A year in infosec: Bears, botnets, breaches ... and elections
How often can we say that an IT blunder might have changed the course of world history? Hillary Clinton’s use of a private email server whilst serving as outgoing US President Barack Obama’s Secretary of State became a key element in the US presidential election this year.
The FBI investigation around Clinton's use of a private email server while serving as the US's top diplomat arguably tipped the balance against her in the US presidential election and granted leadership of the "free world" to Donald Trump.
During the election process, the public was bombarded with insider communications made available through the hacked Democratic National Committee (DNC) network and the leaked emails from Clinton campaign chair John Podesta.
The leaks fuelled the idea that Clinton was given preferential treatment by party officials and that Democratic nomination contender Bernie Sanders was deliberately sidelined. The DNC and the candidate at the very top of the Democrat ticket both suffered as a result.
Podesta fell victim to a phishing scheme that compromised his accounts and exposed insider communications that portrayed Clinton as too cosy with the political establishment and Wall Street - in a year when the public wanted an outsider. Revelations from the leaks in themselves were far from explosive and their real significance was arguably in reminding voters about the Clinton private email server controversy, the focus of an on-again, off-again FBI probe.
US intelligence agencies blamed Russia for the hacks and by December President Obama promised to take action against Russia over its alleged interference in the presidential election campaign.
UK Chancellor Philip Hammond announced an update of the UK's cyber security strategy in early November that warned that the UK would retaliate against state-sponsored cyber attacks. Important elections in Germany and France next year mean that cyber security will continue to be a political hot potato in 2017.
After a series of high-profile breaches in 2015 that involved criminal and state-sponsored attacks, the leaks continued well into 2016.
In September, Yahoo! announced that data associated with 500 million user accounts had been stolen in one of the largest cybersecurity breaches ever. The theft dated back to 2014 and was blamed by the internet firm on state-based hackers. The scale of the attack only became evident when a hacker using the handle Peace, who had previously sold stolen account information from other companies, began selling millions of Yahoo! users' data online.
Peace also attempted to flog off data on 167 million LinkedIn accounts and 360 million credentials from MySpace users through the dark web. Threat intelligence firm InfoArmor told El Reg that it suspected the same gang was responsible for breaching Yahoo!, MySpace, LinkedIn and more.
By December, Yahoo! admitted that one billion user accounts had been compromised in an earlier attack, dating back to 2013.
Possibly stolen user account information included “names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers”, Yahoo disclosed.
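Why the "hashed passwords (using MD5)" detail matters to defenders: an unsalted fast hash produces the same digest for every user who chose the same password, so a leaked table can be matched in bulk, whereas a salted, deliberately slow KDF gives each user a unique record that must be attacked one at a time. The following is an added illustration, not code from Yahoo! or the article; the user names and passwords are constructed sample data.

```python
import hashlib
import hmac
import os

# Constructed sample records (invented users and passwords): two users chose
# the same password, which is common in any large user base.
SAMPLE_PASSWORDS = {"alice": "summer2016", "bob": "hunter2", "carol": "summer2016"}

def md5_unsalted(password: str) -> str:
    """Legacy storage as in the Yahoo! disclosure: one fast hash, no salt."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()

def shared_hash_groups(dump: dict) -> dict:
    """Breach-impact check: unsalted hashes are identical for identical
    passwords, so one guess that matches a hash exposes every user sharing it."""
    groups = {}
    for user, digest in dump.items():
        groups.setdefault(digest, []).append(user)
    return {h: users for h, users in groups.items() if len(users) > 1}

def pbkdf2_salted(password: str, salt: bytes = None, iterations: int = 200_000) -> str:
    """Hardened storage: per-user random salt and a deliberately slow KDF.
    Stored as 'iterations$salt_hex$hash_hex' (an assumed record format)."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{iterations}${salt.hex()}${dk.hex()}"

def verify_pbkdf2(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count, compare in constant time."""
    iterations, salt_hex, hash_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), hash_hex)

def legacy_dump(passwords: dict) -> dict:
    return {u: md5_unsalted(p) for u, p in passwords.items()}

def hardened_dump(passwords: dict) -> dict:
    return {u: pbkdf2_salted(p) for u, p in passwords.items()}

if __name__ == "__main__":
    legacy = legacy_dump(SAMPLE_PASSWORDS)
    print("users sharing an MD5 hash:", shared_hash_groups(legacy))      # alice and carol
    hardened = hardened_dump(SAMPLE_PASSWORDS)
    print("users sharing a PBKDF2 record:", shared_hash_groups(hardened))  # {}
    print(verify_pbkdf2("summer2016", hardened["alice"]))                  # True
```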
Verizon, which had agreed to buy Yahoo!, threatened to rescind its $4.8bn offer soon after the first breach disclosure in September. Compounding its problems, Yahoo! also faces a potential class-action lawsuit.
Breaches of high profile websites and retail outlets leading to the leak of personal details and (worse) credit card records have, of course, been an issue for many years. Politicians are beginning to act through the introduction of new regulations.
The EU's long awaited General Data Protection Regulation (GDPR) passed this year. GDPR will introduce tougher breach disclosure rules and punitive fines of up to four per cent of a business's annual turnover for negligence that results in data breaches. UK data protection regulators and politicians are both arguing that post-Brexit Britain should adopt data protection laws similar to those of the EU.
Ransomware is the new black
Cybercrime continued to be a problem for businesses as well as consumers throughout the year. Hackers targeted banks connected to the global financial messaging service, SWIFT, in a series of high-profile attacks.
Hackers stole $81m from an account held in New York by Bangladesh's central bank after apparently lifting the financial institution's authorisation codes using malware. The same hacking crew is suspected in the theft of $12m from an Ecuadoran bank, Banco del Austro SA and $10m from a Ukrainian bank as well as a string of thwarted attacks worldwide in Vietnam, the Philippines and elsewhere.
In response, SWIFT said it will "expand" its use of two-factor authentication as well as mandating “baseline” security standards and improved information sharing.
Ransomware as a threat emerged three years ago or more, but scams based on file-encrypting malware really reached prime time in 2016. Victims throughout the year included several hospitals worldwide and San Francisco's subway system. Victims are normally unable to access compromised data until a payment is made for a decryption key.
File-encrypting malware - alongside longer established denial of service scams - became the two dominant threats of 2016.
The long-standing DDoS threat took on another dimension this year after hackers created a potent Internet-of-Things botnet. The Mirai botnet (a zombie network of PVRs and webcams) was used to devastating effect in October, taking out DNS provider Dyn and leaving scores of high-profile websites unreachable as a result. A group called New World Hackers claimed responsibility for the DDoS assault.
Weeks later a Mirai variant was detected spreading across the consumer routers of multiple ISPs, creating a potent attack platform in the process.
Malware was able to infect IoT devices by taking advantage of default factory-installed passwords. Simply changing passwords may be enough, although firmware updates may also be required. Fixing the problem is going to be an uphill struggle, since consumers rarely update the software on their IoT kit, but it needs to be resolved for the sake of internet hygiene. ®