4 Lessons We Should Never Forget From Historic Breaches Of Security
Editor's note: Jack Rhysider has been working as a Network Security Engineer for over 10 years, defending networks from intruders and attackers for numerous Fortune 1000 companies. He is the host for the podcast Darknet Diaries, which we highly recommend you check out.
Internet hacking and breaches of security have been a serious threat since people first got bored with writing "55378008" on calculators. But what lessons can we learn from historic breaches so we can avoid repeating these mistakes?
Lesson 1: The Oldest Known Vulnerability Is Still A Big Problem
According to Rapid7, the oldest vulnerability listed in its database is the use of known default passwords: specifically the username “admin” with the password “password”. This has been a widely used username and password combination since 1970. Surely by now we have learned our lesson not to ship devices that have this username and password, right? Unfortunately, no.
Numerous botnets have taken advantage of this vulnerability that’s over 40 years old. The most interesting of these was the Carna Botnet, which, incidentally, would make an awesome name for a robot fighting team. In 2012 this botnet was launched and found over 420,000 devices directly on the internet with public IPs that allowed telnet and had default passwords like “password,” “root,” or “admin”. That means a person writing a simple script to check every IP on the internet could gain full admin access to 420,000 computers.
Map of infected computers. On the upside, they're very pretty.
More sophisticated botnets exploit cutting edge vulnerabilities to get access to thousands of systems ... but just checking the internet for default passwords seems to be good enough. With a botnet this size, it can easily be used to flood and attack major websites and take companies offline. It's basically the internet's version of E. Honda's "Hundred Hand Slap".
While most of these problems can be fixed by ISPs and people who own these systems, you can't overlook the fact that the manufacturer is shipping devices with weak security. Devices should come fully secured by default, but they aren’t -- manufacturers continue to make and ship devices with weak passwords and telnet enabled.
The biggest lesson to be learned here, though, is to always change the default password of any device you own. In our ultra-connected world, we face a risk by having our devices online. Let’s not fall victim to an attack that is this well known and older than some of your parents.
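If you run or ship devices, the practical version of this lesson is to check, before a box goes online, that no local account is still on a factory password and that clear-text admin services like telnet are off. The Python below is an added example, not code from the article or from any vendor: it audits a device's own (constructed, salted-PBKDF2) account store against a short default-password list and flags exposed services in a made-up config dictionary. The account format, the `audit_device` report shape and the low PBKDF2 round count are all assumptions made for the demo.

```python
import hashlib
import hmac

# Constructed list of the factory credentials the article mentions. A real audit
# would load the vendor's published defaults instead of this hard-coded set.
DEFAULT_PASSWORDS = ("password", "admin", "root", "1234")

# Deliberately low iteration count so the demo runs quickly; a shipping device
# should use a far higher cost.
PBKDF2_ROUNDS = 20_000


def hash_password(password, salt):
    """Salted PBKDF2-HMAC-SHA256, the way a sane firmware would store passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def make_account(user, password, salt):
    """Build one entry of a device's local account store (constructed format)."""
    return {"user": user, "salt": salt, "hash": hash_password(password, salt)}


def accounts_with_default_passwords(accounts):
    """Return (user, default) pairs for every local account still on a factory
    password. Meant to run against the device's own store before deployment."""
    hits = []
    for acct in accounts:
        for candidate in DEFAULT_PASSWORDS:
            digest = hash_password(candidate, acct["salt"])
            if hmac.compare_digest(digest, acct["hash"]):
                hits.append((acct["user"], candidate))
                break
    return hits


def exposed_services(config):
    """Flag clear-text or WAN-reachable admin services in a (constructed)
    service-settings dictionary."""
    findings = []
    if config.get("telnet", {}).get("enabled"):
        findings.append("telnet enabled (clear-text logins; prefer SSH with keys)")
    if config.get("wan_admin", {}).get("enabled"):
        findings.append("admin interface reachable from the WAN side")
    return findings


def audit_device(accounts, config):
    """Combine both checks; a device passes only when both lists are empty."""
    report = {
        "default_passwords": accounts_with_default_passwords(accounts),
        "exposed_services": exposed_services(config),
    }
    report["passes"] = not report["default_passwords"] and not report["exposed_services"]
    return report


# Constructed sample device: 'admin' still on the factory password, telnet still on.
SAMPLE_ACCOUNTS = [
    make_account("admin", "password", b"salt-admin-01"),
    make_account("operator", "correct horse battery staple", b"salt-oper-01"),
]
SAMPLE_CONFIG = {
    "telnet": {"enabled": True},
    "ssh": {"enabled": True},
    "wan_admin": {"enabled": False},
}

if __name__ == "__main__":
    print(audit_device(SAMPLE_ACCOUNTS, SAMPLE_CONFIG))
```

The hash comparison uses `hmac.compare_digest` so the audit itself does not leak timing information, and the check stops at the first matching default per account so the report names one finding per user.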
Lesson 2: A Breach Of A Single Certificate Authority Undermines The Security Of The Entire Internet
Without getting into too many details on what a Certificate Authority (CA) does, just know this: it validates that the website you’re visiting is in fact genuine. In order for the website to be genuine, the website must get an identity certificate from a CA. When a website applies for an SSL certificate they have to prove they own that domain. After a CA confirms the applicant owns the domain they are applying for, a certificate is granted. But what happens if a CA grants a certificate to someone who doesn’t own that domain? Trouble. Big Trouble. And not just in Little China.
In 2011 a CA called DigiNotar was breached. The hacker broke in and issued themselves a bunch of certificates, including one for Google.com. They then set up a fake Google.com website and started directing traffic to it. Because browsers trusted that CA, and the hacker had a certificate from that CA, visitors were unaware they were actually visiting the rogue Google.
And when they found out what really happened ...
Because the hacker had a rogue Google.com server and poisoned a DNS server, tons of traffic went to theirs instead of Google’s. It’s estimated that over 300,000 people logged into their GMail account during this attack, and it’s likely that the hacker accessed these mailboxes. Which means they likely saw your many, many emails, professing your love for Adele and LMFAO, because 2011 was a weird year.
The takeaway lesson from all this is that if one CA were to be breached, it ruins the security for all CAs. Browser makers have to be very diligent at vetting and verifying that every CA is following good practices by being both secure and ethical.
Another lesson to learn from the DigiNotar breach is that a single hack can permanently shut down a company. DigiNotar responded to this incident in such a way that the public lost all trust in them as a company. There’s no way to recover from damage that bad, and they had to go out of business. We're pretty sure Adele wrote a song about it.
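The reason one bad CA poisons the whole system is that a browser's trust store is a flat list: any CA on it can vouch for any domain. The Python below is an added example, not code from the article or from any browser or CA, that models that logic with a toy trust store. The "signatures" are textbook RSA on small Mersenne primes, which is only big enough to show the mechanics and is nothing like a real CA key; the CA names, the certificate layout and the `PINS` table are all constructed for the demo. It shows the rogue google.com certificate passing the normal check, failing once "DigiNotar" is dropped from the store (what browsers actually did), and failing earlier if the site's expected issuer is pinned.

```python
import hashlib
import json

PUBLIC_EXPONENT = 65537


def toy_keypair(p, q, e=PUBLIC_EXPONENT):
    """Textbook RSA on two fixed primes (constructed, NOT secure): returns (public, private)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))


def _digest(data, n):
    """SHA-256 of the signed bytes, reduced into the toy modulus."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(private_key, data):
    n, d = private_key
    return pow(_digest(data, n), d, n)


def verify(public_key, data, signature):
    n, e = public_key
    return pow(signature, e, n) == _digest(data, n)


def _to_be_signed(cert):
    """Canonical bytes the CA signs: subject and issuer only (constructed format)."""
    return json.dumps({"subject": cert["subject"], "issuer": cert["issuer"]}, sort_keys=True).encode()


def issue_certificate(ca_name, ca_private, subject):
    body = {"subject": subject, "issuer": ca_name}
    return {**body, "signature": sign(ca_private, _to_be_signed(body))}


def validate(cert, hostname, trust_store, pins=None):
    """Browser-style check: name matches, issuer is trusted, signature verifies and,
    if a pin exists for this host, the issuer is the one pinned."""
    if cert["subject"] != hostname:
        return False, "name mismatch"
    ca_public = trust_store.get(cert["issuer"])
    if ca_public is None:
        return False, "issuer not trusted"
    if not verify(ca_public, _to_be_signed(cert), cert["signature"]):
        return False, "bad signature"
    if pins and pins.get(hostname) not in (None, cert["issuer"]):
        return False, "issuer does not match pin"
    return True, "ok"


# Two CAs with distinct toy keys (Mersenne primes 2^61-1, 2^31-1, 2^19-1, 2^17-1).
HONEST_PUB, HONEST_PRIV = toy_keypair(2**31 - 1, 2**61 - 1)
DIGINOTAR_PUB, DIGINOTAR_PRIV = toy_keypair(2**19 - 1, 2**17 - 1)
TRUST_STORE = {"HonestCA": HONEST_PUB, "DigiNotar": DIGINOTAR_PUB}

# Constructed scenario: the intruder holding DigiNotar's key issues a google.com cert.
ROGUE_CERT = issue_certificate("DigiNotar", DIGINOTAR_PRIV, "google.com")
REAL_CERT = issue_certificate("HonestCA", HONEST_PRIV, "google.com")
PINS = {"google.com": "HonestCA"}  # the issuer the site is known to use


def after_distrust(trust_store, ca_name):
    """Trust store with one CA removed, as browsers did for DigiNotar."""
    return {name: key for name, key in trust_store.items() if name != ca_name}


if __name__ == "__main__":
    print("rogue, plain check:   ", validate(ROGUE_CERT, "google.com", TRUST_STORE))
    print("rogue, with pin:      ", validate(ROGUE_CERT, "google.com", TRUST_STORE, PINS))
    print("rogue, CA distrusted: ", validate(ROGUE_CERT, "google.com", after_distrust(TRUST_STORE, "DigiNotar")))
    print("real, with pin:       ", validate(REAL_CERT, "google.com", TRUST_STORE, PINS))
```

The first line of output is the whole lesson: with nothing but the trust store to go on, the rogue certificate is indistinguishable from a real one. Distrusting the CA fixes the past; pinning (or its modern relatives, CAA records and Certificate Transparency monitoring) is what lets a site operator notice a certificate they never asked for.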
Lesson 3: The US Government Has Historically Pushed For Weak Encryption
Some of the early internet pioneers realized that traffic should be encrypted to prevent eavesdropping. The US Government had strict regulations on encryption and only allowed the 40-bit Data Encryption Standard (DES) as the maximum strength method. It's about the same level of security as covering a broken car window with plastic and duct tape.
Even though there were much stronger encryption methods, the government restricted those from being allowed online. They were either naive that DES was weak or they had a way to crack it and just wanted to eavesdrop on internet communications. Maybe they wanted to know how you secretly felt about LeAnn Rimes. MAN, nostalgia jokes are easy.
In 1998 the Electronic Frontier Foundation used off-the-shelf components to demonstrate that DES was easily crackable. They created a computer called the DES Cracker which could decipher a DES encrypted message in a few days.
You have to shake it until the messages fall out.
But in spite of the fact that it totally worked, the US government still kept DES as the standard, stating that a few days is too slow for this to be a threat. So the EFF beefed up their DES Cracker, improved its capability and was able to crack a DES message in under a day. Finally, the US government gave in and declared DES to be weak, allowing us to use higher encryption methods.
This is sort of a double-edged sword for the US government: They have a duty to protect their citizens from harm. One way they do this is to always be listening for talk about upcoming threats. Now that the internet uses strong encryption, it makes it very hard for them to do that. So historically the government has sought ways of undermining the encryption, keeping it weak, or finding holes in it that they can exploit. After 9/11, the US began developing new ways to break the encryption standards in order to protect the home soil. It’s unknown exactly what encryption the US government can break, and if you don’t want them snooping on you, it’s always best to use the latest, strongest encryption.
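"Use the latest, strongest encryption" has a concrete form in code: refuse old protocol versions and strip DES, RC4 and export-grade suites out of what your client will negotiate. The Python below is an added example, not code from the article or from any project: it builds a hardened TLS client context with the standard-library `ssl` module, checks a cipher list for weak primitives (useful on a context's own list or on a list pulled from a server scan), and includes a small brute-force time estimate so the key-size difference the EFF exploited is visible in numbers. The `WEAK_MARKERS` list, the cipher string and the `LEGACY_SERVER_SUITES` sample are constructed for the demo.

```python
import ssl

# Substrings that mark cipher suites built on broken or export-weakened algorithms
# (constructed list for this demo; DES and RC4 are the two the article's era cared about).
WEAK_MARKERS = ("DES", "RC4", "RC2", "EXPORT", "EXP-", "NULL", "MD5")


def hardened_client_context():
    """Client context that refuses anything below TLS 1.2 and only offers AEAD suites
    with forward secrecy. Certificate verification stays on (the library default)."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!DES:!3DES:!RC4:!EXPORT")
    return ctx


def context_cipher_names(ctx):
    """Names of the suites a context will actually offer (TLS 1.3 suites included)."""
    return [c["name"] for c in ctx.get_ciphers()]


def weak_suites(cipher_names):
    """Return the names in `cipher_names` that rely on a weak primitive."""
    return [name for name in cipher_names if any(m in name.upper() for m in WEAK_MARKERS)]


def brute_force_days(key_bits, keys_per_second):
    """Expected days to find a key by exhaustive search: half the keyspace on average."""
    return (2 ** (key_bits - 1)) / keys_per_second / 86400


# Constructed example of a legacy server's offered suites, as a scanner might report them.
LEGACY_SERVER_SUITES = ["DES-CBC-SHA", "EXP-RC4-MD5", "AES256-SHA", "ECDHE-RSA-AES128-GCM-SHA256"]

if __name__ == "__main__":
    print("weak suites on legacy server:", weak_suites(LEGACY_SERVER_SUITES))
    print("weak suites in hardened context:", weak_suites(context_cipher_names(hardened_client_context())))
    for bits in (40, 56, 128):
        print(f"{bits}-bit key at 1e12 keys/s: {brute_force_days(bits, 1e12):.3g} days")
```

Each extra key bit doubles the search, so going from 40 to 56 bits buys a factor of 65,536, and 128 bits puts exhaustive search beyond any plausible hardware; that is why the answer to "can they crack it" is to move up key sizes and protocol versions rather than to argue about how many days the current one takes.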
Lesson 4: Personal Data Of Children Is At Risk
The more connected and digital our kids become, the more their data is being collected by companies. VTech creates kid-friendly tablets and connected watches, and in 2015 a hacker got into their database. The hacker was able to use old and not-so-sophisticated techniques to gain access through the main VTech website. Once inside, they were able to grab hundreds of thousands of user records, which included kids' names, addresses, birthdays, photos, videos and voice recordings.
That's not censored. That's what they actually look like.
We were going to make another music joke here, but we don't know any songs from 2015.
This created a lot of bad press for VTech and resulted in a class action lawsuit. Years later the FTC fined VTech $650,000 for violating COPPA laws. In the US, the Children's Online Privacy Protection Act requires companies that collect data for people under 13 to adhere to certain privacy guidelines. And a significant portion of those laws boil down to, "Hey, don't do that."
The lesson we can learn from the VTech breach is that toy makers do not always take security and privacy seriously. Their business model is to make cheap toys for the masses, and it can fall severely short when it comes to securing private data. When buying toys that connect our kids digitally, we should not trust the company to keep our privacy in their best interest. We should teach children early not to enter private information into toys and electronic devices, because that private information can be used against us.
Think "stranger danger," except with every modern device they come in contact with.