For the past decade, I have had this notion that there must be a cybersecurity canon: a list of must-read books where the content is timeless, genuinely represents an aspect of the community that is true and precise and that, if not read, leaves a hole in a cybersecurity professional’s education. I’ll be presenting on this topic at RSA 2014, and between now and then, I’d like to discuss a few of my early candidates for inclusion.
We Are Anonymous: Inside the Hacker World of LulzSec, Anonymous and the Global Cyber Insurgency (2012) by Parmy Olson
The Anonymous franchise really hit its stride between 2010 and 2011. Hacktivism began earlier than that, of course (1994 was the first documented case that I could find), but it did not strike fear into the hearts of CEOs, CSOs and government officials until that two-year run.
It was the perfect storm of technology, disenfranchised young-ish people, “Internet Pranks as an Art Form” empowerment and the hacking culture that came together into a gigantic hairball of activity and energy that caused governments from around the world to double-clutch on some of their more severe policies and caused business leaders to actually fear the impact to their bottom line.
Trying to understand that phenomenon is quite the task, and Parmy Olson, in her 2012 book, “We Are Anonymous: Inside the Hacker World of LulzSec, Anonymous and the Global Cyber Insurgency,” is an apt guide. Through unprecedented access to some of the core players on many of the more infamous operations, Olson is able to capture the essence of how the hacktivist movement got started in earnest, to describe the inevitable drama between competing factions and to provide insight into how this franchise operates. I think this will absolutely stay relevant; hacktivism is once again in the headlines, as we saw in the early November attacks on Asian government websites.
I call it a franchise because “Anonymous” is not a club. You do not pay dues. You do not register your name, e-mail account and twitter handle with anybody in power. There is no singular power. Anonymous is more of an idea than an organization. Hacktivists use that idea to get attention in the media and to get a reaction from the target they are pursuing.
For example, if I wanted to protest the US Senate’s inability to pass gun-control legislation this year (2013), I might write a scathing blog pointing out the dwarf-like physical characteristics of some of the key senators involved (if I was a law-abiding white-hat citizen). On the other hand, I might choose to go the other way and organize a Distributed Denial of Service (DDOS) attack against a few key senators’ web pages or compromise a senator’s email accounts and publish his or her messages on a public site somewhere (if I was willing to live on the lawless side wearing a black hat).
I could do those things, but nobody on the planet really knows who I am, and all of those activities (white hat and black hat) would just register as part of the noise. But if I wrap myself in the trappings of the Anonymous franchise – the imagery, the YouTube videos with Matrix-like voiceovers and the Twitter public relations campaigns – I amplify the importance of my cause both to the general public and to clueless media outlets. The Anonymous franchise has heft. By claiming to be a leader in the group, regardless of whether I am or not, I get instant recognition and have all the assumed powers that the public thinks the group has. Genius!
How Anonymous Arrived
Ms. Olson walks the reader through the history of how this franchise was built and does a really good job explaining the culture. She also walks through concepts such as 4chan, troll bait, LOIC and SQL injection attacks. Along the way, she scuttles a few of the Anonymous myths. The main one is that not all contributors are elite hackers. In fact, most are not. Many of the operations’ leaders are, for sure, and some of them are quite skilled. But most contributors who consider themselves part of the Anonymous movement are enthusiastic activists with a lot of Internet savvy. They can run circles around the average Joe in terms of Internet communication, but as Ms. Olson notes, not many have ever slung any real code.
Olson describes how the leaders of the more infamous operations (Chanology, Payback, Freedom Ops, etc.) understood this and leveraged it. They treated these enthusiastic activists as trolls, in some kind of perverse recursive prank, and made them think they were more important than they really were. In the early days, leaders even provided the masses a tool, the Low Orbit Ion Cannon (LOIC), which allowed them to easily participate in a DDOS raid of choice. Of course, the developers of the LOIC did not initially protect the users from prying eyes like the FBI, and law enforcement made many arrests. But the Anonymous PR machine kept churning, proclaiming the success of the hacktivist masses against evil governments and commercial empires.
The dirty secret, though, was that as the targets got bigger (PayPal, MasterCard, Visa), the Low Orbit Ion Cannon, even with thousands of contributors, did not put a dent in the defenses of these targets. It was not until the leaders leveraged their own botnets that these web sites were brought to their knees. Of course, that was not the message the PR machine generated. In order to completely leverage the Anonymous franchise and get the attention of the media and the intended targets, they had to proclaim that the damage was being done by the Anonymous masses. Olson calls this “… a mirage of power and scale.”
At the end of the book, Olson lists a comprehensive timeline of significant hacktivist events, from a group called the Zippies launching a DDoS attack on UK government websites in November 1994, to the coining of the term hacktivism in 1996, to Operation Payback in 2010 and the LulzSec 50-day hacking spree in 2011.
She also lists core LulzSec members and other Anonymous supporters, and does a really good job explaining some of the technology used by Anonymous members, including Hashkiller.com, Gigaloader/JMeter, HideMyAss and the use of Second Life gaming worlds to launder money.
Conclusion:
This book is a must read for all cybersecurity professionals. It does not cover the entire Anonymous movement, but by focusing on the evolution of the Anonymous Franchise and the rise and fall of the LulzSec hacking group, Ms. Olson captures the essence of the hacktivist culture and what motivates its supporters. I would put this in my list of essential Cybersecurity books, especially for historical context.
1. A group of literary works that are generally accepted as representing a field: “the durable canon of American short fiction” (William Styron).
2. A list of writings officially recognized as genuine.
3. The list of works considered to be permanently established as being of the highest quality: “Hopkins was firmly established in the canon of English poetry.”
For the past decade, I have had this notion that there must be a cybersecurity canon: a list of must-read books where the content is timeless, genuinely represents an aspect of the community that is true and precise and that, if not read, leaves a hole in a cybersecurity professional’s education. In my new role as Chief Security Officer of Palo Alto Networks, I have to stay visible and well-informed, and make sure I’m an evangelist for the company. To me, these are books no one in our field can do without.
To me, the Canon isn’t purely technical literature and includes both nonfiction and fiction. Books that are how-to-manuals for the inner workings of security protocols, coding practices, standard operating procedures and the like are important, but there are plenty of books in those categories that are covered by the various technical and security certification programs. And unless the book describes some timeless aspect of the community, it doesn’t really meet the definition.
What I am looking for in this list are books that make us human; books that not only tell us how something works but why. The Cybersecurity Canon should include books that explain how we got here and describe the people that drove the community down this path. These books can be novels if they capture the culture correctly and can illustrate and educate the general public about the true nature of cybersecurity. They need to illuminate our timeless thinking on different adversary motivations like crime, hacktivism, espionage and war. They also need to describe realistic hacking techniques and cyber operations.
I’ll be presenting on this topic at RSA 2014 in February, and at that time I’ll discuss my first candidates for inclusion into the Canon. Between now and then, Palo Alto Networks will post my discussions of each of these candidate books so that interested people can preview them before the presentation if they are so inclined and can decide for themselves whether they belong in the Canon or not.
Check back later today for the first entry in my series. Perhaps you might like to take exception with my list and offer other books for consideration. I welcome the debate. This should be fun.
The massive data breach at Target during the 2013 holiday shopping season, which the retailer now admits affected 70 customers, used an inexpensive “off the shelf” malware available online for as little as $1,800, reports Krebs on Security. This malware, known as BlackPOS, is likely of Russian origin and may have also been involved in the Neiman Marcus attack—and others allegedly known but not confirmed.
The malware was surreptitiously installed on the embedded Windows OS computers on the point of sale (POS) terminals in all of Target’s U.S. stores. The company’s Canadian outlets apparently use a different software system and were not targeted in the attacks. Although the magnetic stripe information is encrypted on its way out of these POS terminals to the financial institutions for verification, the data is briefly stored in plain text in the unit’s RAM (memory). Thus, the malware “scrapes” this info from the RAM and stores it until it can be retrieved in batches through a persistent remote connection.
The real weakness, though, is not in the POS terminals but in Target’s central data network. The crooks apparently had an open channel to every POS terminal in every Target store for over two weeks! The price of the malware itself indicates that it’s not rocket science, but neither, I guess, is cracking the whole network.
The POS terminals themselves can be replaced with newer models that encrypt end to end. This will be expensive, but nothing, obviously, compared to the hit that Target has taken thus far. It is surprising that its overall network is so open. The same things that make for convenient remote administration also create huge security holes. WiFi networks have been implicated in previous large retail breaches, but Target has not specified the vector of the attack. All that Target CEO Gregg Steinhafel was willing to tell CNBC in an interview on Saturday was that, “We don’t know the full extent of what transpired, but what we do know is that there was malware installed on our point-of-sale registers. That much we’ve established.”
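The plaintext-in-RAM window described above is also what a defender can audit for: if track data or a bare card number shows up in a memory dump or an application log of a POS process, the end-to-end encryption the article calls for is not doing its job. The following is an added example, not code from the article or from any of the parties it names: a small DLP-style scanner that looks for Track-2-style records and Luhn-valid card numbers in a byte buffer and reports them masked. The buffer and the card numbers in it are constructed test values.

```python
import re

# Constructed sample buffer standing in for a dump of a POS process's memory
# or an application log. All card numbers are well-known synthetic test numbers.
SAMPLE_BUFFER = (
    b"\x00\x00POSAPP v2.1\x00"
    b";4111111111111111=25121015432112345678?"   # Track-2-style record
    b"\x00\x00 order=1842 total=19.99 \x00"
    b"card=5500000000000004 exp=1225"            # bare PAN in a log line
    b"\x00\x00 notacard=1234567890123456 \x00"   # 16 digits but fails Luhn
    b"5105105105105100"
)

# Track 2: sentinel ';', PAN, field separator '=', YYMM expiry, then the rest.
TRACK2_RE = re.compile(rb";?(\d{13,19})=(\d{4})")
# A bare run of 13-19 digits not embedded in a longer digit run.
PAN_RE = re.compile(rb"(?<!\d)(\d{13,19})(?!\d)")


def luhn_ok(digits):
    """Standard Luhn mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan):
    """Keep the BIN (first 6) and last 4; never write full PANs to a report."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_plaintext_cards(buf):
    """Return a list of findings {kind, offset, pan(masked)} for a buffer."""
    findings = []
    seen = set()
    # Track-2 records first: they carry PAN plus expiry, the more serious exposure.
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            findings.append({"kind": "track2", "offset": m.start(), "pan": mask(pan)})
            seen.add(pan)
    # Then bare PANs; skip digit runs that fail Luhn (order IDs, timestamps, etc.).
    for m in PAN_RE.finditer(buf):
        pan = m.group(1).decode()
        if pan in seen or not luhn_ok(pan):
            continue
        findings.append({"kind": "pan", "offset": m.start(), "pan": mask(pan)})
        seen.add(pan)
    return findings


if __name__ == "__main__":
    for f in find_plaintext_cards(SAMPLE_BUFFER):
        print(f"{f['kind']:6s} @ 0x{f['offset']:04x}  {f['pan']}")
```

On the constructed buffer this reports one Track-2 record and two bare PANs and ignores the 16-digit order reference that fails the Luhn check. Pointing it at a real dump of a POS process (after a transaction has completed) is a quick way to confirm whether card data ever exists in process memory in the clear.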
According to Reuters, “smaller breaches on at least three other well-known U.S. retailers took place and were conducted using similar techniques as the one on Target.” Brian Krebs of Krebs on Security says he is not ready to confirm this but assures that “when and if I have information about related breaches I feel confident enough about to publish, you will read about it here first.” I’ll be looking for that any day now.
The only up note in Target’s disclosure is that it is highly unlikely that the perpetrators would have been able to crack the triple-encrypted PIN codes for the purloined card numbers. There is no known method for doing so but there have been reports of inquiries on message boards about such capabilities coinciding with this data breach. The PIN codes would allow the criminals to produce fake cards and use them to withdraw cash. Absent that, a source familiar with these matters tells me that the typical scenario for such stockpiles of credit card numbers is to use them to buy small electronics which can then be resold (new, in the box) on eBay, Amazon and other online marketplaces. This kind of “gray market” activity is responsible for the ability of certain sellers of such items to consistently price their goods just below market value (since they are not paying anything for them anyway!) Combating these kinds of mass outlets for goods purchased with stolen credit cards could make wholesale hoovering of financial data less liquid, and ostensibly less prevalent.
Cyber security is now a topic with implications for every major line of business and market segment.
Palo Alto Networks shares its 13 predictions for cyber security, the threat landscape, firewall and mobile security for 2014.
1. Securing the mobile device will be inextricably linked to securing the network
With freedom of choice comes risk. Megatrends like BYOD and the rise of the mobile workforce are providing fertile ground for cyber criminals and nation states looking to capitalise on devices operating over unprotected networks.
The scales have historically been tipped, leaving enterprises vulnerable to a new breed of advanced threats targeting mobile devices.
In 2014, threat intelligence gained within the enterprise network will offer new defence capabilities for mobile devices operating outside protected networks. Intelligence gained by mobile devices will offer new signature capabilities to further strengthen enterprise networks.
2. Cloud will get a security makeover
Innovations in network virtualisation are enabling automation and transparent network insertion of next-generation security services into the cloud. Security has remained one of the greatest barriers preventing cloud computing from reaching its full potential.
In 2014 next-generation network security and network virtualisation will come together to form a new paradigm for cloud security.
3. Detection times will decrease
Enterprise security has undergone a massive transformation since the introduction of the Next-Generation Firewall (NGFW). This has long since moved from an emerging technology to one that’s universally deployed.
Newer, advanced security services are letting enterprises gain new advantages in detecting unknown threats and gather that information into a threat intelligence cloud that’s developing an impressively high IQ. The net result will be a measurable reduction in the time it takes to detect a breach.
4. There will be a heightened need for better intelligence and sharing on cyber threats
The new era of network security is based on automated processes and building as much intelligence as possible into network security software. This is especially important in industries such as government, education and healthcare, in which there are staffing shortages.
Limited staff need maximum resources including security tools that give them the most visibility into their network traffic and don’t sacrifice business productivity.
5. Security will meet reliability as attacks target control systems
Companies may be able to apply tight network security to data centres and the information they manage. But if they’re not doing the same for certain data centre support systems such as HVAC, cooling and other automated systems that help power, clean and maintain a data centre, they’re leaving the whole data centre vulnerable.
Data centres are required to meet the highest levels of reliability which cannot be achieved unless all of its components, from uplinks and storage to chillers and HVAC systems, are fully fault tolerant and protected from vulnerability and cyber attacks.
These types of attacks, in which smart hackers target the weakest parts of a data centre support infrastructure, will continue.
6. The demand for cyber security and incident response (IR) skills will reach new highs
As more advanced threats have become commonplace, the demands on existing IR teams have begun to outstrip capacity, especially in enterprises and government entities.
A recent survey by the Ponemon Institute found that only 26 per cent of security professionals felt they had the security expertise needed to keep up with advanced threats. Computer science programs will continue to adapt to this trend with more focused training in cyber security disciplines.
7. Advanced attackers will move to mobile devices
A wave of crimeware and fraud has already begun to target mobile devices, which are ripe targets for new malware and a logical place for new threat vectors.
Mobile platforms will be uniquely leveraged by advanced persistent threats (APTs) thanks to the ability to use GPS location to pinpoint individual targets and use cellular connectivity to keep command and control away from enterprise security measures.
8. Financially motivated malware will make a comeback and the lines between APTs and organised crime will blur
The focus of enterprise security will again be on the attacks where money changes hands. Banking and fraud botnets will continue to be some of the most common types of malware. Meanwhile, attribution of APTs is becoming more of a focus in the industry, which means that more hacker groups will spend more time attempting to cover their tracks and hide any unique identifiers.
To do so, they will attempt to imitate, contract with or even infiltrate criminally-focused hacking organisations to provide cover for their operations.
9. Organisations will exert more control over remote access tools
The revelations of how commonly remote access tools such as RDP, SSH and TeamViewer are used to attack networks will force organisations to exert greater control over these tools.
These applications provide support and development teams with powerful tools to simplify their jobs but they are used commonly by attackers. Employees also use these tools to mask what they’re doing on the corporate network as a means of protecting privacy.
Browser plugins such as Remote Desktop and uProxy for Google Chrome will make these tools more accessible and increase the challenge of controlling their use on the corporate network. User privacy is critically important, but users also need to understand that these applications can jeopardise the business.
The challenge will be how organisations can best implement controls without limiting productivity.
10. Cyber lockers and cloud-based file sharing will continue to grow, despite the risks
Palo Alto Networks has been watching browser-based file sharing applications since 2008, when it identified a pool of roughly 10 variants in this group.
As of this year, Palo Alto Networks is tracking more than 100 variants, and according to its research an average of 13 of these applications are found on networks it analyses. In many cases, there is no business use case for this many variants.
While there is business value for some of these applications they do present business and security risks if they’re used too casually. The risks will continue to escalate as vendors try to broaden their appeal to users and differentiate themselves by adding premium, always-on, always-synched features.
11. The mobile OS ecosystem is too big for patchwork protection
The mobile ecosystem is much more complicated and far-reaching than Windows. Too much of what’s being described as mobile security is based on buying add-ons for different devices running different operating systems – a scattershot model doomed to fail.
Rather than focus on securing individual devices, organisations need to look for security solutions that extend next-generation firewall policies across the full range of mobility use cases, independent of OS.
12. Mobile security issues turn security admins’ attention outside the firewall
Still too many mobile security solutions protect a user’s mobile device while they’re behind the corporate firewall but don’t enforce mobile security policy when users are outside it.
Facebook was hacked earlier this year, for example, when employees connected to a mobile developer’s compromised website, downloaded malware and then introduced it to Facebook’s internal servers when they were back behind the firewall.
Expect to hear similar stories in 2014, and hopefully a shifting debate on how to solve these challenges.
13. “Lock it down” just won’t play
Many organisations still take a “lock it down” approach to mobile security and have put policies into effect that are so strict they eliminate the productivity and flexibility benefits of BYOD.
The mushrooming popularity of smartphones and tablets means users will find a way to use them on networks whether admins like it or not.
In 2014, a majority of organisations will finally turn away from the “lock it down” approach in favour of a mobile security model that gives users some breathing room while preserving the secure enterprise network.
According to the Identity Theft Resource Center, as of December 3, 558 breaches have been reported in 2013, and we still have nearly a full month left for more potential breaches. These breaches hit across industries; no one is immune. In late November, BitSight Technologies released a report that investigated how well specific industries were doing in their security efforts. According to the survey, the financial industry has performed the best when it comes to security effectiveness.
At the bottom of the list was the technology industry.
Not surprisingly, a number of the worst security breaches of 2013 happened within the tech industry. In fact, when asked to list the top security breaches of the past year, security experts overwhelmingly named the Adobe breach, followed closely by the more recent Pony botnet attack that focused on companies like Google and Facebook.
One of the more surprising breaches named by experts was former NSA contractor Edward Snowden’s leaks about the extent of the U.S. intelligence community’s Internet surveillance. The data breach was significant for many reasons, starting with what was revealed: pervasive signals intelligence, subversion of encryption standards, collaboration with overseas intelligence communities and many other bombshells.
Other breaches were more predictable, involving stolen devices or phishing scams. Many of the breaches are blamed on foreign hackers and cyber criminals. But the end result is that all of these breaches caused significant damage to businesses and customers. As Costin Raiu, director, Global Research and Analysis Team, Kaspersky Lab, stated:
We predicted 2012 to be revealing and 2013 to be eye opening. That forecast proved correct – 2013 showed that everybody is in the same boat. In truth, any organization or person can become a victim. Not all attacks involve high profile targets, or those involved in ‘critical infrastructure’ projects. Those who hold data could be of value to cybercriminals, or they can be used as a ‘stepping-stones’ to reach other targets.
Here is a list of the worst data breaches of 2013.
Adobe: 150 million exposed account credentials, leading to secondary breaches all over the Internet
You can’t tell the story of 2013 without Adobe, said Scott Simkin, senior product marketing manager, Palo Alto Networks. It was a breach unique in both scale and, more interestingly, the asymmetric ripple effects across the security landscape. First disclosed by Brian Krebs, the story brought an official statement from Adobe, with research revealing that more than 150 million user IDs with hashed passwords were stolen, including at least 38 million active users. Second, it showed how lax security efforts can be, even in a large tech company. The breach reportedly occurred in August or September, but Adobe did not become aware until September 17 and then, it failed to notify the affected users for over two weeks.
Initially, the breach was thought to be much smaller until people started getting their hands on the breached data that was published, according to AppRiver Security Analyst Jon French. The leaked file from the breach contained email addresses, encrypted passwords, and even password hints for Adobe users. Along with the user data breach, some source code was stolen for Adobe products as well. This code could be used for malware writers to program viruses to be more effective in attacks against that software.
Snowden Leaks
In SilverSky CTO Andrew Jaquith’s opinion, the worst data breach of 2013 was former NSA contractor Edward Snowden’s leaks about the extent of the U.S. intelligence community’s Internet surveillance. The data breach was significant for many reasons, he said, starting with what was revealed: pervasive signals intelligence, subversion of encryption standards, collaboration with overseas intelligence communities and other bombshells. He added:
The second reason the breach mattered — one that has not been explored nearly as much — is how Snowden was able to get his material, and what this says about the U.S. government’s ability to compartmentalize. Snowden didn’t work for one of the agencies. He worked for an outside defense contractor. He wasn’t even a full-time employee of that contractor either, but a part-timer who had only been there for a few months. You’ve got to ask how someone who is that far removed from the center of things could get so much top secret information so quickly. He’s either a world-class social engineer, or the NSA’s circle of trust was far too wide. I’m betting on the latter. The Manning case showed that the side-effect of “better intelligence sharing” between agencies resulted in millions of people having access to classified SIPRNET information. When millions of people have access to information, some of it is guaranteed to leak.
NSA’s Spying Program, MUSCULAR
The details of the NSA’s spying program, MUSCULAR, disclosed by Edward Snowden, may prove to have the greatest impact of any breach in 2013. According to J.J. Thompson, managing director and CEO of Rook Security, the MUSCULAR program involved intercepting data from Yahoo and Google private clouds where the data is unencrypted. The data collected included email, pictures, video, text documents, spreadsheets, and an array of other similar file types. And as Zack Whittaker pointed out in a ZDNet article:
In efforts to get “free access” to the traffic that flows between data centers, the NSA had to “circumvent gold standard security measures,” according to the [Washington] Post.
With this new revelation, Google has taken a considerably stronger stance against the NSA’s spying programs, Thompson stated, adding:
And, along with Microsoft, has begun encrypting its internal network traffic. These and other major tech companies are using every resource at their disposal to fight the NSA including public relations and lobbying efforts. It is likely the greatest level of national attention ever paid to a security incident.
Data-Broker Botnet
In September 2013, it was announced that several data aggregator companies, such as Dun & Bradstreet, LexisNexis, and Kroll Background America, were hacked by some very sophisticated attackers who placed botnet software on compromised servers. According to Michelle Johnson Cobb, vice president, Skybox Security, this allowed the attackers to work undetected for months to consolidate massive amounts of PII. The attackers then sold identifying information directly to anyone who wanted it, and it’s clear that the information could be used for years to come to commit identity theft crimes.
This botnet provided a good look at how attackers can target the reservoirs of consumer and business data, using both sophisticated attack methods and ‘Big Data’ aggregation and analytical methods for their nefarious purposes. Also, this kind of stolen data has a ripple effect for a long time. Cobb said that unlike a credit card number that can be cancelled, the names of an individual’s last three employers, previous addresses and so on will live forever, and Social Security numbers are not easily changed. So once the thieves have the information, it can be used again and again in a widening circle of breaches and fraud.
U.S. Government Breaches
The Department of Energy (DoE) breach in July leaked over 104,000 employees’ and contractors’ personal information, with huge implications in the cybersecurity world. Technically, this was the second major successful hack against the DoE this year, said Mark Vankempen, security research engineer, LogRhythm Labs:
The first one that occurred back in February left 14 servers and 20 workstations compromised. This earlier breach also led to the exposure of PII of hundreds of employees, not to mention leaving behind backdoors for future exploits. These types of breaches clearly affect the way people perceive the security of their personal information as well as federal agencies. A solid security posture that utilizes advanced security analytic techniques across the universe of data sources in your environment, combined with contextual emerging threat data, could have been the golden ticket to limiting the scope of the breach or even preventing it entirely.
The attack was made possible by leveraging a flaw in an Adobe product, most likely executed by an unsuspecting employee, added Paul Lipman, CEO of Total Defense. This highlights the need to offer employees protection while they are beyond the corporate firewall, with persistent endpoint protection.
Living Social Breach
This breach stood out in two unique ways. First, it was one of the first major breaches to hit a popular consumer site. As Paul Lipman, CEO of Total Defense, said:
Attackers having access to those users’ information (name, email, password, buying history), from a site where there is already a level of trust established, as well as urgency of message (timed deals), could lead to spear-phishing attempts in the future (such as purported emails from vendors of previous purchases, or fake new offers). This attack highlights the continued need for endpoint and email security, where any malware introduced has the chance to move laterally within a network.
The Living Social breach was also one of the first breaches that involved encrypted password theft. Encrypted passwords, Tom Cross of Lancope said in an IT Business Edge article, are valuable to bad guys:
Encrypted password hashes can be “cracked” with computer software that essentially tries millions of different possible passwords looking for a match. The bad guys will successfully crack the passwords of many Living Social users, and knowing the password, name, and email address for a person, they may be able to break into other accounts that those people maintain on other websites.
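The cracking Cross describes works because an unsalted, fast hash lets an attacker compute one table of guesses and reuse it against every stolen record. The example below is added here and is not code from LivingSocial, Lancope or the article; the page does not say which scheme LivingSocial used, so the weak scheme (unsalted SHA-256) and the hardened one (per-user salt with PBKDF2-HMAC-SHA256) are both assumptions chosen to illustrate the difference, and the wordlist is constructed.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a cracking wordlist of common passwords.
WORDLIST = ["123456", "12345", "password", "qwerty", "letmein", "adobe123"]


def weak_store(password):
    """Unsalted fast hash: identical passwords give identical digests."""
    return hashlib.sha256(password.encode()).hexdigest()


def crack_unsalted(digests, wordlist):
    """One precomputed table cracks every record; cost is len(wordlist) hashes
    regardless of how many records are attacked. Returns (recovered, hashes_done)."""
    table = {weak_store(w): w for w in wordlist}
    recovered = {d: table[d] for d in digests if d in table}
    return recovered, len(wordlist)


def strong_store(password, iterations=100_000):
    """Per-user random salt plus a deliberately slow KDF (PBKDF2-HMAC-SHA256).
    Assumed format: algo$iterations$salt_hex$dk_hex."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify(stored, candidate):
    """Recompute with the record's own salt and compare in constant time."""
    _algo, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def crack_salted(records, wordlist):
    """No shared table is possible: every guess must be recomputed per record,
    so cost is len(records) * len(wordlist) slow KDF runs. Returns (recovered, kdf_runs)."""
    recovered = {}
    runs = 0
    for rec in records:
        for w in wordlist:
            runs += 1
            if verify(rec, w):
                recovered[rec] = w
                break
    return recovered, runs


if __name__ == "__main__":
    users = {"alice": "12345", "bob": "12345", "carol": "correct horse battery staple"}
    weak = {u: weak_store(p) for u, p in users.items()}
    print("unsalted: alice and bob share a digest:", weak["alice"] == weak["bob"])
    print("unsalted cracked:", crack_unsalted(weak.values(), WORDLIST))
    strong = {u: strong_store(p) for u, p in users.items()}
    print("salted: alice and bob share a record:", strong["alice"] == strong["bob"])
    print("salted cracked:", crack_salted(strong.values(), WORDLIST))
```

The salted scheme still yields "12345" for the two users who chose it (a slow KDF cannot rescue a password that is on every wordlist), but each record costs a full pass of slow KDF runs, and the third user's passphrase is not recovered by either method. The leak of a hash table therefore exposes exactly those users who chose guessable passwords, which is the reuse risk Cross describes.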
California-Based AHMC Hospitals Breach from Laptop Theft
Not all of the breaches were due to highly skilled hackers or government negligence. Sometimes terrible breaches happen because of low-tech carelessness.
In October, more than 729,000 patients were put in jeopardy when two unencrypted laptops were stolen from California-based AHMC hospitals. Private patient information, including patient names, Social Security numbers and diagnostic and procedure codes, was compromised in the theft, affecting six major health institutions overall. According to Darren Leroux, WinMagic senior director of product marketing, it took this breach for an encryption policy to be put into place at the AHMC hospital network. He said:
The damage had already been done and if you’re a person that was at risk because the data has been stolen, that’s a pretty scary situation. That health system had to answer to the people whose information was exposed and deal with the reputation and financial implications of such an event, something that could’ve been easily prevented by having a data encryption policy in place. Full disk encryption should be the foundation of any device security.
Hijacking Media Outlets
The Syrian Electronic Army (SEA) captured the “hacktivist” crown this year, with a series of defacements and hacks of major news organizations and Twitter handles, according to Scott Simkin, senior product marketing manager, Palo Alto Networks. The SEA made national headlines with its claim of an attack on President Obama from the Associated Press’ Twitter handle, causing a brief $136 billion dive in the stock market. The SEA then went on to deface the New York Times, Washington Post, National Public Radio, Al-Jazeera and other major news outlets. How does this constitute a data breach? Simkin explained:
Data breaches are always about information, whether it is PII, accounts and passwords, or intellectual property. The SEA flipped this strategy on its head; marking the first time information distribution itself became the target. Social media and the news are primarily about connecting the right people with the information they want to find. When those stories come from a trusted source such as the AP’s Twitter handle or the New York Times, it is often inherently trusted itself. As we saw with the fake President Obama message, information is inherently valuable in its own right. The SEA learned that controlling the flow of information and message from a trusted source can have an outsized impact.
The Silent Breach
The scariest data breaches are the ones that companies don’t even know are happening or aren’t disclosing. In January, The New York Times revealed that its computers were stealthily compromised by Chinese hackers for a period of four months. According to a New York Times article:
The attackers first installed malware — malicious software — that enabled them to gain entry to any computer on The Times’s network. The malware was identified by computer security experts as a specific strain associated with computer attacks originating in China. More evidence of the source, experts said, is that the attacks started from the same university computers used by the Chinese military to attack United States military contractors in the past.
Yet, said Charles McColgan, CTO at TeleSign, what is even worse is the companies that don’t disclose when they have been attacked. Finance and health care companies have strict guidelines about disclosing data breaches. But many enterprise companies won’t disclose a data breach unless a legal or compliance issue forces them to do so, or unless the data has somehow already become public. If companies can get away without acknowledging a data breach, they will.
Pony Botnet
Even though the Pony botnet was first announced in early December, many security experts include it among the worst breaches of 2013. The botnet is responsible for the theft of 2 million passwords and user names from a number of different locations, including Google, Facebook, Twitter and Yahoo. According to CNN:
The massive data breach was a result of keylogging software maliciously installed on an untold number of computers around the world, researchers at cybersecurity firm Trustwave said. The virus was capturing login credentials for key websites over the past month and sending those usernames and passwords to a server controlled by the hackers.
According to Trustwave’s SpiderLabs blog, while it looks like the attack came from the Netherlands, it is more likely that the Netherlands IP is a gateway or proxy for the infected machines. The security company believes that nearly 100 countries were hit by Pony, and that may make this breach, if not the largest in number of compromised accounts, the most international. If nothing else, the Pony botnet breach shows that way too many people are still using simple “12345” passwords.