Google Project Zero researcher Tavis Ormandy opened 2016 by demonstrating critical flaws in Trend Micro's antivirus software, including a password manager component that exposed a local HTTP API through which any web page could run arbitrary commands on the machine. The vulnerabilities were detailed in a scalding disclosure log published later that year, with Ormandy at one point remarking, “I don't even know what to say”. In June, Ormandy exposed numerous vulnerabilities in Symantec's range of consumer and enterprise products. Norton Security, Norton 360, Symantec Email Security and Symantec Protection Engine, among others, all share the same core scanning engine and were therefore all vulnerable to a variety of wormable remote code execution bugs: because the engine unpacks and parses untrusted files automatically and at the highest privilege level, a malicious attachment or download could compromise a host without the user ever opening it.
Another star threat-seeker of 2016 is Chris Vickery. The security researcher earns top billing for two discoveries. The first was a publicly exposed database holding 93.4 million Mexican voter records. The second, and perhaps the more significant, was a database containing the details of 154 million American voters, found in an election season beset with IT security catastrophes. In both cases the data sat on a database server left reachable from the internet with no authentication, so no exploit was required, only someone looking.
This isn't the first time that Vickery has stumbled upon large tranches of voter information. At the very tail end of 2015, the MacKeeper security researcher discovered the records of 191 million US voters in the same way.
The always exceptional Troy Hunt got his hands on several high-profile breaches this year. The list is almost too long to cover, but the Australian researcher's work includes the disclosure of breaches at Lifeboat, a third-party Minecraft server community, and at children's e-toy manufacturer VTech, among others. He confirmed the legitimacy of the 68 million Dropbox accounts circulating online by finding credentials he could personally verify in the dump, and showed that a Nissan Leaf in the UK could be controlled from Australia because the companion app's API authenticated requests with nothing more than the vehicle's VIN.
His website, haveibeenpwned.com, allows anyone to check whether their email address appears in any of the large data breaches of the past few years. To boot, he was made a Microsoft Regional Director.
Flavio Garcia, senior lecturer in computer security at the University of Birmingham, and his fellow researchers would have deserved this honour a couple of years ago, when they attempted to reveal vulnerabilities in the Megamos Crypto transponder found in the immobilisers of a great number of vehicles. The weakness, if properly exploited, would allow the easy, keyless theft of cars made by Volkswagen and others. Volkswagen and Thales successfully brought an injunction against the work and publication was postponed; the research was not finally published until 2015. One year later, Garcia and his team produced an even greater revelation at the USENIX Security conference last August, showing that the remote keyless entry systems of roughly 100 million Volkswagen Group vehicles built over the past two decades relied on a handful of shared cryptographic master keys, and that many more cars from other manufacturers using the Hitag2 rolling-code scheme could be unlocked in about a minute after eavesdropping on a few presses of the owner's key fob.
Continuing the car hacking theme, Tencent's Keen Security Lab also broke new ground. For the first time, the team remotely compromised a Tesla Model S, chaining a vulnerability in the car's web browser with a compromise of the in-vehicle gateway to reach the CAN bus. That let them, or a would-be attacker, send commands to the vehicle's controllers, including braking a car in motion. Tesla shipped a fix over the air within days and subsequently added code signing for firmware updates.
ESET deserves credit for vindicating a threat long feared, and now dreaded, by the IT security community. SC speaks, of course, about ESET's work on BlackEnergy. Late 2015 and 2016 saw a series of attacks on Ukrainian critical infrastructure that hobbled major organisations and, most notably, the electrical grid. On 23 December 2015 three regional distribution companies were hit, most notably Prykarpattyaoblenergo in the Ivano-Frankivsk region, and roughly 225,000 customers lost power for several hours. ESET's analysis showed the intrusions began with spear-phishing emails carrying Office documents whose macros installed BlackEnergy, with the KillDisk component later used to wipe workstations and hamper recovery.
The Slovak IT security company noted similarities between this attack and cyber-espionage operations seen in previous years. This would, perhaps unsurprisingly, place BlackEnergy's attacks on Ukrainian critical infrastructure in the context of the country's simmering conflict with Russia.
More recently, ESET has reported the group's return under the moniker TeleBots, targeting the Ukrainian financial sector with a toolset named for its use of the Telegram Bot API as a command-and-control channel.
CrowdStrike's linking of the hack of the Democratic National Committee to Russia deserves a mention for the controversy, if not the magnitude, of the claim. After detecting suspicious activity on its network in the spring of 2016, the DNC turned to CrowdStrike to investigate. The firm reported two separate intrusions by the groups it calls Cozy Bear and Fancy Bear, both of which it and many others link to Russian intelligence. Embarrassing internal emails taken in the breach were subsequently published, most prominently by WikiLeaks, days before the party's convention.
These revelations and counter-claims would come to largely define an election which the Democratic Party eventually lost. Whether the breach decided that loss is hard to gauge, and the veracity of the claims made by the Democratic Party, outgoing President Barack Obama, the US intelligence establishment and, indeed, CrowdStrike is still hotly contested by many, including, unsurprisingly, the Russian government and President-elect Donald Trump.
Researchers at Imperva lifted the lid on a new class of threat in their analysis of the massive DDoS attack on DNS provider Dyn. The 21 October attack knocked out access to multiple popular websites, including Twitter, Amazon, GitHub and The Boston Globe, not by attacking the sites themselves but by overwhelming the authoritative DNS service their domains depended on.
The attack was conducted using a Mirai botnet, a threat that recruits the great bounty of poorly secured IoT devices, largely IP cameras and DVRs still answering on telnet with factory-default credentials, and is quickly outdoing its DDoS rivals in sheer flood power. Imperva's analysis of not just the attack but Mirai itself, whose source code had been dumped publicly only weeks earlier, served as a timely undressing of a formidable threat.
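As an added illustration (not code from the original article, from Imperva or from the Mirai authors), the following Python routine shows the kind of detection logic a network defender could run over telnet login records to spot Mirai's recruitment behaviour. The released Mirai source scans for hosts on TCP ports 23 and 2323 and tries a short table of factory-default username/password pairs in rapid succession, so a burst of such attempts from one source is a strong signal. The log format and the log lines below are constructed for this example; the credential pairs are a small subset of the table in the released Mirai source; thresholds are assumptions to tune per environment.

```python
"""Flag sources whose telnet login attempts look like Mirai's scanner.

Mirai's scanner hits TCP 23/2323 and walks a fixed table of factory-default
credentials within seconds. This detector parses login records, groups them
per source address, and flags a source when, inside a sliding time window,
it makes at least `min_attempts` logins and most of them come from that table.
Log format and sample lines are constructed for the example.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Small subset of the default credential table in the released Mirai source.
MIRAI_DEFAULT_CREDS = {
    ("root", "xc3511"), ("root", "vizxv"), ("root", "admin"), ("admin", "admin"),
    ("root", "888888"), ("root", "xmhdipc"), ("root", "default"), ("root", "juantech"),
    ("root", "123456"), ("root", "54321"), ("support", "support"), ("admin", "password"),
    ("root", "root"), ("root", "12345"), ("user", "user"), ("ubnt", "ubnt"),
}

# Constructed log format (hypothetical telnet daemon, not a real product's format):
# <ISO8601 time> telnetd[<pid>]: login <ok|failed> src=<ip> dport=<port> user=<u> pass=<p>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) telnetd\[\d+\]: login (?P<result>ok|failed) "
    r"src=(?P<src>[\d.]+) dport=(?P<dport>\d+) user=(?P<user>\S*) pass=(?P<pass>\S*)$"
)

# Constructed sample input: one Mirai-like burst (with a successful login), one
# short probe below threshold, and one legitimate operator mistyping a password.
SAMPLE_LOG = """\
2016-10-21T11:10:00 telnetd[412]: login failed src=198.51.100.7 dport=23 user=root pass=xc3511
2016-10-21T11:10:01 telnetd[412]: login failed src=198.51.100.7 dport=23 user=root pass=vizxv
2016-10-21T11:10:01 telnetd[412]: login failed src=198.51.100.7 dport=23 user=admin pass=admin
2016-10-21T11:10:02 telnetd[412]: login failed src=198.51.100.7 dport=23 user=root pass=888888
2016-10-21T11:10:03 telnetd[412]: login ok src=198.51.100.7 dport=23 user=root pass=xmhdipc
2016-10-21T11:12:40 telnetd[412]: login failed src=203.0.113.9 dport=2323 user=root pass=juantech
2016-10-21T11:12:41 telnetd[412]: login failed src=203.0.113.9 dport=2323 user=root pass=123456
2016-10-21T11:12:41 telnetd[412]: login failed src=203.0.113.9 dport=2323 user=root pass=54321
2016-10-21T11:40:00 telnetd[412]: login failed src=192.0.2.50 dport=23 user=ops pass=Wr0ngPw
2016-10-21T11:40:30 telnetd[412]: login ok src=192.0.2.50 dport=23 user=ops pass=CorrectH0rse
"""


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    ev["dport"] = int(ev["dport"])
    return ev


def detect_mirai_scanners(lines, window=timedelta(seconds=60), min_attempts=5, min_default_ratio=0.8):
    """Return {src_ip: summary} for sources showing a Mirai-style credential burst.

    Only attempts on ports 23 and 2323 are considered. A source is flagged if some
    window of `window` seconds holds at least `min_attempts` logins of which at
    least `min_default_ratio` use a pair from MIRAI_DEFAULT_CREDS.
    """
    by_src = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["dport"] in (23, 2323):
            by_src[ev["src"]].append(ev)

    flagged = {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it covers at most `window` seconds.
            while events[end]["ts"] - events[start]["ts"] > window:
                start += 1
            burst = events[start:end + 1]
            if len(burst) < min_attempts:
                continue
            default_hits = sum((e["user"], e["pass"]) in MIRAI_DEFAULT_CREDS for e in burst)
            if default_hits / len(burst) >= min_default_ratio:
                # Summarise everything seen from this source once it is flagged.
                flagged[src] = {
                    "attempts": len(events),
                    "default_cred_attempts": sum((e["user"], e["pass"]) in MIRAI_DEFAULT_CREDS for e in events),
                    "succeeded": any(e["result"] == "ok" for e in events),
                    "first": events[0]["ts"].isoformat(),
                    "last": events[-1]["ts"].isoformat(),
                }
                break
    return flagged


if __name__ == "__main__":
    for src, info in detect_mirai_scanners(SAMPLE_LOG.splitlines()).items():
        print(src, info)
```

A flagged source with `succeeded` set to True is the case that matters most: the device answered a factory-default login, which in Mirai's playbook is followed within seconds by the loader fetching the bot binary, so that host should be treated as compromised rather than merely probed. The threshold values are starting points; on a busy honeypot the window can be shortened considerably, since Mirai's scanner typically exhausts its attempts in a handful of seconds.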
Note should certainly be made of Carnegie Mellon University's attack on Tor. Funded by the US Department of Defense, researchers at the university's Software Engineering Institute ran a traffic-confirmation attack from relays they controlled during the first half of 2014, and information they gathered was later subpoenaed in the prosecution of a staff member of Silk Road 2.0, the dark web marketplace used to traffic in a variety of illegal goods, chiefly narcotics. The Tor Project detected the malicious relays in July 2014 and patched the protocol flaw they exploited. The act understandably caused consternation among privacy supporters and Tor advocates. Whatever its moral value, the researchers demonstrated deanonymisation of Tor users at a scale that few, if any, others have achieved.
In October, Applied Risk ICS security consultant Alexandru Ariciu found weaknesses in Moxa's ioLogik Ethernet remote I/O modules, used in a variety of industrial settings including manufacturing, nuclear, and oil and gas plants. Among the weaknesses were poor handling and storage of passwords and cross-site scripting flaws in the devices' web interface that could let an attacker run script of their choosing in the browser of a logged-in operator.