UpGuard Blog

2016: The Year of Preventable Hacks

Written by UpGuard | Dec 21, 2016 7:34:42 PM

As the holiday season approaches, the world's fraudsters, scammers, and blackhats can take no small measure of yuletide cheer from their work in 2016, a banner year for hacking. Call it the dark side of technological innovation, an equal and opposite reaction to the growing breadth and efficiency of the internet. 2016 was a record-breaking year for data breaches, and they reached further into public life than ever before, from a presidential election rife with electronic intrigue to a business landscape increasingly shaped by hacking. If there is a lesson in the most damaging breaches of the year, it is an uncomfortable one: many of the worst exploited well-known weaknesses that could have been prevented with basic controls.

Known Vulnerabilities

In October 2016, hackers published evidence that the parent company of the "adults only" social network Adult Friendfinder had been breached, making off with a database of 73 million users, employee details, and keys for remote administration of the site's servers. Counted across the company's digital properties, the number of compromised users may exceed 100 million, all because of poorly written code. Analysts believe the attackers exploited a Local File Inclusion (LFI) vulnerability on the servers: a flaw in which a web application includes or reads a file whose name comes from user input without validating the path, so that a crafted request can pull arbitrary files off the server.
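To make the LFI pattern concrete, here is an added example (Python written for this page, not code from UpGuard or from the site that was breached): the unsafe file lookup, the same lookup confined to the web root by canonicalising the path, and a constructed fixture directory so the two can be compared offline. The file names, the `.html` allow-list and the fixture contents are assumptions for illustration.

```python
"""Local File Inclusion: the unsafe file lookup beside a hardened one."""
import os
import tempfile


def resolve_unsafe(web_root, requested):
    """The LFI pattern: a request-supplied name is joined to the web root and used as-is.
    '../' sequences walk out of web_root, and an absolute path makes os.path.join
    discard web_root entirely."""
    return os.path.join(web_root, requested)


def resolve_safe(web_root, requested, allowed_suffix=".html"):
    """Canonicalise both paths and refuse anything outside web_root or of the wrong type."""
    root = os.path.realpath(web_root)
    candidate = os.path.realpath(os.path.join(root, requested))
    # realpath has already collapsed '..' and symlinks, so a traversal or an
    # absolute path shows up as a common prefix that is not the root itself
    if os.path.commonpath([root, candidate]) != root:
        raise PermissionError(f"path escapes web root: {requested!r}")
    if not candidate.endswith(allowed_suffix):
        raise PermissionError(f"only {allowed_suffix} pages may be included")
    return candidate


def include_page(web_root, requested, resolver):
    """Read the resolved file; this is the include()/open() step of the vulnerable app."""
    with open(resolver(web_root, requested)) as f:
        return f.read()


def is_blocked(web_root, requested):
    """True when the hardened resolver refuses the request."""
    try:
        resolve_safe(web_root, requested)
    except PermissionError:
        return True
    return False


def build_demo_site():
    """Constructed fixture (not real data): a web root with one page and a secret outside it."""
    base = tempfile.mkdtemp(prefix="lfi_demo_")
    pages = os.path.join(base, "pages")
    os.makedirs(pages)
    with open(os.path.join(pages, "index.html"), "w") as f:
        f.write("<h1>welcome</h1>")
    secret = os.path.join(base, "config.ini")
    with open(secret, "w") as f:
        f.write("db_password=hunter2")
    return pages, secret


if __name__ == "__main__":
    pages, secret = build_demo_site()
    print("unsafe, traversal:", include_page(pages, "../config.ini", resolve_unsafe))
    print("safe, traversal blocked:", is_blocked(pages, "../config.ini"))
    print("safe, absolute path blocked:", is_blocked(pages, secret))
```

The important detail is that the check runs on the canonical path, after `realpath` has resolved `..` and symlinks; a string check for `../` on the raw input is bypassed by encodings and absolute paths. The allow-list on file type is a second, independent restriction for the case where the application only ever needs to include page templates.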

That same month, an equally familiar weakness appeared to have crippled data storage provider Modern Business Solutions, when a known hacker published multiple tweets indicating that the names, personal information, and IP addresses of 58 million customers had been stolen in a large data breach. The exposure, which could ultimately reach as many as 258 million records, was likely the result of running a MongoDB database open to the internet with no authentication. This misconfiguration is extremely well known: MongoDB's default configuration at the time required no credentials, so an instance bound to a public interface could be read, and written, by anyone who found its port. Yet it remains pervasive, affecting tens of thousands of internet-facing servers.

Fortunately, this is easy to check for and to fix: connect to the database port without credentials and see whether the server answers a command. If it does, bind the service to a private interface, enable authorization, and put it behind a firewall so that only application hosts can reach it.
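The check itself, as an added example written for this page (not code from the UpGuard post or from MongoDB): a small Python probe that sends an unauthenticated `listDatabases` over MongoDB's OP_MSG wire format and classifies the reply. It assumes a server speaking OP_MSG (MongoDB 3.6 and later; the 2016-era servers in the story used the older OP_QUERY format, for which the `mongo` shell is the quicker test), the default port 27017, and the sample replies built in the `__main__` block are constructed, not captured from a real host.

```python
"""Check whether a MongoDB listener answers commands with no credentials at all."""
import socket
import struct

OP_MSG = 2013  # wire-protocol opcode for command messages, MongoDB 3.6 and later


def bson_encode(doc):
    """Minimal BSON encoder: bool, int (int32), float (double), str, dict and list."""
    body = b""
    for key, value in doc.items():
        name = key.encode() + b"\x00"
        if isinstance(value, bool):                      # bool before int: bool is an int subclass
            body += b"\x08" + name + (b"\x01" if value else b"\x00")
        elif isinstance(value, int):
            body += b"\x10" + name + struct.pack("<i", value)
        elif isinstance(value, float):
            body += b"\x01" + name + struct.pack("<d", value)
        elif isinstance(value, str):
            raw = value.encode() + b"\x00"
            body += b"\x02" + name + struct.pack("<i", len(raw)) + raw
        elif isinstance(value, dict):
            body += b"\x03" + name + bson_encode(value)
        elif isinstance(value, list):
            body += b"\x04" + name + bson_encode({str(i): v for i, v in enumerate(value)})
        else:
            raise TypeError(f"unsupported value type {type(value).__name__}")
    return struct.pack("<i", len(body) + 5) + body + b"\x00"


def bson_top_level_keys(data):
    """Return the element names of a BSON document, skipping over values by type."""
    total = struct.unpack_from("<i", data, 0)[0]
    pos, keys = 4, []
    while pos < total - 1:
        etype = data[pos]
        end = data.index(b"\x00", pos + 1)
        keys.append(data[pos + 1:end].decode())
        pos = end + 1
        if etype in (0x01, 0x09, 0x11, 0x12):      # double, datetime, timestamp, int64
            pos += 8
        elif etype in (0x02, 0x0D, 0x0E):          # string, javascript, symbol
            pos += 4 + struct.unpack_from("<i", data, pos)[0]
        elif etype in (0x03, 0x04):                # embedded document, array
            pos += struct.unpack_from("<i", data, pos)[0]
        elif etype == 0x05:                        # binary: int32 length + subtype byte
            pos += 5 + struct.unpack_from("<i", data, pos)[0]
        elif etype == 0x07:                        # ObjectId
            pos += 12
        elif etype == 0x08:                        # bool
            pos += 1
        elif etype == 0x10:                        # int32
            pos += 4
        elif etype not in (0x06, 0x0A, 0x7F, 0xFF):  # undefined/null/min/max key carry no value
            raise ValueError(f"unsupported BSON type 0x{etype:02x}")
    return keys


def build_op_msg(doc, request_id, response_to=0):
    """Wrap a command document in an OP_MSG with flagBits=0 and a single kind-0 body section."""
    body = struct.pack("<I", 0) + b"\x00" + bson_encode(doc)
    header = struct.pack("<iiii", 16 + len(body), request_id, response_to, OP_MSG)
    return header + body


def parse_op_msg(raw):
    """Return the body document bytes of an OP_MSG, or None if the bytes are not one."""
    if len(raw) < 21:
        return None
    length, _req, _resp, opcode = struct.unpack_from("<iiii", raw, 0)
    if opcode != OP_MSG or raw[20] != 0 or length > len(raw):
        return None
    doc_len = struct.unpack_from("<i", raw, 21)[0]
    return raw[21:21 + doc_len]


def classify_reply(raw):
    """'open': a database list came back to an unauthenticated client.
    'refused': the server answered with an error document (authorization is on).
    'unexpected': not an OP_MSG reply (older server, different service, or reset)."""
    doc = parse_op_msg(raw)
    if doc is None:
        return "unexpected"
    keys = bson_top_level_keys(doc)
    if "databases" in keys:
        return "open"
    if "errmsg" in keys:
        return "refused"
    return "unexpected"


def probe(host, port=27017, timeout=5.0):
    """Send listDatabases with no credentials and classify what comes back."""
    request = build_op_msg({"listDatabases": 1, "$db": "admin"}, request_id=1)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        reply = b""
        while len(reply) < 4 or len(reply) < struct.unpack_from("<i", reply, 0)[0]:
            chunk = sock.recv(65536)
            if not chunk:
                break
            reply += chunk
    return classify_reply(reply)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print(f"{target}:27017 -> {probe(target)}")
```

An "open" result means the fix is on the server side, not the scanner: set `security.authorization: enabled` and restrict `net.bindIp` in `mongod.conf`, create an administrative user, and filter port 27017 at the network edge. A "refused" result shows the port is still reachable, which is worth closing too, since authorization alone leaves the service exposed to credential guessing and to any future unauthenticated bug.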

Some weaknesses can be fixed even more simply, with basic, free security tools available to anyone on the internet. In February 2016, hackers gained access to the systems of VerticalScope Inc., the parent company of more than a thousand lifestyle websites and forums, among them AutoGuide.com. While it is unclear exactly how 45 million users' credentials, email addresses, and IP addresses were stolen, VerticalScope's sites did not use HTTPS, and its forums ran vBulletin and other CMS software with known vulnerabilities. Reliance on legacy software, and the absence of basic HTTPS protection, are risks a business simply cannot afford online today.

Whistleblowing By Other Means

Some of these staples of the hacker toolkit can even have a history-changing impact. In 2014, an anonymous source known only as "John Doe" approached a German newspaper with 11.5 million documents taken from the files of Panama-based international law firm Mossack Fonseca.

In April 2016, after two years of work, more than eighty journalists cooperating under the auspices of the International Consortium of Investigative Journalists published their findings from the so-called "Panama Papers", revealing a massive underworld of offshore tax avoidance structures with high-profile clients in dozens of countries, including heads of state, elected officials, and business leaders. Post-leak technical analysis of Mossack Fonseca's IT environment revealed staggering vulnerabilities and damaging misconfigurations that could have allowed an attacker to access and steal decades' worth of records. Obsolete front-end software, unencrypted email, and a "high-risk SQL injection vulnerability" all offered means by which the source, who professed disgust with the firm's business practices, might have acquired the documents.

Political Hacking

The Mossack Fonseca disclosures damaged, and in some cases toppled, leaders around the world, part of a growing trend of politicized hacking. In July 2016, WikiLeaks began publishing over 19,000 internal emails from the Democratic National Committee, obtained by a hacker calling themselves "Guccifer 2.0." While US law enforcement has publicly accused the Russian government of involvement in the breach, what is definitively known is that Clinton campaign chairman John Podesta was fooled into providing his Gmail login information to the hackers via a spearphishing email. The message was a fake password reset notice, convincingly spoofing an official notification from Google, and this kind of lure is a reliably effective form of social engineering. The email authentication standards SPF, DKIM, and DMARC address exactly this: SPF lets a domain publish which servers may send mail on its behalf, DKIM lets the sending domain sign its messages, and DMARC tells receivers what to do with mail that claims to come from the domain but passes neither check in an aligned way, which is why deploying them reduces the chance that a spearphishing email with a forged sender reaches its target's inbox.
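How the three standards combine on the receiving side is easiest to see in code. The following is an added example for this page (not UpGuard's code and not a reference implementation): a Python function that takes the SPF and DKIM results a mail server has already computed and applies the DMARC logic of RFC 7489, including strict versus relaxed identifier alignment and the `sp=` subdomain policy. The domains, the policy record and the two messages are constructed for illustration; the organizational-domain rule is a deliberate simplification (last two labels) where a real receiver would consult the Public Suffix List.

```python
"""DMARC disposition for one inbound message, computed from SPF and DKIM results (RFC 7489)."""
from email.utils import parseaddr


def parse_dmarc_record(txt):
    """Parse a _dmarc TXT record such as 'v=DMARC1; p=reject; adkim=s' into a tag dict.
    Returns {} when the text is not a DMARC record."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else {}


def organizational_domain(domain):
    """Simplification used here: the last two labels. Real receivers use the Public Suffix List."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: strict ('s') needs an exact match,
    relaxed ('r') only the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return organizational_domain(auth_domain) == organizational_domain(from_domain)


def dmarc_evaluate(from_header, spf_result, spf_domain, dkim_result, dkim_domain, dmarc_txt):
    """Return (result, action): result in {'pass', 'fail', 'no-policy'},
    action in {'none', 'quarantine', 'reject'}.
    spf_domain is the SMTP MAIL FROM domain; dkim_domain is the d= tag of a verified signature.
    Assumes dmarc_txt was fetched from the organizational domain's _dmarc record."""
    from_domain = parseaddr(from_header)[1].rsplit("@", 1)[-1].lower()
    record = parse_dmarc_record(dmarc_txt)
    if "p" not in record:
        return ("no-policy", "none")
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, record.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, record.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return ("pass", "none")
    # sp= (when published) governs mail whose From: is a subdomain of the organizational domain
    is_subdomain = from_domain != organizational_domain(from_domain)
    action = record.get("sp", record["p"]) if is_subdomain else record["p"]
    return ("fail", action.lower())


# Constructed scenario: a password-reset lure whose From: forges the victim's provider domain.
# The attacker's own mail server passes SPF and DKIM, but for the attacker's domain, so neither aligns.
POLICY = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"

if __name__ == "__main__":
    lure = dmarc_evaluate("Example Accounts <no-reply@accounts.example.com>",
                          "pass", "mailer.attacker.example", "pass", "attacker.example", POLICY)
    print("forged reset mail:", lure)      # ('fail', 'reject')
    genuine = dmarc_evaluate("Example Accounts <no-reply@accounts.example.com>",
                             "pass", "bounce.example.com", "pass", "example.com", POLICY)
    print("genuine reset mail:", genuine)  # ('pass', 'none')
```

Two caveats a practitioner will want. First, SPF and DKIM on their own are not enough: the lure above passes both for the attacker's domain, and only the DMARC alignment check ties the results back to the visible `From:`. Second, DMARC protects a domain only when its owner publishes `p=quarantine` or `p=reject` and the receiver enforces it; it does nothing against look-alike domains the attacker registers, or against mail sent from a legitimate account that has been compromised.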

Such hacks are hardly confined to the American political system. In April 2016, two hacking collectives claimed responsibility for exposing the personal information of somewhere between 55 and 70 million Filipino voters in the run-up to the country's presidential election, perhaps the largest theft of government data ever.

That same month, MacKeeper uncovered an Amazon-hosted electoral database containing the voter registration records of 93.4 million Mexican citizens, more than 70 percent of the country's population; the political party Movimiento Ciudadano admitted it had put the information online.

In September 2016, MacKeeper also disclosed that two publicly accessible databases hosted on Google Cloud appeared to contain personal details, addresses, electoral records, and driver's license information for nearly 10 million Louisianians. As with the Mexican data, the databases required no password and were reachable on an open port, where an internet-wide scanning engine could find and index them.

Looking Forward

How should companies respond if they are hit in 2017? The example of "drag-n-drop" website host Weebly, which suffered a massive data breach, is instructive. In February 2016, Weebly was attacked by hackers who stole data on 43 million users. Because Weebly had hashed customer passwords with bcrypt, a deliberately slow, salted algorithm, the stolen hashes could not readily be turned back into passwords, and the attackers were unable to take over customer websites. Weebly was also responsive to the independent grey-hat hackers who notified it of the breach, which aided a swift response.
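The difference a slow, salted hash makes is worth seeing side by side. The following is an added example written for this page (not Weebly's code): an unsalted fast hash, the lookup-table attack a breach enables against it, and a salted, cost-tunable password hash with constant-time verification. It uses PBKDF2-HMAC-SHA256 from the standard library rather than bcrypt, because bcrypt needs a third-party package; the storage properties demonstrated (per-user salt, adjustable work factor, self-describing stored form) are the same ones bcrypt provides. The user names, passwords and wordlist are constructed for illustration.

```python
"""Password storage: an unsalted fast hash (what a breach exposes) beside a salted slow KDF."""
import hashlib
import hmac
import os

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor; raise it as hardware gets faster


def weak_hash(password):
    """Unsalted SHA-1: identical passwords give identical digests and crack by lookup table."""
    return hashlib.sha1(password.encode()).hexdigest()


def crack_by_lookup(stolen_hashes, wordlist):
    """What an attacker does with a dump of unsalted hashes: hash each candidate once,
    then match it against every user at dictionary speed."""
    table = {weak_hash(word): word for word in wordlist}
    return {user: table[h] for user, h in stolen_hashes.items() if h in table}


def hash_password(password, iterations=ITERATIONS):
    """Per-user random salt plus a slow KDF, stored as a self-describing string."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and cost; compare in constant time."""
    scheme, iterations, salt_hex, digest_hex = stored.split("$")
    if scheme != "pbkdf2_sha256":
        raise ValueError(f"unknown scheme {scheme!r}")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    # Constructed breach dump: three users, two of them with dictionary passwords.
    dump = {"alice": weak_hash("password1"),
            "bob": weak_hash("letmein"),
            "carol": weak_hash("Xq7!vZ9p")}
    print("cracked from unsalted dump:", crack_by_lookup(dump, ["123456", "password1", "letmein"]))
    stored = hash_password("password1")
    print("salted record:", stored)
    print("same password, second user, same hash?", hash_password("password1") == stored)
    print("verify correct:", verify_password("password1", stored))
    print("verify wrong:", verify_password("Password1", stored))
```

With the `bcrypt` package the equivalent calls are `bcrypt.hashpw(password, bcrypt.gensalt(rounds=12))` and `bcrypt.checkpw(password, stored)`; the cost parameter plays the same role as `ITERATIONS` here. Whatever the algorithm, the salt must be random per user, so that two users with the same password produce different records and a precomputed table is useless, and verification must be constant-time so the comparison itself does not leak.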

Hackers will continue to refine newer tactics, such as ransomware, and to rely on tried-and-true favorites, such as phishing, to get what they want. But as the worst breaches of 2016 show, the success of all these efforts relies at least in part on simple vulnerabilities and mistakes, which means they can be stopped.