2018 in Cybersecurity Review: What Happened and What the Future Brings (Part 1)
Step into a new year with the essential insights for your security
After a year filled with incidents, 2018 brought a host of reveals about the extent of this threat. Then, it quickly became the year of privacy concerns, after an onslaught of major data breaches and the never-ending Cambridge Analytica scandal. We put together this timeline for a quick overview of what came before, so everyone is better equipped for 2019. Because we don’t believe in alarmism and scaremongering just for the sake of getting a reaction, we gathered both the good and the bad news of cybersecurity. We also included a few helpful tips to keep your digital life safe, so scroll on!
January in cybersecurity review
The bad news:
January probably marked the fever pitch of buying cryptocurrencies, as Bitcoin soared to the $20,000 mark. Unfortunately, this also started a forest fire of cyber attacks, with cryptocurrency exchanges getting hacked, users getting scammed, phishing multiplying and so on. Wherever there’s money being traded online, that’s where you’ll find malicious actors trying to turn a profit. The crypto area proved to be particularly profitable to them and most outlets rushed to it. However, the two big bads of January were Meltdown and Spectre, attacks everyone has heard about by now, as they sent security experts around the world into a full panic. These two major vulnerabilities were discovered not in online platforms, as usual, but in Intel chips, critical components providing the processing power of most computers in the world. The aptly named “Meltdown” could let hijackers get into higher-privileged parts of a computer’s memory. The haunting Spectre let them access data from other apps running on the machine. The worst part? Both of these fundamental vulnerabilities were also present in processors made by companies like AMD and ARM, so they were basically in every computer. In the following months, chipset makers released various patches and temporary fixes, which slowed down some computers by as much as 20%. While news like this usually gets stuck in enthusiast circles, the whole world felt the impact of Spectre and Meltdown, as patches were issued at a breakneck pace and everyone could feel their machines slowing down.
The good news:
On the upside, Google X made the biggest announcement: the Alphabet group, Google’s parent company, debuted Chronicle, its own cybersecurity product that includes the famous VirusTotal service. It was good news for consumers, as, with Google’s resources and data, perhaps companies would do a better job of keeping user data safe. However, since then, we’ve not heard much on Chronicle’s cybersecurity efforts. Perhaps in 2019?
You can’t do anything about flawed systems but that doesn’t mean you shouldn’t take care of yourself. If you’re thinking about investing, especially in cryptocurrencies, following these protection steps is essential.
February in cybersecurity review
The bad news:
2017 was the year of ransomware, with devastating attacks shaking healthcare, transportation, state agencies and businesses both big and small. February kicked off with a major reveal from the US Government: the Trump administration attributed the devastating NotPetya ransomware attacks of 2017 to Russia. This announcement showed just how far cyberwarfare can go and how many innocent businesses and individuals can get caught in the crossfire. For those who weren’t quite as aware of cybersecurity or data protection back then, NotPetya was the most devastating cyber attack in history, crippling essential infrastructure and services. The White House said that it “quickly spread worldwide, causing billions of dollars in damage across Europe, Asia, and the Americas. It was part of the Kremlin’s ongoing effort to destabilize Ukraine, and demonstrates ever more clearly Russia’s involvement in the ongoing conflict.” Even though the White House said that “this was also a reckless and indiscriminate cyberattack that will be met with international consequences,” NotPetya and similar strains continued to show up in 2018, highlighting how unprepared businesses are for this threat. We wrote more on the topic here and explained why traditional solutions like Antivirus are, due to their nature, simply unable to detect ransomware in time.
The good news:
The good guys took down “Infraud,” a criminal online marketplace, arresting and indicting dozens of criminals that dealt in stolen user data, malware, skimming devices for ATMs and so on. The criminal marketplace was one of the major Dark Web operations in history, putting to shame even the famous Silk Road. Authorities estimated that, through it, regular Internet users lost a total of up to half a billion USD. The hackers were arrested en masse through a Homeland Security action coordinated with law enforcement in Australia, Britain, Italy, France, Kosovo, and Serbia. In the world of cybercrime, this win is not a tiny drop in a bucket but a great example of how collaboration and resource sharing can make a positive impact for everyone.
