2016’s hacks, attacks and security blunders
Just when we thought things couldn’t get worse than 2015’s security and privacy disasters, the asshole known as 2016 came along to trample and pee on any hope we had left for a hack-free, secure future. This was the year Hollywood hacking scare-fantasies like War Games started to feel uncomfortably real. Yay…
This lovely year, our government used Tor exploits, the UK passed its terrible Snooper’s Charter, our TSA failed at cyber, the FBI got its hacking powers expanded and the Shadow Brokers tried to sell NSA secrets. But it’s the stories below that shaped this year in hacking and cybersecurity. They may have even had a hand in changing the course of history for the free world.
All for nothing
All it takes to get the FBI’s panties in a bunch is for someone to say “no” — and bunched they became when the agency wanted to get into an encrypted iPhone related to the San Bernardino shootings. The FBI wanted Apple to build a custom version of iOS with a backdoor. Apple said it not only wouldn’t, but couldn’t break the phone’s encryption for the case, because it would essentially break encryption on every other iPhone. This turned into a knock-down-drag-out fight both in congressional testimony and in the press. Everyone had an opinion, and the encryption debate became a vitriolic and emotional squabble. Eventually, the FBI picked itself up, dusted itself off, and ponied up $1.3 million for an exploit that allowed it into the phone.
An unhealthy diagnosis
When the Hollywood Presbyterian Hospital had its files held hostage in February by malware demanding payment, the digital plague known as ransomware finally got everyone’s attention. While not the first emergency service organization to fall victim to these extortion schemes, the hospital’s predicament highlighted the direness of the situation. The hospital was at a standstill with its systems responsible for CT scans, documentation, lab work, pharmacy functions and electronic communications all out of commission. Staff relied on pencil and paper; it was reported that radiation and oncology were temporarily shut down. The hospital eventually paid the ransom and got its files unlocked, and no one was harmed as a result of the disruption (that we know of). Still, it demonstrated just how fragile the systems our lives depend on have become.
Ocean’s 15 is going to be boring
The SWIFT bank heists are the stuff blockbuster films are made of. That is, if we wanted to watch George Clooney sit at a computer mashing keys for about 1,000 hours. In April, hackers swiped $81 million from Bangladesh Bank thanks to a flaw in SWIFT international banking software. A bank in Vietnam was also hit with the same technique, to the tune of $1 million. Then May saw another round of SWIFT-related bank robberies, in which hackers snatched $12 million from an Ecuadorian bank. Most of the attacks targeted Australia, Hong Kong, the UK, the Ukraine and the US, and they probably won’t stop anytime soon. It’s now believed a second group is targeting banks using the same methods, again using malware to cover its tracks via SWIFT.
Offshoring accountability
There was one big hack and dump that actually felt like it wasn’t done with completely evil intentions. That was the Panama Papers leak, in which a boatload of offshore-tax-haven records was released to the public via a handful of global news organizations. The offshore money-laundering firm Mossack Fonesca provided tax-avoidance services mostly to the rich and despotic, who wanted to stay technically within the law but needed to cover their unethical tracks. The resulting scandals prompted the prime minister of Iceland and FIFA ethics-committee member Juan Pedro Damiani to resign. Former UK Prime Minister David Cameron had some fessing up to do; leaders of Sudan and Azerbaijan, Pakistan Prime Minister Nawaz Sharif and Ukraine President Petro Poroshenko were also named in the papers. China’s government went on damage control and demanded reporting on the Papers be stopped after the family members of eight Communist Party elites were shown to have dealings with offshore companies.
Leave Britney alone
Throughout the year, one group managed to ruin the day of many CEOs, companies, and celebrities: social media extortionists extraordinaire OurMine. Grabbing usernames and passwords from breach dumps, finding famous names and seeing if the credentials still work isn’t exactly the work of hacking masterminds. But OurMine has made headlines time and again with this very simple formula. Big names on the “hacked by OurMine” list include Katy Perry, Marvel, Mark Zuckerberg, Google’s Sundar Pichai, Yahoo’s Marissa Mayer, AOL’s Steve Case and Twitter CEO Jack Dorsey. They proved that even the people who should know better reuse passwords, and companies aren’t doing a good enough job at telling users to change their passwords after a breach. Though, we can note with a small amount of dark amusement that one of its recent victims is Sony … which you’d think would know all about password and security hygiene by now.
What’s the opposite of security?
If there was a contest for getting embarrassingly hacked and being the worst at user security, Yahoo surely became the reigning queen of 2016. In fact, they won the race to the bottom so hard this year, the company may be hanging onto the crown for years to come. When Yahoo revealed in September it had been hacked in 2014, just after its sale began to Verizon, the truth started coming out. That incident affected a jaw-dropping 500 million Yahoo users. Turns out this was only one of the intrusions Yahoo failed to tell us about, because this month it revealed that it was hacked again, in 2013. This time, it took the crown for the biggest exposure of customer records and credentials, ever — with over 1 billion accounts coming up pwned in a years-long compromise. Yahoo always had a tough slog when it came to staying afloat, but this year we found out that it really sucked at everything. But most especially security.
When your DVR is a honeypot
There was only one way this year could get worse when it came to hacking, and of course, it happened. Insecure IoT devices were leveraged via the Mirai Botnet to take out about half the internet when PayPal, The New York Times, Pinterest, Spotify, Twitter and many more sites went offline in October. WikiLeaks said it was all about them, everyone blamed Russia, and IoT hackers pretty much just rolled their eyes. The attackers did all this by exploiting the stupid decisions of “smart” appliance companies who left backdoors and default passwords in things like connected cameras and DVRs. The Mirai Botnet incident was only a partial use of the gigantic implanted malware bot-army, so that’s just great. It certainly served as a warning — albeit too late — about security neglect in manufacturing, and just how fragile our internet economy and communications really are.
Like D-Day, but for drama
In July, President-elect Donald Trump invited the Russians to hack us in a very specific way… and they did. So weird, right? They even went the extra mile for him by taking down his Democratic opponent with a series of hacks (and subsequent leaks, via WikiLeaks) that may have swayed the election in the bad hombre’s favor. It was the world’s most painful lesson in cybersecurity. John Podesta got owned through bad advice encouraging him to click a phishing link, and every US state panicked about the vulnerability and hackability of its voting machines. The result has been an ugly, rolling-downhill cyberwar with Russia, pitting the incoming president against the White House and most governmental organizations who believe Russia fucked us over — while Trump defends the 400-lb hackers who made him look good. And not just by physical comparison.
Images: Jaap Arriens/NurPhoto via Getty Images (iPhone); Shutterstock (Yahoo); REUTERS/Dado Ruvic/Illustration (Mossack Fonseca)
(53)