1. Beating Cybercriminals At Their Own Game
Let's just say the phony antivirus scammers dialed the wrong number.
2. Airplane Hack
The FAA's new air traffic control system has holes so big that a fake plane could fly through them.
3. Infiltrating The Smart Meter
All eyes have been on the smart grid, with its state-of-the-art technology and potentially more secure infrastructure than legacy critical infrastructure systems. But like any new technology, it has its security flaws, and in one case the flaw sits in the infrared "eye" of the smart meter itself.
4. RATs With Bugs
Remote access Trojans/tools -- a.k.a. RATs -- are a cybercriminal's best friend. A pair of interns for Matasano Security discovered that some popular RATs can actually be exploited to help turn the tables on the attackers behind them.
5. Videoconference Bugs The Boardroom
Renowned researcher and Metasploit creator HD Moore late last year scanned a snapshot of addressable Internet space in search of high-end videoconferencing systems that might be found in corporate boardrooms. What he found was unnerving: a quarter of a million systems that spoke H.323, the protocol used by videoconferencing systems.
If you use a Samsung "Smart TV" that's connected to the Internet, there's a good chance Luigi Auriemma can hack into the device and access files stored on connected USB drives.
The researcher with Malta-based security firm ReVuln says he has uncovered a vulnerability in most Samsung models that makes it easy for him to locate their IP address on the Internet. From there, he can remotely access the device and exercise the same control someone in the same room would have. That includes gaining root access and installing malicious software. The attack exploits bugs in features that allow end users to install Skype, Pandora, and other types of apps. The TVs can be controlled using smartphone and tablet apps and in some cases by voice commands.
ABC News Australia published a report this week about a small medical clinic in Queensland, Australia that discovered cybercriminals, apparently Russian in origin, had broken through both the clinic's server firewall and password system and had successfully encrypted all of the clinic's electronic patient medical records. Thousands of patient files are now said to be inaccessible.
The cybercriminals reportedly are demanding that the clinic pay A$4000 to decrypt the information, something the clinic has so far refused to do. The clinic's owner says he is worried that if the clinic does pay, the cybercriminals will decrypt only a small number of patient records and then demand additional ransom on the promise of decrypting the remainder, and so on. Right now, the clinic is trying to determine how many patient records can be rebuilt from information retrievable from pharmacists and hospitals, but the owner admits it is "very, very, very difficult" to operate effectively without access to the clinic's patient records.
This incident seems to be just the latest in a trend that is following the increasing digitalization of electronic medical records. A Bloomberg story from August describes several incidents of similar extortion demands in the United States from clinics as well as thefts of electronic medical records.
Healthcare providers seem to be an especially attractive target of opportunity for cybercriminals. According to a new benchmark survey published by the Ponemon Institute, some 94 percent of U.S. healthcare organizations have suffered a data breach in the past two years, and 45 percent have admitted to experiencing five such breaches over the same period. In addition, Ponemon's survey reports that "54 percent of organizations have little or no confidence that they can detect all patient data loss or theft," which isn't surprising, given that 73 percent of healthcare providers surveyed admit that they "still have insufficient resources to prevent and detect data breaches... and 67 percent of organizations don't have controls to prevent and/or quickly detect medical identity theft."
You may remember from a few years ago that the state of Virginia's Prescription Monitoring Program website, containing prescription information on 530,000 patients, was similarly attacked. A cybercriminal claimed to have stolen the patients' prescription information, encrypted it in a file, and deleted the data. He (or she) demanded, in a ransom note left on the website, US $10 million for the information's safe return. While state officials (eventually) admitted the website was indeed breached and information likely taken, the state also said that it had all the patient information securely backed up. No ransom was ever paid, and the would-be extortionist has never been caught.
As a story in NetworkWorld commenting on the Australian medical clinic situation noted, organizations that have securely stored sensitive information offline or in the cloud have been the most successful in keeping such extortionists at bay.
Summary: From a major malware attack on the Mac OS X to state-sponsored cyber-espionage attacks, IT security in 2012 will be remembered as the year that piqued the imagination.
1. Flashback hits Mac OS X
Although the Mac OS X Trojan Flashback/Flashfake appeared in late 2011, it wasn't until April 2012 that it became really widespread. At its peak, Flashback infected more than 700,000 Macs, easily the biggest known Mac OS X infection to date. How was this possible? Two main factors: a Java vulnerability (CVE-2012-0507) and the general sense of apathy among the Mac faithful when it comes to security issues.
