The Year's 11 Biggest Hacks, From Ashley Madison to OPM

Each year hacks get bigger and louder, and 2015 was no different. But this year the hacking news collided with the government's encryption/backdoor debate.

Every year hack attacks seem to get worse---whether in their sophistication, breadth, or sheer brazenness. This year was no different. Big hacks hit a range of high-profile targets, from the web's leading adultery website to the federal Office of Personnel Management. We're also ending 2015 with a doozy of a hack mystery: Juniper Networks discovered two unauthorized backdoors in its NetScreen firewalls, one of which would allow the unknown hackers to decrypt protected traffic passing through the firm's VPN/firewall.

Juniper Networks found the backdoors at an apropos time---US officials are aggressively pressing US tech companies to install backdoors in their systems to let the government access protected communications for criminal and terrorist investigations. But opponents have long argued that a backdoor for the government would create a vulnerability that bad guys could exploit as well. Juniper's hack illustrates this point perfectly. The hidden VPN backdoor in the Juniper systems exploits weaknesses that the NSA is believed to have previously built into the encryption algorithm the Juniper systems---and the systems of some other security vendors---rely on to secure communications. Just as predicted, the attackers in this case essentially hijacked one alleged backdoor to create their own---earning them this year's award for the most ingenious and brazen attack.

Here's WIRED's look back at the biggest hacks in 2015.

OPM

The prize for the biggest hack of 2015 goes to OPM---the federal Office of Personnel Management. The hackers, reportedly from China, maintained their stealth presence in OPM's networks for more than a year before being discovered. When the breach was finally uncovered, initial estimates placed the number of victims at 4 million. But that number soon ballooned to more than 21 million, including some 19 million people who had applied for government security clearances and undergone background investigations, as well as an additional 1.8 million spouses and live-in partners of these applicants. The hackers got their hands on a trove of sensitive data, including the SF-86 forms of people who applied for clearances. The forms can contain a wealth of sensitive data not only about the workers seeking a security clearance, but also about their friends, spouses, and other family members.

If this wasn't bad enough, the agency eventually admitted that the hackers also gained access to the fingerprint files of some 5.6 million federal employees, many of whom hold classified clearances and use their fingerprints to gain access to secured facilities and computers.

Juniper NetScreen Firewalls

System administrators who planned to attend the Star Wars: The Force Awakens premiere probably had their plans wrecked when Juniper Networks announced on December 17 that it had found two backdoors installed in certain versions of its ScreenOS software. This is the operating system that runs on the company's NetScreen VPN/firewalls, which are used by government agencies and corporations around the world. As administrators scrambled to apply the patches Juniper released, they learned that one of the unauthorized backdoors consisted of a hardcoded master password the attackers had surreptitiously embedded in the software's source code. The password would essentially allow attackers to take complete control of any vulnerable NetScreen device connected to the internet.

The second backdoor was just as bad, but in a different way. This one appears to undermine the encryption algorithm known as Dual_EC that Juniper uses to encrypt traffic passing through the NetScreen VPN. The backdoor is the kind that a nation-state intelligence agency would love to have to give it the ability to intercept and decrypt large amounts of VPN traffic. But what makes the backdoor even more interesting and notable is the fact that it appears to be based on another backdoor the NSA allegedly created years ago in the Dual_EC algorithm for its own secret use, all of which underscored the risks of letting the government install backdoors in tech products.

Ashley Madison

Unlike the stealth OPM hack, the breach of AshleyMadison.com, a site that touted itself as the premier platform for married individuals seeking partners for affairs, was loud and flashy and deserves the award for brazenness. Exactly one month after their hack of the cheating site went public, the hacker or hackers behind the breach made good on a threat to release sensitive company data, dropping more than 30 gigabytes of internal company emails and documents, as well as details and log-in credentials for some 32 million accounts with the social networking site. The data included names, passwords, addresses, and phone numbers submitted by users of the site. Although many of the personal account details were fabricated by users to remain anonymous, the hackers also released seven years' worth of credit card and other payment transaction details, which exposed the real names and addresses of many customers. Reality TV star Josh Duggar was among those exposed by the breach. The company has been hit with several lawsuits from irate customers who accused the cheating site of being negligent in protecting their data.

Gemalto

Nation-state hacks connected to the NSA and the British intelligence agency GCHQ were in the news again this year. This time the victim was Gemalto, a Dutch firm that is one of the leading makers of mobile phone SIM cards. Although the attack was disclosed this year, it actually struck Gemalto in 2010 and 2011, according to The Intercept, which broke the story. The attackers targeted the company's huge cache of cryptographic keys, but Gemalto says they didn't succeed. If the hackers did obtain the keys, the hack has huge implications. Gemalto's SIM cards and cryptographic keys are used to help secure the phone communications of billions of customers of AT&T, T-Mobile, Verizon, Sprint, and more than 400 other wireless carriers in 85 countries. Stealing the crypto keys would have allowed the spy agencies to wiretap and decipher encrypted phone communications between mobile handsets and cell towers.

