{"id":17261,"date":"2019-12-19T11:10:02","date_gmt":"2019-12-19T19:10:02","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2019\/12\/19\/news-10997\/"},"modified":"2019-12-19T11:10:02","modified_gmt":"2019-12-19T19:10:02","slug":"news-10997","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2019\/12\/19\/news-10997\/","title":{"rendered":"A decade in cybersecurity fails: the top breaches, threats, and \u2018whoopsies\u2019 of the 2010s"},"content":{"rendered":"<p><strong>Credit to Author: Malwarebytes Labs| Date: Thu, 19 Dec 2019 18:03:33 +0000<\/strong><\/p>\n<p><em>This post was co-authored by Wendy Zamora and Chris Boyd. All opinions expressed belong to your mom.<\/em><\/p>\n<p>Back in the days before climate change stretched frigid winter months directly into the insta-sweat of summer, there was a saying about March: in like a lamb, out like a lion. The same might be said about the last decade in cybersecurity fails.<\/p>\n<p>What kicked off with a handful of stories about niche hacks ballooned into daily splashy headlines about massive data breaches, dangerous outbreaks, and increasingly sophisticated attack campaigns. The game has truly changed, generating a multi-billion-dollar industrial complex, and inspiring millions to stock up on tinfoil hats while saving trendy rumpus room designs to their Pinterest boards. 
<\/p>\n<p>To comment on the sweeping changes brought on by the last 10 years of hacks, breaches, privacy debates, and evolutions in malware, Malwarebytes researchers Wendy Zamora and Chris Boyd take a look at the most noteworthy, mind-blowing, and sometimes chuckle-inducing cybersecurity fails that defined the decade.<\/p>\n<h3>2011: Game over, PlayStation<\/h3>\n<figure class=\"wp-block-image\"><img decoding=\"async\" data-attachment-id=\"41614\" data-permalink=\"https:\/\/blog.malwarebytes.com\/awareness\/2019\/12\/a-decade-in-cybersecurity-fails-top-breaches-threats-of-2010s\/attachment\/shutterstock_1494030932\/\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/12\/shutterstock_1494030932.jpg\" data-orig-size=\"1000,667\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;1&quot;}\" data-image-title=\"shutterstock_1494030932\" data-image-description=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/12\/shutterstock_1494030932-300x200.jpg\" data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/12\/shutterstock_1494030932-600x400.jpg\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/12\/shutterstock_1494030932-600x400.jpg\" alt=\"cybersecurity fails playstation\" class=\"wp-image-41614\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/12\/shutterstock_1494030932-600x400.jpg 600w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/12\/shutterstock_1494030932-300x200.jpg 300w, 
https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/12\/shutterstock_1494030932.jpg 1000w\" sizes=\"(max-width: 600px) 100vw, 600px\" \/><\/figure>\n<p><strong>WZ:<\/strong> It all started with the gamers. In my mind, gaming is nearly as genre-defining as porn when it comes to testing, adopting, and embracing early tech evolutions. The two go hand-in-hand, so to speak.<\/p>\n<p>I\u2019ll just give you a minute to wipe that last image out of your head before proceeding.<\/p>\n<p>Great. So, in 2011 the world got its first glimpse at the power of a good hack to not only steal data, but also bring operations to a grinding halt. The <a href=\"https:\/\/www.theguardian.com\/technology\/2011\/apr\/26\/playstation-network-hackers-data\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">77 million members of the Sony PlayStation Network<\/a>, including minors under the age of 18, had their personal data exposed to hackers. But worse for the gamers, they were locked out of their accounts for 23 days, unable to play online, purchase, or otherwise indulge in their favorite pastime. 
