Vulnerabilities out of control
The attack against Hacking Team over the summer was an eye-opener. The Milan-based company developed and sold surveillance software to government agencies around the world. The company relied on zero-day vulnerabilities to develop software that was difficult to detect and could intercept communications. When an unknown individual released more than 400GB of data stolen from Hacking Team, including email communications, business documents, and source code, security researchers uncovered proofs-of-concept for three different zero-day vulnerabilities in Adobe Flash Player. While Adobe scrambled to fix the flaws as quickly as possible, cyber criminals were able to create exploits and use them in large-scale attacks.
“Hoarding zero-day exploits at both the national and private level is dangerous for everyone. We can’t expect to come out on top if we are sitting on these types of vulnerabilities,” said Tom Gorup, security operations leader at security consulting firm Rook Security.
Not reporting the vulnerabilities to the vendor for fixes means someone else can come along and find the same bug. If it was found once, it stands to reason someone else will eventually find it, too. As Hacking Team learned the hard way, anyone can be breached. And once the vulnerabilities are public, everyone is at risk. Zero-day exploits are unlike physical weapons: the original owner has no control over how and when they are used once they leak. The weapon can be turned right back on its owner, with devastating consequences.
“We need to refocus our cyber efforts to a defensive posture and let our infantry and airmen handle the offensive efforts,” Gorup said.
Government services leak too much info
As attacks against government agencies go, the IRS Transcript Service breach was small beans. Only 100,000 people had their information exposed through this breach, significantly fewer than the 21.5 million affected by the OPM breach. The attackers plugged the victim’s name, address, and Social Security number into the IRS Get Transcript service to obtain detailed information such as income, employer name, and dependents.
What set this attack apart was that the attackers used a legitimate service to turn basic personally identifiable information into the detailed data needed to file falsified tax returns and commit other forms of financial fraud. The same method could conceivably be used against a Department of Motor Vehicles' online renewal process or a county-maintained property appraisal site. With the information obtained through these services, identity theft becomes easier. It was especially effective, as attackers enjoyed a 50 percent success rate using the stolen data, noted Morey Haber, vice president of technology at BeyondTrust.
“Many sites like the Get IRS Transcript website exist all over the Internet for state, local, and federal governments. The IRS was an easy target, but so are the others,” Haber said.