Tales of De-Crypt: 2011 Authentication And IAM Horror Stories

Whos scared of monsters under the bed when theres Lulzsec, Russian mobsters, and cybercrooks creeping out there?

It has been a banner year for authentication and identity and access management (IAM) failures, with embarrassments of epic proportions hitting the headlines nearly every month so far this year. Weve seen a lot this year: targeted authentication tokens, sophisticated password-stealing Trojans, rogue certificates, stolen passwords and misappropriated accounts.
Dark Reading
takes a look at the most ghoulish hacks, vulnerabilities and screw-ups to hit the headlines in 2011.
1. RSA Token Terror
After a junior employee at security heavyweight RSA fell prey to a run-of-the-mill phishing attack, hackers were able to make their way into the companys network and hack into its SecurID servers. RSA confirmed that some information related to the RSA SecurID product had been extracted. But industry speculation has run high that the token seeds were compromised in some way.
Lessons Learned:
Security experts were aghast that the token seeds were resident in a place on the network where a hacker could even find them. The incident illustrates that network segmentation is a key best practice to mitigate the risk of a companys most critical assets.
2. DigiNotar Dead as a Doornail
The trustworthiness of certificate authorities (CAs) has been thrown into tumult after a single black hat dubbed ComodoHacker managed to create a handful of
fraudulent Comodo SSL certificates in March
and followed that up by hacking CA DigiNotar to
issue over 500 more rogue certs
. He claims to have hit other certificate authorities as well. The fallout ended up sinking the company some weeks later.
Lessons Learned:
Unlike the isolated Comodo incident, for which that company responded swiftly with notification and action, DigiNotar knew about the fake certs long before the news went public and did nothing to get the word out. The situation is a good reminder at how important communication is in high-impact breach situations. It also illustrates that the fundamental basis of trust for Internet authentication still needs work.
3. HBGary Federal Pwnage
After HBGary Federals CEO claimed he was on the brink of releasing damaging information about Anonymous members, the group went on the offensive against the firm and spawned the LulzSec/AntiSec movement in the process. It was able to
infiltrate the government contractors network
through SQL injection, steal stored passwords, and gradually own not just all the companys e-mail and internal accounts, but also its executives social media accounts.
Lesson Learned:
Hubris is not becoming of security executives who run companies that store passwords on insecure servers. Even the humble should learn to keep passwords better protected from multi-stage attacks that start with SQL injection. Anonymous was able to use Rainbow tables to crack the passwords encryption because the firm used weak MD5 hashes to protect them.
4. LulzSec Lurks Everywhere
The members of
LulzSec and AntiSec
have kicked the poorly constructed security anthill at dozens of enterprises, government agencies and more by breaking into network and distributing unencrypted passwords and other sensitive information far and wide in an embarrassment campaign with lasting repercussions. Some of the biggest-impact breaches include the one at
Sony Pictures
, which exposed a million account details,
Booz Allen Hamilton
, for which a cache of tens of thousands of passwords and emails was published and even at the U.S. Senate Web property, for which some e-mails and passwords of users were released.
Lessons Learned:
LulzSec owes much of its success to two key vulnerabilities that plague organizations over and over again. First is a lack of input validation or database monitoring that allows them to commit SQL injection attacks at will. And second is the propensity of organizations to store login information unencrypted and unprotected within network systems.
5. Hackers Guess Citi Account Numbers
Hackers were able to game Citgroups online account site by manipulating the account number that appeared in the Web address browser bar to randomly guess other account numbers and gain access to random customers accounts. The trick gave them
access to customer names, account numbers, and transaction information
.
Lessons Learned:
Web applications providing access into sensitive information, financial or otherwise, must be tested not only for vulnerabilities but also for business logic flaws such as the one that allowed hackers to circumvent Citis online banking authentication engine.
6. Bank of America Rogue Employee
An employee who used access to Bank of America systems was able to leak information to an identity theft ring that used it to modify bank account information and create fake accounts under the names of victims, stealing $10 million before authorities caught up with them this year.
Lessons Learned:
Role-based access controls and frequent reviews of privilege rights are critical to prevent rogue employees from engaging in unauthorized activity and access to information they can turn over to thieves.
7. Duqu Doom Descends
A refinement on the code foundation laid down originally by Stuxnet,
Duqu
has raised the hair on the back of the neck of many security researchers since it was discovered this month. This password- and data-stealing Trojan features a rogue certificate thats since been revoked, but its able to fly under the detection radar by injecting itself into running processes.
Lessons Learned:
Duqu scares folks because it has them questioning the security trust model on many levels. Not only is this another instance of hackers manipulating the certificate authority ecosystem, its lack of disk access should have security vendors looking for better ways to detect attacks like this in the future.
Have a comment on this story? Please click Add Your Comment below. If youd like to contact
Dark Readings
editors directly,
send us a message
.

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
Tales of De-Crypt: 2011 Authentication And IAM Horror Stories