<\/p>\n<p>For the sheer number of users alone, this hack is noteworthy, but more, it was a foreshadowing of the ways in which cybersecurity fails could do more than just steal information\u2014they could disrupt lives.<\/p>\n<h3>2012: Mat Honan\u2019s digital life torched<\/h3>\n<figure class=\"wp-block-image\"><img decoding=\"async\" data-attachment-id=\"41615\" data-permalink=\"https:\/\/blog.malwarebytes.com\/awareness\/2019\/12\/a-decade-in-cybersecurity-fails-top-breaches-threats-of-2010s\/attachment\/shutterstock_753581842\/\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/12\/shutterstock_753581842.jpg\" data-orig-size=\"1000,667\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"shutterstock_753581842\" data-image-description=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/12\/shutterstock_753581842-300x200.jpg\" data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/12\/shutterstock_753581842-600x400.jpg\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/12\/shutterstock_753581842-600x400.jpg\" alt=\"cybersecurity fails mat honan\" class=\"wp-image-41615\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/12\/shutterstock_753581842-600x400.jpg 600w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/12\/shutterstock_753581842-300x200.jpg 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/12\/shutterstock_753581842.jpg 1000w\" sizes=\"(max-width: 600px) 100vw, 600px\" \/><\/figure>\n<p><strong>CB: 
<\/strong>PlayStation was significant for sheer cultural impact, if not actual affected numbers, given the size of recent breaches. I usually groan when looking at yearly lists of cybersecurity fails because I know 90 percent of it is going to be the same generic breach we\u2019ve all seen a hundred times over. Yes, it\u2019s bad that six million customer records were swiped from a web-facing database. No, it doesn\u2019t make for interesting reading. <\/p>\n<p>Instead, I\u2019m much more interested in specific examples of personal ruination. One such example is from 2012, when technology writer Mat Honan <a href=\"https:\/\/www.wired.com\/2012\/08\/apple-amazon-mat-honan-hacking\/\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">found his entire digital world torn in half<\/a>. I\u2019d argue this is one of the most spectacular digital demolition jobs I\u2019ve ever seen. The crooks had no interest in him, his data, or his devices. They just wanted that sweet, sweet three-character Twitter handle. If everything important to him was torched along the way? Too bad, so sad. <\/p>\n<p>This guy pretty much lost everything of real, singular importance to him in the attack. All those photos of his kid as a baby? Bam, gone. Google account taken over and deleted. iPhone and iPad data erased. Anything still on his MacBook drive was locked away behind features designed to make his life more secure, like the four-digit PIN. The worst feeling in the world isn\u2019t just the compromise; it\u2019s knowing that those helpful systems are a gigantic pain in the backside once someone who isn\u2019t you is in the driving seat.<\/p>\n<p>Some basic actions\u2014enabling 2FA on Gmail and making backups\u2014would have essentially made this a non-event. Did Honan miraculously manage to get his photographs back? Sure. It was a lucky escape, and we generally don\u2019t get that lucky. 
This was one of those landmark, hot knife through buttery cybersecurity fails. I double dare you to top it.<\/p>\n<h3>2013: Snowed under<\/h3>\n<figure class=\"wp-block-image\"><img decoding=\"async\" data-attachment-id=\"41616\" data-permalink=\"https:\/\/blog.malwarebytes.com\/awareness\/2019\/12\/a-decade-in-cybersecurity-fails-top-breaches-threats-of-2010s\/attachment\/shutterstock_153211979\/\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/12\/shutterstock_153211979.jpg\" data-orig-size=\"1000,667\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"shutterstock_153211979\" data-image-description=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/12\/shutterstock_153211979-300x200.jpg\" data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/12\/shutterstock_153211979-600x400.jpg\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/12\/shutterstock_153211979-600x400.jpg\" alt=\"cybersecurity fails snowden\" class=\"wp-image-41616\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/12\/shutterstock_153211979-600x400.jpg 600w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/12\/shutterstock_153211979-300x200.jpg 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/12\/shutterstock_153211979.jpg 1000w\" sizes=\"(max-width: 600px) 100vw, 600px\" \/><\/figure>\n<p><strong>WZ: <\/strong>Sure, sure, Honan\u2019s digital demise uncovered many holes in security processes we previously thought were failsafe, and maybe taught 
Apple customer service a valuable lesson in active listening. But as you yourself noted\u2014I don\u2019t think anyone learned anything from it. In contrast, <a href=\"https:\/\/www.businessinsider.com\/snowden-leaks-timeline-2016-9\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">Edward Snowden<\/a> jolted the world out of its collective ostrich pose and demonstrated how very much 1984 got it right. <\/p>\n<p>Depending on which side of democracy you stand on, Snowden, a former CIA contractor-turned-whistleblower, is either a hero or a war criminal for his 2013 revelations about the extent and reach of NSA-sponsored surveillance systems set up in the aftermath of 9\/11. Global telecommunications systems, Internet watch lists, international cooperation, the works. In the list of cybersecurity fails, this may be the Holy Grail.<\/p>\n<p>Regardless of political stance, Snowden\u2019s reveal was a real eye-opener for the public, and it sparked a massive worldwide debate that rages on to this day. They call it <a href=\"https:\/\/www.huffpost.com\/entry\/the-snowden-effect_b_58c35900e4b0a797c1d39cdc\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">\u201cthe Snowden effect.\u201d<\/a><\/p>\n<p>Just ask anyone what\u2019s more important to them: national security or personal privacy? Do they have \u201cnothing to hide\u201d or is their right to stay off the grid of utmost importance? 
