Pinterest Stumbleupon Whatsapp
Ads by Google

As we near the precipice of 2016, let’s take a minute to reflect on the security lessons we learned in 2015. From Ashley Madison Ashley Madison Leak No Big Deal? Think Again Ashley Madison Leak No Big Deal? Think Again Discreet online dating site Ashley Madison (targeted primarily at cheating spouses) has been hacked. However this is a far more serious issue than has been portrayed in the press, with considerable implications for user safety. Read More , to hacked kettles 7 Reasons Why The Internet of Things Should Scare You 7 Reasons Why The Internet of Things Should Scare You The potential benefits of the Internet of Things grow bright, while the dangers are cast into the quiet shadows. It's time to draw attention to these dangers with seven terrifying promises of the IoT. Read More , and dodgy security advice from the government, there’s a lot to talk about.

Smart Homes Are Still a Security Nightmare

2015 saw a rush of people upgrading their existing analog household items with computerized, Internet-connected alternatives. Smart Home tech really took off this year in a way that looks set to continue into the New Year. But at the same time, it was also hammered home (sorry) that some of these devices aren’t all that secure.

The biggest Smart Home security story was perhaps that the discovery that some devices were shipping with duplicate (and often hard-coded) encryption certificates and private keys. It wasn’t just Internet of Things products either. Routers issued by major ISPs have been found to have committed this most cardinal of security sins.

router2

So, why is it a problem?

Essentially, this makes it trivial for an attacker to spy on these devices through a ‘man-in-the-middle’ attack What Is A Man-In-The-Middle Attack? Security Jargon Explained What Is A Man-In-The-Middle Attack? Security Jargon Explained Read More , intercepting traffic whilst simultaneously remaining undetected by the victim. This is concerning, given that Smart Home tech is increasingly being used in incredibly sensitive contexts, such as personal security, household safety Nest Protect Review and Giveaway Nest Protect Review and Giveaway Read More , and in healthcare.

Ads by Google

If this sounds familiar, it’s because a number of major computer manufacturers have been caught doing a very similar thing. In November 2015, Dell was found to be shipping computers with an identical root certificate called eDellRoot Dell's Latest Laptops Are Infected With eDellRoot Dell's Latest Laptops Are Infected With eDellRoot Dell, the world's third largest computer manufacturer has been caught shipping rogue root certificates on all new computers - just like Lenovo did with Superfish. Here's how to make your new Dell PC safe. Read More , while in late 2014, Lenovo was began intentionally breaking SSL connections Lenovo Laptop Owners Beware: Your Device May Have Preinstalled Malware Lenovo Laptop Owners Beware: Your Device May Have Preinstalled Malware Chinese computer manufacturer Lenovo has admitted that laptops shipped to stores and consumers in late 2014 had malware preinstalled. Read More in order to inject adverts into encrypted webpages.

It didn’t stop there. 2015 was indeed the year of Smart Home insecurity, with many devices identified as coming with an obscenely obvious security vulnerability.

My favorite was the iKettle Why the iKettle Hack Should Worry You (Even If You Don't Own One) Why the iKettle Hack Should Worry You (Even If You Don't Own One) The iKettle is a WiFi enabled kettle that apparently came with a massive, gaping security flaw that had the potential to blow open entire WiFi networks. Read More (you guessed it: A Wi-Fi enabled kettle), which could be convinced by an attacker to reveal the Wi-Fi details (in plaintext, no less) of its home network.

ikettle-main

For the attack to work, you first had to create a spoofed wireless network that shares the same SSID (the name of the network) as the one which has the iKettle attached to it. Then by connecting to it through the UNIX utility Telnet, and traversing through a few menus, you can see the network username and password.

Then there was Samsung’s Wi-Fi connected Smart Fridge Samsung's Smart Fridge Just Got Pwned. How About The Rest Of Your Smart Home? Samsung's Smart Fridge Just Got Pwned. How About The Rest Of Your Smart Home? A vulnerability with Samsung's smart fridge was discovered by UK-based infosec firm Pen Test Parters. Samsung’s implementation of SSL encryption doesn’t check the validity of the certificates. Read More , which failed to validate SSL certificates, and allowed attackers to potentially intercept Gmail login credentials.

samsung-smartfridge

As Smart Home tech becomes increasingly mainstream, and it will, you can expect to hear of more stories of these devices coming with critical security vulnerabilities, and falling victim to some high-profile hacks.