Kaspersky Lab

Another serious nation-state hack targeted the Moscow-based antivirus firm Kaspersky Lab. The attackers, believed to be some of the same group that created Stuxnet and Duqu, breached the security firm's networks in 2014 to gather intelligence about nation-state attacks the company is investigating. In 2010 Kaspersky researchers had helped decipher and expose Stuxnet, a digital weapon created by the US and Israel to sabotage Iran's nuclear program, and in 2011 had also helped decipher Duqu, a spy tool that struck targets in Iran and elsewhere. The attackers were apparently concerned about other attacks of theirs that the Kaspersky researchers might be working to expose. But the intruders, who used a malicious tool against Kaspersky that the security firm dubbed "Duqu 2.0," weren't just looking for information about attacks Kaspersky was investigating---they also wanted to learn how Kaspersky’s detection software worked so they could devise ways to bypass it and avoid getting caught on the machines of Kaspersky customers.

Hacking Team

Nation-state hackers themselves suffered a blow this year when the Italian hacking firm Hacking Team had a massive breach. The company sells surveillance software to law enforcement and intelligence agencies around the world, including oppressive regimes. Its software, which the company claims bypasses antivirus and other security protections to operate stealthily on a victim's machine, has reportedly been used against activists and political dissidents in Morocco, the United Arab Emirates, and elsewhere. Hacking Team is even suspected of selling a tool to someone in Turkey who used it against a woman in the US. The firm doesn't publicly identify its customers and generally sidesteps questions about its questionable buyers. But the hacker or hackers who breached the company's network dumped 400 gigabytes of company emails and documents online, including correspondence that exposed employees discussing the sale of their software to Syria and Turkey.

CIA Director John Brennan

In a world where security and surveillance companies like Kaspersky Lab and Hacking Team get hacked, no one is secure. But CIA Director John Brennan apparently thought his personal AOL account was safe---that's where a group of young hackers discovered he was storing the sensitive SF-86 application he'd filled out to obtain his top-secret government security clearance. Who needs OPM to store, and leak, your secrets when AOL will do just fine? As one of the hackers told WIRED, they didn't actually breach AOL's network or Brennan's computer to get into the spy chief's email account. They used the oldest form of hacking available---social engineering---to trick a Verizon worker into revealing Brennan's personal information so they could reset the password to his email account and take control of it.

Experian's T-Mobile Customers

Although this breach targeted T-Mobile customers, T-Mobile wasn't the target of the hack. Experian, the credit reporting agency, sheepishly disclosed to the mobile phone carrier this year that hackers had broken into its network to steal data on 15 million T-Mobile customers. T-Mobile had sent the data to Experian to conduct credit checks on new customers signing up for its services. The exposed data included names, addresses, birth dates, encrypted Social Security numbers, drivers’ license ID numbers, and passport numbers. The hack is a reminder that even if a company takes care to protect the data of its customers, third-party companies and contractors who do business with them also have to carefully guard that data.

LastPass

If you want to steal money, you rob banks. If you want to steal passwords, you hack a password manager. That's exactly what intruders did this year when they breached the network of LastPass, a service that offers users a one-stop shop to store their passwords. LastPass said the hackers accessed email addresses, encrypted master passwords, and the reminder words and phrases that users designated they wanted the site to ask them if they forgot their master passwords. LastPass said it used strong “hashing” and “salting” functions to secure the master passwords customers choose to lock the vaults where their plain-text passwords are stored, but the company admitted that if customers used simple master passwords, the attackers might be able to crack them. Let's hope that LastPass customers weren't using 12345 for their master keys and that other password services are using strong methods similar to LastPass to secure customer data.

IRS

The US Internal Revenue Service is not new to hacking. The federal agency, which processes the tax returns that individuals and businesses file each year, has been hit before. Initial reports indicated that the hackers this time accessed some 100,000 tax returns. But like the OPM hack, those numbers grew as the investigation deepened. Eventually authorities determined that the thieves accessed more than 300,000 taxpayer accounts. The hackers targeted the site's Get Transcript feature, which allows taxpayers to view and download copies of the tax returns they filed with the agency---which include sensitive information such as their Social Security numbers and incomes. Although tax filers have to answer multiple identity verification questions to access their files, the hackers apparently came armed with information they had gathered from other sources to correctly answer the questions.

Anthem

Health insurance providers have suffered a wave of attacks in the last couple of years. One of the biggest targets hit this year was Anthem, billed as the second largest health insurance company in the country. Hackers reportedly had access to data on some 80 million current and former customers, including names, Social Security numbers, birth dates, addresses, and income data. “Safeguarding your personal, financial and medical information is one of our top priorities,” the company said in a statement after the hack, “and because of that, we have state-of-the-art information security systems to protect your data.” But apparently that state-of-the-art security system didn’t involve encrypting or otherwise masking Social Security numbers. It's not clear if the attackers were after the data to commit identity theft or insurance fraud. But at least one security firm found similarities between the OPM and Anthem hacks, suggesting the same hackers, reportedly from China, targeted them.