If you can easily answer this question and guarantee everyone in the room with you agrees, then you must be reading this from far in the future, when this list will look positively quaint in comparison to yours.<\/p>\n<h3>2013: Cryptolocker ransomware changes the game<\/h3>\n<figure class=\"wp-block-image\"><img decoding=\"async\" data-attachment-id=\"41617\" data-permalink=\"https:\/\/blog.malwarebytes.com\/awareness\/2019\/12\/a-decade-in-cybersecurity-fails-top-breaches-threats-of-2010s\/attachment\/shutterstock_641268832\/\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/12\/shutterstock_641268832.jpg\" data-orig-size=\"5000,3767\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"shutterstock_641268832\" data-image-description=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/12\/shutterstock_641268832-300x226.jpg\" data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/12\/shutterstock_641268832-600x452.jpg\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/12\/shutterstock_641268832-600x452.jpg\" alt=\"cybersecurity fails cryptolocker\" class=\"wp-image-41617\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/12\/shutterstock_641268832-600x452.jpg 600w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/12\/shutterstock_641268832-300x226.jpg 300w\" sizes=\"(max-width: 600px) 100vw, 600px\" \/><\/figure>\n<p><strong>CB: <\/strong>Okay, Snowden is a double-edged sword. 
On the one hand, he helped confirm that those conspiracy theorists were onto something. On the other hand, he helped confirm that those conspiracy theorists were onto something. I also wonder if the significance of his findings made that much of an impact outside the US, considering lots of folks just shrugged and carried on regardless.<\/p>\n<p>If you want actual global impact on a scale you can feel, ransomware is where it\u2019s at. Cryptolocker ransomware, specifically. <\/p>\n<p>Ransomware was all fun and games until <a href=\"https:\/\/blog.malwarebytes.com\/101\/2013\/10\/cryptolocker-ransomware-what-you-need-to-know\/\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\"Cryptolocker (opens in a new tab)\">Cryptolocker<\/a> came onto the scene and dashed users\u2019 hopes by being the first widespread malware to encrypt files and hold them hostage until ransom was paid. Ransomware prior to Cryptolocker mostly relied on cheap tricks instead of encryption, but its arrival in 2013 cemented this method\u2019s popularity forever, spawning clones and higher encryption stakes by the bucketload. 
<\/p>\n<h3>2013 again: Target hack<\/h3>\n<figure class=\"wp-block-image\"><img decoding=\"async\" data-attachment-id=\"41618\" data-permalink=\"https:\/\/blog.malwarebytes.com\/awareness\/2019\/12\/a-decade-in-cybersecurity-fails-top-breaches-threats-of-2010s\/attachment\/shutterstock_201061232\/\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/12\/shutterstock_201061232.jpg\" data-orig-size=\"1000,750\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"shutterstock_201061232\" data-image-description=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/12\/shutterstock_201061232-300x225.jpg\" data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/12\/shutterstock_201061232-600x450.jpg\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/12\/shutterstock_201061232-600x450.jpg\" alt=\"cybersecurity fails target\" class=\"wp-image-41618\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/12\/shutterstock_201061232-600x450.jpg 600w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/12\/shutterstock_201061232-300x225.jpg 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/12\/shutterstock_201061232.jpg 1000w\" sizes=\"(max-width: 600px) 100vw, 600px\" \/><\/figure>\n<p><strong>WZ: <\/strong>Okay, I will totally give you Cryptolocker. Game changer, no question. But this next breach is the quintessential lesson in \u201cit only takes one time,\u201d the Occam\u2019s razor of cybersecurity fails. 
It also happened to be the splashiest, loudest security news of the decade (so far). Why? Because everyone loves Target. Everyone.<\/p>\n<p>In 2013, <a rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\" href=\"https:\/\/krebsonsecurity.com\/2015\/09\/inside-target-corp-days-after-2013-breach\/\" target=\"_blank\">Target screwed up big time.<\/a> Its HVAC vendor had been hit with malware via lowly <a href=\"https:\/\/krebsonsecurity.com\/2014\/02\/email-attack-on-vendor-set-up-breach-at-target\/\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">phishing email<\/a>, but the technician remained dubiously unaware of that infection, which went ahead and stole Target\u2019s network credentials. Hey, kids! What happens when you give third parties access to your VPN without thoroughly vetting them or their equipment for threats? You get hacked. <\/p>\n<p>Also, note to businesses of all sizes: Free scanners do not proactively block threats. (Yes, we know, the HVAC people were using the free version of Malwarebytes.) They detect and clean malware <em>only when you run a scan<\/em>. Had the vendor been using our real-time anti-malware technology (or any other antivirus platform with always-on protection), this attack would have been erased from history. <\/p>\n<h3>2014: sorry, celebs! 
The Sony Pictures hack<\/h3>\n<figure class=\"wp-block-image\"><img decoding=\"async\" data-attachment-id=\"41636\" data-permalink=\"https:\/\/blog.malwarebytes.com\/awareness\/2019\/12\/a-decade-in-cybersecurity-fails-top-breaches-threats-of-2010s\/attachment\/shutterstock_318256490\/\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/12\/shutterstock_318256490.jpg\" data-orig-size=\"1000,1000\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"shutterstock_318256490\" data-image-description=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/12\/shutterstock_318256490-300x300.jpg\" data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/12\/shutterstock_318256490-600x600.jpg\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/12\/shutterstock_318256490-600x600.jpg\" alt=\"sony\" class=\"wp-image-41636\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/12\/shutterstock_318256490-600x600.jpg 600w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/12\/shutterstock_318256490-150x150.jpg 150w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/12\/shutterstock_318256490-300x300.jpg 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/12\/shutterstock_318256490.jpg 1000w\" sizes=\"(max-width: 600px) 100vw, 600px\" \/><\/figure>\n<p><strong>CB: <\/strong>Everyone may love Target in the US, but on the other side of the pond, we enjoy \u00a31 stores where everything costs, uh, \u00a31.50. 
