in any particular order. We fully expect this to generate heated debate, so feel free to post your comments and thoughts below.
Meantime, a little perspective: many of the new security strategies and approaches we laud today also will become obsolete and in some cases, #FAILS. Here goes:
You know the mantra: The network perimeter is evaporating. Mobile devices, cloud, and now the Internet of Things, have sucked the life out of traditional, static “set it and forget it” network security, and the bad guys are bypassing the corporate firewall with spear phishing emails that land on the desktops or devices of end users.
Even so, firewalls remain a major force in enterprise security: a recent survey of IT security pros found that 91% say firewalls remain critical to their security and will for the next five years. And 61% say firewalls are among the top three security tools they run, according to the InformationWeek 2015 Strategic Security Survey. The good news is firewall technology is evolving, too, with application-layer and cloud-based options.
Traditional intrusion prevention and detection systems carry much of the same signature-driven baggage. The consequences of clinging to the old castle/moat model have been a wakeup call for many enterprises, while others (mostly SMBs) remain in denial, still believing their old-school firewall stops hackers.
Antivirus is dead. Well, sort of. Few security experts recommend uninstalling the old standby for catching known attacks, but the signature-based, reactive model of security continues to fail organizations on a daily basis.
Traditional AV companies are distancing themselves from the old model, focusing more on layers of security, including a new generation of endpoint security that’s more dynamic and able to spot unusual behaviors -- endpoint detection and response (EDR). The tipping point toward the evolution of endpoint security away from pure blacklisting and signature-based technology was the series of massive and high-profile attacks over the past few years of big-name brands like Target, Home Depot and Sony, security experts say.
"A lot of things were slipping through the cracks [with AV] because there are a lot of behaviors that are not known as good or bad. We saw the need to see everything" with a lightweight footprint, Josh Applebaum, vice president of product strategy at Ziften Technologies, an EDR startup, said recently. "Home Depot didn't even deploy all of its AV to all endpoints because of the heavyweight aspect of it."
Candace Worley, senior vice president and general manager of endpoint security at Intel Security, described AV’s role this way: "AV will have a tertiary role at best going forward," Worley said. "It's a solution that does the janitorial work … it reduces significantly the amount of malware noise in the organization, and then you can focus on the unknown [threats]."
Users are the easiest target both for cyber attackers and for frustrated security professionals looking to lay blame somewhere for data breaches and security incidents in their organizations. Social engineering experts say human nature is what backfires on end users: they’re trusting and want to be helpful, so they’ll open that attachment, or make that funds transfer purportedly requested by an executive via email.
You can’t patch users, so what’s left? Under-provisioning their access. The least privilege approach, where a user has access only to the data he actually needs to do his job, is one strategy that’s been around for nearly a decade but not taken seriously until recently.
Then there’s the rogue end user, with Edward Snowden as the poster child, whose case showed that even the most secretive government agencies in the world could get 0wned by one of their own users who had too much data access.
"Up until this [Snowden] case, it was all about providing support, getting customers supported, and getting data to the right people. It was not about analyzing [the admin's] access," Bob Bigman, former CISO of the CIA, said in the wake of the NSA breach. "To provide support, Snowden was given more access than he should have been given ... What exacerbated it was that not only did he have access to his systems there, but systems he had privileges on that were trusted to other systems within NSA. That enabled him to jump [among] various systems ... It was all done under the banner of customer support."
With mobile, cloud, and third-party contractors all accessing the corporate network, reining in the well-meaning and the potentially malicious end user has become a massive and vital job.
It’s 2016, and we’re still talking about how lame passwords are as an authentication mechanism. It’s not just the fact that most users pick dictionary-guessable, weak passwords and then use their favorite one across multiple online accounts. It’s that even those users who try to create strong passwords and don’t reuse their P$sw&^Rd$ are still getting 0wned every day.
The new Verizon Data Breach Investigations Report (DBIR) says it all: 63% of all data breaches in 2015 used legitimate credentials, whether weak, default, or stolen ones. Stolen credentials topped the list of threat action types among attacks that used legitimate credentials, followed by malware, phishing, and keyloggers.
And of all reported data breach incidents worldwide, half exposed passwords and email addresses, according to a Risk Based Security study.
It’s not that there aren’t alternatives to passwords. There are stronger authentication options such as multi-factor authentication (MFA), biometrics, password managers, and Fast Identity Online (FIDO) Alliance standards, for example. There are signs of change, at least in MFA: most social media sites offer MFA, and most recently, the new version 3.2 of the PCI Data Security Standard (PCI DSS) requires the use of MFA for anyone accessing cardholder data. “The PCI DSS has always required that any untrusted, remote access into the cardholder data environment use multi-factor authentication. With version 3.2 we’re taking it one step further to help organizations protect against both internal and external actors,” Emma Sutcliffe, senior director of data security standards for the PCI Security Standards Council, recently wrote in a piece for Dark Reading.
Even so, most organizations still use passwords alone as their primary method of authenticating users or visitors on their websites.
So the cycle of stolen passwords continues.
Retailers got a painful wakeup call in 2014 when a wave of point-of-sale (PoS) system hacks hit the biggest names: Target, Home Depot, Michael's, Dairy Queen, Kmart, and many others. At the heart of the majority of the breaches was payment card-stealing malware infecting their PoS systems, which took advantage of both the magnetic-stripe card payment model as well as vulnerable PoS terminals and systems.
In some cases, it was the retailer’s own PoS security model, and for others, it was that of the PoS vendor. PoS vendor Signature Systems, for example, was hit with a breach where an attacker stole the username and password used to remotely access its PoS systems: the attacker then installed malware that grabbed payment data from the PoS vendor’s retailer customers.
To date, there are multiple families of malware customized for PoS systems.
One of the most outspoken executives who’s been there -- to the tune of 130 million US payment cards stolen in his company’s 2008 data breach -- was Heartland Payment Systems chairman and CEO Robert Carr.
Carr argues that retailers need to get on board not only with chip-and-pin card technology, but also end-to-end encryption and tokenization. The move to chip-and-pin payment card technology -- where smart cards with embedded microchips authenticate the user's identity -- "is forcing merchants to change out their hardware and thereby spend money to get the equipment they need to get the [card] data out of their systems," he said in an October 2014 interview with Dark Reading. "If you make that hardware change, [it's] insane if you don't also solve the encryption issue. Put tokenization in to protect yourself on the backend," as well.
Of the wave of record-breaking retail breaches, Carr said there was a common theme: "What's happening in the meantime is, even though solutions are being introduced, encryption being one we [adopted]… a lot of companies haven't implemented the basics, and they are paying the price for it."
Netscape first created Secure Sockets Layer (SSL) in 1994 for encrypting communication between a browser and a Web server. Since then, SSL has gone through various iterations and updates—including being renamed Transport Layer Security (TLS)—and plenty of security failures.
Given the post-Snowden era of Encrypt (Almost) All The Things, SSL’s shortcomings have been the source of much criticism and angst. The Internet Engineering Task Force (IETF) has been working to streamline the newest versions of TLS, cutting out the fat of unnecessary and potentially vulnerable features and functions in the specification and, ultimately, in code. "Having options in there that are a smoking gun and one developer gets wrong… could lead to a huge security problem," Russ Housley, chair of the Internet Architecture Board (IAB), told Dark Reading in late 2014.
It was just that scenario that led to the infamous and pervasive Heartbleed vulnerability in the OpenSSL implementation of the encryption protocol. Heartbleed came out of an error in OpenSSL's implementation of the TLS "heartbeat" extension. The bug, if exploited, could allow an attacker to leak the contents of memory from the server to the client, and vice versa. That could leave passwords and even the SSL server's private key exposed in an attack.
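The error in the heartbeat handler was a missing bounds check: the code copied as many payload bytes as the message header claimed, without checking that claim against the record actually received. As an added illustration (not code from the article or from OpenSSL), the handler below can run with or without the patched check, against a constructed stand-in for server memory in which a mock secret sits next to the heartbeat record:

```c
#include <stdio.h>
#include <string.h>
#define TLS1_HB_REQUEST  1
#define TLS1_HB_RESPONSE 2
#define HB_PADDING       16   /* RFC 6520: at least 16 bytes of padding follow the payload */

/* Build the response to one heartbeat record. Returns the number of response bytes
 * written, or -1 if the record is rejected. With bounds_check == 0 it mirrors the
 * Heartbleed logic: the payload length is trusted from the header, not the record. */
static int heartbeat_reply(const unsigned char *rec, size_t rec_len,
                           unsigned char *out, size_t out_cap, int bounds_check)
{
    if (rec_len < 3 || rec[0] != TLS1_HB_REQUEST) return -1;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];        /* peer-controlled */
    /* The fix: header + claimed payload + padding must fit inside the record. */
    if (bounds_check && 1 + 2 + payload + HB_PADDING > rec_len) return -1;
    size_t resp_len = 1 + 2 + payload + HB_PADDING;
    if (resp_len > out_cap) return -1;                       /* keeps the demo itself in bounds */
    out[0] = TLS1_HB_RESPONSE;
    out[1] = (unsigned char)(payload >> 8);
    out[2] = (unsigned char)(payload & 0xff);
    memcpy(out + 3, rec + 3, payload);   /* the bug: reads past the record when unchecked */
    memset(out + 3 + payload, 0, HB_PADDING);                /* real code uses random bytes */
    return (int)resp_len;
}

/* Constructed stand-in for server memory: a record whose real payload is "hi", then a mock secret. */
static unsigned char memory[128];
static const char mock_secret[] = "MOCK-PRIVATE-KEY-BYTES";
static size_t build_memory(unsigned claimed_len)
{
    size_t rec_len = 3 + 2 + HB_PADDING;
    memset(memory, 0, sizeof memory);
    memory[0] = TLS1_HB_REQUEST;
    memory[1] = (unsigned char)(claimed_len >> 8);
    memory[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(memory + 3, "hi", 2);
    memcpy(memory + rec_len, mock_secret, sizeof mock_secret - 1);
    return rec_len;
}

/* Honest header (claims 2 bytes): the patched handler still answers, 21 bytes. */
static int honest_reply_len(void)
{
    unsigned char out[256];
    return heartbeat_reply(memory, build_memory(2), out, sizeof out, 1);
}

/* Header claims 64 bytes: returns 1 if the reply carried the mock secret, else 0. */
static int leaks_secret(int bounds_check)
{
    unsigned char out[256];
    size_t rec_len = build_memory(64);
    int n = heartbeat_reply(memory, rec_len, out, sizeof out, bounds_check);
    if (n < 0 || (size_t)n < rec_len + sizeof mock_secret - 1) return 0;
    /* bytes from rec+3 land at out+3, so memory[rec_len] maps to out[rec_len] */
    return memcmp(out + rec_len, mock_secret, sizeof mock_secret - 1) == 0;
}

int main(void)
{
    printf("unchecked leaks: %d, patched leaks: %d\n", leaks_secret(0), leaks_secret(1));  /* 1, 0 */
    return 0;
}
```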
Don’t even get us started on the certificate authority (CA) mess: one of the worst breaches was now-defunct CA DigiNotar, whose breach led to attackers issuing 500 fake SSL certificates.
Even one of the fathers of SSL, Taher Elgamal, has pointed to weaknesses in the old protocol which is now being used in ways not envisioned by its creators, and called for ways to shore up its weaknesses. In a 2011 blog post on Dark Reading, Elgamal wrote: “Each website can choose the authentication method it desires, as long as browser and client support can be established somehow. Alternatively, the strong authentication method desired could be used to “unlock” a private key with a digital certificate on the client side that can be used to provide the client authentication requested by the SSL server.”
Wide Open Ports
Remember when your grandparents would quip, “Do you live in a barn?” when you left a door open? Well, there are literally millions of sensitive networked devices sitting out on the public Internet with communications ports left wide open, just asking for bad guys to come on into the barn and take over the farm.
Renowned researcher HD Moore pioneered research here with what is now Project Sonar, which scans the Internet for exposed devices and systems. Over the years, Moore has found major holes in embedded devices, home routers, corporate videoconferencing systems, web servers, and other equipment on the public Internet, all of which harbor weaknesses such as default backdoor-type access, default passwords, exposed ports, broken firewall rules, and other security holes ripe for the picking by bad guys.
In 2013, Moore and fellow researcher Dan Farmer found some 300,000 servers exposed on the public Net via the Intelligent Platform Management Interface (IPMI). Moore found that the IPMI protocol as well as the Baseboard Management Controllers packaged with most servers for remote management purposes contained serious flaws that could allow an attacker to steal data from attached storage devices, install backdoors in the servers, alter the operating system, and launch denial-of-service attacks, among other things.
The issue of open ports is taking an even more sinister turn as networked consumer devices abound: the big zero-day bug in the 2014 Jeep Cherokee remotely hacked by Charlie Miller and Chris Valasek was a glaringly simple open communications port. The unnecessarily open port 6667 allowed them to gain control of the Jeep's steering, braking, high beams, turn signals, windshield wipers and fluid, and door locks, as well as reset the speedometer and tachometer, kill the engine, and disengage the transmission so the accelerator pedal failed. The port was reachable over the Harman uConnect infotainment system’s built-in Sprint cellular connection, which Sprint later closed.
Java and Flash
Cybercriminals and nation-states notoriously pick on the easy mark for their client-side exploits: first it was Java, and now it’s Adobe Flash.
The attacks on Java got so bad in 2012 and 2013 that calls began for users to uninstall the client program, and popular browsers disabled it. Some 95% of endpoints running Java in March of 2013 were vulnerable to at least one Java exploit, according to a Websense report, and 75% were running a version of Java in their browsers that was at least six months out of date; two-thirds, a year out of date; and 50%, more than two years out of date.
Besides its security holes, Java’s other big problem was patching: updates often did not replace older, less secure versions, which stayed installed alongside the new one.
Many developers had written applications against older versions of Java, or against a specific version, so that upgrading to the latest iteration broke some features or functions.
Then there’s Flash, which is the next Java when it comes to bugs and exploits in the wild. The new Symantec Internet Security Threat Report found that four of the top five most exploited zero-day bugs were found in Flash. "From a security perspective, we expect Adobe Flash will gradually fall out of common usage over the next year," Symantec said in the report.
In a sample of ransomware victims, Verizon found that more than half of browsers were running Flash versions that were a year or more old. The calls to uninstall and disable Flash are coming fast and furious now.
The digital advertising space is a lucrative one, so it’s no shock that criminals are cashing in, big-time, to the tune of $7.2 billion in damages to digital advertisers, while the average brand has suffered $10 million in losses, according to a report by the Association of National Advertisers and WhiteOps.
Criminals operating big botnets have mastered the art of tricking advertisers with phony ad impressions: they either use phony sites that push ads to bots, or they employ other nefarious ways to boost traffic unethically using third party services that are either legit or shady.
The ad industry is painfully aware of the problem but has struggled to get a handle on it.
Bob Liodice, president and CEO of the ANA, whose membership includes more than 640 companies with 10,000 different brands that spend more than $250 billion in marketing and advertising, has raised the alarm about online ad fraud for some time now. "How fraudsters work and their incredible intelligence stunned me. I never realized the level of sophistication" they had, Liodice said. "They lowered their activity to diminish the findings of fraud" once word got out about the study, he said of last year’s report.
"It's frightening for everyone involved in this... We have to stop this. Every CMO that's doing any form of screen or digital advertising has to recognize that criminal activity is not a cost of doing business. There is an ethics and moral" responsibility to stopping advertisers from inadvertently enabling crime, Liodice says.
But cleaning up online advertising fraud isn’t happening overnight: this year’s report actually showed a $2.2 billion increase in losses to online ad fraud.
Law Enforcement and Legislation
The glass is half full for law enforcement if you consider the arrests and prosecution of some of the most notorious cybercriminals in the past ten years: TJX and retailer hacker Albert Gonzalez; members of LulzSec (including flipping “Sabu” as an FBI informant); Nikita Kuzmin, the mastermind behind Gozi; Arthur Budovsky, 42, founder of digital currency empire Liberty Reserve, who was just sentenced to 20 years in prison and fined $500,000 Friday for running a massive money laundering enterprise used by cybercriminals; and Vladimir Tsastsin, who was sentenced to 87 months in prison by a US court for hacking into 4 million computers in over 100 countries and infecting them with malware.
But then there are the other unknown number of cybercriminals and cyber espionage hackers who have gotten away and will never be brought to justice.
With extradition resistance from Russia and China -- which host the majority of the cybercrime (Russia) and cyber espionage (China) hackers -- law enforcement officials in the US and elsewhere have struggled to prosecute the bad guys behind the hacks.
So much of the focus has been on disrupting the hacker infrastructures, such as crippling their botnets or shuttering their domains. Those are mostly temporary fixes, of course, as these well-oiled and financed operations just rebuild somewhere else in many cases.
The FBI recently offered a $3 million bounty for information on the whereabouts of Evgeniy Mikhailovich Bogachev, who faces charges for his alleged role as head of the infamous GameOver Zeus botnet, which was disrupted by a multinational effort in 2014. Bogachev was named in a US Department of Justice indictment that year, but reportedly remains at large in Russia.
Meanwhile, the DOJ flexed its muscle at China in May of 2014, indicting five members of the Chinese military for allegedly hacking and stealing trade secrets of major American steel, solar energy, and other manufacturing companies, including Alcoa, Westinghouse Electric, and US Steel. None have been extradited to the US.
DOJ took a similar tack in March of this year against Iranian-backed hackers, with indictments of seven Iranians allegedly behind a massive DDoS campaign from 2011 to 2013 against the US financial sector, and a 2013 breach of a Windows XP server at a dam. Iran hasn’t sent any of the defendants to the US, either.
Another missing element of the legal equation: comprehensive national data breach legislation. A deadlocked and highly partisan Congress over the past few years hampered efforts to get any real laws passed for cyberattack fallout, and there’s been plenty of debate over Obama administration efforts to crack down on cybercrime.
Security experts worry that bug bounty programs and other vulnerability research could inadvertently get swept up in any new legislation. “Cybersecurity legislation is a complex topic. I think the intention of the law is largely a good one: government wants to crack down on criminals who have the potential to cripple infrastructure that is vital not only to business but to the lives of citizens in general. Defining laws that would only target the bad guys, however, is a very tricky thing,” wrote security expert Jeremiah Grossman in a recent column on Dark Reading.
Read how it all started when Steve Stasiukonis, in 2006, turned a socially-engineered thumb drive giveaway into a serious internal threat. The piece was one of the most popular reads in Dark Reading history.