2015 network security highlights
Monday, December 7, 2015
At the end of last year, Security Bull published its first annual review of security events, "2014 Network Security Events". That article reviewed the most influential events in the security industry during the year and offered a brief judgment on future trends. After publication it drew attention from many people in the industry and even from regulators, which suggests that such a review has reference value for the industry and for society. Security Bull has therefore decided to keep reviewing the year's network security events in this form. Another year is about to pass, so let's look at the 2015 cybersecurity highlights.
1、 Security events in full swing
2015 can be called the breakout year for domestic security events. Chinese practitioners and companies not only took an active part in influential foreign security conferences; it was also the year with the densest schedule of domestic conferences, salons, forums, exhibitions, competitions and other activities.
Among these, exploitation and attack-and-defense competitions were especially popular. The main exploitation contests were Pwn2Own internationally and GeekPwn and HackPwn in China. Whether the target was the most secure operating system or browser, the most popular software application, or smart devices such as cars, drones, electric ovens, POS terminals and mobile phones, none of them held up in front of the top exploit researchers. Domestic attack-and-defense competitions also took off: for example, the 180-participant contest held on Beijing's April 29 Capital Cyber Security Day, the 2015 China Cyber Security Competition in Wuhan, and the annual XDCTF cybersecurity competition, among contests held across the country.
List of important security industry events in 2015
The explosion of security events reflects the rising tide of security awareness across society, but it also reveals a degree of impetuosity. Security is not just vulnerabilities and fixes, nor just hackers and attack-and-defense experts. More important are the defenders and builders who do day-to-day security work, the practitioners who understand how enterprises and their businesses operate; they are the cornerstone of the whole security industry.
2、 Financing and M&A continue
International
In 2015 the security industry saw a wave of investment and M&A, with at least 20 financing or acquisition deals above US$100 million. The three largest were Bain Capital's US$2.4 billion acquisition of Blue Coat, SingTel's US$770 million acquisition of the managed security service provider Trustwave, and Cisco's US$635 million acquisition of OpenDNS.
Foreign security industry acquisition and financing trends in 2015
Note: this table only includes deals of US$100 million and above
From this information it can be seen that cloud security and security services are a major theme of financing and M&A, and that Israeli start-ups are rising in the security industry.
Domestic
Baidu, Tencent, Alibaba and 360 all made frequent investment and acquisition moves this year. The influential, publicly known deals were: Tencent's second investment in Knownsec (Chuangyu), of about 600 million yuan; Baidu's full acquisition of Anquanbao, for an undisclosed amount of at least 100 million yuan; Alibaba's acquisition of Hanhaiyuan, reportedly for about 200 million yuan; and 360, which in May formally announced the establishment of 360 Enterprise Security Group and has meanwhile invested in many security companies, such as Skyguard and Winut, with total investment of more than 3 billion yuan over the past three years.
Beyond the Internet giants, a number of emerging and start-up security companies, such as Mingchao Wanda, Safedog, WooYun, Witkey Security, Vulbox, ThreatBook, Skyguard and Clover Security, also raised financing in the tens of millions of yuan.
In strategic cooperation, Tencent and Venustech, Alibaba Cloud and DBAPPSecurity (Anheng), and PricewaterhouseCoopers and Gu'an Tianxia reached agreements on endpoint security services, cloud security and security advisory services respectively. After reaching a middleware technology partnership with IBM, Teamsun (Huasheng Tiancheng) launched a domestic server based on IBM POWER technology.
In listings, both Topsec (Tianrongxin) and Shangxun Information listed on the New Third Board (NEEQ), and traditional security vendors such as Koal (Shanghai Geer), JIT (Jida Zhengyuan) and Hillstone Networks (Shanshi) are actively planning to go public.
