D’Oh! 2016 Was Another Extraordinary Year for Cybersecurity. What Does It Mean for the Future?
2016 has been a curious year in the world as well as in cybersecurity. Historic breaches, hair-raising ransomware, IoT attacks, and even some election intrigue, this was a year to remember in the realm of cybersecurity. Let’s look back at the biggest stories and highlight some things we can learn as we move forward.
The Rise of Ransomware
In early February, staff at the Hollywood Presbyterian Hospital in Los Angeles arrived at work to find themselves suddenly locked out of their systems. The hospital was the victim of a malware attack and forced to pay the equivalent of $17,000 in bitcoin to have its systems unlocked. The attack made national headlines; many media outlets originally, and erroneously, reported that the ransom was in the millions. In any case, it was an introduction for some to a type of cyberattack known as ransomware.
According to the FBI, the cost of ransomware totaled $209 million in only the first three months of this year. Those using ransomware employed tools including call centers, email response groups, graphic artists, and translators to walk people through paying ransom.
The health care industry is a particularly notable target of these attacks, presumably due to the critical and sensitive nature of their data, which forces a greater urgency to concede to ransom demands. Yet organizations in a wide variety of industries as well as countless individuals have fallen victim to ransomware attacks.
2016 also saw a rise in “Ransomware-as-a-Service”, in which malware developers enlist “distributors” to help spread infections for a cut of the profits. In one case, affiliate distributors were discovered to receive as much as 85% of payments if able to attain a certain volume quota. In another case, a strain of ransomware was found for sale on the dark web for the low, low price of $39.
All Eyes on Mirai
October 21st was an odd day for the internet and its users. Those attempting to navigate to many popular websites had unusual trouble doing so. The reason was a rather historic Distributed Denial of Service (DDoS) attack on the managed domain name service infrastructure of Dyn.
Basically, in a DDoS attack an unusual number of devices are captured into a botnet and pointed toward a single target. This overwhelms the target so that legitimate traffic is unable to flow through.
The attack on Dyn contained roughly 100,000 devices. Mirai was the name of the botnet used in the attack. It infects vulnerable devices, such as DVRs, IP cameras, routers, even baby monitors connected to the growing Internet of Things (IoT). The botnet was also used this year in attacks on the cybersecurity blog KrebsOnSecurity, French web services provider OVH, and the internet infrastructure of Liberia. Mirai’s author also released its source code online.
The attack on Dyn highlighted some notable vulnerabilities inherent in the devices connected to the IoT. These vulnerabilities include default passwords that often remain unchanged after an end user connects the device. These passwords are easy to obtain or crack in a dictionary attack leaving them susceptible to being pulled into a botnet. Owners are typically unaware that their devices have been pulled into a botnet, and because the devices are often perpetually connected to the internet, they are an enticing weapon for those able to harness them.
Did Somebody Order Malware?
In January, KrebsOnSecurity reported that fast food chain Wendy’s was investigating unusual activity on payment cards previously used at many of its locations. In May, the company announced that 300 of its stores had uncovered malicious software on its point-of-sale-systems. By July, that number had increased to 1,025 of its 5,800 locations. Hackers obtained cardholder names, credit/debit card numbers, expiration dates, among other data. Wendy’s attributed the blame for the breach on a third-party vendor who had access to its point-of-sale systems.
Meanwhile, pizza chain CiCi’s dealt with its own breach this year. In July, CiCi’s announced that it too had been the victim of a breach through its point-of-sale systems, affecting 140 of their 450 restaurants between June of 2015 and July of 2016. The breach was believed to have compromised more than 600,000 payment cards. KrebsOnSecurity reported that it was told by a source that hackers used social engineering techniques to trick employees into installing the malware.
Uh-oh, Yahoo!
Saying it’s been a brutal year for Yahoo may be the understatement of the year. The tech company was on the losing of end of not one, but two massive breach announcements. In September, Yahoo admitted that the account credentials for 500 million users were stolen sometime in late 2014 including names, emails, phone numbers, encrypted passwords, and security questions. It was a historic breach announcement. Yet it was just the beginning.
In December, the company announced that in a separate 2013 breach one billion accounts were compromised. This breach also included names, email addresses, phone numbers, birthdays, hashed passwords, and a mix of encrypted and unencrypted security questions and answers. Although there may have been overlap between the accounts compromised in the breaches, regardless, the breadth of the breaches is enormous.
While never a good time for such damaging news, the announcements have come at a particularly bad time for Yahoo who is in the process of selling itself to Verizon for $4.8 billion. Bloomberg reported on December 15th that Verizon is seeking ways to either negotiate a price cut or exit from the deal.
