Security In 2016 – The Year In Review

As 2017 is already off to a flying start, it’s a good time to stop and take a look back at some of the security breaches and issues that happened throughout last year.
It’s time to appreciate that while we’ve come a long way, we still have a long way to go.

Yahoo!

Let’s start off by looking at what is probably the biggest breach of the year — actually two of the biggest breaches of the year.
During the year, firstly on September 22 and later on December 14, Yahoo! announced that they had suffered major, dare I say spectacular, security breaches.

The first one, according to Yahoo!’s security chief, Bob Lord, affected at least 500 million people. Specifically, it appears to have affected Yahoo! and Flickr accounts.

The second one was much larger.
This one, potentially, affected more than 1 billion accounts.
It needs to be noted that the more than 1 billion accounts compromised in the second attack are in addition to the original 500 million.
The first one Yahoo! claimed as being the work of a “state-sponsored” hacker.
The second one isn’t as clear.

What’s perhaps not surprising is that, while the information only came to light in 2016, the breaches themselves appear to date back as far as 2012 or 2013.
So, although the breaches didn’t happen last year, they were publicly disclosed last year, which is why they’re included in this list.
What’s also not surprising is that they happened in the first place.

According to security researcher, Brian Krebs:

For years I have been urging friends and family to migrate off of Yahoo email, mainly because the company appeared to fall far behind its peers in blocking spam and other email-based attacks. But also because of pseudo-security features (like secret questions) that tend to end up weakening the security of accounts. I stand by that recommendation.

And that leads us to how the hack happened. According to The Guardian:

The hackers used “forged ‘cookies'”….The cookies “could allow an intruder to access users’ accounts without a password” by misidentifying anyone using them as the owner of an email account. The breach may be related to the theft of Yahoo’s proprietary code, [Bob] Lord (Yahoo’s chief information security officer) said.

They go on to say:

…the stolen user account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers.

Let’s consider some of the key issues here.
That a cookie, whether a personal or a public one, could be forged and used to gain access to an account without a password is extremely concerning.
To not attempt to secure security questions and answers, leaving them in the clear, indicates a clear case of professional negligence.

And using MD5 to secure anything suggests that these were breaches waiting to happen.
What’s more, it definitely lends credence to Brian Krebs’ statement above, that Yahoo! was falling behind its peers and implementing pseudo-security features.
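To make the forged-cookie issue concrete, here is an added example (not code from the original post or from Yahoo!) of a session cookie whose contents are authenticated with an HMAC under a server-side key. A cookie that has been tampered with, has expired, or was produced under a different key fails verification; the constructed key and the `user_id` values are assumptions for the illustration.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed example key. In a real deployment it belongs in a key store,
# not in the code base: if the key ships with the source, a theft of that
# source (as the page says may have happened at Yahoo!) lets anyone forge cookies.
SERVER_KEY = b"constructed-example-key-do-not-reuse"


def issue_cookie(user_id: str, ttl_seconds: int = 3600,
                 key: bytes = SERVER_KEY, now: Optional[int] = None) -> str:
    """Build a cookie value 'user_id|expiry|nonce|mac'.

    The MAC covers everything before it, so swapping the user id or
    extending the expiry invalidates the cookie."""
    current = int(time.time()) if now is None else now
    expiry = current + ttl_seconds
    nonce = secrets.token_hex(8)
    payload = f"{user_id}|{expiry}|{nonce}"
    mac = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{mac}"


def verify_cookie(cookie: str, key: bytes = SERVER_KEY,
                  now: Optional[int] = None) -> Optional[str]:
    """Return the user id if the cookie is authentic and unexpired, else None."""
    parts = cookie.split("|")
    if len(parts) != 4:
        return None
    user_id, expiry, nonce, mac = parts
    payload = f"{user_id}|{expiry}|{nonce}"
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison: a plain == would leak timing information.
    if not hmac.compare_digest(expected, mac):
        return None
    current = int(time.time()) if now is None else now
    if not expiry.isdigit() or int(expiry) < current:
        return None
    return user_id


if __name__ == "__main__":
    cookie = issue_cookie("alice", now=1000)
    print("valid:   ", verify_cookie(cookie, now=1500))
    print("tampered:", verify_cookie(cookie.replace("alice", "bob", 1), now=1500))
    print("expired: ", verify_cookie(cookie, now=10000))
```

The point the page makes still holds: the check is only as strong as the secrecy of the key, so anyone who obtains it can mint a cookie for any account.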

Key Takeaway: Just because a company’s been around the internet for a long time, doesn’t mean that they’re keeping up with the times.

Hacking of The Democratic Party & Hillary Clinton’s Presidential Campaign

The next breach on the list is the leaking of more than 19,000 emails of the Democratic National Committee (DNC). According to The Guardian, the hack was conducted by two groups of hackers. They indicate that the first one is likely linked to the FSB, Russia’s federal security service, and the second to military intelligence.

In this case, you don’t have to rush out and change passwords or consider closing your account. Unless you’re a member of the DNC or the Republican National Committee (RNC), there’s likely nothing to concern you.

However, what it does bring to light is a lot of information that a large number of US politicians and their staffers likely wish had never come to light. For the rest of us, though, it does make for some juicy reading.

And very closely related to the DNC hack is the compromise of the email account of the chair of the Hillary Clinton campaign, John Podesta.
You might think that someone in his position was deliberately targeted by an organized group of people.
He wasn’t.

In a report by Salon.com, Podesta was caught by a simple, though deliberate, phishing campaign.
To be fair, it is something that, save for some carelessness, likely could have been avoided.
The New York Times reports that, while the email could have been readily identified for what it was, a campaign aide described it as a legitimate email, as you can see in the image below.

Courtesy of the NY Times

Given that, I can only assume that the usual suspicion was set aside and the link in the email was clicked.
When Podesta clicked it, he was directed to a page that genuinely looked like Google’s.

There, he typed in his credentials, which were later passed on to Wikileaks, which retrieved and compiled around 50,000 messages to and from the campaign chair.
Apparently, the details were also obtained by Russian intelligence, who created all kinds of havoc.

The leaked emails show a number of damning things about the Clinton campaign, including:

  • How the Democratic Party leadership attempted to undermine the campaign of Hillary Clinton’s rival Bernie Sanders
  • Details of paid speeches which Hillary Clinton gave to Wall Street banks

Again, while this story will likely affect very few of us personally, there are some people who have been very clearly affected.
The information surrounding both this and the DNC hack is likely to continue, piece by piece, throughout 2017.

Key Takeaway: Don’t be in such a hurry. Proceed with caution. If something seems too good to be true, then it likely is.

Ashley Madison

Now, let’s get back to talking about breaches that affected a large number of individuals; people who likely wish they’d never been involved.
Let’s discuss the breach of Canadian infidelity site Ashley Madison.
If you’ve not heard of the site, that’s likely a good thing, when you consider that the site provides a service that actively helps people cheat on their spouse.

The service is rather similar to AdultFriendFinder, who we’ll talk about next.
Back in July 2015, Ashley Madison was hacked, resulting in the details of some 35 million customers being exposed.
If you’re wondering how personal the information was, it included:

  • Usernames
  • Passwords
  • Email addresses
  • Even street addresses

And in the aftermath of the breach, people were blackmailed, scammers attempted to extort money from individuals affected — there were even reports of suicide.
You can only imagine the damage done and the lives ruined as a result.
Ashley Madison’s parent company, Avid Life Media, was ordered to pay a $17.5 million fine.
They also agreed to 20 years of oversight of their network security practices.

When hacking happens, it’s never something that you want to be caught up in.
The inconvenience of having to reset accounts is both time-consuming and frustrating.
But if you were a client of Ashley Madison, inconvenience is the least of your worries.

While it’s not exactly clear how the hack occurred, what is clear is that:

  1. There appears to be a lack of appreciation of the impact on people’s lives by parent company Avid Life Media
  2. Users were not very tech savvy

Take this statement which they released:

No current or past members’ full credit card numbers were stolen from Avid Life Media. Any statements to the contrary are false. Avid Life Media has never stored members’ full credit card numbers.

If you’re using a service where you are engaged in an activity which you don’t want those closest to you to know anything about, stolen credit card information is not your highest priority.
You expect that your activity will be and always remain private.

Key Takeaway: Just because a site makes a set of claims, doesn’t mean that they will be honored.

AdultFriendFinder

Let’s follow up with another adult service: AdultFriendFinder.
The name alone should be enough to tell you what the site does.

Back in November, it was made public that the site was hacked, and that details of around 412 million accounts were stolen.
The information contained names, passwords, addresses, and phone numbers, as well as credit card transactions.
What’s interesting about this case, is that the information included in the breach stretches over 20 years and across several companies.

AdultFriendFinder’s been around for a while and is part of a larger network.
As a result, information from some other sites within the group was breached.

As you can well assume, when information of this kind comes to light, no one’s going to feel comfortable about being involved.
But the most concerning part of the breach is that it shows what can only be described as a complete lack of awareness of security on the part of the technical team behind the site.
I say that because, as Tripwire summarized, the top 10 passwords, organized by frequency are:

  • 123456
  • 12345
  • 123456789
  • 12345678
  • 1234567890
  • password
  • qwerty
  • qwertyuiop
  • 987654321

As bizarre as this sounds, a significant number of passwords, though not all of them, were stored in plain text, as Tripwire went on to note.
What’s more, the site doesn’t enforce a password complexity policy.

Key Takeaway: Just because a service is electronic and built by technical people, doesn’t mean that it’s sophisticated.
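The AdultFriendFinder list above and the MD5 hashes in the Yahoo! section are two sides of the same problem, so here is an added example (not code from the original post or from either company) that shows what a minimal defence looks like: reject the most common breached passwords at registration, and store what is accepted with a salted, deliberately slow hash from the Python standard library rather than a bare MD5 digest. The length threshold and the `pbkdf2_sha256$` record format are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets

# The nine most common passwords from the breach, as listed above.
BREACHED_TOP_PASSWORDS = {
    "123456", "12345", "123456789", "12345678", "1234567890",
    "password", "qwerty", "qwertyuiop", "987654321",
}
MIN_LENGTH = 12  # assumed policy value for this example


def check_policy(password: str) -> list:
    """Return a list of policy violations; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in BREACHED_TOP_PASSWORDS:
        problems.append("appears in a published breach list")
    return problems


def md5_unsalted(password: str) -> str:
    """What the page says Yahoo! stored: a fast, unsalted digest.
    Every user with the same password gets the same hash, so one
    precomputed lookup table cracks all of them at once."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password: str, iterations: int = 200_000) -> str:
    """Salted, slow hash (PBKDF2-HMAC-SHA256). A fresh random salt per user
    means identical passwords produce different records."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    print(check_policy("123456"))                      # two violations
    print(md5_unsalted("123456"))                      # same for every user
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))
```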

Telegram

Now let’s look at a different breach, one that affected a service you would expect to be immune.
Are you a user of the secure messaging service Telegram? If so, then the fact that they were breached in 2016 should be of real concern to you.
According to Wired, a group of Iranian hackers, called Rocket Kitten, compromised more than a dozen Iranian Telegram accounts.

On the surface of it, that may not sound like much.
But from those dozen or so accounts, the phone numbers of around 15 million Iranian users were accessed. Quoting Wired further, here’s how the hack happened:

…SMS messages Telegram sends to people when they activate a new device. The texts contain a verification code that Telegram asks people to enter to complete a new device setup. A hacker with access to someone’s text messages can obtain these codes and enter them to add their own devices to the person’s account, thus gaining access to their data including chat histories.

Now if accounts from Yahoo!, Ashley Madison, or private individuals are hacked, you can understand that.
But if a security breach happens at a company that touts itself as providing a secure service, then that’s concerning.

What makes it even more concerning, is that the service is used by people who have good reason to want to keep their activities and identities a secret.
This includes people such as journalists, and human rights activists, who have good reason to fear reprisals for their actions.

But, the breach isn’t the only thing to be concerned about with Telegram.
According to an article by Gizmodo, Telegram has other inherent flaws in their service.
These include:

  • Requiring users to opt in to end-to-end encryption of their conversations, rather than enabling it by default
  • Implementing their own cryptographic protocol, instead of using an established one

That a company would require average users to enable secure communications in the modern era, when companies such as WhatsApp enable it as a matter of course, is certainly perplexing.

That they would create an encryption protocol of their own, instead of using publicly available, verifiable, and tested algorithms, is extremely disconcerting.
Unless that changes, I’d strongly encourage you to not use the service.

Key Takeaway: Don’t take statements at face value.

Comelec

Now, let’s move a bit further afield, specifically to the Philippines.
According to Malwarebytes, the anti-malware company, on March 27 the COMELEC site, which belongs to the Philippines’ Commission on Elections, was defaced and hacked, allegedly by Anonymous Philippines.

The publicly stated reason for the hack was to motivate the government to implement greater security in the voting machines to be used in the 2016 general election.

The hack resulted in the details of up to 55 million registered voters in the Philippines being compromised.
Given that the total number of registered voters in the Philippines is 70 million, that’s a significant percentage of the population.

To give you an idea of what was in the breached data, the information stolen includes:

  • Passport numbers and expiry dates
  • Fingerprints
  • Names of people who’ve run for public office

After the group had notified the official authorities, the response was, sadly, the all too familiar one when events like these happen.
They, at least publicly, took no action, and even went so far as to say:

There is no sensitive information there

Despite an independent investigation by internet security firm Trend Micro, the relevant officials appeared to be largely unconcerned.
However, they have indicated that they will apply improved security measures before the election.

For reasons not entirely known, another group of hackers, LulzSec Pilipinas, took the breached information and made it publicly available, on a fully searchable website called “wehaveyourdata.”
The site allowed for all the information to be searched, based on first name, last name, and maternal name.
To quote the statement published on the site:

The database contains a lot of sensitive information, including fingerprint data and passport information…Why are we doing this? …Maybe, at least now, government will start thinking about security of citizens’ personal data.

Whether you agree with the motivations of the hackers or not, a lot of people are potentially going to get hurt by this.
I agree that when any organization collects and stores information of this type, regardless of the number of people involved, it needs to be thoroughly protected, with as much diligence and professionalism as possible.

That, in this case, it appears to have been anything but, is very concerning.

Key Takeaway: Subject both private and public organizations to the same level of scrutiny. What’s more, hold public organizations, organizations which employ public funds, to higher standards.

Bitcoin Exchange BitFinex

The next most significant breach of the year is the theft of 119,756 bitcoin (nearly $65 million) from the Bitcoin exchange BitFinex in Hong Kong, on August 3rd.
Trading, withdrawals, and deposits on the exchange were halted after the breach was publicly disclosed, pending further investigation by law enforcement.

How the breach happened is a little bit hard to tell. And a report from Quartz indicates that Bitfinex has released next to no information, but is “working with authorities” following the incident.
Yet, they don’t say who these authorities are, nor what has been discussed.

However, CoinDesk reports that the problem may have been the result of a system created by BitFinex together with BitGo, a technology company dealing with the security, compliance and architectural problems associated with blockchains.

The technology:

Is a new Bitcoin settlement and security architecture that for the first time ever offers complete segregation of all customer bitcoins

It’s, admittedly, quite opaque as to exactly: what happened, who was responsible, and most of all, when the stolen funds would — if at all — be returned.
Questions were raised about the validity of the security model, and the viability of the companies involved.
But most of all, people just wanted to know what was going on.
Sadly, the companies involved weren’t very forthcoming.

One other thing that’s quite interesting about this story, from a non-technical perspective, is that despite so much money being stolen, the value of Bitcoin rose shortly afterward.
Although it had been in a slow but steady decline, and despite a sharp drop of around 15 percent immediately after the news, the value rebounded shortly afterward.

Key Takeaway: It’s hard to be specific here, but I’d suggest that, while technology can be both liberating and enabling, it still needs to be stress-tested.
What’s more, while being on the bleeding edge has its advantages, there’s a reason why it’s called the bleeding edge.

Mark Zuckerberg, Sundar Pichai, Jack Dorsey, And Friends

And now, let’s finish up with a smaller, simpler example. Engadget reported that the hacker group OurMine hacked the accounts of some prominent people.
You may be surprised by who’s on this list, as you’d expect that they should have known better.

Let’s work through what they did:

  • Facebook CEO Mark Zuckerberg’s Pinterest account was hacked twice
  • They hacked the Quora account of Google CEO Sundar Pichai
  • They hacked Twitter CEO and co-founder, Jack Dorsey’s Twitter account
  • They also hacked Netflix’s Twitter account

At least, in contrast to the previous list of hacks, in these cases the hacks were rather harmless.
OurMine seems to be a combination of hacker, hacktivist, and security researcher.
Commonly, all they seem to do is to update profiles, or write messages, such as:

Hey, its OurMine, we are testing your security.

So what they do is relatively innocuous.

Key Takeaway: the more exposed you are, the more attacked you get.

In Conclusion

After that roller coaster ride through some of the worst security breaches over the last 12 months, what can we do, as individuals, to better protect ourselves from being caught up in situations like these?
Here are three steps you can take to better protect yourself online.

Take Security Seriously

If the stories recounted above show anything, it’s that it’s essential to take security seriously.
Sure, at first — even for a long time — everything may seem to go swimmingly.
But that’s no guarantee that it will last forever.
Invariably, and with ever greater likelihood, your site will eventually be the subject of at least one hacking attempt.
So, do your research and develop using security-first principles.

Developers Should Take Ownership Of Security/Advocate For Security

Following on from the previous point, I encourage you to not only take security seriously in your own development but to begin (and to continue) advocating for it everywhere.
I invite you to do this both within your organization, as well as in all the projects you’re associated with; whether they’re open or closed source.
If we cast our minds back, it wasn’t that long ago that testing was considered an after-thought, an optional extra, in software development.
Yet, through continued advocacy, it’s now considered — by professional organizations – a core aspect of healthy software development.
Let’s do the same for security!

Security Threats Take Ever More Varied Forms

Let’s finish off with one, final, consideration; that security threats come in many forms, and will continue to come in ever more.
Perhaps this is an indictment of the lax, even non-existent attitude towards security, baked into the original specifications that underpin the internet.
Perhaps it’s an indictment of who we are as people.
But regardless, what we can never do is to become complacent and think that every threat vector has been both identified and addressed.
As people, we are, by our very nature, creative.
Compound that creativity with a malicious streak in some of us, and we have a combination where it’s possible to uncover ever more possibilities to breach the security of our applications.
So become aware of what’s out there, and then regularly maintain your knowledge.

About the Author

Matthew Setter is an independent software developer and technical writer. He specializes in creating test-driven applications and writing about modern software practices, including continuous development, testing, and security.