Accounts Taken Over and Credentials Seriously Stuffed
Credential stuffing attacks were made possible by several hacks that hit the news in 2016. Hacks like these happen in two (or more) phases, often occurring years apart. The first phase is stealing the credential pairs (user names and passwords), which are then often sold or published publicly on the Internet. The second phase is using those credentials to compromise other systems.
LinkedIn. The original hack took place in 2012, made easier because at that time the company did not protect passwords with encryption. The company believed that the hackers got about 6.5 million passwords. However, earlier this year, the business-focused social networking site announced that the hackers actually accessed 117 million user names and passwords (some estimates put that number even higher), data from a quarter of their customers. They realized the extent of the breach when the hacked information was made available for sale in markets on the dark web this year.
Yahoo. Two major hacks were announced in 2016.
500 million user accounts. This hack, announced in September of this year, happened in 2014 but the scale of the breach wasn’t publicly announced until 2016. The company believes a state sponsored actor was responsible for this hack; the information also hit markets on the dark web this year.
1 billion user accounts. This hack, just announced in December of this year, happened in 2013. The company has not been able to determine the intrusion method or confirm all the types of information stolen, though they believe the information did not include payment card or bank account information because it is stored in a separate system.
As a result of these historical breaches, we’ve seen the growth of a completely new class of authentication attack in 2016: credential stuffing. Unlike traditional attempts to break authentication systems by trying every possible password a user might have picked, credential stuffing exploits the fact that most users reuse their passwords between websites. If an attacker knows that firstname.lastname@example.org used the password Yankees<3 on LinkedIn, he can then try that email address and password on every other major website virtually undetectably. Since our hypothetical user probably used his LinkedIn password for other websites, our attacker will gain access. While this might sound minor, when it’s multiplied by tens of millions of publicly known credential pairs, the threat becomes enormous and very difficult to mitigate.
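The contrast drawn above between password guessing and credential stuffing shows up in login logs: a per-account failure counter catches the first and misses the second. The following Python is an added example, not code from the original article; the event format, function names, thresholds and sample events are all assumptions constructed for illustration.

```python
from collections import Counter, defaultdict

# Constructed login events: (source_ip, username, succeeded). Documentation-range IPs.
EVENTS = (
    [("203.0.113.10", f"user{i}@example.org", i == 3) for i in range(8)]  # one try per account
    + [("198.51.100.7", "alice@example.org", False)] * 10                 # many tries, one account
    + [("192.0.2.20", f"staff{i}@example.org", True) for i in range(6)]   # office NAT, all succeed
    + [("192.0.2.5", "bob@example.org", False), ("192.0.2.5", "bob@example.org", True)]
)

def locked_accounts(events, max_failures=5):
    """Accounts a classic per-account failure counter would lock."""
    failures = Counter(user for _, user, ok in events if not ok)
    return {user for user, n in failures.items() if n >= max_failures}

def classify_sources(events, min_attempts=5, min_fail_rate=0.5):
    """Label each source IP as 'stuffing', 'brute_force' or 'normal'."""
    attempts = defaultdict(Counter)   # ip -> username -> attempt count
    failures = Counter()              # ip -> failed attempt count
    for ip, user, ok in events:
        attempts[ip][user] += 1
        failures[ip] += not ok
    labels = {}
    for ip, per_user in attempts.items():
        total = sum(per_user.values())
        if total < min_attempts or failures[ip] / total < min_fail_rate:
            labels[ip] = "normal"        # low volume, or mostly successful logins
        elif total / len(per_user) <= 2:
            labels[ip] = "stuffing"      # many accounts, one or two tries each
        else:
            labels[ip] = "brute_force"   # few accounts, many guesses each
    return labels

if __name__ == "__main__":
    print("locked by per-account counter:", locked_accounts(EVENTS))
    for ip, label in classify_sources(EVENTS).items():
        print(ip, label)
```

On the sample data the per-account counter locks only the guessed account, while the per-source view is what surfaces the stuffing run. A per-IP count is one signal among several, since the same pattern can be spread across many source addresses.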
IoT Delivers Hackers
The downside of the connected device revolution was revealed in October this year. Dyn, which provides Internet infrastructure to many major websites, was the victim of a distributed denial of service (DDoS) attack. As a result, millions of U.S. users were prevented from accessing sites like Twitter, Netflix, and PayPal.
The attack came from hackers' use of compromised devices connected via the Internet of Things (IoT), primarily digital video cameras and IP cameras. The malware looked for IoT devices that used factory default user names and passwords, then took over those devices and overwhelmed the servers at Dyn.
How Secure Is my Framework?
This year revealed the vulnerabilities inherent in some web application frameworks. For the Ruby on Rails framework, for example, several CVEs (Common Vulnerabilities and Exposures) were issued in 2016 addressing cross-site scripting (XSS) vulnerabilities and directory traversal vulnerabilities inherent in the framework itself. These framework vulnerabilities are particularly damaging, as they impact swathes of applications across the internet simultaneously.
The hacks this year highlighted the challenges with application security. The Verizon 2016 Data Breach Investigations Report (with data from 2015) cited 2,260 breaches with confirmed data loss and 64,199 confirmed security incidents (from a dataset of over 100,000 incidents and 3,141 breaches, filtering out incidents without enough information or those in which devices were repurposed as infrastructure to use against other targets), with web application attacks being the leading type of incident (at 40%).