2. Flame and Gauss: nation-state cyber-espionage campaigns
In mid-April 2012, a series of cyber-attacks destroyed computer systems at several oil platforms in the Middle East. The malware responsible for the attacks, named “Wiper”, was never found – although several pointers indicated a resemblance to Duqu and Stuxnet. During the investigation, we stumbled upon a huge cyber-espionage campaign now known as Flame.
Of course, when Flame was discovered, people wondered how many other campaigns like this were being mounted. And it wasn’t long before others surfaced. The discovery of Gauss, another highly sophisticated Trojan that was widely deployed in the Middle East, added a new dimension to nation-state cyber campaigns.
3. The explosion of Android threats
During 2011, we witnessed an explosion in the number of malicious threats targeting the Android platform. We predicted that the number of threats for Android would continue to grow at an alarming rate. The number of samples continued to grow and peaked in June 2012, when we identified almost 7,000 malicious Android programs. Overall, in 2012, we identified more than 35,000 malicious Android programs, which is about six times more than in 2011. That's also about five times more than all the malicious Android samples we received from 2005 up to then put together!
4. The LinkedIn, Last.fm, Dropbox and Gamigo password leaks
These attacks show that in the age of the 'cloud', when information about millions of accounts is available on one server, over speedy internet links, the concept of data leaks takes on new dimensions. We explored this last year during the Sony PlayStation Network hack; it is perhaps no surprise that such huge leaks and hacks continued in 2012.
5. The Adobe certificates theft and the omnipresent APT
On 27 September 2012, Adobe announced the discovery of two malicious programs that were signed using a valid Adobe code signing certificate. Adobe’s certificates were securely stored in an HSM, a special cryptographic device which makes attacks much more complicated. Nevertheless, the attackers were able to compromise a server that was able to perform code signing requests.
6. The DNSChanger shutdown
When the culprits behind the DNSChanger malware were arrested in November 2011 during the “Ghost Click” operation, the identity-theft infrastructure was taken over by the FBI. It was a large scale action that showed that success against cybercrime can be achieved through open cooperation and information sharing.
7. The Ma(h)di incident
During late 2011 and the first half of 2012, an ongoing campaign to infiltrate computer systems throughout the Middle East targeted individuals across Iran, Israel, Afghanistan and others scattered across the globe. In partnership with Seculert, Kaspersky Lab investigated this operation and named it “Madi”, based on certain strings and handles used by the attackers.
Although Madi was relatively unsophisticated, it did succeed in compromising many different victims around the globe through social engineering and Right-To-Left-Override tactics. The Madi campaign demonstrated yet another dimension to cyber-espionage operations in the Middle East and one very important thing: low investment operations, as opposed to nation-state sponsored malware with an unlimited budget, can be quite successful.
8. The Java 0-days
In the aftermath of the previously mentioned Mac OS X Flashback attack, Apple took a bold step and disabled Java for millions of Mac OS X users. It is worth pointing out that although a patch for the vulnerability exploited by Flashback had been available since February, Apple users were exposed for a few months because of Apple's tardiness in pushing the patch to Mac OS X users. The situation differed from Windows because on Windows the patches came directly from Oracle, whereas on Mac OS X they were delivered by Apple.
9. Shamoon
In the middle of August, details appeared about a piece of highly destructive malware that was used in an attack against Saudi Aramco, one of the world's largest oil conglomerates. According to reports, more than 30,000 computers were completely destroyed by the malware.
Detailed analysis of the Shamoon malware found that it contained a built-in switch which would activate the destructive process on 15 August, 8:08 UTC. Later, reports emerged of another attack of the same malware against another oil company in the Middle East.
Shamoon is important because it revived the idea used in the Wiper malware: a destructive payload whose purpose is to massively disrupt a company's operations. As in the case of Wiper, many details are unknown, such as how the malware infected the systems in the first place or who was behind it.
10. The DSL modems, Huawei banning and hardware hacks
In October 2012, researcher Fabio Assolini published the details of an attack which had been taking place in Brazil since 2011 using a single firmware vulnerability, two malicious scripts and 40 malicious DNS servers. This operation affected six hardware manufacturers, resulting in millions of Brazilian internet users falling victim to a sustained and silent mass attack on DSL modems.
After it was discovered that more than six million LinkedIn passwords had been leaked, along with many from Last.fm and eHarmony, no one has stopped talking about password and passcode security.
Case in point, take a look at this new report from IT security consultant Mark Burnett. Self-described as someone who "loves writing about passwords," Burnett has compiled a list of the "top 500 worst (aka most common) passwords" based on a variety of methods he has detailed on his blog.
Here are the top 25, as extracted by antivirus solution provider ESET. Is yours one of them? If so, it's safe to say you should consider changing it to something stronger immediately.