5 Events in 2011 That Challenged Online Security and Trust Assumptions
2011 is only three-quarters through. Yet, so much has already happened in the world of infosec this year that I’d like to start thinking about the events that have challenged our online security and trust assumptions.
- Data breach at RSA allowed attackers to compromise aspects of the SecurID product and led to compromises of defense contractors and possibly other firms. Until this incident, the effectiveness of SecurID specifically and token-based authentication in general as a security control was rarely, if ever, questioned.
- Data breach at the CA company DigiNotar allowed the attacker to issue illicit digital certificates for popular sites such as Google, Microsoft, AOL and many others. The certs, when used in a man-in-the-middle scenario, allowed attackers to stealthily snoop and modify the traffic that victims exchanged with these sites. The incident highlighted some of the limitations in the CA-based SSL trust model of the web.
- A surge in MacDefender malware for OS X, and the ease with which this rogue antivirus program spread demonstrated that OS X was also vulnerable to infections. While Apple issued software updates in attempts to curtail the spread of MacDefender, the company’s arguably slow response hinted on the company’s relative inexperience at dealing with such incidents.
- The appearance of ZeuS malware modules for mobile devices allowed attackers to intercept SMS authentication codes. By infecting both the victim’s PC and mobile phone, the attackers obtains victims’ banking logon credentials from the infected computer and could collect one-time authentication codes transmitted to their phones. This development highlighted the limitation of relying on the phone as the foolproof authentication token.
- The re-emergence of malicious hacking groups that compromised data for political and other causes or just for fun highlighted the diversity and vulnerability of potential targets. (Anonymous and LulzSec are the most prominent examples of such groups.) Their attack campaigns have caused many organizations that were complacent in their perspective on information security to reexamine their infosec posture.
These events are acting as catalysts for changing the threat models we use to secure data, networks and applications. If there were other critical events that I failed to list, please leave a comment. What will the remainder of 2011 bring? We’ll know soon enough.
Hand-picked related items: