Security experts explain what went wrong and how it affected you.
This New Year’s Eve, a lot of companies—and government agencies—have resolutions to make. At the top of the list: to not repeat the same security mistakes they did in 2015, which exposed the personal data of millions of people, and left their phones and laptops at risk.
TechRepublic came up with its list of the top 5 security failures of 2015. Analysts explain how they may have affected you.
1) Laptop companies inserted secret software that left you vulnerable
Three big companies—Dell, Lenovo and Toshiba—sold you laptops with hidden programs that allowed the bad guys to get in through a back door, reported TechRepublic. The companies later offered tools to remove the programs.
Cybersecurity experts say the hidden, vulnerable software was a big mistake.
“The first thing I thought was, ‘Do not buy a system from Lenovo, Dell or Toshiba,’” said Patrick C. Miller with Archer Security Group. “They didn’t just erode my trust, they totally lost my trust.”
Why would these companies make these hidden moves?
“They’re either mitigating something or collecting something,” said Daniel Lance with Archer Security Group.
“The approach they took is not accidental,” said Miller. “It makes you question what the intent was. Was it because they were shipping you beta software, and it wasn’t quite cooked yet, and they wanted to come fix it? Was it that they wanted to monitor what you were doing for advertising purposes?”
2) Massive hacking of highly sensitive government personnel records
Think all of the information you would need to give to get a special government security clearance. That data was breached in two attacks on the U.S. Office of Personnel Management, leaving 21 million people at risk, reported TechRepublic.
“I was part of the OPM breach,” said Miller. “My clearance information was in there, and, yeah, I’m pissed.”
He said the government required him to fill out an extensive form to get the security clearance, including Social Security numbers for all of his family members, even his children, and personal and detailed information about his life, from his early years on.
“You put your entire life history into that form,” Miller said. “All my personal information, everything.”
How did the OPM protect that sensitive information for millions of people?
“They completely dropped the ball when it comes to strong authentication,” Miller said. “Shortly said, the basic blocking and tackling wasn’t done for this degree of data sensitivity.”
“The potential to social engineer any one of these people has now gone to extreme success levels, because they didn’t follow the same level of security that most states require for far less information,” he added.
3) Info from adultery web site revealed
An attack exposed the information of millions of members of the Ashley Madison “meet-and-cheat” site, leading to investigations, lawsuits, and reportedly at least one suicide.
But some cybersecurity experts say this incident is not as significant as the other security failures on the list, in part because the method of attack has not been revealed.
It may have been an inside job, explained Lance, not an outside hack through a security flaw.
“It’s not a big security snafu,” said Lance. “This is like a dime-a-dozen, really.”
“There’s something provocative about it because of the content of the web site,” Lance added. “If it were a site where they shared cooking recipes, no one would really care.”
“As a security professional, I’m far more concerned about massive health care data breaches and fraudulent digital certificates than this,” said Miller.
Miller said some shady hackers could add the info from the Ashley Madison incident to their arsenal of data to use for attacking people, along with data from other breaches.
“I think the greatest hack value is that it might provide a force multiplier,” said Miller. “It provides you with additional leverage.”
4) New, undercover way to take over your phone
A vulnerability in the Android ‘Stagefright’ library of code allowed bad guys to get to your phone just by sending you a text message, even if you didn’t view it.
“Yeah, that’s a big deal,” said Miller, “It isn’t something that requires you to do anything. You receive a text message and you’re ‘owned.’ That’s a problem.”
The bad guys could do whatever they wanted to your phone, Lance said.
“Pull all of your photo library, pull all of your contacts, pull all of your stored passwords,” he said. “Your geo information, where you usually hang out.”
“They could basically steal all content for the phone,” agreed Miller. “They could insert themselves into the application stream, such as gathering banking information. Once you ‘own’ the phone, you basically own everything on it.”
Even worse, the phone’s real owner would probably not be able to tell anything was wrong, they said. Google now issues Android security updates every month to try to stop this and other problems.
5) Updating some phones can be messy and insecure
There is not a timely system for updating Android phones, TechRepublic reported, leaving people with “outdated, insecure software,” even after Google started issuing monthly updates.
“This is a big vulnerability,” said Lance. “I wouldn’t say it’s new.”
He said the problem started long before 2015.
Miller said people with iPhones get their updates, with fixes for security issues, through a centralized system. But people with Android phones do not.
“There’s no one central place to go get all of your stuff,” he said. “The model itself lends itself to, well, let’s just say a large degree of inconsistency in what the updates are.”
Lance said the problem lies in Android’s desire to allow a more open system.
“No one’s actually owning the software,” added Lance. “All of the services that they’ve cobbled together to build their service for the customer are implemented in a such a way that are insecure.”
TechRepublic said some company made moves to improve security, but added, “…As it stands, Android updates are still fundamentally broken.”
Why so many fiascos?
A number of companies have communication and behavior issues, said Bob Beachy with Archer Security Group.
The company culture may consider discussion of possible security issues to be a sign of failure, rather than an important part of the work process.
“Many large companies are still oriented in such a manner that IT personnel, even at the highest levels, are afraid of delivering bad news, even if it is the truth,” said Beachy.
“This results in CEOs having an unrealistic picture of their overall security capabilities and resources,” he said. “It also means that IT personnel are afraid that asking for help or admitting past mistakes will reflect negatively, rather than help the company avoid a bigger problem down the road.”