[David Strom's Web Informant] Favorite threats of the year in review

David Strom david at strom.com
Thu Dec 22 15:34:10 EST 2016


Web Informant, December 22, 2016: Favorite threats of the year in review

Since I began writing a series of newsletters for Inside Security
<http://inside.com/security> in June, I have covered some of the most
important data leaks or security threats each week. Here are my favorites:

*Yahoo for the Big Kahuna award*: Billions of emails served, thanks to
Yahoo. The gift that keeps on giving, and also taking shareholder value.
My analysis and lots o' links are here
<https://inside.com/campaigns/inside-security-2016-12-16-885>.

*In a class by itself is the Mirai botnet.* Dyn’s analysis of the Krebs
attack is here
<http://hub.dyn.com/dyn-blog/recent-iot-based-attacks-what-is-the-impact-on-managed-dns-operators>.
Then more than 900,000 customers of the German ISP Deutsche Telekom were
knocked offline by a new variant. It didn't help matters that DT allowed
the rest of the world to remotely manage these devices.

*Schneider Electric gets the two times the charm award*. Both of their
Unity Pro and PanelShock utility software programs were compromised within
a matter of days; both were attacks that could harm industrial control
networks. This could be the return of Stuxnet. The published advisory is
here <http://www.critifence.com/blog/panel_shock/>.

*The Australian Red Cross receives the bloodbath award*. A million or so
medical records of blood donors have, ahem, leaked
<http://www.itnews.com.au/news/australias-biggest-data-breach-sees-13m-records-leaked-440305>.
Gotta love those Aussies: “This is a seriously egregious cock-up,” said
one researcher.

*Three Mobile (UK) receives the can you hear me now award.* Contact details
of six million of its customers have been exposed, which is about
two-thirds of their total. Hackers used an employee’s login credentials to
gain entry <http://thehackernews.com/2016/11/3-mobile-uk-hacked.html>.

*The friends with benefits award* goes to, naturally, the Friend Finder
Network. They exposed more than 412 million accounts, including millions
of supposedly deleted accounts, thanks to a local file inclusion flaw.
Actually, this is their second such award: they were also breached in 2015.

*DailyMotion and Weebly both share the password is ‘password’ award.*
DailyMotion had more than 80 million of their account IDs and passwords
exposed. Only a fifth of these accounts had passwords, and those were
fortunately encrypted. The company admitted the breach in a blog post
<http://blog.dailymotion.com/en/dailymotion-account-security-update/>.
LeakedSource <https://www.leakedsource.com/main/databaselist/> obtained the
data file. As for Weebly, they had more than 40 million accounts
compromised earlier this year <https://www.leakedsource.com/blog/weebly/>.
Fortunately, their stolen passwords were stored using the strong hashing
function bcrypt, making it difficult for hackers to initially obtain
users' actual passwords.

*Payday awards*. Criminals continue to figure out ways to make ATMs spit
out their cash drawers. Two this year are notable: Alice (discovered
recently by Trend Micro researchers
<http://blog.trendmicro.com/trendlabs-security-intelligence/alice-lightweight-compact-no-nonsense-atm-malware>)
and Cobalt, where Group IB has named the organization behind the thefts
<http://www.group-ib.com/cobalt.html>. Both are very sophisticated attacks,
and we should expect more in 2017.

*The pixel perfect award goes to an attack called Steganos*
<http://arstechnica.com/security/2016/12/millions-exposed-to-malvertising-that-hid-attack-code-in-banner-pixels/>.
Millions of people visiting mainstream websites over the past two months
have been exposed to a novel form of malicious ads that embed attack code
in individual pixels of the banners. This exploit has been around for
several years
<https://blog.malwarebytes.com/cybercrime/exploits/2016/12/adgholas-malvertising-business-as-usual/>.
Its unusually stealthy operators scored a major coup by getting the ads
displayed on a variety of unnamed reputable news sites, each with millions
of daily visitors. It hides parts of its code in the parameters that
control the pixel colors used to display banner ads.
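As an added illustration (my own example, not code from the newsletter or any of the linked reports), here is a small triage heuristic for the behaviour described above: when a payload is written into the low-order bit of a color channel, that channel's bit plane starts to look like independent random noise, whereas flat or gradient ad artwork does not. The banner and the embedded bits are constructed; photographic banners with natural sensor noise will also trip this check, so treat it as a signal for closer inspection, not as proof.

```python
import random

# Constructed sample banner: 300x50 pixels, horizontal red gradient,
# stored as a flat row-major list of (r, g, b) tuples.
WIDTH, HEIGHT = 300, 50

def make_clean_banner():
    return [(x * 255 // (WIDTH - 1), 40, 200)
            for _y in range(HEIGHT) for x in range(WIDTH)]

def embed_random_lsb(pixels, channel, seed=1):
    """Overwrite the LSB of one color channel with pseudo-random bits.
    Stands in for a hidden payload; used only to build the test sample."""
    rng = random.Random(seed)
    out = []
    for p in pixels:
        p = list(p)
        p[channel] = (p[channel] & ~1) | rng.getrandbits(1)
        out.append(tuple(p))
    return out

def lsb_neighbour_agreement(pixels, channel):
    """Fraction of consecutive pixels whose LSBs agree in one channel.
    Smooth artwork gives a value far from 0.5 (flat areas near 1.0,
    gradients well below); iid random bits give ~0.5."""
    bits = [p[channel] & 1 for p in pixels]
    if len(bits) < 2:
        return 1.0
    same = sum(1 for a, b in zip(bits, bits[1:]) if a == b)
    return same / (len(bits) - 1)

def suspicious_channels(pixels, tolerance=0.03):
    """Channel indexes whose LSB plane looks like random noise (heuristic)."""
    return [c for c in range(3)
            if abs(lsb_neighbour_agreement(pixels, c) - 0.5) < tolerance]

if __name__ == "__main__":
    clean = make_clean_banner()
    stego = embed_random_lsb(clean, channel=2)
    print("clean banner:", suspicious_channels(clean))   # []
    print("stego banner:", suspicious_channels(stego))   # [2]
```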

*Vera Bradley stores receive the attention shoppers award.* They notified
customers of a credit card exploit
<http://www.verabradley.com/custserv/custserv.jsp?pageName=notification>,
which affects customers who paid by credit card in their stores from July
to September of this year. Card numbers and names were captured by
malware found running in their data center. The company has 150 stores
selling fashion merchandise.

*Oops mom, no firewall award goes to a Finnish facilities manager.* Thanks
to a missing firewall and a DDoS-based DNS attack, at least two housing
blocks in the city of Lappeenranta were affected, as confirmed by the
facilities management company
<http://metropolitan.fi/entry/ddos-attack-halts-heating-in-finland-amidst-winter>.
Hackers gained remote access to the HVAC systems. Luckily, outdoor
temperatures weren’t critical.

*The award for security starts in the home* goes to so many companies it is
hard to pick just one, but let's give the honor to the *Ameriprise
employee* who had a home-based network storage device with no password
whatsoever <https://mackeeper.com/blog/post/310-ameriprise-data-breach>.
The drive was synchronized with one in his office, allowing anyone to view
sensitive client data. Expect more of these sorts of attacks as the line
between home and work continues to disappear.

And the *most zero days reported in the past year: Adobe Flash*, of course.
No week would be complete without one
<https://www.cvedetails.com/vulnerability-list/vendor_id-53/product_id-6761/Adobe-Flash-Player.html>!

What were your favorite breaches of the past year?