No, I don\u2019t understand it either. What I do understand is I\u2019m about to up the stakes to DEFCON 1 (Is that the bad one?) with a hacking tale that truly went viral. Step forward for the second time today, Sony! <\/p>\n<p>The long version of the Sony Pictures hack can be <a href=\"https:\/\/www.vox.com\/2015\/1\/20\/18089084\/sony-hack-north-korea\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">read here<\/a>. The short version? A hacker group called Guardians of Peace pilfered massive amounts of data from Sony servers, and in the years that have followed, it\u2019s now tricky to remember where conspiracy theories and documented facts cross paths. A shady North Korean conspiracy, FBI and NSA involvement, multiple unreleased movies dumped online, thinly-veiled references to terrorist acts unless <em>The Interview <\/em>was pulled from theatres, and more all happened in the space of a month.<\/p>\n<p>This cybersecurity fail is the equivalent of a <em>Fast and Furious<\/em> movie where the smalltime family of car heisters somehow ends up stealing nuclear footballs and taking down Russian submarines in their spare time. 
Also, hurling insults at someone who starred in a film called <em>Hackers<\/em> seems like a great way to invoke the Gods of dramatic irony.<\/p>\n<h3>2015: not sorry, cheaters<\/h3>\n<figure class=\"wp-block-image\"><img decoding=\"async\" data-attachment-id=\"41637\" data-permalink=\"https:\/\/blog.malwarebytes.com\/awareness\/2019\/12\/a-decade-in-cybersecurity-fails-top-breaches-threats-of-2010s\/attachment\/shutterstock_598152260\/\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/12\/shutterstock_598152260.jpg\" data-orig-size=\"1000,667\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"shutterstock_598152260\" data-image-description=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/12\/shutterstock_598152260-300x200.jpg\" data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/12\/shutterstock_598152260-600x400.jpg\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/12\/shutterstock_598152260-600x400.jpg\" alt=\"cybersecurity fails ashley madison\" class=\"wp-image-41637\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/12\/shutterstock_598152260-600x400.jpg 600w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/12\/shutterstock_598152260-300x200.jpg 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/12\/shutterstock_598152260.jpg 1000w\" sizes=\"(max-width: 600px) 100vw, 600px\" \/><\/figure>\n<p><strong>WZ: <\/strong>Yikes, yeah, 2014 was not a great year to be a celebrity. 
Just ask the victims of <a rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\" href=\"https:\/\/www.forbes.com\/sites\/davelewis\/2014\/09\/02\/icloud-data-breach-hacking-and-nude-celebrity-photos\/#9e72ab02de72\" target=\"_blank\">The Fappening<\/a>. But I\u2019m going to pivot and mention one of the decade&#8217;s cybersecurity fails that was actually a good thing: The <a href=\"https:\/\/www.wired.com\/2015\/08\/happened-hackers-posted-stolen-ashley-madison-data\/\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">Ashley Madison hack<\/a>. <\/p>\n<p>Bringing to public consciousness the term \u201chacktivism,\u201d these do-gooders breached the database of the website dedicated to helping married people find true love by cheating on their partners. Some 32 million adulterers\u2019 credentials and credit card information were dumped online, after which they were likely dumped by their angry spouses. There\u2019s not much else I can say here except you guys are assholes and deserved this one. The end.<\/p>\n<p><strong>CB: <\/strong>Yeah, I got nothing. 
Those cheaters were bad and should feel bad.<\/p>\n<h3>2016: But her emails?<\/h3>\n<figure class=\"wp-block-image\"><img decoding=\"async\" data-attachment-id=\"41639\" data-permalink=\"https:\/\/blog.malwarebytes.com\/awareness\/2019\/12\/a-decade-in-cybersecurity-fails-top-breaches-threats-of-2010s\/attachment\/shutterstock_671082244\/\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/12\/shutterstock_671082244.jpg\" data-orig-size=\"1000,667\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"shutterstock_671082244\" data-image-description=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/12\/shutterstock_671082244-300x200.jpg\" data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/12\/shutterstock_671082244-600x400.jpg\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/12\/shutterstock_671082244-600x400.jpg\" alt=\"shadow brokers\" class=\"wp-image-41639\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/12\/shutterstock_671082244-600x400.jpg 600w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/12\/shutterstock_671082244-300x200.jpg 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/12\/shutterstock_671082244.jpg 1000w\" sizes=\"(max-width: 600px) 100vw, 600px\" \/><\/figure>\n<p><strong>WZ: <\/strong>Look, everyone and their mother is going to say the DNC hack was the biggest cyber event of 2016. 
