Like last year, we've pulled together the most popular Threatpost stories of the year. In case you missed any, or you're looking to relive 2015, it's all here: Stagefright, Pwn2Own, hacked children's toys and more.
10: Google to Embrace DMARC
Google announced in October that it would adopt a stricter DMARC (Domain-based Message Authentication, Reporting and Conformance) policy in June 2016 and, in doing so, reject any messages that fail the corresponding authentication checks. The move is expected to curb phishing and limit email address spoofing, and it apparently got the attention of Threatpost readers, as it was the 10th most-read story of the year.
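As an added illustration (not code from Google or Threatpost) of what "fail the corresponding authentication checks" means under a p=reject policy, here is a simplified DMARC evaluation in Python: a message passes if SPF or DKIM passes and the authenticated domain aligns with the From domain; otherwise the record's p= action applies. The record and authentication results are constructed samples, and the organizational-domain lookup is approximated as the last two labels rather than the Public Suffix List a real receiver would consult.

```python
# Simplified DMARC policy evaluation, modelled on the RFC 7489 rules.
# Added example; the record below is a constructed sample, not Google's.
RECORD = "v=DMARC1; p=reject; adkim=s; aspf=r"


def parse_dmarc(txt):
    """Parse a DMARC TXT record into a tag dict; defaults to relaxed alignment."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    return tags


def org_domain(domain):
    # Assumption: last two labels approximate the organizational domain.
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain, auth_domain, mode):
    """Strict ('s') needs an exact match; relaxed ('r') needs the same org domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_disposition(record, from_domain, spf_result, dkim_result):
    """spf_result / dkim_result are (authenticated_domain, passed) or None.
    Returns 'pass' or the policy action ('none', 'quarantine', 'reject')."""
    tags = parse_dmarc(record)
    spf_ok = (spf_result is not None and spf_result[1]
              and aligned(from_domain, spf_result[0], tags["aspf"]))
    dkim_ok = (dkim_result is not None and dkim_result[1]
               and aligned(from_domain, dkim_result[0], tags["adkim"]))
    if spf_ok or dkim_ok:
        return "pass"
    return tags["p"]
```

With p=reject, a spoofed From address whose SPF and DKIM domains belong to the sender's own infrastructure fails alignment and is rejected outright rather than merely flagged.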
Facebook made some serious strides in security this year. It adopted OpenPGP encryption, appointed ex-Yahoo CISO Alex Stamos as CSO, and even began notifying users of targeted, nation-state attacks. At the beginning of the year, however, a Trojan disguised as a phony Flash player circulated on the social network and infected more than 110,000 users in just two days. Facebook eventually blocked the links and stopped them from spreading; whatever the company is doing, it's working, as attacks like these have been few and far between over the last several months.
A slew of Cisco appliances were affected by a serious vulnerability this summer: an attacker who discovered the default SSH key could connect to the appliance and do as they pleased. The company's Web Security Virtual Appliances, Email Security Virtual Appliances, and Content Security Management Virtual Appliances were affected. While Cisco was quick to fix the issue, that doesn't make the fact that it existed in the first place any more comforting.
A smorgasbord of vulnerabilities in the Open Smart Grid Protocol, a collection of specifications used to deliver information for meters, modules, and other smart grid devices, was brought to light by a paper in May. Experts like Matthew Green, noted cryptography professor at Johns Hopkins, railed against the weak homemade encryption scheme discussed in the paper. Perhaps the best takeaway from the debacle was the following advice from Adam Crain, security researcher and founder of Automatak: "The No. 1 rule of cryptography... 'Don't invent your own.'"
GHOST was one of the year's more critical and memorable vulnerabilities (thanks in part to its seriously Pac-Man-esque logo). The issue, unearthed in January, affected all versions of Linux dating back to 2000, thanks to a heap-based buffer overflow in glibc, the GNU C library. The vulnerability ultimately spurred a handful of articles, especially after researchers disclosed in the following weeks how PHP apps, WordPress, ICS products, and enterprise apps were affected. It was the first article, published shortly after researchers at Qualys identified the vulnerability, that clocks in at No. 3 on our list.
No browser proved impenetrable at this year's Pwn2Own, the hacking contest that runs alongside CanSecWest each March in Vancouver, Canada. Each of the major browsers (Microsoft's Internet Explorer, Mozilla's Firefox, Google's Chrome, and Apple's Safari) fell on the second day of the competition. Together, HP's Zero Day Initiative and Google's Project Zero, the two organizations that host Pwn2Own, paid out $442,000 to researchers for their work over the course of the two days.
Google got the attention of a lot of readers back in April when it began phasing out NPAPI, an archaic cross-browser plugin API, in Chrome. The move was announced almost a year and a half in advance, but that didn't prevent frustrated Chrome users from flocking to the comment section of the story. The technology, whose name stands for Netscape Plugin Application Programming Interface, dates back to 1995 and was one of the first ways developers added functionality to browsers. When Google phased it out in April, it essentially turned off plugins like Java and Silverlight by default, angering many an IT department employee. The company went on to remove it from the browser entirely in September.