2016: AppSec Year in Review

Here is an overview of the hacks from 2016 and a breakdown of the vulnerabilities that led to the attacks.

By Richard April
Dec. 30, 16 · Security Zone · Opinion

Accounts Taken Over and Credentials Seriously Stuffed

Credential stuffing attacks were made possible by several hacks that hit the news in 2016. Hacks like these happen in two (or more) phases, often years apart. The first phase is stealing the credential pairs — user names and passwords — and often selling them or publishing them publicly on the Internet. The second phase is using those credentials to compromise other systems.

LinkedIn. The original hack took place in 2012, made easier because at that time the company did not protect passwords with encryption. The company believed that the hackers got about 6.5 million passwords. However, earlier this year, the business-focused social networking site announced that the hackers had actually accessed 117 million user names and passwords (some estimates put that number even higher), data from a quarter of its customers. It realized the extent of the breach when the hacked information was made available for sale in markets on the dark web this year.

Yahoo. Two major hacks were announced in 2016.

500 million user accounts. This hack, announced in September of this year, happened in 2014, but the scale of the breach wasn't publicly announced until 2016. The company believes a state-sponsored actor was responsible; the information also hit markets on the dark web this year.

1 billion user accounts. This hack, announced only this December, happened in 2013. The company has not been able to determine the intrusion method or confirm all the types of information stolen, though it believes the data did not include payment card or bank account information because that is stored in a separate system.

As a result of these historical breaches, we've seen the growth of a completely new class of authentication attack in 2016: credential stuffing. Unlike traditional attempts to break authentication systems by trying every possible password a user might have picked, credential stuffing exploits the fact that most users reuse their passwords between websites. If an attacker knows that john.doe@gmail.com used the password Yankees<3 on LinkedIn, he can then try that email address and password on every other major website virtually undetectably. Since our hypothetical user probably used his LinkedIn password for other websites, our attacker will gain access. While this might sound minor, when it's multiplied by tens of millions of publicly known credential pairs, the threat becomes enormous and very difficult to mitigate.
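The detection angle follows directly from the description above: brute force hammers one account with many passwords, whereas credential stuffing tries one leaked password each against many different accounts, so a single source touching many distinct usernames with a low success ratio is the tell. The following is an added example, not code from the article or from any of the companies it names; the log format, the thresholds and the sample lines are all constructed for illustration.

```python
"""Flag credential-stuffing patterns in authentication logs (added example).

Heuristic: a source that attempts many *distinct* usernames and succeeds on
only a small fraction of them matches the stuffing profile described in the
text. Accounts that did succeed from such a source are the likely
password-reuse victims and are the ones to force-reset.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log lines: "<timestamp> <source_ip> <username> <OK|FAIL>".
# 203.0.113.7 walks through eight accounts and gets one hit (stuffing);
# 198.51.100.4 is one user mistyping their own password; 192.0.2.9 is normal.
SAMPLE_LOG = """\
2016-12-01T10:00:01Z 203.0.113.7 alice FAIL
2016-12-01T10:00:02Z 203.0.113.7 bob FAIL
2016-12-01T10:00:03Z 203.0.113.7 carol OK
2016-12-01T10:00:04Z 203.0.113.7 dave FAIL
2016-12-01T10:00:05Z 203.0.113.7 erin FAIL
2016-12-01T10:00:06Z 203.0.113.7 frank FAIL
2016-12-01T10:00:07Z 203.0.113.7 grace FAIL
2016-12-01T10:00:08Z 203.0.113.7 heidi FAIL
2016-12-01T10:01:00Z 198.51.100.4 alice FAIL
2016-12-01T10:01:05Z 198.51.100.4 alice FAIL
2016-12-01T10:01:09Z 198.51.100.4 alice OK
2016-12-01T10:02:00Z 192.0.2.9 bob OK
"""


@dataclass
class SourceStats:
    attempts: int = 0
    successes: int = 0
    usernames: set = field(default_factory=set)
    # Accounts that authenticated successfully from this source.
    compromised: set = field(default_factory=set)


def parse_line(line):
    """Split one constructed log line into (timestamp, ip, username, ok)."""
    ts, ip, user, result = line.split()
    return ts, ip, user, result == "OK"


def aggregate(lines):
    """Roll the log up per source IP."""
    stats = defaultdict(SourceStats)
    for line in lines:
        if not line.strip():
            continue
        _, ip, user, ok = parse_line(line)
        s = stats[ip]
        s.attempts += 1
        s.usernames.add(user)
        if ok:
            s.successes += 1
            s.compromised.add(user)
    return stats


def detect_credential_stuffing(log_text, min_distinct_users=5, max_success_ratio=0.25):
    """Return {ip: SourceStats} for sources matching the stuffing profile.

    Both thresholds are assumptions for this example; tune them against a
    baseline of your own traffic.
    """
    flagged = {}
    for ip, s in aggregate(log_text.splitlines()).items():
        many_accounts = len(s.usernames) >= min_distinct_users
        low_hit_rate = s.successes / s.attempts <= max_success_ratio
        if many_accounts and low_hit_rate:
            flagged[ip] = s
    return flagged


def accounts_to_reset(flagged):
    """Usernames that logged in OK from a flagged source: force a password
    reset and revoke their sessions, since the password was evidently reused."""
    return sorted(u for s in flagged.values() for u in s.compromised)


if __name__ == "__main__":
    hits = detect_credential_stuffing(SAMPLE_LOG)
    for ip, s in hits.items():
        print(f"{ip}: {len(s.usernames)} accounts tried, {s.successes}/{s.attempts} succeeded")
    print("force reset:", accounts_to_reset(hits))
```

The per-source grouping is the weak point of this heuristic: an attacker who spreads the attempts across a large pool of addresses (the kind of compromised-device pool the next section describes) stays under any per-IP threshold, so the same distinct-username and success-ratio counters should also be tracked globally and compared against a normal-day baseline.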

IoT Delivers Hackers

The downside of the connected device revolution was revealed in October this year. Dyn, which provides Internet infrastructure to many major websites, was the victim of a distributed denial of service (DDoS) attack. As a result, millions of U.S. users were prevented from accessing sites like Twitter, Netflix, and PayPal.

The attack was carried out with compromised devices connected via the Internet of Things (IoT), primarily digital video cameras and IP cameras. The malware looked for IoT devices that still used factory default user names and passwords, took over those devices, and used them to overwhelm the servers at Dyn.

How Secure Is My Framework?

This year revealed the vulnerabilities inherent in some web application frameworks. For the Ruby on Rails framework, for example, several CVEs (Common Vulnerabilities and Exposures entries) were issued in 2016 addressing cross-site scripting (XSS) and directory traversal vulnerabilities in the framework itself. These framework vulnerabilities are particularly damaging, as they impact swathes of applications across the Internet simultaneously.
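Directory traversal, one of the two bug classes named above, comes down to a file-serving route that joins a user-supplied path onto a base directory without checking that the result still lies inside it. The containment check below is an added example written for this article in Python; it is not code from Rails or from any of the CVEs mentioned, and the base directory and request paths are constructed values.

```python
"""Containment check against directory traversal (added example).

A naive `os.path.join(base, requested)` is defeated by "..", by absolute
paths (join discards the base entirely) and by a sibling directory whose
name merely starts with the base name. Resolving both sides to canonical
paths and comparing with os.path.commonpath closes all three.
"""
import os


def safe_join(base_dir, requested):
    """Return the canonical path of `requested` under `base_dir`, or None if
    it would escape the tree (or names the base directory itself)."""
    if os.path.isabs(requested):
        return None  # a file route has no business accepting absolute paths
    base = os.path.realpath(base_dir)
    # realpath collapses ".." segments and follows symlinks, so a link that
    # points outside the tree is caught as well as a literal "../".
    candidate = os.path.realpath(os.path.join(base, requested))
    if candidate == base:
        return None
    # commonpath compares whole path components, so "/srv/app/public_old"
    # is not mistaken for a child of "/srv/app/public" the way a string
    # prefix test would.
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


if __name__ == "__main__":
    # Constructed base directory; it need not exist for the check to work.
    base = "/srv/app/public"
    for req in ["reports/2016.pdf", "../../etc/passwd",
                "reports/../../secret", "/etc/passwd", "../public_old/x"]:
        print(f"{req!r:28} -> {safe_join(base, req)}")
```

The string-prefix case is the one most often missed: checking `candidate.startswith(base)` accepts `/srv/app/public_old/x` for a base of `/srv/app/public`, while the component-wise comparison rejects it.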

The hacks this year highlighted the challenges of application security. The Verizon 2016 Data Breach Investigations Report (with data from 2015) cited 2,260 breaches with confirmed data loss and 64,199 confirmed security incidents (from a dataset of over 100,000 incidents and 3,141 breaches, filtering out incidents without enough information and those in which devices were repurposed as infrastructure to use against other targets), with web application attacks being the leading type of incident (at 40%).


Published at DZone with permission of Richard April, DZone MVB. See the original article here.
