It's the end of 2018, and this is your year in security

From fried chips to stuffed elections, a look back at the year that was


The 2018 calendar year saw an interesting mix of both technical and strategic questions, as engineers were met with new problems and execs were forced to cope with stark new realities.

Here are a few of the most interesting and memorable stories to break over 2018.

Meltdown menace

It's a bit anticlimactic for the biggest news in the year to erupt in its first days, but that is exactly what happened when, on January 4, The Register broke word on security vulnerabilities present in one form or another in nearly all modern desktop, mobile, and server chips.

Known as Meltdown and Spectre, the design flaws would allow an attacker to pull information from the processor's kernel memory, potentially giving access to things like passwords and decryption keys.

Fallout from the disclosure was swift and severe, with Intel, AMD, Microsoft, and virtually every other major vendor forced to spend months dealing with the flaws.

US election hackers tell voters to get stuffed

Normally, America's mid-term election years hardly draw any attention outside of Washington DC. However, with a heated political climate and investigations of the 2016 presidential election still going on, the 2018 vote became one of the biggest ongoing security stories of the year.

First, there was the talk that both foreign and domestic hackers could be looking to sway public opinion by targeting certain groups or by spreading misinformation. By the summer, security companies were already warning that Russian crews were trying to infiltrate campaigns in order to steal and leak sensitive information and tip the scales toward one candidate or another.

Then, there was the possibility that the machines themselves could be hacked. These fears were underscored in August when the Defcon voting village exhibit showed how even a novice hacker could break into a machine and do everything from erasing vital data to changing the actual vote tally.

Fortunately for the voters, and in spite of the best efforts of Congress, the elections went off with very little fanfare and only one instance of outright voter fraud.

Considering the mess we were looking at earlier in the year, that wasn't such a bad outcome.

Docket to Russia

Speaking of elections, 2018 also saw US authorities begin efforts to bring to justice the Russian groups who oversaw the 2016 election meddling.

In February, Republican-appointed special prosecutor Robert Mueller charged 13 members of the Russian Internet Research Agency (IRA), a well-known troll factory, with conspiring against the United States in 2016.

Among the charges were that the trolls stole the identities of American citizens and used fake companies to create a front for their disinformation campaign. This included moving millions of dollars from Russia to the US in order to fund bogus rallies and purchase promoted posts and tweets.

Of course, the IRA crew have yet to even be apprehended in Russia, let alone extradited to the US. There is also no indication that Moscow will ever cooperate, as the Kremlin has said that the 13 professional trolls would be protected by diplomatic immunity.

Cambridge Analytica shows that Facebook hasn't learned a damn thing

Facebook not giving a crap about data privacy and getting hammered for it has become something of an evergreen story these last few years.

2018, however, saw perhaps the worst of the social network's scandals when it was revealed that influence-peddling research company Cambridge Analytica had harvested tens of millions of Facebook profiles to gather information and covertly shape public opinion.

This would eventually lead to the end of Cambridge Analytica as a going concern and would force Mark Zuckerberg to once again get up in front of the world and say how really, truly, truly, absolutely sorry he was that, yet again, he and his company made a huge profit by selling out people's personal lives.

How sincere was that apology? Well, it only took a few months for Facebook to do the same thing all over again.

Malware goes cuckoo for cryptocoins

The year saw the emergence, or better yet, explosion, of a new type of malware: the cryptocoin miner. Lured by the promise of big payoffs and low risks, malware writers began to load up their payloads with scripts that would use the compute cycles of infected machines to generate cryptocoin for the attacker.

Eventually, cryptocoin miners and wallet-stealing trojans would make their way into everything from in-the-wild exploits to injected scripts on charity websites and even otherwise legitimate software packages.

Sadly (or perhaps not sadly) for the malware writers, the year also saw the price of Bitcoin and other cryptocurrencies plummet from all-time highs in January to depressing lows in December that matched pre-boom levels.

Summer of the leaky buckets

Of all the head-pounding security cockups to occur this year, perhaps none were as consistently frustrating as the data leaks created by poorly secured cloud storage buckets.

Armed with little more than Shodan and a lot of spare time, researchers have made a career out of rooting out AWS S3 storage instances that were not adequately walled off from public access.

When the buckets are left open to the internet, it often results in the mass exposure of private business information and in many cases, the personal info of customers and citizens. Some of the targets to fall victim this year included political campaigns, robocalling companies, and social networking strategists.

Amazon has done what it can to get a hold of the issue, including placing stricter default settings on S3 buckets and giving administrators more control over when and where data can be shared. Ultimately, however, the responsibility will lie with the admins themselves, and companies will need to tighten up their practices if they want to avoid a repeat of this issue in 2019.

Equifax breach finally gets its post-mortem

A report more than a year in the making was finally issued in December of 2018 when Congress delivered its formal account of the 2017 breach at Equifax, saying 145 million Americans' personal data was leaked to hackers.

In the 96-page writeup, investigators condemned the credit agency's mega-breach as "entirely preventable" and savaged Equifax for, among other things, taking more than a year and a half to spot the lapsed security certificate that left its network vulnerable to the hackers.

The breached application itself was also faulted. Found to be woefully out of date and connected to dozens of external databases that it no longer needed access to, the system allowed the hackers to get at tens of millions of customer records they would otherwise have not been able to access.

Equifax has since disputed portions of that report.

It wasn't only Equifax's IT operation that caught heat in 2018. The year also saw one of the executives who profited off the incident be brought to justice (sort of).

Software development boss Sudhakar Reddy Bonthu was given eight months' home confinement and was fined $50,000 as well as forced to turn over $75,000 in gains he made when, upon learning of the breach, he purchased options on Equifax stock that allowed him to turn a quick profit when the breach was revealed to the public and the share price plummeted.

Mirai saga carries on

The Mirai botnet has emerged as one of the largest and most influential botnets in recent memory as it showed just how vulnerable, and effective, unsecured IoT devices can be.

In 2018, the Mirai story took a number of new twists. In June, criminals hung some more flesh on the framework bones of Mirai to create a nasty new group of IoT botnet menaces. In May, researchers calculated the cost of the attack and found that each infected internet thing cost device owners about $13.50 in power, bandwidth, and repair costs.

In September, we learned that the three crooks behind Mirai would escape jail time thanks to a deal that saw them work on behalf of the FBI. And two months later, we found out that Mirai had become even more dangerous, thanks to code tweaks that let it infect Linux servers alongside IoT hardware.

Clearly, Mirai is the awful, unwanted, infectious gift that keeps on giving.

Windows 10 can't get out of its own way

This one wasn't exactly unexpected, but it was still noteworthy.

In 2018, as it has in previous years, Microsoft released a major new update to Windows. And as it had in previous years, that update managed to cause all sorts of strange and wondrous new problems for PC owners once it was installed.

For Microsoft, the big cockup came in October when the Windows 10 Fall Creators Update landed. Within days customers began reporting that the new firmware was prone to randomly wiping files, prompting Microsoft to pull the update just four days into its availability.

The problems would not end there. Even after it was re-released, Windows 10 continued to be beset by errors, and by the end of the month El Reg had declared the Fall release "officially a shit show."

But the complaints didn't stop there. In late November Microsoft was still adding new bugs to its advisories on the release, and as the year rolled to a close new reports surfaced of unwanted data collection.

So all in all, it was a pretty standard year for Windows. ®