Peace, No Peace
With a storefront that contains a solid satisfaction rating and feedback score, “Peace_of_Mind” could be an internet shop worth perusing for us solid digital citizens, that if the storefront wasn’t located on the dark web and wasn’t selling potentially our very own internet credentials. Hacker Peace_of_Mind (or Peace) turned some heads throughout the cybersecurity community this year, or at least induced some heartburn, by putting up for sale the account credentials of users that totaled in the hundreds of millions including 167 million user accounts from LinkedIn, 360 million from MySpace, 68 million from Tumblr, and 71 million from Twitter.
Much of the data came from breaches that occurred years ago, which may make the data seem innocuous. Yet it highlighted a serious issue, and that is reusing the same password on different websites. If a password is obtained in a breach, any other account in which that password is used is vulnerable. For instance, if one password was used on a MySpace account that hasn’t been touched in five years and that same password is also being used on a different social account, the latter account remains vulnerable.
In June, Wired’s Andy Greenberg scored an interesting interview with Peace, although he’s quick to point out that verifying Peace’s story is difficult due to his/her desire to remain digitally cloaked.
Bear Claws in the Honeypot
Fancy Bear and Cozy Bear: sounds like some cute mammals Goldilocks might run into while enjoying some porridge, right? Not so much. They’re the names some experts have used to describe hacking groups tied to headline-grabbing attacks leading to subsequent releases of a cache of emails and attachments that many say were intended to influence this year’s presidential election.
To simply boil down what is a multifaceted story with enormous political, national, and international implications:
Many, including those in the American intelligence community, have attributed the attacks to actors working on behalf of the Russian government. Others have voiced skepticism of these claims, including President-elect Donald Trump. Russian President Vladimir Putin, meanwhile, has denied any involvement. President Obama has asked for a full review before he leaves office on January 20th and influential senators from both sides of the political aisle have called for an in-depth investigation.
As we close out 2016, and look forward to next year and further on into the future, what can we learn? What are a few lessons we can collect?
The Apparent Vulnerabilities of IoT
The Internet of Things is growing exponentially. This means that any vulnerabilities that now exist will only be compounded as more and more devices are added. These devices are often not created with security as a paramount concern. They’re developed instead with the need to get to market faster and cheaper. Manufacturers, therefore, need to do a better job of implementing security throughout the supply chain. This includes a greater awareness of the interdependencies that are involved in the development of these products. A “secure-to-market” approach is needed.
Manufacturers also need to make it effortless for an end user to implement security measures. Often passwords are difficult, if not impossible for an end user to change. This is extremely counter-productive to good cybersecurity. A recently released federal report recommends that these devices should be rendered unusable until users change default usernames and passwords and should also reject weak usernames and passwords.
By turning our attention away from reactive cybersecurity practices and toward active cybersecurity protocols that lead to the development of inherently secure technology, we can limit attack vectors and increase security.
The Password System is Broken
Identity authentication needs to improve. Relying on passwords as the primary means is not a sufficient solution to solving risk. Even security questions and answers, considering the repercussions of the enormous Yahoo breach outlined above, are now recognized as suspect. This will be a challenge for designers and cybersecurity professionals. Through improved authentication methods we can improve digital security.
In the meantime, end users (that’s all of us) need to do everything we can to protect ourselves. This means taking steps to use strong passwords that are never reused and using multifactor authentication where it is available.
An extra step may also be fully deleting accounts that are no longer in use (instead of just letting them languish), including removing ALL information, such as changing the answers to security questions, birth date, contact information, etc., so they are no longer correct. We cannot solely rely on companies to remove accounts and account information. To fully protect ourselves, it can be valuable to strip out authentication information, especially if that authentication information is going to be used elsewhere.
Identity Monitoring and Protection
Is it that more breaches are occurring, or are we just beginning to hear about them more? In either case, the major breaches in 2016 are a reminder how necessary it is to constantly monitor your online identity. This may be online account, personal identity, banking, or credit information, or all of the above. As you would monitor your weight, cholesterol level, blood pressure, food and drink intake, so too is it vital to continuously check important personal information stored online. Whether it’s regularly perusing your bank and credit card statements or employing a credit or personal identity monitoring service, you should play an active role in scrutinizing your identity that exists digitally.
Education, Now More Than Ever
As our digital identities are increasingly intertwined with our physical identities, protecting ourselves online is now a fundamental concern to safety. This goes for us as both employees of an organization and in our personal lives. The tools and tricks malicious actors use to apply their trade is constantly evolving. So too are the ways that can be used to identify and combat these tricks. The key is to be diligent about educating yourself and your organization. This is a responsibility that we all should take seriously.
At FPOV, we offer cybersecurity training that is proven to help organizations and individuals lower their risk of falling victim to a cyberattack. Click here for a comprehensive look at our cybersecurity training.
2016 was an unforgettable year. We learned a lot of lessons. Many of them were difficult. Yet if we can apply what we’ve learned to 2017, our future may indeed be bright.