5 biggest security failures of 2015 and who is still at risk
Security breaches are, in all likelihood, an inevitability of information technology. Despite the best efforts of IT professionals, perfect security is not yet possible. Headaches arise when poor security practices by vendors, governments, and other companies put your information or users at risk.
These five security failures are the biggest stories of 2015, and have consequences that extend well into next year.
1. OEM-bundled tools create security vulnerabilities
In February, it was discovered that Lenovo had bundled an adware program called SuperFish into some consumer-model notebook computers. This software altered search results to insert alternative ads to what would normally appear. In order to scan encrypted web pages to identify where to insert advertisements, all of the affected computers have SuperFish self-signed root encryption certificates, making users vulnerable to a man-in-the-middle attack. Within a week of disclosure, Lenovo provided a removal tool. In November, Dell was caught with not one, but two root certificates allowing for man-in-the-middle attacks similar to the SuperFish incident.
In August, it was discovered that Lenovo was using the Windows Platform Binary Table (WPBT) feature of UEFI—intended for anti-theft software to persist after a disk format—to install a dropper that replaces Windows system files and installs utilities that update system drivers and report system data (machine type, system UUID, etc.) to Lenovo. Because of the use of WPBT, it would persistently reinstall itself on fresh Windows installations. Again, Lenovo provided removal tools for desktops and laptops.
The most damaging of these security holes was discovered in December, when the OEM-bundled service management software Lenovo Solution Center, Toshiba Service Station, and Dell System Detect were found to have structurally identical vulnerabilities that allow attackers to run arbitrary code at a system level, regardless of the type of user that is logged in. Unlike the aforementioned vulnerabilities, this also extends to Lenovo’s Think-branded professional line of computers.
2. Office of Personnel Management hacked twice
The United States Office of Personnel Management is the organization charged with managing the civil service operations of the federal government—and, by extension, holds records of current and former government employees, as well as people who applied to government positions unsuccessfully. These records include personally identifiable information for 21.5 million people, with fingerprints of 5.6 million people. Notably, OPM is often responsible for vetting people for national security clearances, which requires extensive, and often personally invasive documentation, which also appears to have been breached as a result of this hack.
3. Ashley Madison hack embarrasses millions
An organization called “Impact Team” hacked Avid Life Media, the operators of affair matchmaking website Ashley Madison in July, with the user data of millions of people being released by Impact Team in August. ZDNet’s Violet Blue noted that Ashley Madison is “a honeypot for people who had something to hide.” According to Dadaviz, about one third of the email addresses are fakes like “[email protected],” but a surprising number of users registered with their work email addresses, causing embarrassment both for employees and employers.
4. Stagefright creates text-message terrors
In July, a vulnerability was disclosed in Android’s libstagefright video playback library (which was also used in the recently-discontinued smartphones running Firefox OS) that allows for a buffer overflow in MPEG4 video files, allowing attackers to escalate privileges and run arbitrary code. This issue is compounded by the ease of utilizing the attack.
Viewing specifically crafted MMS messages allows attackers to gain control of vulnerable smartphones, if the AOSP-default Messages app is used. However, if Google Hangouts is used as the default SMS/MMS handler (as many Android devices have configured), users are vulnerable if they receive a message, even if it has not been viewed.
In October, a structurally identical bug was found in libutils. There are methods to mitigate the issue, such as disabling the automatic retrieval of MMS messages, but the vulnerabilities lie in the core of Android system libraries, which require a firmware update from device vendors.
5. Android’s update model leaves users vulnerable
The normal means of security updates is vaguely as follows: Researcher reports vulnerability, developer patches vulnerability, user (perhaps automatically) downloads updated software. Apple is able to deliver timely software updates to all (except depreciated models, though 2011’s iPhone 4S runs the latest version), and Microsoft is delivering on their promise to do the same on Windows Phone 10.
Android does not have this benefit. OEMs, not Google, are responsible for packaging Android core updates for their devices, and the excessively large product portfolio of many OEMs makes this a labor-intensive process. The issue is magnified in the US, where mobile carriers charge OEMs to deliver software updates, usually delaying delivery of updates for months for “quality of service” testing. Upgrading phones to new versions of Android after the initial sale is not only expensive for OEMs, it theoretically decreases sales of new devices with updated software, giving OEMs a perverse incentive to leave devices with outdated, insecure software.
Google finally announced monthly security updates for Android, which naturally roll out automatically to Nexus devices; and Samsung and LG were quick to issue updated firmware for their flagship models, while the President of HTC called the prospect “unrealistic”. Jack Wallen offered his guidance for fixing the Android update issue in November, but as it stands, Android updates are still fundamentally broken.
What’s your view?
Have you been affected by one of these issues? Is there a hack that you think is a more pressing issue than these top five? Share your thoughts in the comments.