As we near the precipice of 2016, let’s take a minute to reflect on the security lessons we learned in 2015. From Ashley Madison, to hacked kettles, and dodgy security advice from the government, there’s a lot to talk about.
2015 saw a rush of people upgrading their existing analog household items with computerized, Internet-connected alternatives. Smart Home tech really took off this year in a way that looks set to continue into the New Year. But at the same time, it was also hammered home (sorry) that some of these devices aren’t all that secure.
The biggest Smart Home security story was perhaps that the discovery that some devices were shipping with duplicate (and often hard-coded) encryption certificates and private keys. It wasn’t just Internet of Things products either. Routers issued by major ISPs have been found to have committed this most cardinal of security sins.
So, why is it a problem?
Essentially, this makes it trivial for an attacker to spy on these devices through a ‘man-in-the-middle’ attack, intercepting traffic whilst simultaneously remaining undetected by the victim. This is concerning, given that Smart Home tech is increasingly being used in incredibly sensitive contexts, such as personal security, household safety, and in healthcare.
If this sounds familiar, it’s because a number of major computer manufacturers have been caught doing a very similar thing. In November 2015, Dell was found to be shipping computers with an identical root certificate called eDellRoot, while in late 2014, Lenovo was began intentionally breaking SSL connections in order to inject adverts into encrypted webpages.
It didn’t stop there. 2015 was indeed the year of Smart Home insecurity, with many devices identified as coming with an obscenely obvious security vulnerability.
My favorite was the iKettle (you guessed it: A Wi-Fi enabled kettle), which could be convinced by an attacker to reveal the Wi-Fi details (in plaintext, no less) of its home network.
For the attack to work, you first had to create a spoofed wireless network that shares the same SSID (the name of the network) as the one which has the iKettle attached to it. Then by connecting to it through the UNIX utility Telnet, and traversing through a few menus, you can see the network username and password.
Then there was Samsung’s Wi-Fi connected Smart Fridge, which failed to validate SSL certificates, and allowed attackers to potentially intercept Gmail login credentials.
As Smart Home tech becomes increasingly mainstream, and it will, you can expect to hear of more stories of these devices coming with critical security vulnerabilities, and falling victim to some high-profile hacks.
One recurring theme we’ve seen over the past few years is how utterly oblivious most governments are when it comes to security matters.
Some of the most egregious examples of infosec illiteracy can be found in the UK, where the government has repeatedly and consistently shown that they just don’t get it.
One of the worst ideas that’s being floated in parliament is the idea that the encryption used by messaging services (such as Whatsapp and iMessage) should be weakened, so the security services can intercept and decode them. As my colleague Justin Pot saliently pointed out on Twitter, that’s like shipping all safes with a master keycode.
Imagine if government said every safe should have a standard second code, in case cops want in. That's the encryption debate right now.
— Justin Pot (@jhpot) December 9, 2015
It gets worse. In December 2015, the National Crime Agency (the UK’s answer to the FBI) issued some advice for parents so they can tell when their children are on the road to becoming hardened cybercriminals.
These red flags, according to the NCA, include “are they interested in coding?” and “are they reluctant to talk about what they do online?”.
This advice, obviously, is garbage and was widely mocked, not only by MakeUseOf, but also by other major technology publications, and the infosec community.
The @NCA_UK lists an interest in coding as a warning sign for cyber crime! Quite astounding. https://t.co/0D35wg8TGx pic.twitter.com/vtRDhEP2Vz
— David G Smith (@aforethought) December 9, 2015
So an interest in coding is now a "warning sign of cyber crime". The NCA is basically a 1990s school IT dept. https://t.co/r8CR6ZUErn
— Graeme Cole (@elocemearg) December 10, 2015
Children who were 'interested in coding' grew up to be the engineers who created #Twitter, #Facebook and the #NCA website (among others)
— AdamJ (@IAmAdamJ) December 9, 2015
But it was indicative of a troubling trend. Governments don’t get security. They don’t know how to communicate about security threats, and they don’t understand the fundamental technologies that make the Internet work. For me, that’s far more concerning than any hacker or cyber-terrorist.
