The security industry can be a giant repetitive, follow-the-loser echo chamber of unoriginal thoughts, familiar flaws and copycat theories. But if ever there was a year in which folks could stand back and look at what’s gone on and say, what in the hell just happened, 2011 was it. So rather than going in for the typical year-in-review or top stories shtick, let’s just have a look back at some of the more absurd, unexpected and amusing twigs and berries from the last 12 months, shall we?
It’s hard to pick a place to start with the ridiculousness that went on this past year, but the attack on RSA seems as good a place as any. The first public news of the compromise came from RSA itself, when it published a blog post explaining that an attacker had been able to gain access to the company’s network through a “sophisticated” attack. Officials said that the attacker had compromised some resources related to the RSA SecurID product, which set off major alarm bells and ripples throughout the industry. SecurID is used for two-factor authentication by a huge number of large enterprises, including banks, financial services companies, government agencies and defense contractors, to name a few. Within a couple of months of the RSA attack, there were attacks on SecurID customers, including Lockheed Martin, and the working theory many experts espoused was that the still-unidentified attackers were interested in LM and other RSA customers all along and, having run into trouble compromising them directly, went after the SecurID technology and then looped back to the customers once that was in hand.
This attack is one of the rare ones to fall into both the “Wow, I didn’t see that coming at all” and “Man, I really should’ve seen that coming” categories. RSA is an obvious target for any attacker, whether he’s looking for bragging rights for some silly Web pwnage or is more interested in dumping the database of SecurID seeds. But, at the same time, the specifics of the attack were so depressingly mundane (targeted phishing email with a malicious Excel file attached) that they caught some people off-guard. Either way, it turned out to be an oddly appropriate standard-bearer for 2011.
Next up in the cavalcade of weirdness would have to be the mostly true adventures of Anonymous and LulzSec. The two groups, which may or may not be sub-sets or super-sets of one another, dominated the headlines for much of the year, beginning with the pre-emptive strike by Anonymous on HBGary Federal CEO Aaron Barr that eventually led to his resignation. Barr had bragged publicly that he was going to identify some members of the group during a talk in San Francisco during the RSA Conference week. Anonymous members responded by dumping a huge cache of personal emails belonging to Barr and other HBGary Federal executives online.
Anonymous and LulzSec then spent the next few months targeting various retailers, public figures and members of the security community. Their Operation AntiSec aimed to expose alleged hypocrisies and other sins by members of the security community. They targeted a number of federal contractors, including IRC Federal and Booz Allen Hamilton, exposing a lot of personal data in the process. To take this to its inevitably absurd conclusion, Congress tried to get involved in July when Sen. John McCain urged Senate leaders to form a select committee to address the threat posed by Anonymous/LulzSec/Wikileaks.
Because all of our other national problems have been solved.
Now, as goofy as the RSA and Anonymous stories have been, the award for most ridiculous, dopey and silly storyline of 2011 has to go to the compromises of various certificate authorities throughout the year. Comodo was the first to fall when it was revealed in March that an attacker had been able to compromise the CA infrastructure and issue himself a pile of valid certificates for domains belonging to Google, Yahoo, Skype and others. The attacker bragged about his accomplishments in Pastebin posts and later posted evidence of his forged certificate for Mozilla.
In the aftermath of the attack, teeth were gnashed, hands were wrung and hair was pulled out. Solutions were proposed, ideas forwarded and Moxie Marlinspike essentially went away for a little while and solved the problem with his Convergence notary system. Then everyone kind of went on about their business and pretended that the CA system still works.
Oh, and then it happened again. And it was the same guy.
This time, Comodohacker, who is apparently an Iranian national, targeted the Dutch CA DigiNotar. The details of the attack were slightly different, but the end result was the same: He was able to issue himself several hundred valid certificates. He branched out a little this time, though, going after domains owned by the CIA among others. In the end, all of the major browser manufacturers had to revoke trust in the DigiNotar root CA and the damage to the company was so bad that the Dutch government eventually took it over and later declared it bankrupt.
This actually happened. A lone attacker not only made Microsoft, Apple and Mozilla yank a root CA from their list of trusted roots, he also forced a certificate authority out of business.
So if we look back at 2011, the year that security went bananas, what did we learn? If history is any guide, probably nothing. But if there’s one fact that emerged from all of the chaos and finger-pointing that went on, it’s that not only can anything happen in this industry, it’s likely.