Governments Still Don’t Get It

One recurring theme we’ve seen over the past few years is how utterly oblivious most governments are when it comes to security matters.

Some of the most egregious examples of infosec illiteracy can be found in the UK, where the government has repeatedly and consistently shown that they just don’t get it.

One of the worst ideas that’s being floated in parliament is the idea that the encryption used by messaging services (such as Whatsapp and iMessage) should be weakened, so the security services can intercept and decode them. As my colleague Justin Pot saliently pointed out on Twitter, that’s like shipping all safes with a master keycode.

It gets worse. In December 2015, the National Crime Agency (the UK’s answer to the FBI) issued some advice for parents Is Your Child a Hacker? The British Authorities Think So Is Your Child a Hacker? The British Authorities Think So The NCA, Britain's FBI, has launched a campaign to deter young people from computer crime. But their advice is so broad that you could assume anyone reading this article is a hacker - even you. Read More so they can tell when their children are on the road to becoming hardened cybercriminals.

These red flags, according to the NCA, include “are they interested in coding?” and “are they reluctant to talk about what they do online?”.

BadAdvice

This advice, obviously, is garbage and was widely mocked, not only by MakeUseOf, but also by other major technology publications, and the infosec community.

But it was indicative of a troubling trend. Governments don’t get security. They don’t know how to communicate about security threats, and they don’t understand the fundamental technologies that make the Internet work. For me, that’s far more concerning than any hacker or cyber-terrorist.

Sometimes You Should Negotiate with Terrorists

The biggest security story of 2015 was undoubtedly the Ashley Madison hack Ashley Madison Leak No Big Deal? Think Again Ashley Madison Leak No Big Deal? Think Again Discreet online dating site Ashley Madison (targeted primarily at cheating spouses) has been hacked. However this is a far more serious issue than has been portrayed in the press, with considerable implications for user safety. Read More . In case you’ve forgotten, let me recap.

Launched in 2003, Ashley Madison was a dating site with a difference. It allowed married people to hook up with people who weren’t actually their spouses. Their slogan said it all. “Life is short. Have an affair.”

But gross as it is, it was a runaway success. In just over ten years, Ashley Madison had accumulated almost 37 million registered accounts. Although it goes without saying that not all of them were active. The vast majority were dormant.

Earlier this year, it became apparent that all was not well with Ashley Madison. A mysterious hacking group called The Impact Team issued a statement claiming they’d been able to obtain the site database, plus a sizable cache of internal emails. They threatened to release it, unless Ashley Madison was shut down, along with its sister site Established Men.

Avid Life Media, who are the owners and operators of Ashley Madison and Established Men, issued a press release that downplayed the attack. They emphasized that they were working with law enforcement to track down the perpetrators, and were “able to secure our sites, and close the unauthorized access points”.

On the 18th of August, Impact Team released the full database.

It was an incredible demonstration of the swiftness and disproportionate nature of Internet justice.  No matter how you feel about cheating (I hate it, personally), something felt utterly wrong about it. Families were torn asunder. Careers were instantly and very publicly ruined. Some opportunists even sent subscribers extortion emails, through email and by post, milking them out of thousands. Some thought their situations were so hopeless, they had to take their own lives. It was bad. 3 Reasons Why The Ashley Madison Hack Is A Serious Affair 3 Reasons Why The Ashley Madison Hack Is A Serious Affair The Internet seems ecstatic about the Ashley Madison hack, with millions of adulterers' and potential adulterers' details hacked and released online, with articles outing individuals found in the data dump. Hilarious, right? Not so fast. Read More

The hack also shone a spotlight at the inner workings of Ashley Madison.

They discovered that of the 1.5 million women who were registered on the site, only around 10,000 were actual genuine human beings. The rest were robots and fake accounts created by the Ashley Madison staff. It was a cruel irony that most people who signed up probably never met anyone through it. It was, to use a slightly colloquial phrase, a ‘sausage fest’.

It didn’t stop there. For $17, users could remove their information from the site. Their public profiles would be erased, and their accounts would be purged from the database. This was used by people who signed up and later regretted it.

But the leak showed that Ashley Maddison didn’t actually remove the accounts from the database. Instead, they were merely hidden from the public Internet. When their user database was leaked, so were these accounts.