The biggest security story of 2015 was undoubtedly the Ashley Madison hack. In case you’ve forgotten, let me recap.
Launched in 2003, Ashley Madison was a dating site with a difference. It allowed married people to hook up with people who weren’t actually their spouses. Their slogan said it all. “Life is short. Have an affair.”
But gross as it is, it was a runaway success. In just over ten years, Ashley Madison had accumulated almost 37 million registered accounts. Although it goes without saying that not all of them were active. The vast majority were dormant.
Earlier this year, it became apparent that all was not well with Ashley Madison. A mysterious hacking group called The Impact Team issued a statement claiming they’d been able to obtain the site database, plus a sizable cache of internal emails. They threatened to release it, unless Ashley Madison was shut down, along with its sister site Established Men.
Avid Life Media, who are the owners and operators of Ashley Madison and Established Men, issued a press release that downplayed the attack. They emphasized that they were working with law enforcement to track down the perpetrators, and were “able to secure our sites, and close the unauthorized access points”.
Statement from Avid Life Media Inc.: http://t.co/sSoLWvrLoQ
— Ashley Madison (@ashleymadison) July 20, 2015
On the 18th of August, Impact Team released the full database.
It was an incredible demonstration of the swiftness and disproportionate nature of Internet justice. No matter how you feel about cheating (I hate it, personally), something felt utterly wrong about it. Families were torn asunder. Careers were instantly and very publicly ruined. Some opportunists even sent subscribers extortion emails, through email and by post, milking them out of thousands. Some thought their situations were so hopeless, they had to take their own lives. It was bad.
The hack also shone a spotlight at the inner workings of Ashley Madison.
They discovered that of the 1.5 million women who were registered on the site, only around 10,000 were actual genuine human beings. The rest were robots and fake accounts created by the Ashley Madison staff. It was a cruel irony that most people who signed up probably never met anyone through it. It was, to use a slightly colloquial phrase, a ‘sausage fest’.
most embarrassing part of your name being leaked from the Ashley Madison hack is you flirted with a bot. for money.
— verbal spacey (@VerbalSpacey) August 29, 2015
It didn’t stop there. For $17, users could remove their information from the site. Their public profiles would be erased, and their accounts would be purged from the database. This was used by people who signed up and later regretted it.
But the leak showed that Ashley Maddison didn’t actually remove the accounts from the database. Instead, they were merely hidden from the public Internet. When their user database was leaked, so were these accounts.
BoingBoing days Ashley Madison dump includes information of people who paid AM to delete their accounts.
— Denise Balkissoon (@balkissoon) August 19, 2015
Perhaps the lesson we can learn from the Ashley Madison saga is that sometimes it’s worth acquiescing to the demands of hackers.
Let’s be honest. Avid Life Media knew what was on their servers. They knew what would have happened if it were leaked. They should have done everything within their power to stop it from being leaked. If that meant shutting down a couple of online properties, so be it.
Let’s be blunt. People died because Avid Life Media took a stand. And for what?
At a smaller scale, it can be argued that it’s often better to meet the demands of hackers and malware creators. Ransomware is a great example of this. When someone is infected, and their files are encrypted, the victims are asked for a ‘ransom’ in order to decrypt them. This is generally in the bounds of $200 or so. When paid up, these files are generally returned. For the ransomware business model to work, victims have to have some expectation they can get their files back.
I think going forward, many of the companies who find themselves in the position of Avid Life Media will question whether a defiant stance is the best one to take.
2015 was a strange year. I’m not just talking about Ashley Madison, either.
The VTech Hack was a game changer. This Hong Kong based manufacturer of children’s toys offered a locked-down tablet computer, with a kid-friendly app store, and the ability for parents to remotely control it. Earlier this year, it was hacked, with over 700,000 children’s profiles being leaked. This showed that age is no barrier to being the victim of a data breach.
It was also an interesting year for operating system security. While questions were raised about the overall security of GNU/Linux, Windows 10 made grand promises of being the most secure Windows ever. This year, we were forced to question the adage that Windows is inherently less secure.
Suffice to say, 2016 is going to be an interesting year.
What security lessons did you learn in 2015? Do you have any security lessons to add? Leave them in the comments below.