2016 has been a challenging year for politics, public sanity and celebrity longevity, but also, for individuals and companies, a testing time in terms of online security. Pitted against increasingly sophisticated and targeted cybercriminals, it’s not been easy going, as these notable security incidents from the past 12 months reveal.
In October, cybercriminals launched major DDoS attacks, disrupting a host of websites, including the likes of Twitter, Netflix, PayPal, Pinterest and the PlayStation Network, amongst many others.
The group behind the attack did this by compromising thousands of endpoint IoT devices (initially thought to be 100,000, later revised down to nearer 20,000 by security researchers), transforming them into a botnet and flooding DNS hosting provider Dyn (recently acquired by Oracle) with traffic.
Of course, this attack had a short-term effect on some of the world’s most popular sites, but that’s not what makes it significant, nor is the attack method (DDoS remains in the toolkit of every cybercriminal).
No, the attack was staggering for its size, measuring close to 1 Tbps at one time, which was not dissimilar to the DDoS attack which targeted Brian Krebs’ website one month earlier (more on this later). And with Gartner predicting that there will be 20.8 billion ‘connected’ things talking to each other by 2020, you can be sure that this kind of DDoS attack is just the start.
Approximately 40,000 Tesco Bank accounts were compromised in a cyberattack in early November, but this in itself was not hugely significant – after all we have seen bigger data breaches (think Target in 2013).
Instead, it was the tale of thousands of customers losing physical money from their accounts – a rarity in a cybercrime age where most damage is invisible to the human eye.
The bank, which has more than seven million customers, reported that roughly 9,000 customers had as much as £600 (approximately $763) siphoned from their accounts, and pledged to refund those losses within 24 working hours.
The precise nature of the attack was unclear, with some suggesting the compromise of a third-party retailer and others pointing to cybercriminal activity. One customer said that cash had been withdrawn from his account in four separate transactions, with all of these coming from Rio de Janeiro in Brazil.
Needless to say, the attack has far-reaching consequences not only for the customers but for Tesco too, with the UK’s Financial Conduct Authority (FCA) preparing to issue a potentially huge fine.
The Dyn DNS attack rightfully grabbed the headlines for IoT security (or lack of it) in October, but one month later there was another security incident that had arguably far bigger consequences.
Local reports suggest that cybercriminals were not only able to compromise the building automation system used across the two buildings by flooding it with bogus traffic – forcing devices to restart every few minutes – but also to deny administrators remote access to the devices.
This meant that technicians had to physically visit the buildings and remove the affected hardware from the internet until the malicious traffic could be filtered out.
IT management company Valtia said that there is strong evidence that vulnerable, internet-exposed devices manufactured by the local technology company Fidelix were to blame for the incident.
In February, cybercriminals reportedly angry about US ties with Israel breached the US Department of Justice’s database.
CNN reported that the attackers released data on 10,000 Department of Homeland Security employees one day, and then released data on 20,000 FBI employees the next day. The information stolen and released included names, titles, phone numbers and email addresses, although the Department of Justice said it did not believe other sensitive information, such as social security numbers, was obtained.
The method of attack remains a mystery, but what is significant about it is that it showed not only that cybercriminals can compromise a big government agency, but also that such agencies suffer from the very same issues as enterprises.
After all, the cybercriminals – apparently tweeting from the account @DotGovs – claimed it took one week for the Department of Justice to realize that their systems had been compromised.
X-rated adult website AdultFriendFinder has now been hit by cybercriminals in consecutive years, with this year’s attack in November involving far more people than before.
This time, the number of accounts compromised was immense — approximately 412 million users had personal information stolen and published in criminal marketplaces on the dark web.
The breached data included email addresses, passwords, VIP member status, browser information, the last IP address used to log in, and purchases. LeakedSource found the breach and brought it to the public’s attention.
What can we learn from this? Organizations will continue to ignore security if they see breaches as good PR, and online privacy can never be guaranteed – wherever you go on the web.
Back in June, a cybercriminal going by the name of ‘Peace’ came to prominence after data on millions of LinkedIn, Tumblr and Myspace users was made available online. All in, there were more than half a billion passwords posted.
Indeed, Peace’s dark web store has plenty of merchandise. According to Wired, his store includes 167 million user accounts from LinkedIn, 360 million from MySpace, 68 million from Tumblr, 100 million from the Russian social media site VK.com, and most recently another 71 million from Twitter, adding up to more than 800 million accounts and growing.
The data from these thefts was behind the social media account takeovers of Facebook CEO Mark Zuckerberg, popstars Katy Perry and Drake, and Twitter cofounder Biz Stone, to name a few.
But quite how he – if he indeed did it alone – managed to clock up such a data pool remains a mystery. There’s some suggestion that this is old data dating back to 2012 and that the severity of these attacks has been magnified through people reusing passwords.
Security journalist and researcher Brian Krebs is a respected name in the industry, outing cybercrime groups and revealing data breaches long before the affected companies themselves even knew of them.
But such efforts can leave you at the mercy of the wrong people, as Krebs found out in September when his website, arguably far more secure than most, was hit by a (then) record DDoS attack measuring between 620 and 655 Gbps.
The attack, though unsuccessful thanks to the efforts of the DNS provider Akamai, was stunning because the previous record-high DDoS attack was 363 Gbps. Not only that but, whilst the smaller attack relied on a technique to essentially ‘amplify’ a small attack into a bigger one, the attack on Krebs turned out to be launched simply by a huge botnet of compromised devices.
What did we learn from this? Well, DDoS attacks are growing at a rapid rate in terms of size, and they are no longer just an entry-level attack to launch another attack, or to further infiltrate the network.
Yahoo was forced to admit that up to 500 million customers may have had data stolen, including sensitive details such as names, email addresses, phone numbers and hashed passwords. While the size of the attack was significant, it was notable too that fingers were being pointed at a state-sponsored actor.
This was not Yahoo’s first embarrassment as far as cybersecurity is concerned – it was breached in 2014 too – but what is particularly intriguing is that Yahoo may have known about the attack since August, two months prior to the breach being reported.
We often write ahead in the industry, meaning that this security incident didn’t even make the first draft of this feature. But, there you go – you can never rest on your laurels when it comes to cybercrime.
This unprecedented data breach made the front pages of websites all over the world on December 14th and 15th. Yahoo announced that this time around, up to one billion user accounts were thought to have been compromised – and, more devastatingly, it was revealed that this was a separate incident from the 2014 data breach.
According to Bob Lord, chief information security officer at Yahoo, this data breach is believed to go back as far as August 2013. While names, email addresses, phone numbers and hashed passwords were accessed, no bank account or payment data was compromised, as it is not stored on the affected system.
ESET’s Mark James commented: “So what can you do about the breach? NOTHING! Sorry, but it’s true, there is nothing you can do about that particular data breach but you can try and limit any further damage as a result of your data going missing.”
Accordingly, he offers some really useful and insightful security advice, so please do read his article. What does this mean for the security industry? It’s too early to say, but what is certain is that this marks a tipping point.
It may not have made front pages in the western hemisphere, but in April this was one of the most poignant and devastating cyberattacks of 2016.
A breach of the database for the Philippine Commission on Elections (COMELEC) resulted in the loss of personal information on every single voter in the Philippines — approximately 55 million people. Allegedly breached by Anonymous Philippines, the information was made public online by Lulzsec Pilipinas.
Anonymous’ actions were allegedly an effort to push COMELEC to turn on security features in the vote counting machines before the national elections on May 9th. This comes at an interesting time, and suggests politics could well be more influenced by outside forces than we like to admit.
Author: Editor, ESET