Perhaps the lesson we can learn from the Ashley Madison saga is that sometimes it’s worth acquiescing to the demands of hackers.

Let’s be honest. Avid Life Media knew what was on their servers. They knew what would have happened if it were leaked. They should have done everything within their power to stop it from being leaked. If that meant shutting down a couple of online properties, so be it.

Let’s be blunt. People died because Avid Life Media took a stand. And for what?

At a smaller scale, it can be argued that it’s often better to meet the demands of hackers and malware creators. Ransomware is a great example of this Don't Fall Foul of the Scammers: A Guide To Ransomware & Other Threats Don't Fall Foul of the Scammers: A Guide To Ransomware & Other Threats Read More . When someone is infected, and their files are encrypted, the victims are asked for a ‘ransom’ in order to decrypt them. This is generally in the bounds of $200 or so. When paid up, these files are generally returned. For the ransomware business model to work, victims have to have some expectation they can get their files back.

I think going forward, many of the companies who find themselves in the position of Avid Life Media will question whether a defiant stance is the best one to take.

Other Lessons

2015 was a strange year. I’m not just talking about Ashley Madison, either.

The VTech Hack VTech Gets Hacked, Apple Hates Headphone Jacks... [Tech News Digest] VTech Gets Hacked, Apple Hates Headphone Jacks... [Tech News Digest] Hackers expose VTech users, Apple considers removing the headphone jack, Christmas lights can slow down your Wi-Fi, Snapchat gets into bed with (RED), and remembering The Star Wars Holiday Special. Read More was a game changer. This Hong Kong based manufacturer of children’s toys offered a locked-down tablet computer, with a kid-friendly app store, and the ability for parents to remotely control it. Earlier this year, it was hacked, with over 700,000 children’s profiles being leaked. This showed that age is no barrier to being the victim of a data breach.

It was also an interesting year for operating system security. While questions were raised about the overall security of GNU/Linux Has Linux Been A Victim of Its Own Success? Has Linux Been A Victim of Its Own Success? Why did Linux Foundation head, Jim Zemlin, recently say that the "golden age of Linux" might soon come to an end? Has the mission to "promote, protect and advance Linux" failed? Read More , Windows 10 made grand promises of being the most secure Windows ever 7 Ways Windows 10 is More Secure than Windows XP 7 Ways Windows 10 is More Secure than Windows XP Even if you don't like Windows 10, you really should have migrated from Windows XP by now. We show you how the 13 year old operating system is now riddled with security issues. Read More . This year, we were forced to question the adage that Windows is inherently less secure.

Suffice to say, 2016 is going to be an interesting year.

What security lessons did you learn in 2015? Do you have any security lessons to add? Leave them in the comments below.  

  1. fcd76218
    December 29, 2015 at 11:33 pm

    "Perhaps the lesson we can learn from the Ashley Madison saga is that sometimes it’s worth acquiescing to the demands of hackers."
    The one lesson you have not learned is that extortionists (AM hackers are nothing more than that) do not stop extorting when you say 'pretty please.' When they find a victim that pays, they just keep raising the ante until they are stopped.

    " Windows 10 made grand promises of being the most secure Windows ever"
    And you believe everything Microsoft tells you?!

    "This year, we were forced to question the adage that Windows is inherently less secure."
    Windows has always been like a fence. The only thing that has changed over the years is that the holes have gotten smaller and MS has hidden the secret gate a bit better.

    • Matthew Hughes
      December 31, 2015 at 1:23 pm

      The problem with your argument is that the Ashley Madison hackers weren't motivated by any financial reasons. They just wanted to remove some grubby little site off the Internet. It's hard to see a next step up from that.

      • fcd76218
        December 31, 2015 at 2:22 pm

        Look at the bigger picture, Matthew. Today they want to remove AM from the Internet for being "grubby". Many people would applaud that. However, what gives The Impact Team the right to impose their morality on the rest of the world? ISIS, al Qaeda and Taliban are trying to impose Sharia Law and Islam on the "unbelievers". How do you feel about that?

        The next step up is every pressure group with the technological know-how shutting down sites that they do not approve of. How about PETA shutting the sites of all companies that provide meat to the public?

Leave a Reply

Your email address will not be published. Required fields are marked *