At least for those of us on the sidelines
We’re not trying to rank order the security events of 2016, but if we were, this one would go down as the all-time granddaddy of security breaches. Yahoo actually announced multiple data breaches this year. The first, reported in September 2016, affected over 500 million Yahoo! user accounts and occurred sometime in late 2014. The second, reported in December 2016, affected over 1 billion user accounts and occurred around August 2013.
Interestingly enough Yahoo claims that both breaches were the work of a “nation state”.
With the genesis of this breach dating back a number of years, you might ask, “Did Yahoo know about the breach?” The short answer is that they must have.
In fact, Lou Rabon of Cyber Defense Group predicted it, independent of any affiliation with Yahoo. It only took two more years for Yahoo to announce it.
The impact of this breach is staggering when you consider that at the time of the announcement Yahoo was in acquisition talks with Verizon at a price tag of over $4 billion. Initial reports were that the breach would reduce the value of the deal by 25%, or $1 billion. To date the acquisition is still pending.
Here is more Yahoo breach analysis courtesy of Whistic — How much should the “yayhoos” at Yahoo have been spending on cybersecurity? A rough statistical analysis
Democratic National Convention (DNC) Email Leak
This was big news because of the election year as well as the current state of relations between the U.S.A. and Russia. While the source of the leak is still uncertain, many believe that the Russian government played a part. The emails from the leak were published through the well-known “hacktivist” site Wikileaks. On July 22, 2016, Wikileaks published 19,252 emails and 8,034 attachments from the DNC, the governing body of the United States’ Democratic Party.
The leak includes emails from seven of the DNC’s key staff members and led to the resignation of DNC chair Debbie Wasserman Schultz. DNC CEO Amy Dacey, CFO Brad Marshall, and Communications Director Luis Miranda also resigned in the wake of the controversy.
Healthcare records are a favorite target for cyber criminals — despite the current decrease in black market value (Abundance of stolen healthcare records on dark web is causing a price collapse). Supply and demand, right?
For healthcare in 2016 the largest reported data breach was Banner Health, with over 3.62 million individuals impacted in one incident. While officials at Banner discovered the breach in July of 2016, a third-party forensics investigation found that the initial attack occurred in June of 2016.
There were “a limited number of Banner Health computer servers as well as the computer systems that process payment card data at certain Banner Health food and beverage outlets” affected in the attack. — Banner officials
This means that patients, members and beneficiaries, and customers of the food and beverage outlets may have had certain information exposed. What’s interesting about this breach is that it was similar to the Target breach of 2013, in which the hackers “piggybacked” from one system to the next. First the food and beverage outlets were breached, then the hackers were eventually able to penetrate a number of Banner Health computer servers.
“The attackers targeted payment card data, including cardholder name, card number, expiration date and internal verification code, as the data was being routed through affected payment processing systems.” — Banner
Here is an earlier piece Whistic did on the Banner Healthcare Breach — What We Should Learn from Cases Like Banner Health.
The Use of IoT Devices to Deliver Targeted DDoS Attacks
Towards the end of 2016 cybercriminals launched a major DDoS attack against DNS hosting provider Dyn (recently acquired by Oracle). The attack disrupted service for a number of notable sites, including Twitter, Netflix, PayPal, Pinterest and the PlayStation Network.
DDoS attacks are nothing new, but what’s interesting about this story is the method the attackers used to create the massive attack — by massive I mean peaking close to 1 Tbps (terabit per second). The attackers were able to generate such a massive attack by compromising approximately 20,000 endpoint IoT devices and transforming them into a botnet, which then flooded Dyn with traffic.
This event, as well as the attack on Brian Krebs’ website, brought to light the insecure nature of IoT devices and the serious threat they pose to the security and operations of organizations around the world. On top of that insecurity, Gartner has predicted that there will be 20.8 billion ‘connected’ things talking to each other by 2020.
If we don’t see significant security upgrades in the IoT space, then we may reap some very serious consequences.
San Francisco Municipal Transportation Agency
In November 2016 San Francisco’s public railway system, known as Muni, was infected with malware that resulted in locked kiosks and computers and two days of free rides for passengers until the system came back online.
The ticketing machines of San Francisco’s railway read “You Hacked, ALL Data Encrypted.” The hackers claimed to have stolen 30GB of data, which included the personal information of employees and riders. They demanded that the agency fix its vulnerable systems and pay a ransom of 100 Bitcoins, or about $73,000, or they would release all of the stolen personal information.
What’s most interesting about this story is that one day after the initial report was released, Brian Krebs released an article stating that the hackers themselves had been hacked. What a wacky, wild ride.
On Monday, KrebsOnSecurity was contacted by a security researcher who said he hacked this very same firstname.lastname@example.org inbox after reading a news article about the SFMTA incident. The researcher, who has asked to remain anonymous, said he compromised the extortionist’s inbox by guessing the answer to his secret question, which then allowed him to reset the attacker’s email password. A screen shot of the user profile page for email@example.com shows that it was tied to a backup email address, firstname.lastname@example.org, which also was protected by the same secret question and answer. — Brian Krebs
If you’d like to speak with a Whistic representative, please click here to schedule a conversation.
Whistic is an award-winning risk assessment and analytics platform that makes it easy for companies to assess service providers or self-assess against compliance and security standards (e.g. PCI DSS). Headquartered in Orem, Utah, at the heart of the Silicon Slopes, Whistic is the creator of the CrowdConfidence™ scoring algorithm that leverages the wisdom of crowds to assess the residual risk of sharing data with a vendor. Whistic was the recipient of the “Best Enterprise” award at the World’s Largest Startup Event: Launch Festival 2016.
For more information about Whistic, visit: https://www.whistic.com.