The Biggest Cyber Stories of 2015

What are the top 10 Cyber security breaches of 2015? originally appeared on Quora: The best answer to any question.

Answer by Sai Ramanan, who leads Quora’s Corporate Information Security, on Quora.

Data breaches have become the status quo, considering how attackers keep finding paths to infiltrate networks and steal confidential information. Last year we saw big industry breaches such as Sony, JP Morgan Chase, Target, eBay, etc. This year hasn’t changed much. The security industry has seen not just targeted attacks on these organizations but also a recurring theme of nation-state-sponsored hackers, who are generally the best resourced and whose collective motivations run across the spectrum. While the barrage of security breaches continues on one end, investments are pouring into security technologies on the other, and it’s clearly not enough.

Here are the top 10 cyber security breaches of 2015, ranked from fewest to most compromised records.


10. Slack
When it happened: March 2015
No. of records compromised: 500,000 email addresses and other personal account data (phone number, Skype ID, etc.)
Slack’s blog confirmed that its password hashing function is bcrypt with a randomly generated salt per password. We have seen so many unauthorized database-access incidents before, haven’t we? Think about HipChat and Twitch, which experienced similar breaches not long ago.
Lesson Learned: For companies that are still relying on passwords, it’s a blow. Do not rely on salting alone. Invest in technologies and people to prevent hackers from getting access to your database in the first place. Overcome the post-breach mindset.


9. Hacking Team
When it happened: July 2015
No. of records compromised: 1 million emails
Hacking Team develops spy tools for government agencies, including tools that can get around traditional anti-virus solutions. This breach published more than 1 million emails from the Italian surveillance company, revealing its involvement with oppressive governments as well as multiple Flash zero-day vulnerabilities and Adobe exploits. As a cyber security professional, I find this definitely frightening. A full list of Hacking Team’s customers was leaked in the 2015 breach; it consisted mostly of military, police, and federal and provincial governments.
Lesson Learned: Patch your systems and applications. Inventory your systems and applications. This has been extensively covered in NIST SP 800-137, the SANS Critical Security Controls and the ASD mitigation strategies.


8. Kaspersky
When it happened: June 2015
No. of records compromised: Multiple customers affected
Kaspersky’s blog reported that “We’ve found that the group behind Duqu 2.0 also spied on several prominent targets, including participants in the international negotiations on Iran’s nuclear program and in the 70th anniversary event of the liberation of Auschwitz”.
If you don’t know about Duqu, it’s sometimes referred to as the stepbrother of Stuxnet. One of the most notable features of Duqu 2.0 was its lack of persistence, leaving almost no traces on the system. The malware made no changes to the disk or system settings: the platform was designed so that it survives almost exclusively in the memory of infected systems. Kaspersky has published the full technical details.
Kaspersky’s breach shows that even security-conscious organizations can fall victim to determined attackers.
Lessons Learned: Security teams have to account for memory-resident threats like this in their continuous monitoring strategy. Know your network. Train your teams to alert on any suspicious activity on the network. Do not just monitor inbound communications; watch outbound traffic too. Keep up with all security updates as a general best practice.


7. CareFirst BlueCross BlueShield
When it happened: May 2015
No. of records compromised: 1.1 million records
1.1 million members had their names, birth dates, email addresses and subscriber information compromised, but member password encryption prevented cybercriminals from gaining access to Social Security numbers, medical claims, employment, credit card and financial data.
CareFirst discovered the breach as part of a Mandiant-led security review, which found that hackers had gained access to a database that members use to access the company’s website and services.
Lesson Learned: Enable DNS query logging to detect hostname lookups for known malicious C2 domains. Look for high-entropy random strings in unknown certificates, file names, etc. Disclose and communicate data breaches in a timely manner.


6. LastPass
When it happened: July 2015
No. of records compromised: 7 million users
The password management company LastPass revealed that it had been the victim of a cyberattack that compromised email addresses, password reminders, per-user server salts and authentication hashes. “LastPass strengthens the authentication hash with a random salt and 100,000 rounds of server-side PBKDF2-SHA256, in addition to the rounds performed client-side. This additional strengthening makes it difficult to attack the stolen hashes with any significant speed”, the company said.
Salts alone do not prevent dictionary or brute-force attacks. One drawback of the PBKDF2-SHA256 construction that LastPass employs is that the underlying SHA-256 hash was not designed to protect passwords.
Lesson Learned: For end users, make sure you rotate master passwords periodically. Also ensure that your password reminders and recovery questions differ for every critical application.
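Both the Slack and LastPass entries turn on how stored password hashes hold up once the database itself has been stolen. The Python example below is added here and is not Slack’s or LastPass’s code; it uses the standard library’s PBKDF2-HMAC-SHA256 (the 100,000-round figure is the one LastPass quoted above) to show exactly what a per-password random salt does and does not buy. Two users with the same password get unrelated records, so nothing precomputed for one record helps with another, but an attacker holding one leaked record still needs only as many guesses as the wordlist is long, and only the iteration count makes each guess expensive. The function names, the salt length and the sample wordlist are constructed for the example.

```python
import hashlib
import hmac
import os
import time

# Example parameters (constructed for this illustration). The 100,000 server-side
# PBKDF2-SHA256 rounds are the figure LastPass quoted; the salt length is our choice.
ITERATIONS = 100_000
SALT_BYTES = 16


def hash_password(password: str, iterations: int = ITERATIONS) -> dict:
    """Store salt, work factor and digest together so verification can recompute.
    A fresh random salt per password means two users with the same password get
    unrelated digests, so a table precomputed for one record says nothing about
    any other record."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def verify_password(password: str, record: dict) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time
    so the comparison itself does not leak how many bytes matched."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(candidate, record["digest"])


def guesses_needed(record: dict, wordlist: list) -> int:
    """Model an offline dictionary attack against one leaked record, returning the
    1-based position of the hit or -1 if the wordlist misses. The salt is in the
    record, so the attacker knows it; it does not reduce the number of guesses,
    it only stops work being shared across records. What the defender controls
    is the cost of each guess, i.e. the iteration count."""
    for position, guess in enumerate(wordlist, start=1):
        if verify_password(guess, record):
            return position
    return -1


def seconds_per_guess(iterations: int, samples: int = 3) -> float:
    """Measure what one guess costs at a given work factor on this machine."""
    record = hash_password("timing-probe", iterations=iterations)
    start = time.perf_counter()
    for _ in range(samples):
        verify_password("timing-probe", record)
    return (time.perf_counter() - start) / samples


if __name__ == "__main__":
    alice = hash_password("correct horse")
    bob = hash_password("correct horse")  # same password, unrelated record
    print("salts differ:", alice["salt"] != bob["salt"])
    print("digests differ:", alice["digest"] != bob["digest"])
    print("verify ok:", verify_password("correct horse", alice))
    # Constructed wordlist: the work factor, not the salt, decides how long this takes.
    print("hit at guess:", guesses_needed(alice, ["123456", "password", "correct horse"]))
    low, high = seconds_per_guess(1_000), seconds_per_guess(ITERATIONS)
    print(f"cost per guess: {low*1e3:.1f} ms at 1,000 rounds vs {high*1e3:.1f} ms at {ITERATIONS:,}")
```

Run it as a script and the last line makes the point numerically: the hundred-fold jump in iterations buys roughly a hundred-fold increase in the attacker’s cost per guess, whereas changing the salt changes nothing about that cost. That is why the lesson is “do not rely on salting alone” and why the real fix is keeping the database out of the attacker’s hands.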


5. Premera BlueCross BlueShield
When it happened: March 2015
No. of records compromised: 11.2 million records
Premera BlueCross BlueShield said in March that it had discovered a breach in January that affected as many as 11.2 million subscribers, as well as some individuals who do business with the company. The breach compromised subscriber data, including names, birth dates, Social Security numbers, bank account information, addresses and other information. A pile of lawsuits was filed against Premera for waiting roughly six weeks to tell victims that their data might have been exposed, alleging that it had been negligent, breached its contract with customers, violated the Washington Consumer Protection Act and failed to disclose the breach in a timely manner.
ThreatConnect’s blog indicates that the prennera[.]com domain may have been impersonating the healthcare provider Premera Blue Cross; the attackers used the same character-replacement technique, replacing the “m” with two “n” characters within the faux domain.
prennera[.]com definitely looks like a suspicious domain and a likely spoof of Premera, alongside a malicious payload signed with the same digital certificate as malware from the Anthem hack.
Lesson Learned: Enable DNS query logging to detect hostname lookups for known malicious C2 domains. Look for high-entropy random strings in unknown certificates, file names, etc. Monitor for overly short certificates, certificates with missing information, etc. Disclose and communicate data breaches in a timely manner.
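The CareFirst and Premera lessons both come down to the same detection work on DNS query logs: match lookups against a list of known C2 domains, flag high-entropy labels that look machine-generated, and (the Premera case) catch lookalike domains built by swapping characters such as “m” for “nn”. The Python example below is added here and is not ThreatConnect’s, CareFirst’s or Premera’s tooling. It runs those three checks over a constructed log sample. The log line format, the `c2-placeholder.invalid` watch-list entry, the `example.net` hostnames, the entropy threshold and the confusable-character table are all assumptions for the example; only `premera.com` and `prennera[.]com` come from the article.

```python
import math
import re
from collections import Counter

# Constructed sample DNS query log (not from the article). The line format
# "<timestamp> <client-ip> query: <qname> <qtype>" is an assumption for this example.
SAMPLE_LOG = """\
2015-03-10T12:00:01Z 10.0.0.5 query: www.premera.com A
2015-03-10T12:00:07Z 10.0.0.5 query: prennera.com A
2015-03-10T12:01:12Z 10.0.0.9 query: c2-placeholder.invalid A
2015-03-10T12:01:40Z 10.0.0.9 query: xk7q2zp9v4hw1b.example.net A
2015-03-10T12:02:03Z 10.0.0.7 query: mail.example.net MX
"""

# Placeholder watch-list; a real deployment feeds this from threat intelligence.
KNOWN_C2_DOMAINS = {"c2-placeholder.invalid"}
# Brands whose lookalikes we want to catch; premera.com is the case from the article.
PROTECTED_DOMAINS = {"premera.com"}
# Character substitutions used to fake a letter (the article's "m" -> "nn" among them).
CONFUSABLES = (("rn", "m"), ("nn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"))
# Heuristic: only long labels are judged on entropy, to limit false positives.
ENTROPY_MIN_LABEL_LEN = 10
ENTROPY_THRESHOLD = 3.5  # bits per character; 14 distinct chars in 14 is ~3.8

LINE_RE = re.compile(r"^(\S+) (\S+) query: (\S+) (\S+)$")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of the string's own symbol distribution."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def registered_domain(qname: str) -> str:
    # Simplification: treat the last two labels as the registrable domain.
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def fold_confusables(domain: str) -> str:
    """Normalise look-alike sequences so prennera.com and premera.com compare equal."""
    for fake, real in CONFUSABLES:
        domain = domain.replace(fake, real)
    return domain


def lookalike_of(domain: str):
    """Return the protected brand this domain imitates, or None."""
    if domain in PROTECTED_DOMAINS:
        return None  # the genuine domain is not a lookalike of itself
    folded = fold_confusables(domain)
    for brand in PROTECTED_DOMAINS:
        if folded == fold_confusables(brand):
            return brand
    return None


def analyze_dns_log(log_text: str) -> list:
    """Run the three checks over each query line and return one alert per hit."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparsable line; a real pipeline would count these
        ts, client, qname, _qtype = m.groups()
        qname = qname.lower().rstrip(".")
        base = {"ts": ts, "client": client, "qname": qname}
        domain = registered_domain(qname)
        if domain in KNOWN_C2_DOMAINS:
            alerts.append({**base, "reason": "known-c2", "detail": domain})
            continue
        brand = lookalike_of(domain)
        if brand:
            alerts.append({**base, "reason": "brand-lookalike", "detail": brand})
            continue
        # Labels left of the registered domain are where DGA/tunnelling noise shows up.
        for label in qname.split(".")[:-2]:
            if len(label) >= ENTROPY_MIN_LABEL_LEN and shannon_entropy(label) > ENTROPY_THRESHOLD:
                alerts.append({**base, "reason": "high-entropy-label", "detail": label})
                break
    return alerts


if __name__ == "__main__":
    for alert in analyze_dns_log(SAMPLE_LOG):
        print(f"{alert['ts']} {alert['client']} {alert['reason']:<19} {alert['qname']} ({alert['detail']})")
```

On the constructed sample this raises three alerts and stays silent on `www.premera.com` and `mail.example.net`. The lookalike check is deliberately cheap: it folds confusable sequences on both sides and compares for equality, which is enough for the “m” to “nn” swap the article describes; an edit-distance comparison would widen coverage at the price of more review work.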


4. Experian/T-Mobile
When it happened: October 2015
No. of records compromised: 15 million people’s records
T-Mobile uses Experian to process its credit applications. Experian Plc (EXPN.L), the world’s biggest consumer credit monitoring firm, disclosed a massive data breach that exposed sensitive personal data of some 15 million people who applied for service with T-Mobile US Inc.
Experian explained the details on its Web site:
The unauthorized access was in an isolated incident over a limited period of time. It included access to a server that contained personal information for consumers who applied for T-Mobile USA postpaid services or products, which require a credit check, from Sept. 1, 2013 through Sept. 16, 2015.
Brian Krebs reported in his blog that Experian’s Decision Analysis credit information support portal allowed anyone to upload arbitrary file attachments of virtually any file type. Experts said such file upload capabilities are notoriously easy for attackers to use to inject malicious files into databases and other computing environments, and that having such a capability out in the open, without at least first requiring users to supply valid username and password credentials, is asking for trouble. Experian’s insecurity dragged T-Mobile into its privacy scandal.
Lesson Learned: Bake security assessment into your vendor acquisition strategy. Also, do not expose systems to the internet without any form of authentication.
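The weakness described above is an upload endpoint that takes any file, under any name, from anyone. The Python example below is added here and is not Experian’s code; it places the pattern the article warns about beside a hardened handler that enforces the controls a reviewer would ask for: a valid session before the payload is touched, a size bound, an extension allow-list cross-checked against the file’s leading bytes, and a server-generated storage name so the client never picks the path. The request dictionary shape, the session store, the allowed types and the token value are constructed for the example.

```python
import os
import secrets

# Constructed, in-memory stand-ins (example code, not Experian's portal).
# extension -> bytes the content must start with; both must agree for acceptance
ALLOWED_TYPES = {
    ".pdf": b"%PDF-",
    ".png": b"\x89PNG\r\n\x1a\n",
}
MAX_UPLOAD_BYTES = 5 * 1024 * 1024

# session token -> username; populated by a login flow that is out of scope here
SESSIONS = {"tok-constructed-123": "case-worker-1"}


def handle_upload_insecure(request: dict) -> dict:
    """The pattern the article describes: no credentials checked, no content
    checks, and the client-supplied name is used as-is. Anyone on the internet
    can store anything."""
    return {"stored_as": request["filename"], "owner": None, "status": 201}


def handle_upload_hardened(request: dict) -> dict:
    """Same interface, with the controls applied in the order that fails fastest."""
    # 1. Authenticate before looking at the payload at all.
    user = SESSIONS.get(request.get("token", ""))
    if user is None:
        return {"error": "authentication required", "status": 401}

    # 2. Bound the size so the endpoint cannot be used to fill the disk.
    data = request.get("data", b"")
    if len(data) > MAX_UPLOAD_BYTES:
        return {"error": "file too large", "status": 413}

    # 3. Allow-list the extension AND require matching magic bytes, so a
    #    renamed executable does not pass as a document.
    filename = request.get("filename", "")
    ext = os.path.splitext(os.path.basename(filename))[1].lower()
    magic = ALLOWED_TYPES.get(ext)
    if magic is None or not data.startswith(magic):
        return {"error": "file type not permitted", "status": 415}

    # 4. Never reuse the client's name: a random server-side name removes
    #    traversal, overwrite and "guess the URL" problems in one step.
    stored_as = secrets.token_hex(16) + ext
    return {"stored_as": stored_as, "owner": user, "status": 201}


if __name__ == "__main__":
    pdf = b"%PDF-1.4 constructed sample"
    print(handle_upload_insecure({"filename": "anything.exe", "data": b"MZ"}))
    print(handle_upload_hardened({"filename": "report.pdf", "data": pdf}))
    print(handle_upload_hardened({"token": "tok-constructed-123", "filename": "../report.pdf", "data": pdf}))
    print(handle_upload_hardened({"token": "tok-constructed-123", "filename": "report.pdf", "data": b"MZ\x90\x00"}))
```

The ordering matters as much as the checks: authentication comes first so that an unauthenticated caller never gets to exercise the parsing code at all, which is the part most likely to contain bugs.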


3. Office of Personnel Management
When it happened: June 2015
No. of records compromised: 21-25 million federal workers’ records (across both breaches)
On Sep 23, OPM Press Secretary Sam Schumach stated that “Of the 21.5 million individuals whose Social Security Numbers and other sensitive information were impacted by the breach, the subset of individuals whose fingerprints have been stolen has increased from a total of approximately 1.1 million to approximately 5.6 million”.
Breaches involving biometric data like fingerprints are unique and particularly concerning because, unlike passwords, fingerprints cannot be rotated; they are a permanent part of those people’s identity.
A report (PDF) by OPM’s Office of the Inspector General on the agency’s compliance with FISMA finds “significant” deficiencies in the department’s IT security. The report found that OPM did not maintain a comprehensive inventory of servers, databases and network devices, nor were auditors able to tell whether OPM even had a vulnerability scanning program. The audit also found that multi-factor authentication (the use of a token such as a smart card, along with an access code) was not required to access OPM systems. “We believe that the volume and sensitivity of OPM systems that are operating without an active Authorization represents a material weakness in the internal control structure of the agency’s IT security program,” the report concluded.
Lesson Learned: Implement multi-factor authentication for admins accessing sensitive systems, and implement a continuous monitoring strategy. It is important to constantly fine-tune your logs and baseline your environment.