2015: The Year That Was in Information Security

We're wrapping up quite a year in the world of cybersecurity! As we entered 2015, the world was just winding down from the political drama surrounding the Sony Pictures breach, which the FBI publicly attributed to North Korea and which some considered an act of cyberwarfare. That news set the stage for the ensuing 12 months of high-profile stories, some attracting attention from the mass media and others quietly unfolding within the information security community. Let's take a look at 10 of the most impactful events that affected information security this year.

1. Office of Personnel Management Data Breach

News of the most serious known data breach in the history of the United States government hit the wire this summer. Once the final reports rolled in, the news became even more shocking. Government officials estimate that intruders stole the sensitive personal information of more than 21.5 million current, former and prospective federal employees and contractors.

This was more than a run-of-the-mill breach of Social Security numbers, however. Investigators believe the intruders took copies of the background investigation files compiled on people applying for security clearances, which catalog an applicant's finances, foreign contacts, drug use and other sensitive history, together with roughly 5.6 million fingerprint records. That is exactly the kind of data useful for blackmailing or impersonating government employees, and unlike a password or a credit card number, none of it can be reissued.

Perhaps the most embarrassing aspect of the breach is that it may have been detected during a vendor's sales demonstration. The government initially claimed that the intrusion was identified by its Einstein intrusion detection system (IDS). Later media reports, however, indicated that the breach was actually discovered during a demonstration of forensics software by CyTech Services, a security consulting firm catering to government customers. Either way, the intruders are believed to have been inside the network for months before anyone noticed.

2. The Encryption Debate Rages

In late 2014, Apple and Google released major updates to their smartphone operating systems that significantly strengthened device encryption. The most significant change was that both companies engineered away their own ability to help decrypt a locked device: the data encryption key is derived from the user's passcode (on Apple devices, combined with a key fused into the hardware), and the vendor never holds it. Law enforcement agencies can still obtain court orders demanding the companies' cooperation, but cooperation is no longer technically possible, because Apple and Google possess nothing that would unlock the data.

Over the past year, this debate raged on, with law enforcement agencies demanding a back door that would let them bypass the encryption. Silicon Valley firms, cryptographers and privacy advocates responded strongly, pointing out that there is no way to build an access mechanism that only the "good guys" can use: any escrowed key or bypass becomes a target for theft and abuse, and its mere presence weakens the security of every device. Reports, largely unsubstantiated, that the Paris attackers used encrypted messaging to coordinate their operations brought the debate back to the forefront in November. Expect to see more over the coming months.

3. The EMV Rollout That Wasn't

October 2015 saw the passing of a long-anticipated deadline: the liability shift for credit card transactions. As of Oct. 1, 2015, liability for counterfeit-card fraud at the point of sale moved to whichever party had not adopted EMV chip technology. A merchant whose terminals could not process a chip card became liable for fraud committed at its outlets with a counterfeit copy of that card, where previously the card issuer absorbed the loss.

Analysts expected a rapid uptake of the technology as the deadline approached, but that really didn't happen. Target, the victim of a high-profile data breach in 2013, did roll out chip-and-PIN readers across its stores, but many other major retailers did not follow suit. For most of them, the added fraud liability is small relative to the cost of replacing every point-of-sale terminal at once. Expect a much slower EMV adoption curve as retailers fold the new readers into scheduled upgrades of their point-of-sale systems. Keep in mind, too, that EMV only defends against counterfeit cards at the register; it does nothing for card-not-present fraud online, which is where fraud has historically migrated after a chip rollout.

4. Superfish Redux?

In February, Lenovo came under fire for preloading Superfish Visual Search software on its consumer laptops. To inject advertisements into web pages, Superfish installed its own self-signed root certificate into the Windows trust store and shipped the matching private key on every machine, so it could mint a certificate for any site on the fly and intercept HTTPS traffic without triggering a browser warning. Because the same private key sat on every affected laptop, anyone who extracted it (and researchers did so within hours) could impersonate any HTTPS site to those users. News of the vulnerability rocketed through the security community, Lenovo was vilified in the media for allowing the installation of dangerous software on its systems, and many considered the Superfish executable to be malware.

November brought news of a similar root certificate on Dell systems. A self-signed root named eDellRoot, installed by a Dell support tool together with its private key, first appeared in media reports over Thanksgiving weekend. As this story went to press, Dell was still investigating the incident. The practical lesson for anyone managing a fleet is the same in both cases: enumerate the root certificates your machines trust, and treat any root whose private key exists anywhere outside a properly guarded CA as a compromise of every TLS connection on that device.

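As an added illustration (this is not code from the article, Lenovo or Dell), the following Python script uses the `cryptography` library to build a self-signed root like the ones described, issue a certificate for an arbitrary hostname under it, and show that the leaf passes the signature check a client performs against a trusted root while failing it against any other root. It also scans a PEM trust bundle for roots matching a fingerprint blocklist or the two subject names from these incidents. The bank hostname, the "Honest Example CA" and the blocklisted fingerprints are constructed for the demo.

```python
"""Added example: why a shipped root CA defeats HTTPS, and how to scan for one."""
import datetime
import re

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID

# Subject names taken from the two incidents described in the article.
SUSPECT_COMMON_NAMES = frozenset({"Superfish, Inc.", "eDellRoot"})
_PEM_CERT = re.compile(rb"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def _builder(subject, issuer, public_key, days):
    now = datetime.datetime.now(datetime.timezone.utc)
    return (x509.CertificateBuilder()
            .subject_name(subject).issuer_name(issuer).public_key(public_key)
            .serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=days)))


def make_root(cn):
    """Self-signed root CA returned with its private key, as the adware shipped it."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    cert = (_builder(_name(cn), _name(cn), key.public_key(), 3650)
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))
    return cert, key


def issue_leaf(root_cert, root_key, hostname):
    """Mint a certificate for any hostname under the root. An interception
    proxy holding the root key does this per site, on the fly."""
    leaf_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    cert = (_builder(_name(hostname), root_cert.subject, leaf_key.public_key(), 30)
            .add_extension(x509.SubjectAlternativeName([x509.DNSName(hostname)]), critical=False)
            .sign(root_key, hashes.SHA256()))
    return cert, leaf_key


def signed_by(leaf, issuer):
    """The signature step of chain validation: does the issuer's key verify the
    leaf? (A real client also checks validity dates, names and key usage.)"""
    if leaf.issuer != issuer.subject:
        return False
    try:
        issuer.public_key().verify(leaf.signature, leaf.tbs_certificate_bytes,
                                   padding.PKCS1v15(), leaf.signature_hash_algorithm)
        return True
    except InvalidSignature:
        return False


def fingerprint_hex(cert):
    """SHA-256 over the DER encoding, the form most blocklists publish."""
    return cert.fingerprint(hashes.SHA256()).hex()


def pem_bundle(*certs):
    return b"".join(c.public_bytes(serialization.Encoding.PEM) for c in certs)


def find_suspect_roots(bundle, bad_fingerprints=frozenset()):
    """Scan a PEM trust bundle; return the CNs of roots that match the
    fingerprint blocklist or one of the suspect subject names."""
    hits = []
    for pem in _PEM_CERT.findall(bundle):
        cert = x509.load_pem_x509_certificate(pem + b"\n")
        cn = cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
        if fingerprint_hex(cert) in bad_fingerprints or cn in SUSPECT_COMMON_NAMES:
            hits.append(cn)
    return hits


def demo():
    """Constructed scenario: a rogue root sits in the trust store beside an honest one."""
    rogue, rogue_key = make_root("Superfish, Inc.")
    honest, _ = make_root("Honest Example CA")                 # stand-in for a public root
    leaf, _ = issue_leaf(rogue, rogue_key, "www.bank.example")  # hostname is made up
    return {
        "leaf_verifies_under_rogue_root": signed_by(leaf, rogue),
        "leaf_verifies_under_honest_root": signed_by(leaf, honest),
        "suspect_roots_in_bundle": find_suspect_roots(pem_bundle(honest, rogue)),
    }


if __name__ == "__main__":
    print(demo())
```

The point of `demo()` is that nothing about the leaf for `www.bank.example` is malformed: it verifies cleanly under the rogue root and fails only under the honest one, so a client that trusts the rogue root has no way to tell the interception apart from the real site. The only effective defense is `find_suspect_roots` (or its equivalent for your platform's store): find the root and remove it.
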
5. FBI Attacks Tor with a University's Help

The FBI makes no secret of targeting individuals engaged in criminal activity on the dark web. Operation Onymous, a coordinated law enforcement action in November 2014, took down Silk Road 2.0 and dozens of other Tor hidden services involved in drug sales and other crimes. The FBI's focus on the dark web is hardly surprising, but a defense motion in one of the resulting cases, quoted by Motherboard in November 2015, rocked the security community. It stated:

"On October 12, 2015, the government provided defense counsel a letter indicating that Mr. Farrell's involvement with Silk Road 2.0 was identified based on information obtained by a 'university-based research institute' that operated its own computers on the anonymous network used by Silk Road 2.0."

Circumstantial evidence connected the "university-based research institute" to Carnegie Mellon University, whose researchers had prepared a 2014 Black Hat talk on deanonymizing Tor users that was abruptly cancelled shortly before the conference. The Tor Project has said it believes the same researchers carried out the attack it detected and removed from the network in July 2014, using relays they operated for several months. The details of this one will likely continue to be sorted out.

6. Safe Harbor Ends

In October, the European Court of Justice ruled that the 2000 Safe Harbor agreement between the European Union and the United States was invalid, in a case brought in the wake of the disclosures of National Security Agency surveillance of European communications. The ruling rocked the privacy community, which had long depended on Safe Harbor to legitimize transfers of personal data from Europe to the United States. Affected companies continue to scramble to adopt other compliance mechanisms, such as standard contractual clauses, to keep the routine data exchanges their businesses require on a legal footing.

7. Hackers Target Planes and Automobiles

The transportation industry made security news twice this year as researchers probed the security of its systems. Security researcher Chris Roberts made headlines in April when an FBI affidavit alleged that he had connected to the in-flight entertainment system on commercial flights and claimed to have caused an aircraft to briefly fly sideways. Whether that claim is technically plausible remains disputed, but it was enough to earn him an FBI investigation.

This was followed by a public demonstration in which researchers Charlie Miller and Chris Valasek remotely took control of a Jeep Cherokee over a cellular connection, through a vulnerability in the vehicle's Uconnect infotainment system, and pivoted from there to the CAN bus to manipulate the brakes, steering and transmission. The Miller/Valasek attack prompted Fiat Chrysler to recall over 1.4 million vehicles and may mark the beginning of a wave of similar findings against Internet of Things devices, wherever a network-facing convenience feature shares a bus with safety-critical components.

8. Windows Server 2003 End-of-Life

Windows Server 2003 ended its twelve-year run as a popular server operating system when Microsoft officially ended extended support on July 14, 2015. This marked an important deadline for security professionals, as Microsoft no longer releases security updates for new vulnerabilities in the operating system. Without patches, organizations can no longer consider servers running it secure, and those using it in regulated environments, such as networks in scope for PCI DSS, jeopardize their compliance status.

Despite this dire warning, there are still millions of systems running the deprecated operating system, many of them reachable from the Internet today. If you still have one, isolate it on a segmented network, restrict who and what can reach it, and plan its replacement. Get ready for the next chapter in the end-of-life saga: SQL Server 2005 goes end-of-life in April 2016.

9. NSA Discloses Vulnerability Handling Practices

In an attempt to allay public fears that it was hoarding information about serious security vulnerabilities, the National Security Agency published an infographic describing its disclosure program. Unfortunately, the release raised more questions than it answered. It stated:

"Historically, the NSA has released more than 91 percent of vulnerabilities discovered in products that have gone through our internal review process and that are made or used in the United States."

The two big questions are what happened to the other 9 percent, and which discovered vulnerabilities never went through the "internal review process" at all and so were never counted. The infographic also says nothing about how long a vulnerability is held before it is disclosed, which matters as much to the people exposed in the meantime as whether it is eventually disclosed. The security community reacted with a predictably snarky response to this semi-disclosure.

10. Clinton Email Server

Perhaps the largest computer security story of the year involved a private email server used by Hillary Clinton during her tenure as U.S. Secretary of State. Political opponents seized on the server to vilify Clinton and claim that she had no regard for the security of sensitive government information.

The ironic thing about the Clinton email incident is that it is the only alleged security lapse on our list where there is no evidence that a breach actually occurred. Clinton's opponents argue that the arrangement demonstrated a lack of regard for security, but nobody has yet brought forward evidence that sensitive information was actually compromised. Absence of evidence is not proof of absence, of course: a server run outside an agency's monitoring is also outside the reach of its intrusion detection. At the very least, this story serves as a cautionary tale for government officials about using unofficial email accounts to conduct government business.

What's next?

The security community has certainly had an interesting year in 2015! We've seen some of the most significant data breaches in history, intriguing news from government agencies and major developments on the compliance front. Many of these stories remain unresolved and promise to keep making security headlines after we turn the page on our calendars and get 2016 underway.

About the Author

Mike Chapple is Senior Director for IT Service Delivery at the University of Notre Dame. Mike is CISSP certified and holds bachelor’s and doctoral degrees in computer science and engineering from Notre Dame, with a master’s degree in computer science from the University of Idaho and an MBA from Auburn University.