There were also three large merger and acquisition events in China this year: Cisco and Inspur jointly invested US$100 million to establish a joint venture; AsiaInfo acquired all of Trend Micro's China business and set up an independent security company, AsiaInfo Security; and Tsinghua Unigroup (Ziguang) acquired 51% of H3C for US$3 billion. In addition, Qihoo 360 is completing a privatization at a total price of about US$9 billion and plans to list in China. These events show the effect of localization policy on enterprises: foreign companies want to keep their share of the Chinese market through joint ventures or M&A, while domestic security companies believe they cannot get fair value in foreign markets. Next year, more and more foreign-affiliated companies can be expected to integrate into the domestic market.
3、 Vulnerability impact goes underground
In another article released by Security Bull at the end of last year, "Seven Network Security Trends for 2015", the vulnerability outlook for 2015 was predicted as follows: "Software and systems based on communication protocols and traditional operating systems, which matured earlier and are widely used today, such as Java and Android, will have the greater impact. As for smart-home and wearable devices, although manufacturers lack security considerations, and many vulnerabilities can be expected to be found, the lack of large-scale deployment means the vulnerabilities cannot form a huge impact."
Now let's look at this year's major vulnerabilities. The list does not include vulnerabilities that have not been widely exposed or have not actually had a significant impact.
Stagefright / Java deserialization / WormHole / Redis unauthorized access / SS7 / ping socket use-after-free / DexClassLoader / VENOM / SMB redirection / FREAK / GHOST
Among these are system-level vulnerabilities such as Stagefright, protocol-level vulnerabilities such as FREAK and SS7, application-level vulnerabilities such as WormHole, and "old" vulnerabilities such as SMB redirection. Either way, none caused impact or losses at the level of last year's Heartbleed. The reasons include not only stronger security work across the whole industry, but also improved emergency response capability and vulnerability submission mechanisms. It cannot be ignored, however, that vulnerabilities traded on the underground black market remain harmful to the interests of Internet users worldwide, and even to national and social security.
4、 Information leaks keep surging
In 2015 the largest information leaks were: 27 million current and former U.S. government employees and applicants at the U.S. Office of Personnel Management (OPM); 80 million customers and employees of Anthem, the second-largest health insurer in the United States; 37 million users of the extramarital dating site Ashley Madison; and the breach of the Italian spyware company Hacking Team, in which 400 GB of data, including multiple zero-day vulnerabilities, intrusion tools and large numbers of work emails and customer lists, were posted on the Internet for anyone to download.
These four leaks had different kinds of influence. OPM rose to the level of political confrontation between states over cyber operations. Anthem mainly involved customers' personal insurance numbers and medical records. Ashley Madison mainly involved privacy and moral issues; two people committed suicide because of the incident. The impact of Hacking Team lies mainly in the weaponized vulnerabilities and the exposed backdoor code, which effectively handed cyber weapons to criminals and easily raised the average technical level of the whole underground economy.
The following are the information leaks with major global impact in 2015. The time given is the month of disclosure, not the time of occurrence:
- At the end of 2014, information on 130,000 users of the China Railway ticketing site 12306.cn was leaked, including ID card numbers and login passwords; according to investigation and analysis, it appears to have been the result of credential stuffing;
- In January 2015, the Russian dating site Topface had 20 million usernames and email addresses stolen;
- In February, Uber disclosed that the personal information of 50,000 Uber drivers had been obtained by an unknown third party, including social security numbers, driver photos and vehicle registration numbers;
- In March, the health insurer Premera Blue Cross revealed that the medical and financial data of 11 million customers had been leaked;
- In March, information on about 150,000 patients of the dental provider Advantage Dental was leaked, including names, addresses, dates of birth, telephone numbers and social security numbers;
- In April, 360's Butian (补天) vulnerability platform disclosed that 52.794 million records of social security systems in 19 provinces were exposed, including personal ID numbers, social insurance information, finance, salary, housing and other sensitive information;