For ransomware protection, you need more than a simple antivirus. This goes for regular users and doubly so for businesses so that a large-scale attack doesn’t catch so many computers lacking the essential security layers.
March in cybersecurity review
The bad news:
March definitely started off on the wrong foot, with a host of revelations giving headaches to almost anyone connected to the internet. First, GitHub revealed that it had survived the biggest DDoS attack ever recorded. The attack saw 1.3 terabits of traffic per second leveled against GitHub servers. This time, it wasn’t a huge botnet of devices left unsecured by regular users and hijacked by attackers to do their bidding, but another type of DDoS attack that relied on querying databases responsible for website loading speed. If you want to know more about DDoS and how various attacks work, check out this in-depth explanation. Then, just a day after the GitHub announcement, Equifax made a chilling announcement once again. Another 2.4 million people were affected by the 2017 Equifax data breach, which meant 2.4 million more people having to go through the headaches involved with credit freezing. There was also a massive Under Armour data breach with 150 million accounts compromised but, fortunately, that only included information like usernames and emails, not passwords or other highly sensitive data. Isn’t it concerning that you can say “fortunately only emails were stolen” nowadays, especially when discussing the data of hundreds of millions of people? The pace of data breaches and reveals has been relentless this year, making users extremely distrustful of major services (and for good reason!). Oh, and not to mention that the city of Atlanta, from water management departments to police, was hit by the SamSam ransomware. This was an attack that initially cost $2.6 million to recover from, then the costs went up to $9.5 million once the extent of the damage was properly assessed, even though the ransom was only $52,000. It just goes to show why ransomware should not be underestimated, especially for organizations that do not have the budget or the awareness required for cyber resilience. *cough, cough, healthcare*
The good news:
On the upside, another major bust happened in March, when the Department of Justice indicted nine hackers for attacking over 300 universities worldwide, 144 of which were based in the UK. The DOJ revealed that the malicious actors took off with an estimated $3 billion in intellectual property (ebooks, research, various other library resources), stealing 31 terabytes of data and selling it on Megapaper.ir and Gigapaper.ir. How did the attacks happen? Good old spearphishing. The hackers sent off emails to university professors and other employees, tricking them into handing over their login credentials. And yes, just like with NotPetya and other major operations, these were state-sanctioned hackers. “For many of these intrusions, the defendants acted at the behest of the Iranian government and, specifically, the Iranian Revolutionary Guard Corps,” said Deputy Attorney General Rosenstein. Fortunately, as collaboration increases, cybercriminals have a tougher time taking advantage of borders to target other countries, as shown by the outcome of this massive investigation. Another piece of great news was that the Ghostery ad-blocker went open source, finding a better business model and focusing more on its users’ privacy. We’re major fans of this service and the announcement couldn’t have made us happier, as Ghostery is now vetted by thousands of developers and provides really granular control over the ads you’re seeing.
Beyond using proper security shields against ransomware, to be safe you need to know what you’re up against. The best online protection is knowing how phishing and spearphishing attacks work, so learn how to spot malicious links!
April in cybersecurity review
The bad news:
April kicked off with some bad revelations for Android users. A team of security experts from Security Research Labs took to the Hack in the Box security conference to reveal their project: two years spent reverse engineering Android phones’ operating systems to demonstrate that the makers of those phones hid security patches from users. “We found several vendors that didn’t install a single patch but changed the patch date forward by several months,” said one of the researchers, who gave an example as well. The Samsung 2016 J3 smartphone showed its owners that it had every available update installed in 2017 but skipped 12 security-critical patches. In an Android landscape filled with malicious apps and too many phishing attacks to count, this reveal certainly didn’t help to assuage fears. The researchers fortunately launched an app to check if your phone lacks critical updates, so we encourage you to use it. Then, after the Android revelation, another bombshell dropped.
Alexa can turn into a spy device.
Security researchers from Checkmarx demonstrated an attack in which they did not have to hack Alexa to make her listen to everything the owners had to say. Essentially, they just manipulated the Alexa skills and showed just why it’s so risky to have an always-on, connected device fitted with a microphone. Fortunately, this attack is no longer possible.
The good news:
And, in even better news for website owners worldwide (and netizens in general), in April Europol managed to finally shut down the biggest DDoS-for-hire website in the world. More than 136,000 users wanting to do damage had registered for webstresser.org, a malicious service that could launch junk traffic attacks against any website for as little as $19 per month. The authorities from Germany and the US stepped in and arrested the owners, taking down the site’s infrastructure as well.
