Examining the Worst Data Breaches of 2013: Part 2

Yesterday, we looked at why this year’s Adobe breach was unique in both scale and what it caused for ripple effects in the security industry. Now let’s continue and look at more of the worst data breaches of 2013.

Social Media and the News as Attack Vector – Reporters became political targets, and the hijacking of media itself became a strategic breach.

The Syrian Electronic Army (SEA) captured the “hacktivist” crown this year, with a series of defacements and hacks of major news organizations and Twitter handles. The SEA is a loosely defined group of attackers supporting Syrian President Bashar al-Assad, who made national headlines with their claim of an attack on President Obama from the Associated Press’ Twitter handle, causing a brief $136 billion dollar dive in the stock market. The SEA went on to deface the The New York Times, The Washington Post, National Public Radio, and Al-Jazeera, among other news outlets. You may rightly be asking yourself, “If these attacks were primarily about causing havoc and getting a pro-Assad message out, how does this constitute a data breach?” The answer is simpler than you might think.

Data breaches are always about information, whether it is Personally Identifiable Information (PII), accounts and passwords, or intellectual property. The SEA flipped this strategy on its head; it was the first time information distribution itself became the target. Social media and the news are primarily about connecting the right people with the information they want to find. The AP’s Twitter handle or the New York Times are trusted news sources, and in the eyes of many, so is their information.. As we saw with the fake President Obama message, information is inherently valuable in its own right. The SEA learned that controlling the flow of information and message from a trusted source can have an outsized impact.

The other half of the equation could be something all together more sinister. If the SEA was able to compromise accounts, domains and sensitive locations on the network, there would be a wealth of information potentially available to them. Given their political motivations, and the wealth of confidential sources news organizations rely on, the SEA could have been looking for intelligence on these sources for reprisal.

GitHub – Became a GotHub. How much intellectual property was stored in private GitHub accounts?

In a codification of the ripple effect from large breaches like Adobe, we come to GitHub. The service sits in a unique position on the web, being a place to come together and collaborate on software development, and it is this position that differentiates their breach. First off, GitHub represents a treasure trove of intellectual property: new products, proof-of-concepts, the potential fortunes of start-ups and established businesses around the world. Apart from financial motivations, a clever attack could do interesting things like injecting malicious code into an active project, signed by the author.

How did the breach happen though? GitHub saw nearly 40,000 unique IP addresses being used to brute-force weak user passwords. Given the ubiquity of shared usernames and passwords we have mentioned before, it is very likely the lists gleaned from Adobe were used in the brute-force attempts. One thing is clear: the GitHub breach highlights the shift caused by collaborative and often cloud-based web applications. These services hold the crown jewels, with massive stores of data accessible from anywhere, with countless vectors available for attack. Weak passwords, shared credentials, lack of two-factor authentication and countless other avenues for compromise are created each day.

What does it all mean?

As an industry, we need to move away from thinking about data breaches in terms of ever-larger losses of customer records and increasing targets. Big breaches aren’t going away, but attackers are moving toward more targeted and persistent breaches.

To this new breed of attacker, it’s about the specific intellectual property and monetary gains obtained from a smaller group of high-value organizations. Attackers are also thinking about maximizing their efforts with the asymmetric nature of breaches, meaning compromising the right organization, with the right type of information and the right user can help them easily pivot towards other applications.

Frame it this way: an attacker creates a compilation list of usernames and passwords from many large breaches and builds or rents a large distributed Botnet. The attacker has a specific organization in mind, where the attacker wants a special piece of software, or to deface a site for political retaliation. The Botnet is turned against the site, feeding the stolen user credentials in slow enough, from enough unique IPs, it looks like perfectly normal traffic. Add in the layers of a blended threat, with complementary spearphishing attacks and custom-crafted malware, and you begin to see how today’s era of data breaches may be a little smaller, but much more deadly.