- In April, Metropolitan State University leaked the personal information of 160,000 students, including dates of birth, home addresses, telephone numbers and grades;
- In May, the well-known adult dating site Adult FriendFinder leaked information on 3.9 million users, including email addresses, IP addresses and even sexual preferences;
- In May, the mobile phone monitoring software vendor mSpy leaked information on about 400,000 users, including emails, SMS messages, photos, payment records and tracking data;
- In May, the U.S. Internal Revenue Service (IRS) leaked the financial information of more than 100,000 taxpayers;
- In July, the order database of the underwear and apparel maker Hanesbrands was hacked, leaking information on about 900,000 online and telephone customers, including addresses, telephone numbers and the last four digits of credit card numbers;
- In July, FireKeepers Casino Hotel disclosed that 85,000 credit and debit card records from 2014 had been exposed, including card numbers, names, verification codes and expiration dates;
- In August, more than 6 million user account passwords of the online ticketing platform Damai.com were leaked and sold on underground forums;
- In August, the personal information of about 2.4 million online customers of the British telecom retailer Carphone Warehouse was leaked, including names, addresses, dates of birth and encrypted credit card data;
- In October, more than 16 GB of files were leaked from the crowdfunding site Patreon, including the email addresses of 2.3 million users;
- In October, Experian, which provides data services to the U.S. mobile carrier T-Mobile, was hacked, exposing the personal information of 15 million T-Mobile customers and applicants, including names, dates of birth, addresses, social security numbers and ID numbers;
- In October, the contact information of more than 4.6 million customers of the U.S. online brokerage Scottrade was obtained by attackers; the leaked information consisted of customer names and addresses;
- In October, the British telecom operator TalkTalk leaked the information of 1.2 million users, including emails, names and phone numbers, as well as tens of thousands of bank account details;
- In October, the WooYun platform exposed a "suspected leak" of the NetEase user database, numbering nearly 500 million records. Although there is so far no evidence to confirm that figure, many ordinary netizens reported that their mailboxes had been logged into and tampered with, and it is an indisputable fact that some people whose Apple IDs were registered with NetEase mailboxes had their phones locked by criminals;
- In November, 54 hotels of the Starwood group found malware stealing credit card information, including customer names, card numbers, security codes and expiration dates; the number of records leaked has not been announced;
- In November, the personal information of 5 million adult users and 6 million children was leaked from VTech, a Hong Kong maker of children's educational electronics, including login passwords, IP addresses, photos, chat logs, names and genders;
- In December, the British pub chain J D Wetherspoon leaked the information of 650,000 customers, including names, dates of birth, emails and phone numbers.
It is worth noting that, compared with 2014, the exposure of domestic information leaks shows a rising trend.
5、 APT attacks emerge endlessly
APT28
APT28, active since 2007, continually uses zero-day vulnerabilities to attack NATO and U.S. defense agencies. It is a highly skilled cyber-espionage group that collects defense and geopolitical intelligence; analysts assess that it is backed by the Russian government.
APT17
APT17 has attacked U.S. defense contractors, law firms and government agencies, as well as technology and mining companies. The group mainly uses spear phishing for initial access, and used Microsoft's TechNet technical documentation site as a relay for its command-and-control infrastructure.
Duqu
The anti-virus vendor Kaspersky was itself hit by an APT this year. The attack tool used is called Duqu 2.0, which exploited three Microsoft zero-day vulnerabilities. Duqu is one of the most closely watched malicious programs since the Stuxnet worm, and most of its earlier activity was seen around industrial control systems.
Naikon
Over the past five years, the Naikon hacking group has conducted a large number of high-profile, geopolitically motivated operations. It has deployed advanced data-harvesting and surveillance tools in many countries, mainly targeting top-level government agencies and civil and military organizations in the Philippines, Malaysia, Cambodia, Indonesia, Vietnam, Singapore, Myanmar, Nepal and other countries.
Sandworm
A hacking group named the Sandworm team used the "Sandworm" zero-day vulnerability in the Windows operating system, delivered through crafted PowerPoint files, to carry out attacks. There were five main categories of targets: governments, universities, NATO, energy agencies and telecom operators, spread across Europe and even the United States.
