XcodeGhost showed people that Apple’s walled garden can be breached, and at scale. It forced app developers to clean up their systems, re-issue their applications, and be more careful about where they get their developer tools. To defend against similar attacks, iOS developers need to understand that their development systems and apps are themselves valuable to attackers looking for ways to reach iOS users.
“XcodeGhost was the first truly widespread malware that impacted non-jailbroken phones; it was a massive eye-opener for iOS users who had previously thought they were invulnerable to attack,” Olson said.
Juniper’s unauthorized backdoor scandal
Juniper Networks recently uncovered unauthorized code in its NetScreen firewalls that could allow attackers to decrypt VPN traffic. The issue arose because Juniper used Dual_EC_DRBG, a random-number generator known to be flawed, as the foundation for cryptographic operations in NetScreen's ScreenOS. Juniper claimed it had added precautions to secure the random-number generator; it turned out the safeguards were ineffective.
The backdoor in Dual EC can be viewed as two parts, where one adds a second keyhole that overrides the normal lock on a door, and the other is a specific lock cylinder that fits that keyhole, Matthew Green, a cryptographer and assistant professor at Johns Hopkins University, wrote on Twitter. The attackers replaced the NSA-approved lock cylinder with their own lock cylinder. They wouldn’t have been able to replace the cylinder if the door hadn’t been modified with the keyhole in the first place.
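To make the keyhole-and-cylinder analogy concrete, here is an added illustration (not code from the article or from Juniper) of why a Dual EC generator whose constant Q has a known relationship to P is a backdoor, and why swapping Q hands that backdoor to whoever chose the replacement. It uses the public secp256k1 curve parameters; the seed and the two trapdoor scalars are constructed, and the real generator's 16-bit output truncation is omitted for simplicity.

```python
# Added example: toy Dual EC DRBG on secp256k1 (public curve constants; the
# seed and trapdoor scalars below are constructed, and output truncation is omitted).
P_MOD = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
GX = 0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798
G = (GX, pow(GX**3 + 7, (P_MOD + 1) // 4, P_MOD))  # y recovered from the curve

def add(A, B):
    """Affine point addition on y^2 = x^3 + 7; None is the point at infinity."""
    if A is None: return B
    if B is None: return A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None
    if A == B:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P_MOD)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD)
    x3 = (lam * lam - x1 - x2) % P_MOD
    return x3, (lam * (x1 - x3) - y1) % P_MOD

def mul(k, A):
    """Double-and-add scalar multiplication."""
    R = None
    while k:
        if k & 1: R = add(R, A)
        A, k = add(A, A), k >> 1
    return R

def dual_ec(state, Q, count):
    """Dual EC core loop: state <- x(state*P); emit x(state*Q)."""
    out = []
    for _ in range(count):
        state = mul(state, G)[0]
        out.append(mul(state, Q)[0])
    return out

def predict(r, e, Q, count):
    """Trapdoor: with e such that e*Q = P, one output r = x(s*Q) lifts to the
    point s*Q, and e*(s*Q) = s*P is exactly the generator's next state."""
    y = pow(r**3 + 7, (P_MOD + 1) // 4, P_MOD)   # either root works (same x)
    state = mul(e, (r, y))[0]
    return [mul(state, Q)[0]] + dual_ec(state, Q, count - 1)

def keyhole_demo(seed=0x5EED, d_nsa=0xC0FFEE, d_attacker=0xBADCAFE):
    """Q = d_nsa*P is the keyhole plus original cylinder; Q' = d_attacker*P keeps the keyhole but swaps the cylinder."""
    Q, e = mul(d_nsa, G), pow(d_nsa, -1, N)
    out = dual_ec(seed, Q, 4)
    Q2, e2 = mul(d_attacker, G), pow(d_attacker, -1, N)
    out2 = dual_ec(seed, Q2, 4)
    return (predict(out[0], e, Q, 3) == out[1:],       # original holder predicts all later output
            predict(out2[0], e2, Q2, 3) == out2[1:],   # after the swap, the new holder does
            predict(out2[0], e, Q2, 3) != out2[1:])    # and the original trapdoor is locked out
```

The defensive lesson is the same one the Juniper case makes: a generator whose constants cannot be shown to be free of such a relationship should not be trusted, regardless of who chose them.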
In the end, someone somewhere was able to decrypt Juniper traffic in the United States and around the world. The matter is currently under investigation by the FBI.
“NSA built in a powerful eavesdropping backdoor. The attackers simply repurposed it by changing a few bytes of code,” Green said. “I’ll be honest: while I’ve been worrying about something like this for a long time, seeing it actually happen is staggering.”
In light of the mounting pressure from government officials on the tech industry over encryption backdoors, what happened to Juniper is a clear example of how backdoors can be abused. 2016 will tell whether law enforcement and government will learn the lesson and back off on those demands.
It’s clear from looking at the attacks and breaches this year that the IT security industry is not well-positioned to defend itself. Knowing is half the battle, but there’s a long road ahead for organizations that don’t follow the basics of security best practices. “Security isn’t cheap, and when you’ve historically underinvested in security, what it takes to catch up in both technology investment and human capital is expensive,” said James Carder, CISO at LogRhythm and vice president of LogRhythm Labs.