1. What a year in security 2015 was: The biggest security stories of 2015 include major cyberespionage groups being uncovered, the most embarrassing data breach in history, an unbelievable Android flaw, and incredibly stupid decisions from two major PC makers. The top 10 are:
a. Ashley Madison: Hackers were able to breach the infidelity service and steal sensitive data belonging to many of its users.
b. VTech: Suffered a major data breach, losing the data records of millions of children and their parents.
c. OPM hack: The Office of Personnel Management lost millions of sensitive data records of federal employees.
d. Hacking Team: The surveillance company lost 400 GB of data, exposing sensitive company information and previously unknown vulnerabilities that the company had been using.
e. Superfishy security: Dell and Lenovo both messed up. Dell shipped a root certificate that allows impersonation of any site, while Lenovo's Superfish left users vulnerable.
f. Encrypt everything, but leave the back door open: Governments want backdoors, but a backdoor is something hackers can capitalize on too. The industry vs. government debate continues.
h. Flash crash: When Flash vulnerabilities became public, Mozilla blocked Flash, Facebook called for Flash's end of life, Amazon dropped it for ads, and YouTube switched its default to HTML5 video instead of Flash. Even if Adobe doesn't kill Flash, the web will.
i. LastPass breach: Browser-based password manager LastPass dealt with a major breach and asked all of its users to reset their master passwords.
j. Tor hacking: It is believed that the FBI paid Carnegie Mellon researchers at least $1 million to hack users on the Tor network in order to reveal their true identities.
2. 2015 Ransomware Wrap-Up:
a. Pacman: The most highly targeted ransomware attack; the Pacman ransomware only went after Danish chiropractors. The malware was also very difficult to remove.
b. Tox: Tox was the first to offer ransomware as a service. It offered a free toolkit, but the site hosting the ransomware takes a 20 percent cut of the profits.
c. Chimera: Chimera, also ransomware-as-a-service, takes a 50 percent cut of the profits and tries to recruit its victims as new ransomware operators.
d. CryptoWall 2.0: Used Tor for command-and-control traffic and could execute 64-bit code from its 32-bit dropper.
f. CryptoWall 4.0: Spread via the Nuclear and Angler exploit kits; steals passwords before encrypting files.
3. Good guys hacking - 8 coolest hacks of 2015:
a. Chrysler Jeep hack: Hackers remotely controlled a car on the highway, going as far as killing its ignition; Chrysler recalled 1.4 million vehicles to fix the bug.
b. Non-smart cars hackable too: Researchers inserted rogue devices in two police vehicles to reprogram the cars' electronic operations and attack via mobile devices.
c. Gun hack: A husband-and-wife team in August demonstrated how they were able to hack a long-range, precision-guided rifle.
d. Car wash hack: The web interface of a popular car wash has weak passwords, allowing an attacker to hijack its functions to wreak physical damage or score a free wash.
e. Gas gauge hack: Gas tank monitoring systems at US gas stations have no password protection, leaving them vulnerable to attacks that disrupt fuel tank operations.
f. Globalstar hack: A researcher was able to intercept Globalstar satellite data because it was not encrypted; Globalstar has, however, shot down this work.
g. GM OnStar hack: A kit called OwnStar makes it possible to track, remotely unlock and start the engine of GM vehicles that run the OnStar connected-car system.
h. Other cool stuff: DEF CON this year launched its first IoT Hacking Village; everything from Apple network storage, toys, blood pressure monitors, Fitbits and fridges fell to white-hat hackers there.
4. 87 percent of employees take data they created with them when they leave the company: According to a recent survey, most employees believe they own their work, and take strategy documents or intellectual property with them as they head out of the door. The biggest driver is a sense of ownership: 59 percent of them felt the data was theirs, while 77% thought the information would be useful in their new job. The common methods used to take data were a flash or external drive, personal email accounts, hard copies and Dropbox. None of the respondents believed their action would not harm the company. Security teams have some control over data when an employee is being laid off, but when employees leave voluntarily there is hardly any control. To a large extent this can be prevented by using technologies that monitor user behavior, such as behavioral analytics and data exfiltration monitoring, together with regular security awareness programs.
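The data exfiltration monitoring mentioned above, as an added example that is not part of the original digest or of any product it names: a small detection pass over a constructed file-transfer log that scores each user and day by how much data left through the channels the survey lists (USB/external drive, personal email, Dropbox, printing) and raises an alert when the volume exceeds a baseline or when the user is on an assumed HR list of people who have given notice. The log format, the corporate mail domain, the baseline and the departing-user list are all assumptions for this example.

```python
"""Flag likely data exfiltration from a constructed file-transfer log (added example)."""
from collections import defaultdict

# Constructed sample log (not a real product's format): timestamp, user, channel,
# destination, bytes. "share" is a corporate file server and stays under control.
SAMPLE_LOG = """\
2015-12-14T09:12:03 alice usb     usb:E               1048576
2015-12-14T09:40:11 alice smtp    alice.p@gmail.com   734003200
2015-12-14T10:02:45 bob   share   smb://fs01/strategy 52428800
2015-12-15T17:55:09 alice dropbox dropbox.com         2147483648
2015-12-15T18:10:30 carol print   HQ-PRN-02           2097152
2015-12-16T08:20:00 bob   smtp    bob@corp.example    1048576
"""

CORP_MAIL_DOMAIN = "corp.example"          # assumption: mail to this domain stays internal
DEPARTING_USERS = {"alice"}                 # assumption: fed from HR resignation notices
DAILY_BASELINE = 500 * 1024 * 1024          # assumption: 500 MiB/user/day to uncontrolled channels


def classify(channel, destination):
    """Map a raw channel to 'controlled' or to the name of an uncontrolled channel."""
    if channel == "smtp":
        domain = destination.rsplit("@", 1)[-1].lower()
        return "controlled" if domain == CORP_MAIL_DOMAIN else "personal_email"
    if channel in ("usb", "dropbox", "print"):
        return channel
    return "controlled"   # internal shares and anything unknown are treated as controlled here


def parse_log(text):
    """Turn the whitespace-separated sample format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, channel, dest, size = line.split()
        events.append({"day": ts[:10], "user": user,
                       "channel": classify(channel, dest), "bytes": int(size)})
    return events


def find_exfil_alerts(events, departing=DEPARTING_USERS, baseline=DAILY_BASELINE):
    """Return (user, day, bytes, reasons, channels) for every user-day worth a look.

    'volume'    - more than `baseline` bytes left through uncontrolled channels.
    'departing' - any uncontrolled transfer by a user who has given notice.
    """
    totals = defaultdict(int)
    channels = defaultdict(set)
    for e in events:
        if e["channel"] == "controlled":
            continue
        key = (e["user"], e["day"])
        totals[key] += e["bytes"]
        channels[key].add(e["channel"])

    alerts = []
    for (user, day), total in sorted(totals.items()):
        reasons = []
        if total > baseline:
            reasons.append("volume")
        if user in departing:
            reasons.append("departing")
        if reasons:
            alerts.append((user, day, total, tuple(reasons), tuple(sorted(channels[(user, day)]))))
    return alerts


if __name__ == "__main__":
    for user, day, total, reasons, chans in find_exfil_alerts(parse_log(SAMPLE_LOG)):
        print(f"{day} {user}: {total / 2**20:.0f} MiB via {', '.join(chans)} [{', '.join(reasons)}]")
```

On the sample, bob's copy to the internal share and his mail to the corporate domain produce nothing, carol's single print job stays under the baseline, and alice is flagged on both days: once for volume plus departing status, once for the 2 GiB Dropbox upload. The departing-user signal is the one that matters for the voluntary-leaver case the survey describes, because volume alone is easy to stay under by spreading copies over several days.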
5. Oracle settles with the FTC over 'deceptive' Java security promises: Oracle acquired Java in 2010 and has been aware of its security issues. It promised customers that updates would keep users' systems safe, but in reality those updates removed only the most recent prior version of the software, leaving older ones intact and vulnerable to attacks. Oracle will now be required to notify consumers during the Java SE update process if they have outdated versions of the software on their computer, notify them of the risk of keeping the older software, and give them the option to uninstall it. In addition, the company will be required to provide broad notice to consumers via social media and its website on how they can remove older versions of the software.
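The update behaviour described above, as an added example that is not Oracle's code or the actual Java updater: a model of an updater that removes only the immediate predecessor, run against a constructed software inventory, next to the check an administrator would actually want, which lists every Java version other than the newest. The inventory, the two version-label formats it parses (the `1.8.0_66` style printed by `java -version` and the `Java 8 Update 66` display-name style) and the update sequence are assumptions for this example.

```python
"""Stale Java version inventory check (added example; not Oracle's updater)."""
import re

# Two label styles seen in the Java 8 era; anything else is rejected rather than guessed.
_PATTERNS = (
    re.compile(r"^1\.(\d+)\.\d+_(\d+)$"),            # java -version style: 1.8.0_66
    re.compile(r"^Java (\d+) Update (\d+)$", re.I),  # display-name style: Java 8 Update 66
)

# Constructed inventory of what an endpoint reports as installed (assumption).
INSTALLED = ["Java 6 Update 45", "Java 7 Update 79", "Java 8 Update 60"]


def parse_java_version(label):
    """Normalise a version label to (major, update), e.g. '1.8.0_66' -> (8, 66)."""
    for pat in _PATTERNS:
        m = pat.match(label.strip())
        if m:
            return int(m.group(1)), int(m.group(2))
    raise ValueError(f"unrecognised Java version label: {label!r}")


def apply_update_as_described(installed, new_label):
    """Model of the behaviour the settlement describes: the updater removes only the
    single most recent prior version and leaves every older one in place (assumption:
    this is a simplified model of the text, not the real updater's logic)."""
    ordered = sorted(installed, key=parse_java_version)
    survivors = ordered[:-1]          # only the newest prior version is removed
    return survivors + [new_label]


def stale_versions(installed):
    """Every installed version that is not the newest, oldest first. This is the list
    the consent order requires Oracle to tell the user about; an administrator can run
    the same check from an inventory export without waiting for the updater."""
    newest = max(installed, key=parse_java_version)
    return sorted((v for v in installed if parse_java_version(v) != parse_java_version(newest)),
                  key=parse_java_version)


if __name__ == "__main__":
    after = apply_update_as_described(INSTALLED, "1.8.0_66")
    print("installed after update:", after)
    print("still stale and exploitable:", stale_versions(after))
```

Running the model on the sample inventory shows the problem in one line: updating to 8u66 removes only 8u60, so the Java 6 and Java 7 installs survive and `stale_versions` still reports both.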
6. Online broadcaster Livestream suffers possible database breach: Live video streaming platform Livestream has discovered that an unauthorized person may have accessed its customer accounts database. The database holds information such as a user's name, email address and an encrypted version of their password, as well as phone numbers and the customer's date of birth. Livestream has issued a warning to users to update their passwords.
7. Millions of Hello Kitty fans' data exposed by database hack: A database used by Hello Kitty fans has reportedly been found online after servers were hit last month. As many as 3.3 million records are said to be in the database. It's not immediately clear where the database was leaked to, or whether the database can be verified for authenticity. The Hello Kitty toy brand has major sway in East Asian countries, particularly Japan, where it was invented. Its parent company Sanrio generates more than $7 billion in revenue from the brand alone.
8. Yellow alert sounded for Juniper vulns, Feds called in: The infosec alert level for the Juniper backdoors was bumped to yellow last week after two critical vulnerabilities rocked the infosec world. As the industry scrambles to fill these gaping holes in the ScreenOS platform, news continues to trickle in that FBI officials are investigating potential nation-state actions that led to the insertion of an authentication backdoor (whose password is now public) that impacts tens of thousands of devices on the Internet. This fiasco is a major blow to the government's backdoor rhetoric and a shining example of why backdoors are bad.
9. Yahoo now warns users if they're targets of state-sponsored hackers: The web giant is the latest firm, after Google, Facebook and Twitter, to warn users of state attacks. In order to prevent the hackers from learning about Yahoo's detection methods, Yahoo will not share any details publicly about these attacks.
10. After UP, Maharashtra leads India in cybercrime: In India, the rising number of cases of hacking, cyber bullying, IP spoofing and credit card fraud has always kept cyber security teams on their toes. As per a recent report, 3,049 people were put behind bars for committing cybercrime during 2010-2014. Mumbai, being the financial capital, has seen a 295 per cent increase in cybercrime. Credit card fraud tops the list, with hackers using various methods such as rigged ATM machines, skimming devices at POS terminals, phone and email frauds, and duplicate websites. The good news is that banks are getting smarter by issuing EMV cards (chip-and-PIN credit cards); banks are also looking at contactless credit cards with NFC (Near Field Communication) and RFID technology, which do not require swiping of the card, thereby lowering the chance of any data leakage.