SecWorX – InfoSec Year In Review – 2014

Hi folks, I’ve compiled some of the more popular InfoSec stories and links on each topic – just a quick year-in-review summary for you. This year has been extremely eventful and there are no signs of slowing down as we enter 2015. Read it and weep, or, if you work in InfoSec, read and smile that you are still employed with plenty of work on the horizon 🙂

Total PWNage

Sony Cyber Attack

The biggest, baddest and juiciest story of them all broke in late November and will continue to be a treasure trove well into 2015. This cyber attack was reminiscent of an old school cheesy hacker movie. Here is the image of what many Sony employees saw showing up on their screens. Gotta love the scary skull pic!

[Image: GOP]

The FBI is pointing the proverbial finger at DPRK. I’m holding back judgment until the InfoSec community has had a chance to review the technical analysis. Seth Rogen is one person that must be pretty stoked about the Sony attack, which was spun into an awesome promotional tool for “The Interview” movie going into the holiday season. I admit that I bought into the hype. My review: a few good laughs but far from a blockbuster!

The leak was BRUTAL!
– entire databases exfiltrated
– unpublished movie scripts
– contract negotiations
– data dump posted to torrent sites, Pastebin and Reddit (amongst others)
– full dump claimed to be tens of terabytes

Brian Krebs is covering this one pretty well!

Celebrity Nude Photo Leak

This story broke over Labour Day, which must have set records for search queries on female A-listers looking for a download link to the files. The series of nude pics of allegedly 101 celebs (names below) is making the rounds on file-sharing sites, referred to as ‘The Fappening’. The attack was a garden-variety brute-force attempt against iCloud accounts: a huge breach of privacy in which the attacker was able to steal nude photos from right under the noses of these celebrities, straight off the cloud. The photographs were then posted to online forums and soon spread like wildfire. Reports suggest the hack combined a Python script named “iBrute” that was posted on GitHub with a vulnerability in the ‘Find my iPhone’ app: its login had no rate limiting or account lockout, so an attacker had unlimited chances to brute-force a password.

The alleged list:
AJ Michalka, Alyson ‘Aly’ Michalka, Allegra Carpenter, Abigail Spencer, Alana Blanchard, Alexa Jane, Angelina McCoy, Anna O’Neill, Ashley Blankenship, Aubrey Plaza, Abigail ‘Abby’ Elliott, AnnaLynne McCord, Avril Lavigne, Amber Heard, Rebecca ‘Becca’ Tobin, Brie Larson, Brittany Booker, Candace Smith, Candice Swanepoel, Cara Delevingne, Carley Pope, Carmella Carcia, Carrie Michalka, Cat Deeley, Carly Foulkes, Chloe Dykstra, Clare Bowen, Dove Cameron, Elena Satine, Elle Evans, Ellenore Scott, Emily Browning, Emily DiDonato, Emily Ratjkowski, Erin Cummings, Erin Heatherton, Farrah Abraham, Gabrielle Union, Gabi Grecko, Hayden Panettiere, Hope Solo, Heather Marks, Hilary Duff, Jacqueline Dunford, Janelle Ginestra, Jennifer Lawrence, Jessiqa Pace, Jessica Dunford, Jessica Riccardi, Jesse Golden, JoJo, Joanna Krupa, Jennifer ‘Jenny’ McCarthy, Josie Loren, Joy Corrigan, Kaley Cuoco, Kaime O’Teter, Kate Upton, Kate Bosworth, Kelly Brook, Lauren ‘Keke’ Palmer, Kim Kardashian West, Kirsten Dunst, Krysten Ritter, Lake Bell, Laura Ramsey, Lea Michele, Leelee Sobieski, Leven Rambin, Lisa Kelly, Lisalla Montenegro, Lindsay Clubine, Lizzy Caplan, Mary-Kate Olsen, Mary Elizabeth Winstead, McKayla Maroney, Melissa Benoist, Meagan Good, Megan Boone, Michelle Keegan, Mikayla Pierce, Misty Treanor, Nina Stavris, Rachel Nichols, Rihanna, Sarah Shahi, Sahara Ray, Sarah Schneider, ScarJo, Selena Gomez, Shannon McNally, Tameka Jacobs, Teresa Palmer, Uldouz, Vanessa Hudgens, Victoria Justice, Wailana Geisen, Winona Ryder, Yvonne Strahovski, Alison Brie, Dave Franco.

User lessons
1. Use strong passwords and enable two-step verification.
2. Review what gets copied to the cloud. Delete backups or anything else that you do not want kept there.

Business lessons
1. Always implement rate limiting and account lockout on web apps.
2. Bug bounty programs are a good thing.
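To make the second business lesson concrete, here is an added example (written for this review; it is not code from the original post, from Apple, or from the iBrute script) of a small login throttle: it counts failed attempts per account and per source address in a sliding window and locks either one out for a period once a threshold is reached, which is the control the ‘Find my iPhone’ login was missing. The thresholds, the hypothetical account names and the documentation-range addresses are assumptions chosen for the demo; the clock is injectable so the lockout can be exercised without waiting.

```python
import time
from collections import defaultdict, deque


class LoginThrottle:
    """Sliding-window failure counter with temporary lockout.

    Failures are tracked per account AND per source address. The account
    counter stops a single attacker guessing one password; the address
    counter stops one host spraying many accounts. Counters age out, so a
    locked account recovers without an administrator.
    """

    def __init__(self, max_failures=5, window_seconds=300,
                 lockout_seconds=900, clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window_seconds
        self.lockout = lockout_seconds
        self.clock = clock                    # injectable for testing
        self._failures = defaultdict(deque)   # key -> timestamps of recent failures
        self._locked_until = {}               # key -> time the lockout expires

    def _prune(self, key, now):
        q = self._failures[key]
        while q and now - q[0] > self.window:
            q.popleft()

    def is_locked(self, key):
        now = self.clock()
        until = self._locked_until.get(key)
        if until is not None and now < until:
            return True
        if until is not None:
            del self._locked_until[key]       # lockout expired; forget it
        return False

    def check(self, account, source_ip):
        """Call BEFORE verifying the password. Returns (allowed, reason)."""
        for key in (("acct", account), ("ip", source_ip)):
            if self.is_locked(key):
                return False, f"{key[0]} locked"
        return True, "ok"

    def record_failure(self, account, source_ip):
        now = self.clock()
        for key in (("acct", account), ("ip", source_ip)):
            self._prune(key, now)
            self._failures[key].append(now)
            if len(self._failures[key]) >= self.max_failures:
                self._locked_until[key] = now + self.lockout
                self._failures[key].clear()

    def record_success(self, account, source_ip):
        # A correct password clears the account counter only; the source
        # address keeps its history so credential stuffing is still slowed.
        self._failures.pop(("acct", account), None)


class FakeClock:
    """Deterministic stand-in for time.monotonic() (demo assumption)."""
    def __init__(self, t=0.0):
        self.t = t

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def simulate_guessing(attempts, throttle=None, clock=None):
    """Feed a constructed run of wrong-password attempts, one per second,
    against the hypothetical account "alice" from 203.0.113.7, and report
    how many attempts actually reached the password check."""
    clock = clock or FakeClock()
    throttle = throttle or LoginThrottle(clock=clock)
    reached = 0
    for _ in range(attempts):
        allowed, _reason = throttle.check("alice", "203.0.113.7")
        if allowed:
            reached += 1
            throttle.record_failure("alice", "203.0.113.7")
        clock.advance(1.0)
    return reached


if __name__ == "__main__":
    print("attempts that reached the password check out of 100:",
          simulate_guessing(100))
```

Two details matter in practice: the response to the client should be the same generic failure whether the account is locked or the password was simply wrong, so the throttle does not become an account-enumeration oracle; and because a distributed attacker can rotate source addresses, the per-account counter is what ultimately caps the number of guesses against any one victim.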

I’m still waiting for a story to break that points to Kim Kardashian as being the real hacker for this one! Wouldn’t that make the gossip mags a fortune in 2015?

Here are links to three good posts on the story.
Sources: Forbes (Link1, Link2), Mail Online (Link)

Retail Card Breaches Cont’d

This type of attack came on the radar a year ago with the disastrous Target breach but was soon trumped by Home Depot, resulting in the largest breach of its kind on record. Cyber criminals using custom-built malware that lingered on the network for approximately half a year (April to September) were able to steal card data and customer email addresses. The numbers speak for themselves:
– 56 million customer credit/debit card accounts
– 53 million customer email addresses

Krebs broke the story on Sep 2, 2014, and has done a fabulous job at posting detailed updates. Thanks again Brian!

Lesson learned: fear the phrase “PCI Compliant”!!!!

Heartbleed and ShellShock

The two most popular bugs making the media rounds were tagged with the coolest monikers: Heartbleed & ShellShock.

Heartbleed is an OpenSSL bug disclosed in April 2014 that hit the mainstream media with full force given the enormous number of websites that use the library. OpenSSL is the open-source implementation of SSL/TLS used for communication security and privacy over the internet, for applications such as web, email, IM and some VPNs. Shall I now scream, “THIS IS IMPORTANT!”? Vulnerable versions of OpenSSL leak data through a coding flaw that allows a buffer over-read: a malformed heartbeat message declares a longer payload than it actually carries, and the server copies that many bytes out of its own memory into the reply, handing back data it was never meant to expose. Major sites have since patched their servers; however, rest assured there are many that still remain vulnerable.
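The over-read is easier to see in a small model than in prose. The following is an added example, written for this review and not taken from OpenSSL or from the original post: it models a heartbeat message as type (1 byte) | payload length (2 bytes) | payload | 16 bytes of padding, simulates the memory that happens to sit after the record with a constructed byte string, and shows the single bounds check that separates the vulnerable handler from the fixed one. The message layout and the check mirror the TLS heartbeat extension; the heap contents, the function names and the “hello” payload are constructed for the demo.

```python
import struct

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
PADDING_LENGTH = 16   # TLS requires at least 16 bytes of padding after the payload


def build_heartbeat(payload, claimed_length=None):
    """Encode a heartbeat request. claimed_length lets a test deliberately
    declare more payload than is actually sent (the malformed case)."""
    length = len(payload) if claimed_length is None else claimed_length
    return struct.pack("!BH", HEARTBEAT_REQUEST, length) + payload + b"\x00" * PADDING_LENGTH


def respond_vulnerable(record, process_memory):
    """Model of the pre-fix handler: trust payload_length from the wire and copy
    that many bytes starting at the payload. Because the record is followed in
    memory by other data (simulated here by process_memory), a large declared
    length walks straight past the end of the record."""
    _, payload_length = struct.unpack("!BH", record[:3])
    memory = record + process_memory               # constructed stand-in for the heap
    payload = memory[3:3 + payload_length]         # no check that this fits the record
    return struct.pack("!BH", HEARTBEAT_RESPONSE, payload_length) + payload + b"\x00" * PADDING_LENGTH


def respond_fixed(record, process_memory):
    """Model of the fix: discard any record whose declared payload (plus header
    and padding) does not fit inside the bytes actually received."""
    if len(record) < 3:
        return None
    _, payload_length = struct.unpack("!BH", record[:3])
    if 1 + 2 + payload_length + PADDING_LENGTH > len(record):
        return None                                # silently drop, as the patch does
    payload = record[3:3 + payload_length]
    return struct.pack("!BH", HEARTBEAT_RESPONSE, payload_length) + payload + b"\x00" * PADDING_LENGTH


def leaked_bytes(response, honest_payload):
    """Everything the reply carries beyond what the client legitimately sent."""
    _, length = struct.unpack("!BH", response[:3])
    payload = response[3:3 + length]
    return payload[len(honest_payload):]


def demo():
    # Constructed "heap" contents sitting after the record in memory.
    heap = b"...unrelated buffer: user=alice; session=deadbeef; ..."
    honest = build_heartbeat(b"hello")
    # Declare a payload long enough to reach through the padding into the heap.
    malformed = build_heartbeat(b"hello", claimed_length=len(b"hello") + PADDING_LENGTH + len(heap))
    return {
        "fixed_rejects": respond_fixed(malformed, heap) is None,
        "fixed_answers_honest": respond_fixed(honest, heap) is not None,
        "vulnerable_leaks": heap in leaked_bytes(respond_vulnerable(malformed, heap), b"hello"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The point to take from the model is that the wire format already tells the receiver how many bytes arrived; the vulnerable handler simply never compared the declared payload length against that number. Patching closes the leak going forward, but it cannot recover anything read out while the server was exposed, which is why the advice at the time was to rotate keys and credentials after patching.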

The Sophos Naked Security news site posted my favorite technical article for Heartbleed.

Real World Example – Western University student charged with extracting data from the Canada Revenue Agency resulting in a major tax-time disruption

ShellShock is a GNU Bash shell bug disclosed in September 2014. The flaw dates back to versions of Bash from the early days, circa 1989, through to v4.3. While still widely publicized, it did not seem to garner the same coverage in the mainstream media as Heartbleed did. ShellShock is a far more significant vulnerability, with a National Vulnerability Database severity rating of 10/10. The sheer length of time the bug has existed leaves many lingering questions, such as: who knew of this vulnerability, and for how long? Bash is an enormously popular *nix shell and is the default shell on popular operating systems such as Linux and Mac OS X. The sheer footprint of Bash on public web servers and on internet of things (IoT) devices running embedded Linux with Bash (e.g., home routers and NAS gear) is cause for great concern, given the seemingly limitless attack possibilities. The ShellShock bug allows remote arbitrary code execution via specially crafted environment variables: a vulnerable Bash treats an environment value that begins with a function definition as code and goes on to execute whatever commands follow it, and web servers routinely copy request headers into environment variables before running scripts. Many companies have since patched their critical servers, but relaying this message to the consumer will prove difficult. Getting the average consumer to take action and patch devices that sit on the shelf would be hard even if a one-click update option were available. Any fix or workaround requiring more technical savvy will go well beyond the comfort level of many customers, who purchase these solutions without even realizing the impact or ramifications of security vulnerabilities.

Check out these four great articles to further your understanding of this very serious vulnerability. Sources: US-CERT, CloudFlare, FireEye, Troy Hunt

Real World Example – Several botnets have been leveraging the ShellShock bug. Botnet agents have been found with port scanning, backdoor and DDoS capabilities. One of the first reported botnet attacks was a DDoS against Akamai and US DoD networks.
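For a defender the practical questions were: is anyone probing my web servers with this, and what is the path from a request header to Bash? The following added example (written for this review, not part of the original post or of any of the linked articles) answers both in Python. It scans constructed Apache-style log lines for the function-definition prefix in the Referer and User-Agent fields, then shows how a CGI gateway maps headers into HTTP_* environment variables and how an intermediate layer could drop such values before spawning a child process. The log lines and addresses are constructed; the harmless test string is the same one vendors published for checking a local Bash, and the environment-stripping function is an illustrative stop-gap for unpatched hosts, not a substitute for the Bash update.

```python
import re

# Vulnerable Bash treated any environment value beginning with "() {" as a
# function definition and kept executing what followed the closing brace.
# Spacing in the wild varies, so both patterns match loosely.
FUNCTION_PREFIX_RE = re.compile(r"^\s*\(\s*\)\s*\{")   # value starts with "() {"
ANYWHERE_RE = re.compile(r"\(\s*\)\s*\{")              # prefix anywhere in a logged field

# Apache "combined" format: ip ident user [time] "request" status bytes "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample lines, not real traffic. Lines two and three carry the
# harmless published test string in the User-Agent and Referer fields.
SAMPLE_LOG = (
    '203.0.113.5 - - [25/Sep/2014:10:12:02 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (X11; Linux x86_64)"\n'
    '198.51.100.23 - - [25/Sep/2014:10:12:03 +0000] "GET /cgi-bin/status.cgi HTTP/1.1" 200 512 "-" "() { :;}; echo vulnerable"\n'
    '198.51.100.23 - - [25/Sep/2014:10:12:04 +0000] "GET /cgi-bin/status.cgi HTTP/1.1" 200 512 "() { :; }; echo vulnerable" "curl/7.30.0"\n'
)


def scan_log(text):
    """Return one finding per log line whose Referer or User-Agent field carries
    the function-definition prefix, naming the field so an analyst can pivot."""
    findings = []
    for line in text.splitlines():
        m = COMBINED_RE.match(line)
        if not m:
            continue   # malformed line; a real pipeline would count these separately
        for field in ("referer", "agent"):
            if ANYWHERE_RE.search(m.group(field)):
                findings.append({
                    "ip": m.group("ip"),
                    "time": m.group("time"),
                    "field": field,
                    "request": m.group("request"),
                })
    return findings


def cgi_environment(headers):
    """Mimic how a CGI gateway exposes request headers to a script:
    User-Agent becomes HTTP_USER_AGENT, and so on. This is the route by which
    a remote header value reaches Bash on an unpatched host."""
    return {"HTTP_" + name.upper().replace("-", "_"): value
            for name, value in headers.items()}


def strip_function_definitions(env):
    """Drop any variable whose value looks like an exported Bash function before
    the environment is handed to a child process. Returns (clean_env, dropped).
    Illustrative stop-gap only; the real fix is the patched Bash."""
    clean, dropped = {}, []
    for name, value in env.items():
        if FUNCTION_PREFIX_RE.match(value):
            dropped.append(name)
        else:
            clean[name] = value
    return clean, dropped


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
    env = cgi_environment({"User-Agent": "() { :;}; echo vulnerable", "Host": "example.test"})
    print(strip_function_definitions(env))
```

Two caveats on the detection side: logs only record what the web server chose to log, so headers other than Referer and User-Agent (and anything that arrived at a non-CGI listener such as a DHCP client or an SSH forced-command setup) will not show up here, and absence of the string in the log is no evidence that a host was not reached. Treat a hit as a reason to confirm the patch level on the target, not as the whole investigation.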


Dark Markets

Online marketplaces used for illegal activity are still active even under aggressive pursuit by law enforcement agencies worldwide. The infamous Silk Road is just one of many online underground markets that use the Tor network for anonymity and digital currencies such as Bitcoin to hide the money trail. Existing in what has been termed the ‘deep web’ or ‘darknet’, these sites have been used as a conduit for a wide range of illicit activities operating in a virtual black market. Investigations have uncovered illegal vices such as moving contraband, money laundering, stolen credit cards, false identification, weapons dealing and contract killing, all linking back to various dark market sites. A massive international investigation called ‘Operation Onymous’ was launched targeting these sites. The crackdown, involving the FBI, Homeland Security and Europol, led to 17 arrests and asset seizures, and took down many black market sites. There are still plenty of others that have managed to elude law enforcement and remain operational in the underground economy. The investigation has also caused a stir amongst Tor users, leaving them to question how strong its anonymity really is.

Snowden Revelations 2014

Call him former government contractor, traitor, whistle-blower or patriot, but those in InfoSec call him “the gift that keeps on giving”. Since Ed Snowden fled the USA, stopping in Hong Kong and eventually landing in Russia, he has released a treasure trove of documents on privacy and surveillance that has left audiences captivated. He even landed a feature interview from abroad that aired on CBS’s 60 Minutes. The revelations kept coming strong throughout 2014. Al Jazeera created an amazing interactive timeline; you can scroll over to the beginning of 2014 if you want a recap. The collection reveals the NSA’s true power and vast international spy grid. Other articles cover the various techniques used by agencies like the NSA and GCHQ for tracking and data collection. Articles on facial recognition technologies and quantum computing give readers a window into the future.

All of these stories give credence to the fact that InfoSec has some big challenges ahead. I could continue writing until the clock strikes midnight in 2015, but I am on holidays after all, so I’ll sum it all up in just four words: Nothing can be trusted!!!