The Russians most certainly pinned the tail on the Democratic donkey, interfered in our elections, and overall made a right mess of things. There\u2019s no doubt Russia\u2019s actions cast a shadow over American democracy. But as far as global, far-reaching impact is concerned, I\u2019ve got my eye on a different blight. <\/p>\n<p>In 2016, a shady hacking group known as <a href=\"https:\/\/www.theatlantic.com\/technology\/archive\/2017\/05\/shadow-brokers\/527778\/\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">the Shadow Brokers<\/a> started leaking NSA secrets, vulnerabilities, and exploits onto the Internet, embarrassing the agency, but more importantly, putting sophisticated tools in the hands of cybercriminals that would be employed over the remainder of the decade. <\/p>\n<p>Most notably, they disclosed a group of SMB vulnerabilities and their accompanying exploits, which were later used to propagate the WannaCry infection laterally through thousands of endpoints, and which are still in use today to spread deadly <a rel=\"noreferrer noopener\" aria-label=\"Emotet (opens in a new tab)\" href=\"https:\/\/blog.malwarebytes.com\/botnets\/2019\/09\/emotet-is-back-botnet-springs-back-to-life-with-new-spam-campaign\/\" target=\"_blank\">Emotet<\/a> and <a href=\"https:\/\/blog.malwarebytes.com\/trojans\/2019\/09\/trickbot-adds-new-trick-to-its-arsenal-tampering-with-trusted-texts\/\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\"TrickBot (opens in a new tab)\">TrickBot<\/a> infections in worm-like fashion.<\/p>\n<p>If it weren\u2019t for the cybersecurity fails caused by the Shadow Brokers, who knows? Threat actors might still be messing around with small potato consumer scams and identity theft. But with grown-up utilities in hand, they realized they could do a lot more damage to a lot more devices, and soon turned their greedy gaze to loftier goals. 
<\/p>\n<h3>2017: the year of the outbreak<\/h3>\n<figure class=\"wp-block-image\"><img decoding=\"async\" data-attachment-id=\"41641\" data-permalink=\"https:\/\/blog.malwarebytes.com\/awareness\/2019\/12\/a-decade-in-cybersecurity-fails-top-breaches-threats-of-2010s\/attachment\/shutterstock_642409894\/\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/12\/shutterstock_642409894.jpg\" data-orig-size=\"1000,667\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"shutterstock_642409894\" data-image-description=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/12\/shutterstock_642409894-300x200.jpg\" data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/12\/shutterstock_642409894-600x400.jpg\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/12\/shutterstock_642409894-600x400.jpg\" alt=\"wannacry\" class=\"wp-image-41641\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/12\/shutterstock_642409894-600x400.jpg 600w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/12\/shutterstock_642409894-300x200.jpg 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/12\/shutterstock_642409894.jpg 1000w\" sizes=\"(max-width: 600px) 100vw, 600px\" \/><\/figure>\n<p><strong>CB: <\/strong>Well, super sneaky government tool thefts are all well and good, but the impact of ransomware retooling and running wild can\u2019t be denied. 
In 2017, ransomware authors decided that just going after home users was becoming a little old hat, so they started targeting large organisations in a wave of outbreaks (fueled by the very exploits stolen from the NSA in 2016). Sadly for us, those organisations included many of the services we make use of on a daily basis, whose files and operations were encrypted and held up for Bitcoin ransom.<\/p>\n<p><a rel=\"noreferrer noopener\" aria-label=\"WannaCry (opens in a new tab)\" href=\"https:\/\/blog.malwarebytes.com\/cybercrime\/2017\/05\/how-did-wannacry-ransomworm-spread\/\" target=\"_blank\">WannaCry<\/a>, <a rel=\"noreferrer noopener\" aria-label=\"NotPetya (opens in a new tab)\" href=\"https:\/\/blog.malwarebytes.com\/cybercrime\/2017\/06\/petya-esque-ransomware-is-spreading-across-the-world\/\" target=\"_blank\">NotPetya<\/a>, and <a href=\"https:\/\/blog.malwarebytes.com\/threat-analysis\/2017\/10\/badrabbit-closer-look-new-version-petyanotpetya\/\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\"BadRabbit (opens in a new tab)\">BadRabbit<\/a> were the big three ransomware epidemics of the year, but the malware made headlines time and time again as ransomware authors inched themselves into every available corner. Threat actors may have become a little less inventive during this period, but they certainly weren\u2019t resting on their laurels. <\/p>\n<p>Arguably the heaviest-hitting ransomware story of 2017 was the WannaCry attack on NHS, as \u00a392m vanished down the plughole. 