Turla
Turla is a highly sophisticated cyber-espionage group, possibly backed by the Russian government, which for more than a decade has carried out espionage against government agencies, embassies and the military. More than 40 countries, including Kazakhstan, China, Vietnam and the United States, and especially countries in Eastern and Central Europe, are among its targets. At the high end, Turla hijacks the satellite Internet links of legitimate users and uses those IP addresses to exfiltrate data, hiding the location of its command-and-control servers.
Equation group
According to a research report released by Kaspersky Lab, a hacking group called the "Equation Group" (suspected of being backed by the U.S. National Security Agency) implanted spyware in the firmware of hard drives from more than ten brands, including those of well-known manufacturers such as Seagate, Toshiba and Western Digital. The group's activities date back to 2001 and may even have started in 1996; it has infected thousands of computer systems in more than 30 countries and regions with a variety of spyware. Its main target countries include Iran, Russia, Afghanistan and China, and its targets span government, military, financial, energy, media and other institutions.
OceanLotus
A report released by 360's SkyEye (天眼) Lab disclosed for the first time the details of a state-level hacking campaign against China. The overseas hacking group is named "OceanLotus" (海莲花). Since April 2012, OceanLotus has used Trojans to capture and control the computers of government staff, outsourcing personnel, industry experts and other target groups, and even to manipulate those computers into automatically sending out relevant information. Its targets are China's maritime institutions, maritime construction departments, scientific research institutes and shipping enterprises, in an APT campaign backed by a foreign government.
In recent years the trend of APT attacks has intensified, reflecting the contest between states at the level of cyberspace.
6、 Security incidents draw attention
The most influential security incident in China was the XcodeGhost incident.
On September 17 this year it was revealed that unofficial downloads of Apple's Xcode development environment contained malicious code that automatically injected information-stealing and remote-control functions into compiled apps. WeChat, NetEase Cloud Music, Amap (Gaode Maps), Didi Chuxing, the Railway 12306 app and even some banks' mobile apps were confirmed to be affected; more than 3,000 apps on the App Store were infected.
There were two other major incidents in China. First, in May this year, Ctrip was down for more than ten hours because of an operational error by its employees; large numbers of users could not access the site, causing direct losses in the tens of millions of yuan. Second, on September 1, an update to the Yundun "Security Knight" (安骑士) product pre-installed on Alibaba Cloud servers triggered a bug: all newly launched executable files were quarantined as malicious, some users' online services were seriously affected, and operations work could not be carried out.
Security incidents are often caused by lax security management or process problems. As the Internet becomes more pervasive, the stable operation of huge systems becomes more and more important, and operations and maintenance work is an important part of security work as a whole.
7、 Policies and regulations take shape
Domestic
In the article "Seven Network Security Trends for 2015" it was "boldly predicted that in 2015 the draft legislation may be introduced". At the end of June 2015, the 15th session of the Standing Committee of the 12th National People's Congress deliberated on the Cybersecurity Law (Draft), and public comments were solicited in early July. The main contents of the draft include: establishing the basic principles of cybersecurity work, bringing personal information protection and the security of network products and services onto a proper footing, and stipulating that the government may take temporary measures to restrict networks in major emergencies. It can be predicted that once the draft becomes formal law, other related security regulations and rules will be issued one after another.
Some other influential events related to security policy:
- In June, the Internet Society of China's Self-Discipline Convention on Vulnerability Information Disclosure and Handling was signed in Beijing, proposing the three principles of "objective, timely and appropriate" disclosure of vulnerability information;
- In June, the General Office of the State Council issued Several Opinions on Using Big Data to Strengthen Services to and Supervision of Market Entities, calling for increased R&D and capital investment in network and information security technology, the establishment and improvement of an information security assurance system, and the adoption of necessary management and technical measures to effectively protect the information security of the state, citizens, legal persons and other organizations;
- In July, the new National Security Law took effect. The new law requires building a network and information security system, enhancing network and information security protection capability, and achieving security and controllability of core network and information technologies, critical infrastructure, and information systems and data in important fields;
- In August, the National People's Congress formally passed Amendment (IX) to the Criminal Law of the People's Republic of China, which clarifies network service providers' obligation to perform information network security management, increases penalties for information network crimes, further strengthens the protection of citizens' personal information, and adds explicit provisions on the crime of fabricating and spreading false information;
- In September, the State Council issued the Action Plan for Promoting the Development of Big Data. On network and big data security, it requires the adoption of secure and reliable products and services in areas related to national security and stability, achieving secure and reliable key equipment in key departments by 2020;
- In November, the State Administration for Industry and Commerce issued Opinions on Strengthening Supervision of the Internet Market, comprehensively strengthening supervision of the Internet market and promoting "governing the Internet by law, managing the Internet with the Internet, building the Internet on credit, and governing the Internet collaboratively".