Be very careful with what devices you allow in your home, especially smart devices. See what can happen with unsecured devices and what you can do to prevent that. Always keep your devices updated, from your computer to your phone or any other IoT device. Only buy devices that get updated religiously, as outdated software is commonly targeted by criminals.
May in cybersecurity review
The bad news:
While Facebook was the social media platform that took the most heat this year, Twitter also had a major security incident. In May, the chief technology officer of Twitter announced that a bug in the platform exposed user passwords internally, in plain text. While Twitter said it was unlikely criminals got their hands on those passwords, security experts urged users to change their passwords.
The good news:
On May 25, the General Data Protection Regulation (GDPR) went into effect. This was the biggest piece of legislation ever passed, designed to protect your data and let you know exactly what happens to your information whenever you go online or download an app. With fines of up to 20 million or up to 4% of the annual worldwide turnover (whichever sum was bigger) for those companies caught mishandling user data, GDPR promised to usher in a new age for the processing of personal data. However, at the surface level, all that happened is that Internet users from Europe got bombarded with a thousand emails all saying “Please let us use your data from now on.” This obviously led to a lot of misplaced complaining, as users were swamped by too many unwanted communications and missed the opportunity to actually see where their data went. Like one wise netizen said, complaining about GDPR emails is like putting your fingers in your ears and going “La La La” while a police officer reads you your Miranda rights. Unfortunately, a lot of users did just that, choosing to either remain unaware or simply feeling overwhelmed by too many data breaches and Facebook revelations.
- Strong passwords are not enough. Use two-factor authentication; it’s essential to keep your accounts from being compromised.
- Read terms of service for the services you use and use efficient privacy tools to minimize the risk of trackers and beacons gathering your data.
June in cybersecurity review
The bad news:
And the data breaches continued all through June, with headlines showing millions of users being compromised. First, the public was made aware of the existence of Exactis, a marketing and data aggregation company. How? A data breach, of course. The company exposed a database with 340 million records with phone numbers, home addresses and personal characteristics of Americans. A security researcher spotted the unsecured database using Shodan, a common search engine, and was shocked to see just how many accounts were contained in it. Then, right when public sentiment couldn’t be more unfavorable towards Facebook, a bug in the platform made up to 14 million users’ posts public. No matter what your privacy settings and restricted lists were, every post was made available for the world to see. But, troublesome as that incident was, it paled in comparison to the MyHeritage breach. Fortunately, the breach for this online genealogy website only exposed email addresses and hashed passwords for 92 million users. Why fortunately? Because MyHeritage also operates MyHeritage DNA, the DNA-testing kit you can order and use at home to find out your ancestry. In the case of a compromised email or online account, you can always make another. What can you do if your DNA and medical info get out there? If it’s just curiosity urging you to get a consumer DNA testing kit, you know what they say about that and what happens to the cat ;).
The good news:
On the bright side, June brought quite a lot of good news for your security. Through Operation Wire Wire, US officials took down a ring of more than 70 email scammers – 42 US citizens, 29 Nigerians and 3 individuals from Poland, Mauritius, and Canada. The operation seized $2.4 million in funds and recovered more than $14 million in money scammed from unfortunate victims. The same month, California unanimously passed the California Consumer Privacy Act of 2018, a bill built with GDPR principles in mind, designed to bring the same benefits to US residents of California. Then, the best news of June: the Wi-Fi Alliance announced the WPA3 security protocol for Wi-Fi, which virtually eliminates the risk of dictionary attacks trying to guess your password. Seeing how WPA2 was launched in 2018, the WPA3 update was long in the making and will go a long way toward making sure Wi-Fi networks are more secure. However, the rollout will take some time, with experts estimating the end of 2019 for large-scale implementation of the protocol.
Until WPA3 gets widely deployed, spend a few minutes to secure your Wi-Fi network and learn more about what the risks are. And we’ll end this 2018 in cybersecurity retrospective on that happy note. Stay tuned for part two of this series, which will review what happened in the last 6 months and the lessons everyone should learn from those events. Got anything to add? Drop us a line below.