This was a seismic attack, the aftershocks of which are still felt today, spinning off into unexpected places that have taken on a life of their own.<\/p>\n<h3>2017: crypto fever<\/h3>\n<figure class=\"wp-block-image\"><img decoding=\"async\" data-attachment-id=\"41642\" data-permalink=\"https:\/\/blog.malwarebytes.com\/awareness\/2019\/12\/a-decade-in-cybersecurity-fails-top-breaches-threats-of-2010s\/attachment\/shutterstock_1099822403\/\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/12\/shutterstock_1099822403.jpg\" data-orig-size=\"1000,667\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;1&quot;}\" data-image-title=\"shutterstock_1099822403\" data-image-description=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/12\/shutterstock_1099822403-300x200.jpg\" data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/12\/shutterstock_1099822403-600x400.jpg\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/12\/shutterstock_1099822403-600x400.jpg\" alt=\"cybersecurity fails crypto\" class=\"wp-image-41642\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/12\/shutterstock_1099822403-600x400.jpg 600w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/12\/shutterstock_1099822403-300x200.jpg 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/12\/shutterstock_1099822403.jpg 1000w\" sizes=\"(max-width: 600px) 100vw, 600px\" \/><\/figure>\n<p><strong>WZ: <\/strong>I could go with <a 
href=\"https:\/\/blog.malwarebytes.com\/101\/2017\/09\/equifax-aftermath-how-to-protect-against-identity-theft\/\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">Equifax here<\/a>, but come on, son. Another day, another breach. In 2017, it was safe to say that basically anyone who had ever been online had their information compromised. Which is why I will instead turn to the birth of a brand-new form of cybercrime: cryptomining.<\/p>\n<p>Bitcoin and other cryptocurrency had always been the favored tender of the black market, as it\u2019s anonymous and nearly impossible to trace. However, in 2017, crypto became more mainstream as a sudden, acute increase in value had even the beariest of bears opening cryptowallets and investing in super-niche altcoins. So naturally, cybercriminals being the vultures of the Internet, they found a way to capitalize on all this carrion by jacking the CPU\/GPU of other users\u2019 systems to generate coin.<\/p>\n<p>Starting in late 2017, we started noticing <em>hundreds of millions<\/em> of <a rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\" href=\"https:\/\/blog.malwarebytes.com\/security-world\/2017\/10\/why-is-malwarebytes-blocking-coinhive\/\" target=\"_blank\">detections of coinhive.com<\/a>, a CPU-mining platform that\u2014while itself a legitimate service\u2014was being abused by cybercriminals to mine users without their permission. 
This kicked off a <a href=\"https:\/\/blog.malwarebytes.com\/malwarebytes-news\/2018\/04\/labs-ctnt-report-shows-shift-in-threat-landscape-to-cryptomining\/\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">landslide of cryptomining<\/a> activity that spawned the creation of multi-platform cryptomining malware, drive-by mining attacks, crypto-bundlers, crypto-themed scams, cryptowallet drainers, crypto crypto cryptors, and crypto.<\/p>\n<p>While cryptomining has since died down from its 2017-2018 heyday, it remains forever part of the threat landscape, and I\u2019m sure we\u2019ll be seeing much more of it as cryptocurrency and blockchain technology take hold in the next decade.<\/p>\n<h3>2018: shine\u2019s off social media<\/h3>\n<figure class=\"wp-block-image\"><img decoding=\"async\" data-attachment-id=\"41643\" data-permalink=\"https:\/\/blog.malwarebytes.com\/awareness\/2019\/12\/a-decade-in-cybersecurity-fails-top-breaches-threats-of-2010s\/attachment\/shutterstock_1053127601\/\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/12\/shutterstock_1053127601.jpg\" data-orig-size=\"1000,668\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;1&quot;}\" data-image-title=\"shutterstock_1053127601\" data-image-description=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/12\/shutterstock_1053127601-300x200.jpg\" data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/12\/shutterstock_1053127601-600x401.jpg\" 
src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/12\/shutterstock_1053127601-600x401.jpg\" alt=\"cybersecurity fails facebook\" class=\"wp-image-41643\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/12\/shutterstock_1053127601-600x401.jpg 600w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/12\/shutterstock_1053127601-300x200.jpg 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/12\/shutterstock_1053127601.jpg 1000w\" sizes=\"(max-width: 600px) 100vw, 600px\" \/><\/figure>\n<p><strong>CB: <\/strong>2018 was all about the covert use of data pulling the strings in every direction you can imagine. Data mining and digital assets plus social media makes for a cracking combination in the wrong hands, and it turns out Facebook was the place most of this war was fought and won (or lost, if you were on the receiving end).<\/p>\n<p>Cambridge Analytica, a political consulting firm based in the UK, probably knew they\u2019d walked into \u201coh, whoops\u201d territory when their offices <a rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\" href=\"https:\/\/www.politico.eu\/article\/cambridge-analytica-hq-uk-authorities-raid\/\" target=\"_blank\">were raided in 2018<\/a>. They\u2019d been mucking around on <a rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\" href=\"https:\/\/en.wikipedia.org\/wiki\/Cambridge_Analytica#Elections\" target=\"_blank\">multiple elections worldwide<\/a>, but drew attention to themselves and Facebook after it was discovered that they\u2019d been <a rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\" href=\"https:\/\/blog.malwarebytes.com\/cybercrime\/2018\/03\/what-facebooks-cambridge-analytica-problem-means-for-your-data\/\" target=\"_blank\">harvesting the personal information from 50 million Facebook user profiles without their permission<\/a>. 
