What Can we Learn From Some of the Significant Hacks in 2011?
As we round the corner to the last quarter of 2011 and move into the busy holiday season (for hackers too), it’s a good time to look back at some of the hacks that made headlines this year. And 2011 was a monumental year for hackers. Businesses as well as consumers felt the brunt of cybercrime by the millions, some of them a few times over. Here’s a look at the top hacks from the last year, and what we can learn from them.
WordPress.com
Just before tax day in America, WordPress.com was compromised at the root level, resulting in source code being exposed and copied. Eighteen million WordPress users were compromised.
Automattic is the name of the company that owns WordPress.com blogs. On April 13th, 2011, Automattic disclosed that it had been hacked and the attacker(s) had obtained root access to its servers. Approximately 18 million blogs were hosted on the rooted servers, meaning the attackers could have stolen source code or database data from any of those blogs. Among the affected customers were WordPress.com VIP customers such as TechCrunch. Automattic/WordPress released only a brief statement about the breach:
Tough note to communicate today: Automattic had a low-level (root) break-in to several of our servers, and potentially anything on those servers could have been revealed.
We have been diligently reviewing logs and records about the break-in to determine the extent of the information exposed, and re-securing avenues used to gain access. We presume our source code was exposed and copied. While much of our code is Open Source, there are sensitive bits of our and our partners’ code. Beyond that, however, it appears information disclosed was limited.
Due to the nature of the application and the way in which it is used, Twitter passwords, API keys, other hardcoded passwords, and confidential data were likely stolen. From the information available and suggested security steps WordPress provided its users, the attack was most likely carried out by brute-force, credential theft or a Web application vulnerability.
What can we learn?
Password protection can’t be emphasized enough. All organizations should enforce the constant use of unique, strong passwords for every website and application that employees are given access to. And they should be changed often. For the most part, people still use the same one or two passwords for all of their online accounts. In the WordPress case, the compromised source code may have contained Twitter or Facebook passwords that, once cracked, could allow the attacker to then access user bank accounts or other critical and confidential information. This can happen just as easily with business applications and websites. Software such as 1Password, LastPass and KeePass can help you manage multiple passwords easily while keeping them secure.
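The WordPress lesson above turns on credentials living inside source code, where a copy of the repository is a copy of the secrets. The following scanner, added here as an illustration and not code from WordPress, Automattic or this article, walks a constructed configuration file and flags assignments whose names suggest a secret and whose values are quoted literals. The sample file, the variable names and the pattern list are all assumptions made for the example; none of the values are real credentials.

```python
import re

# Constructed sample source, standing in for a leaked code base.
# None of these values are real credentials.
SAMPLE_SOURCE = """\
# config.py (constructed example; no real credentials)
TWITTER_CONSUMER_KEY = "constructedKey0123456789"
TWITTER_CONSUMER_SECRET = "constructedSecretABCDEFGHIJ"
DB_PASSWORD = 'hunter2'
SESSION_SECRET = "xxx"
debug = True
timeout = 30
api_url = "https://api.example.invalid/v1"
"""

# An assignment whose identifier contains a secret-like word and whose
# right-hand side is a quoted literal. The word list is an assumption
# chosen for this example; a real scanner carries a much longer one.
SECRET_ASSIGNMENT = re.compile(
    r"""(?P<name>[A-Za-z_][A-Za-z0-9_]*
         (?:secret|password|passwd|token|api_key|consumer_key)
         [A-Za-z0-9_]*)
        \s*=\s*["'](?P<value>[^"']+)["']""",
    re.IGNORECASE | re.VERBOSE,
)

MIN_SECRET_LENGTH = 6  # shorter literals are almost always placeholders


def mask(value):
    """Keep the first and last two characters so a finding can be
    matched to its line without reproducing the secret in a report."""
    return value[:2] + "*" * (len(value) - 4) + value[-2:]


def scan_source(text):
    """Return (line_no, identifier, masked_value) for each line that
    looks like a hardcoded secret. Placeholders below the length
    threshold are skipped."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        match = SECRET_ASSIGNMENT.search(line)
        if not match:
            continue
        value = match.group("value")
        if len(value) < MIN_SECRET_LENGTH:
            continue
        findings.append((line_no, match.group("name"), mask(value)))
    return findings


if __name__ == "__main__":
    for line_no, name, masked in scan_source(SAMPLE_SOURCE):
        print(f"line {line_no}: {name} = {masked}")
```

Running this as a pre-commit hook or against a repository export catches the case the article describes before the code ever leaves the building; the secrets themselves belong in a password manager or a secrets store, referenced from code by name rather than value.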
Sony PlayStation Network
Also in April 2011, an estimated 100 million Sony PlayStation users were compromised. Data such as names, email addresses, home addresses, passwords, and possibly even credit card information were stolen. The hack led to Sony PSN being shut down for more than a month in some parts of the world – causing loss of revenue and brand reputation. And it didn’t just happen once. Sony PSN was continually hacked more than 10 times.
What’s interesting about this hack is how it may have been orchestrated. There’s speculation that the domino effect started when Sony decided to press charges against a hacker, George Hotz, who reverse-engineered Sony’s PlayStation 3 so that it could run unapproved third-party applications. Sony maintains that the hacks were highly sophisticated. Readers – you be the judge.
Information on how the breach occurred was released publicly by Sony during a congressional hearing. Dr. Eugene H. Spafford of Purdue University testified that Sony was using outdated software on its servers. Not only that, Sony allegedly knew about it months in advance of the recent security breaches that allowed hackers to get private information from over 100 million user accounts. Another point to consider is that Sony was PCI “compliant” at the time of the breach, causing some to lobby for revocation of their PCI compliance status. Assuming Dr. Spafford was correct, gaining access to a remote server by exploiting a vulnerability in outdated software would have been trivial.
What can we learn?
It is paramount that all applications, especially public cloud applications, have the latest security and bug fixes applied in a timely manner. Operating systems should be kept current as well. According to the Verizon 2011 Data Breach Investigations Report, 83 percent of data breaches last year were byproducts of opportunity rather than a direct attack on a specific organization, and 92 percent of them were carried out with methods considered to be of very low to moderate difficulty.
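Keeping fixes applied "in a timely manner" is only checkable if you compare what is installed against a baseline of the versions that carry the fixes. The script below is an added example, not Sony's tooling or anything from this article: it parses a constructed package inventory (in the `name version` shape a package manager listing produces), compares each installed version against a constructed minimum-version baseline, and reports what is behind. The package names, versions and baseline are assumptions made up for the example, and the version comparison is deliberately simplified (it ignores distribution revisions after the hyphen and does not model pre-release tags).

```python
import re

# Constructed inventory in `name version` form; not data from any real host.
INVENTORY = """\
# package  installed-version (constructed)
apache2 2.2.14-5
openssl 0.9.8k-7
php5 5.3.2-1
mysql-server 5.1.41-3
"""

# Constructed baseline: the minimum version an organisation has decided
# carries the fixes it requires. A real baseline is built from vendor
# advisories, not invented.
BASELINE = {
    "apache2": "2.2.17",
    "openssl": "0.9.8o",
    "php5": "5.3.2",
    "mysql-server": "5.1.49",
}


def version_key(version):
    """Turn a version string into a tuple that compares sensibly.

    Numeric runs compare as integers and alphabetic runs as strings,
    so '2.2.14' < '2.2.17' and '0.9.8k' < '0.9.8o'. The distribution
    revision after '-' is ignored; pre-release tags are not modelled.
    """
    upstream = version.split("-", 1)[0]
    parts = re.findall(r"\d+|[A-Za-z]+", upstream)
    # Tag each part so an int is never compared directly with a str.
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in parts)


def parse_inventory(text):
    """Map package name to installed version, skipping comments/blank lines."""
    inventory = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, version = line.split()
        inventory[name] = version
    return inventory


def find_outdated(inventory, baseline):
    """Return [(name, installed, required)] for every installed package
    whose version is below the baseline. Packages absent from the host
    are not reported: there is nothing to patch."""
    outdated = []
    for name, required in baseline.items():
        installed = inventory.get(name)
        if installed is None:
            continue
        if version_key(installed) < version_key(required):
            outdated.append((name, installed, required))
    return outdated


if __name__ == "__main__":
    for name, installed, required in find_outdated(parse_inventory(INVENTORY), BASELINE):
        print(f"{name}: installed {installed}, baseline requires {required}")
```

Run on a schedule and fed into a ticket queue, a report like this is the difference between "knew about it months in advance" and actually closing the gap; the interesting output is not the list itself but how long each entry has been on it.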
Most attacks are not like the movies — brainiac masterminds writing custom applications and reverse engineering your applications to exploit heap and stack overflows and override your flux capacitor. Security is an evolving response to a dynamic threat landscape.
This particular Sony PSN attack was an attack targeted directly at Sony. It’s been reported that the hackers used Amazon’s cloud hosting service to access the Sony PSN and cause the breach. Which takes us to our next notable hack of the year:
Citigroup
Citigroup disclosed in June of this year that 360,000 accounts were hacked. Customer names, account numbers and contact information were obtained. While this was less than two percent of its US customer base, this hack was significant for a few reasons, most notably that Citigroup is the third largest banking institution in the US.
The hack caused enough concern that the FDIC announced it is calling for new account security measures at banks, asking them to strengthen their authentication when a customer logs onto online accounts. It’s also been noted as the largest cyber attack on a US financial institution to date. But what got the media buzzing was the fact that the hack wasn’t publicly disclosed until almost a month after it occurred.
This hack was the result of Web parameter tampering: attackers were able to modify parameter values in requests destined for the Citigroup server and so exploit a weakness in the Web application. This trivial technique can also be the first step in attacks such as cross-site scripting, SQL injection and remote file inclusion. It takes advantage of input-validation and logic errors. Once in, the attackers can obtain a variety of user data such as names, account information, etc., as was the case here.
Parameter tampering is actually quite common and, as far as difficulty is concerned, is considered a relatively low-level attack in most cases. The specifics vary from one attack to the next, but most experts don’t consider parameter tampering difficult. That is another reason it’s so troubling that this kind of attack could succeed against an institution such as Citi. According to the 2011 Verizon Data Breach Investigations Report, most data breaches result from attacks of low to medium difficulty.
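The defect behind parameter tampering is a handler that looks up whatever identifier the client sent without asking whether the authenticated user is entitled to it. The example below is added here to make that concrete; it is not Citigroup's code and nothing in it is drawn from the real incident. It shows a deliberately flawed account lookup beside a hardened one that validates the parameter and enforces ownership server-side, plus a small check over constructed access-log lines that surfaces a session piling up denied lookups, which is what a tampering attempt looks like from the defender's side once the check is in place. The in-memory accounts, the session model and the log format are all assumptions made for the example.

```python
# Constructed in-memory account table; not real customer data.
ACCOUNTS = {
    "1001": {"owner": "alice", "balance": 250.00},
    "1002": {"owner": "bob", "balance": 980.50},
}


class Forbidden(Exception):
    """Raised when the session is not entitled to the requested record."""


def vulnerable_account_view(session_user, params):
    """Deliberately flawed: trusts the client-supplied account number and
    never consults session_user, so changing `acct` in the request
    returns someone else's record. Kept as the 'before' picture."""
    account = ACCOUNTS[params["acct"]]
    return {"acct": params["acct"], "balance": account["balance"]}


def hardened_account_view(session_user, params):
    """Validates the parameter's shape, resolves the record, and refuses
    unless the authenticated session owns it."""
    acct_id = params.get("acct", "")
    if not acct_id.isdigit():
        raise ValueError("malformed account parameter")
    account = ACCOUNTS.get(acct_id)
    # One response for 'no such account' and 'not your account', so the
    # parameter cannot be used to enumerate which numbers exist.
    if account is None or account["owner"] != session_user:
        raise Forbidden("account not available to this session")
    return {"acct": acct_id, "balance": account["balance"]}


def is_allowed(session_user, params):
    """True if the hardened view would serve this request."""
    try:
        hardened_account_view(session_user, params)
        return True
    except (Forbidden, ValueError):
        return False


# Constructed access-log lines in an assumed key=value format; every
# denied lookup from the hardened view is written as one line.
SAMPLE_LOG = """\
2011-06-01T10:00:01 user=alice acct=1001 result=ok
2011-06-01T10:00:02 user=alice acct=1002 result=denied
2011-06-01T10:00:03 user=alice acct=1003 result=denied
2011-06-01T10:00:04 user=alice acct=1004 result=denied
2011-06-01T10:00:05 user=bob acct=1002 result=ok
2011-06-01T10:00:06 user=bob acct=1001 result=denied
"""


def suspicious_sessions(log_text, threshold=3):
    """Users with at least `threshold` denied account lookups. A single
    denial is a typo; a run of them across sequential ids is tampering."""
    denials = {}
    for line in log_text.splitlines():
        fields = dict(field.split("=", 1) for field in line.split()[1:])
        if fields.get("result") == "denied":
            user = fields["user"]
            denials[user] = denials.get(user, 0) + 1
    return sorted(user for user, count in denials.items() if count >= threshold)


if __name__ == "__main__":
    print("vulnerable:", vulnerable_account_view("alice", {"acct": "1002"}))
    print("hardened allows own account:", is_allowed("alice", {"acct": "1001"}))
    print("hardened allows other's account:", is_allowed("alice", {"acct": "1002"}))
    print("sessions to review:", suspicious_sessions(SAMPLE_LOG))
```

The ownership check is the fix; the logging is what makes the next attempt visible. Note that the hardened handler returns the same error whether the account is missing or merely not the caller's, so the parameter also stops leaking which account numbers are valid.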
What can we learn?
Sometimes we get so caught up in worrying about the really tricky attacks that we get complacent on the simpler ones. Organizations that manage sensitive customer data shouldn’t slack on Web application audits (I’ll claim I have no idea how Citigroup manages Web application audits). It’s a good idea to perform these monthly or even bi-weekly, and definitely with every code release, even the really minor ones. As you can see, even though parameter tampering is a low-level threat, the consequences can be quite damaging.
Finally, don’t hesitate to be transparent if you suffer a breach. It’s in your brand’s best interest, as well as your customers’, to put out a public statement as soon as possible. A simple paragraph on your website, accompanied by a tweet letting customers know the breach has occurred and you’re doing all you can to remedy the situation, can go a long way.