2/2/2015

Security Breaches
Five Most Significant Security Breaches

Edvaldo Mantovanelli
20062349

Maria Luiza Silva

20062346

TABLE OF CONTENTS
1

Sony/Microsoft ..................................................................................................................................... 2
1.1

Appropriate Security Services ....................................................................................................... 2

1.2

Technological Mechanism............................................................................................................. 2

Sony....................................................................................................................................................... 2
2.1

Appropriate Security Services ....................................................................................................... 2

2.2

Technological Mechanism............................................................................................................. 3

Home Depot .......................................................................................................................................... 3

3.1

Appropriate Security Services ....................................................................................................... 3

3.2

Technological Mechanism............................................................................................................. 3

Itamaraty ............................................................................................................................................... 3
4.1

Appropriate Security Services ....................................................................................................... 4

4.2

Technological Mechanism............................................................................................................. 4

Icloud..................................................................................................................................................... 4
5.1

Appropriate Security Services ....................................................................................................... 4

5.2

Technological Mechanism............................................................................................................. 5

1 SONY/MICROSOFT
Company

Information
Leakage

Integrity
Violation

Sony/Microsoft

Denial of
Service

Illegitimate
Use

This attack was considered one of the major Denial of Services attacks in history, around 1.2 terabytes per
second. The group, knowns as Lizard Squad, used the tool known as distributed denial-of-service (DDoS)
to attack. This is a common technique that overloads servers with data requests. It was used to unstabilize
Sony and Microsoft servers during 2014s Christmas period.

1.1 APPROPRIATE SECURITY SERVICES

Since the attack to Sony/Microsoft prevented the users to use the services, the appropriate security
service should be availability. That is based on ensuring the system availability to its users when required.

1.2 TECHNOLOGICAL MECHANISM

The suggested mechanisms for this attack is replicating all data and services to a backup server, so that if
the main server is being attack a backup one (or more than one) starts working.

2 SONY
Company
Sony

Information
Leakage
X

Integrity
Violation

Denial of
Service

Illegitimate
Use

On November 24, Sony Pictures suffered a hacker attack that left a message on all company computers
with the signature "Hacked by #GOP" (Guardians of Peace). Those hackers shared 1TB of supposed 100
TB achieved files. Among that information shared, there are: controversial emails exchanged between
executives from Sony, addresses and telephone numbers of artists such as Julia Roberts, the social security
number of the actor Sylvester Stallone, director Steven Spielberg requests for donations to political parties,
false names used by famous artists and films that have not yet been released, and others.
Furthermore within those 100 TB of data there are: criminal records of the company's employees, salary
negotiations, medical prescriptions on the retirement of employees, spreadsheets containing wage
records of the 6800 company employees and an extensive range of documents containing the "modus
operandi" for Sony Pictures in the market in which it operates.

2.1 APPROPRIATE SECURITY SERVICES

The attack to Sony allowed important files to be leaked. To prevent this type of attack the access control
services and data confidentiality services should be improved. In order to prevent confidential files
leakage and unauthorized access.

2.2 TECHNOLOGICAL MECHANISM

The mechanisms that should be reinforced are file permissions and encryption. Those mechanisms if
properly developed could prevent an unwanted access to confidential files. This could be managed
through encryption and setting a specific permission based on safer identification process.

3 HOME DEPOT
Company
Home Depot

Information
Leakage
X

Integrity
Violation

Denial of
Service

Illegitimate
Use
X

The company said that 56 million payment cards had been stolen, and later disclosed 53 million email
address had also been pilfered. Home Depot indicated that stolen account information from a third-party
vendor was used to gain access to the companys internal computer network. Deeper access was
reportedly made easier by a vulnerability in Microsofts Windows operating system, which reportedly
was patched after the breach was already underway according to The Wall Street Journal and Bloomberg
Businessweek.
Once inside Home Depots inner workings, the hackers used a series of custom-built malware programs.
The malware surreptitiously swiped account information of unsuspecting customers for five months
before detection, according to the Journal.

3.1 APPROPRIATE SECURITY SERVICES

Necessary security services in this case are Access Control and Data Confidentiality.

3.2 TECHNOLOGICAL MECHANISM

In this attack credit card accounts were stolen through a third party that had access to the companys
Intranet. So, the mechanisms that would help are controlling better who can access the files and using an
encryption system to protect the files from interception.

4 ITAMARATY
Company
Itamaraty

Information
Leakage
X

Integrity
Violation

Denial of
Service

Illegitimate
Use
X

The action began on May 19, 2014. The universe of affected post office is indefinite, but the potential
victims includes about 1,500 Brazilian diplomats around the world, a number that could triple if
considered local embassies staff and foreign ministry officials.
The methodology, known as phishing, is the best known hackers strategies. It consists of sending fake
emails, but disguised with known senders and contents with aspects of truth.
3

In the cyber attack over Itamaraty, the email subject was about the vandalism act suffered by the Brazilian
embassy in Germany in May, 12 2014 in protest against Brazilian World Cup expenditure. When the
attachment is opened, the email password is captured.
Hackers may have had access not only to personal information of diplomats but also the ostensible
telegrams, confidential or secret. Even if the size of the attack was known, it would not be disclosed,
evaluates a Brazilian diplomat.
The computer system of Brazilian diplomacy is considered poor by their own diplomats.

4.1 APPROPRIATE SECURITY SERVICES

In this case the attackers didnt corrupt the system, they only used phishing through emails to get access
to institutional accounts. And then got access to the internal file repository, compromising only the data
confidentiality services.

4.2 TECHNOLOGICAL MECHANISM

The mechanism that need improvement in this case is encryption. Because, the phishers only got the
institutional account passwords. If the files were properly encrypted another verification along with the
password would be required.

5 ICLOUD
Company
ICloud

Information
Leakage
X

Integrity
Violation

Denial of
Service

Illegitimate
Use
X

The Find My iPhone service allowed guessing procedure because there was not a limit of attempts to
enter a wrong password. So with specialized software to discover passwords with words or sound bites,
you can break the confidentiality of a great part of Apples users.
This failure would be easily explored if the criminal knew how to automate software to guess passwords
of an Apple ID account from which he already had the address of confirmed email. Apparently, an email
from a celebrity was discovered and, with it, your account to iCloud was invaded. How many famous know
each other and iCloud also stores all contacts on iPhones, it is likely that hackers have searched multiple
accounts to get to celebrities and others.
Two days before the leak, the method was published on GitHub and ended up being shared on Hacker
News.

5.1 APPROPRIATE SECURITY SERVICES

The breach was due to unlimited trials on passwords, so the service that needs attention is authentication.

5.2 TECHNOLOGICAL MECHANISM

One simple solution to this attack would be a limiter to passwords attempts. If the user fails after a certain
amount of trials the device or account would be blocked for a determined period of time. Or also it could
use a better system, like biometrics or digital signatures.