The <a href=\"https:\/\/www.theguardian.com\/technology\/2019\/mar\/17\/the-cambridge-analytica-scandal-changed-the-world-but-it-didnt-change-facebook\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">repercussions<\/a> from this story continue to be felt today, as lawmakers now scrutinize Big Tech for their data privacy policies.<\/p>\n<h3>2018: data privacy becomes a thing<\/h3>\n<figure class=\"wp-block-image\"><img decoding=\"async\" data-attachment-id=\"41645\" data-permalink=\"https:\/\/blog.malwarebytes.com\/awareness\/2019\/12\/a-decade-in-cybersecurity-fails-top-breaches-threats-of-2010s\/attachment\/data_privacy\/\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/12\/data_privacy.jpg\" data-orig-size=\"5001,3334\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;1&quot;}\" data-image-title=\"data_privacy\" data-image-description=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/12\/data_privacy-300x200.jpg\" data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/12\/data_privacy-600x400.jpg\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/12\/data_privacy-600x400.jpg\" alt=\"cybersecurity fails crypto\" class=\"wp-image-41645\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/12\/data_privacy-600x400.jpg 600w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/12\/data_privacy-300x200.jpg 300w\" sizes=\"(max-width: 600px) 100vw, 600px\" \/><\/figure>\n<p><strong>WZ:<\/strong> Actually, I have to semi-agree on Cambridge 
Analytica. But I see your social media problems and I raise you an entire Internet of <a href=\"https:\/\/blog.malwarebytes.com\/security-world\/2019\/03\/not-definitive-guide-cybersecurity-data-privacy-laws\/\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\"data privacy (opens in a new tab)\">data privacy<\/a> issues. In 2018, users got a rude awakening into the inner workings of the tech giants they\u2019d come to love, rely on, and otherwise be addicted to. Wait, you\u2019re selling my information to pharmaceutical companies? You can actually <em>record my conversations <\/em>through my digital home assistant? Suddenly, users had to be just as wary of legitimate tech companies as they were of cybercriminals. <\/p>\n<p>The awareness of 2018 led to global action, as <a href=\"https:\/\/blog.malwarebytes.com\/security-world\/privacy-security-world\/2018\/05\/gdpr-causes-a-flood-of-new-policies\/\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\"GDPR (opens in a new tab)\">GDPR<\/a> was put into effect, launching a million cookie notices and EULA rewrites. Digital data privacy had always been an issue, reaching far back to pre-Y2K years, and it will continue for many decades as we contend with biometrics and genetic data. 
But 2018 represented a period of public \u201cwokeness\u201d that forever changed the way we build, buy, regulate, and use technology.<\/p>\n<h3>2019: the year of the triple threat<\/h3>\n<figure class=\"wp-block-image\"><img decoding=\"async\" data-attachment-id=\"41646\" data-permalink=\"https:\/\/blog.malwarebytes.com\/awareness\/2019\/12\/a-decade-in-cybersecurity-fails-top-breaches-threats-of-2010s\/attachment\/shutterstock_84954079\/\" data-orig-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/12\/shutterstock_84954079.jpg\" data-orig-size=\"665,1000\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"shutterstock_84954079\" data-image-description=\"\" data-medium-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/12\/shutterstock_84954079-200x300.jpg\" data-large-file=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/12\/shutterstock_84954079-399x600.jpg\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/12\/shutterstock_84954079-399x600.jpg\" alt=\"cybersecurity fails triple threat\" class=\"wp-image-41646\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/12\/shutterstock_84954079-399x600.jpg 399w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/12\/shutterstock_84954079-200x300.jpg 200w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/12\/shutterstock_84954079.jpg 665w\" sizes=\"(max-width: 399px) 100vw, 399px\" \/><\/figure>\n<p><strong>CB:<\/strong> We\u2019re too close to 2019 to be able to say conclusively what stuck and what stank, but the triple 
threat of <a rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\" href=\"https:\/\/blog.malwarebytes.com\/cybercrime\/2019\/03\/emotet-revisited-this-pervasive-persistent-threat-is-still-a-danger-to-businesses\/\" target=\"_blank\">Emotet<\/a>, <a rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\" href=\"https:\/\/blog.malwarebytes.com\/trojans\/2019\/09\/trickbot-adds-new-trick-to-its-arsenal-tampering-with-trusted-texts\/\" target=\"_blank\">TrickBot<\/a>, and <a href=\"https:\/\/blog.malwarebytes.com\/threat-spotlight\/2019\/12\/threat-spotlight-the-curious-case-of-ryuk-ransomware\/\">Ryuk ransomware<\/a> caused such massive problems across a range of critical infrastructure and <a rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\" href=\"https:\/\/blog.malwarebytes.com\/cybercrime\/malware\/2019\/01\/ryuk-ransomware-attacks-businesses-over-the-holidays\/\" target=\"_blank\">business services<\/a> that any 2019 listicle that doesn\u2019t feature this attack is missing the mark. If your mailbox hasn\u2019t detected the familiar twang of an <a href=\"https:\/\/www.malwarebytes.com\/emotet\/\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">Emotet malspam<\/a> landing on the network yet, you\u2019re doing very well indeed. <\/p>\n<p>The triple threat officially saw light in 2018, but it was <em>the attack <\/em>of 2019. If there was news of a city declaring a state of emergency, a school shutting down for weeks, or a hospital shelling out thousands in ransom payment, you bet it was on account of these three devils. 