International
- In May, the Bureau of Industry and Security of the U.S. Department of Commerce published a proposed rule implementing the revised Wassenaar Arrangement. Under the proposal, a U.S. company or individual reporting a vulnerability to a foreign vendor would count as an export requiring prior government authorization, and would otherwise be illegal;
- In June, the U.S. Congress passed the USA FREEDOM Act, and in November the National Security Agency formally ended its bulk collection of domestic telephone metadata;
- In October, the Court of Justice of the European Union declared "Decision 2000/520", the basis of the U.S.-EU Safe Harbor agreement, invalid. Data regulators in EU member states can now prohibit U.S. companies from collecting and storing the personal data of their citizens;
- In October, the U.S. Senate passed the Cybersecurity Information Sharing Act, which allows companies and the government to share information about cyber attacks. The House of Representatives had already passed its version, and the act will become law once President Obama signs it;
- In November, the British government released a new draft Investigatory Powers Bill, which would require Internet companies and mobile phone makers to retain and collect personal data transmitted over their networks, and would give security agencies and the police powers to investigate matters related to national security with their assistance.
8、 Building a national cyberspace security system is urgent
In June this year, the U.S. Office of Personnel Management was breached by hackers and the information of 27 million people leaked. U.S. Director of National Intelligence James Clapper even said publicly that China was the leading suspect in the intrusion, and U.S. media reported that the Obama administration was studying a series of "unprecedented" economic sanctions against China, aimed mainly at "Chinese companies and individuals who benefit from the theft of U.S. trade secrets through the Internet". But at the first China-U.S. cybersecurity dialogue in December, the two sides confirmed that the OPM incident was treated as a non-state-backed attack.
In September this year, President Xi Jinping visited the United States and the two countries reached a six-point consensus on Internet-related issues. It covers cybersecurity review, general measures to strengthen the cybersecurity of information and communication technology in the commercial sphere, information and assistance regarding malicious cyber activity, opposition to cyber-enabled theft of intellectual property, the formulation and promotion of international norms of state behavior in cyberspace, and the establishment of a high-level joint dialogue mechanism between the two countries to combat cybercrime and related matters.
That same month, two draft contracts and task orders from U.S. Cyber Command showed that it would outsource US$460 million of expanded cyber-attack capability to defense contractors. The United States has always regarded China as its biggest cybersecurity adversary. Its Department of Defense issued a new strategy in July against cyber attacks launched from abroad, in which China is one of the strategic targets. The United States has by now built up cyber forces numbering in the tens of thousands and developed thousands of cyber-warfare tools; its network combat system is complete, and cyber war could be launched at any time.
At present, China's cybersecurity problems remain prominent: a lack of security awareness, weak capability in network confrontation, weak foundations in law, funding and talent, and poor security protection of critical information infrastructure. Although a certain degree of consensus has been reached with the United States, the contest of cybersecurity capability behind it continues, and the situation is very serious. Building an integrated national cybersecurity prevention and control system is urgent.
The whole "2015 Network Security Highlights" can be summed up in four lines:
Giants lay out enterprise security; emerging start-ups are eager to try.
Vulnerabilities flow to the black market; a spring tide is coming, driven by the state.
The events of 2015 are recorded here. See you next year!
Wang Xiaorui
The author writes on finance and IT, translated the well-known social engineering book "The Art of Deception", has long written for Financial Circle magazine, and is editor-in-chief of China Computer Security Net and Guangguang Net.