It\u2019s an assault from every angle, and in an alien invasion, <a href=\"https:\/\/blog.malwarebytes.com\/ransomware\/2019\/08\/ransomware-continues-assault-against-cities-and-businesses\/\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">this would be the part<\/a> where the hero escaped through a conveniently placed air vent.<\/p>\n<h3>Cybersecurity fail of the decade<\/h3>\n<p>All this arguing on which cybersecurity fails were most awe-inspiring, death-defying, or just plain stupid would be pointless if we didn&#8217;t wrap it up in a nice year-end bow. So, without further ado, we&#8217;ll now take our pick of the top cybersecurity fail of the decade. Drumroll please&#8230;<\/p>\n<p><strong>WZ: <\/strong>My vote is for Shadow Brokers because it set off a chain of events that allowed for cybercriminals to evolve into more sophisticated, industrialized players, essentially radically changing the threat landscape from a bunch of kids messing around in their basements to organized criminals aimed at taking down organizations, swiping millions of users&#8217; personal data and making significant profit in the process.<\/p>\n<p><strong>CB: <\/strong>My pick is the Mat Honan hack. It&#8217;s not as big, or as flashy, or as sophisticated as most of the attacks on display. But what happened to him pretty much still happens to people now as their first introduction to the world of &#8220;All my data is gone forever.&#8221; How they torched his digital existence and salted the earth is beyond brutal\u2014and, most chillingly, it was nothing personal.<\/p>\n<p>Which of these cybersecurity fails would you vote for? 
Sound off in the comments!<\/p>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\/awareness\/2019\/12\/a-decade-in-cybersecurity-fails-top-breaches-threats-of-2010s\/\">A decade in cybersecurity fails: the top breaches, threats, and \u2018whoopsies\u2019 of the 2010s<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\">Malwarebytes Labs<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>As the 2010s come to a close, we take a snarky walk down memory lane, listing the craziest, most impactful, or simply just awful cybersecurity fails of the decade.<\/p>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\/awareness\/2019\/12\/a-decade-in-cybersecurity-fails-top-breaches-threats-of-2010s\/\">A decade in cybersecurity fails: the top breaches, threats, and \u2018whoopsies\u2019 of the 2010s<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\">Malwarebytes 
Labs<\/a>.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10488,10378],"tags":[23807,19109,15496,16066,17876,23808,23809,11063,11562,15715,10987,3589,17526,20110,12830,10626,23810,23811,20434,23812,23813,3765,19317,20562,23814,12004,1932,14224,23815,4053,11661,23816,13256,23817,12252],"class_list":["post-17261","post","type-post","status-publish","format-standard","hentry","category-malwarebytes","category-security","tag-ashley-madison","tag-ashley-madison-hack","tag-awareness","tag-badrabbit","tag-cambridge-analytica","tag-cryptolocker","tag-cryptolocker-ransomware","tag-data-privacy","tag-edward-snowden","tag-emotet","tag-exploits","tag-facebook","tag-hacktivism","tag-mat-honan","tag-notpetya","tag-nsa","tag-nsa-spying","tag-nsa-surveillance","tag-nsa-tools","tag-playstation-breach","tag-playstation-hack","tag-ransomware","tag-ryuk","tag-ryuk-ransomware","tag-security-fails","tag-shadow-brokers","tag-social-media","tag-sony","tag-sony-pictures-hack","tag-surveillance","tag-target-breach","tag-target-hack","tag-trickbot","tag-triple-threat","tag-wannacry"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/17261","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=17261"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/17261\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/
index.php\/wp-json\/wp\/v2\/media?parent=17261"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=17261"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=17261"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}