2018 in Cybersecurity Review: What Happened and What the Future Brings (Part 2)
All the major events that defined the security landscape for the last 6 months and the key takeaways for you to improve your digital wellbeing.
In part 1 of this retrospective, we took stock of what happened in the first 6 months of 2018 and what we had to learn in terms of cybersecurity and privacy. Now, we review the second part of the year and inventory the most relevant insights and actionable advice. Got anything else to add? Drop us a line.
July in cybersecurity review
The bad news:
This summer was hotter than usual for health care companies, with two of them losing incredible amounts of data and funds to malware attacks. The same SamSam ransomware that hit the city of Atlanta and caused damages upwards of $10 million encrypted the machines of LabCorp, a major lab services provider. In Canada, CarePartners found the medical histories and contact information of 80,000 of its patients stolen in a massive data breach and held for ransom. Some of those patients even had active credit card numbers and expiry dates on file. “The attackers told CBC News in an encrypted message that they discovered vulnerable software on CarePartners’ network that had not been updated in two years ‘by chance,’ and were able to exploit those vulnerabilities and weak passwords to remove hundreds of gigabytes ‘completely unnoticed,’” highlighted a CBS News report.
The good news:
In July, Google took us all by surprise by announcing the end of phishing. Well, at least among Google’s ranks. The company reported it completely eliminated phishing among its employees by switching to physical keys for 2-factor authentication. For those who missed this news, a physical key is simply a USB device that works the same as the codes online services text you or provide for you as an extra security layer after the password. With a physical key, you log in by entering your password and then connecting the device, which authenticates you in place of that code.
That’s an easy thing to do for them and that’s why we always recommend using a dedicated app for 2FA, not SMS-based codes. Furthermore, with physical keys, you eliminate the hassle of having to open an app every time and type in the unique code.
August in cybersecurity review
The bad news:
August kicked off with another high-profile ransomware attack. A WannaCry strain hit TSMC (Taiwan Semiconductor Manufacturing Co.), one of Apple’s biggest suppliers of components for iPhones, Apple Watches and iPads. TSMC traced the incident to a supplier who connected an infected device to a computer, without scanning it beforehand, which caused the ransomware to spread until it took down three plants. Oh yes, and the Alaskan borough of Matanuska-Susitna was, as this outlet put it, “cast back to the dark ages” after BitPaymer ransomware took out almost 500 workstations and 120 out of 150 servers. As if ransomware wasn’t enough, the organization was also under fire from an external attacker, who gained access to the network and deployed the Emotet banking trojan. Everything from email to phones, doors and payment systems went down, which forced employees to actually pull out typewriters and pens to write receipts by hand. “In 35 years in the business, this is the worst I’ve seen. It’s meant to disrupt our way of life,” said Eric Wyatt, the organization’s IT director.
The good news:
While things were pretty dire during summer’s last month, there was one great thing that happened. Apple removed Onavo Protect, a Facebook-owned VPN, from its app store. What for? Data collection, obviously. Apple wasted no time telling Facebook that its Onavo Protect violated the App Store Guidelines, which specifically try to stop app developers from farming user data and then selling it to third parties. Why a VPN though? Because Onavo Protect did more than just reroute users’ traffic to a Facebook-owned website; it also “improved” its service by “analyzing your use of websites, apps, and data.” It was a ham-fisted attempt by Facebook to collect even more information from those who, in theory, care about privacy. Fortunately, Apple continued its strategy of protecting user privacy and data security in its ecosystem. As for Google, the company allowed Onavo Protect to be available for download.
If you truly care about privacy, not just accessing region-locked services or content, do your research on the VPN provider you pick. Otherwise, you’re paying for nothing, as some VPN services actually collect your data and sell it to third parties. We put together a few tips on this here.
September in cybersecurity review
The bad news:
The good news:
After what seemed like endless months of waiting for perpetrators to be caught, the US Department of Justice announced that it had finally charged one of the hackers involved in the WannaCry attack. The fact that the hacker in question is North Korean and belongs to an organization also blamed for the massive Sony Breach and an $81 million robbery should surprise no one. The positive takeaway here is that authorities managed to create a damning paper trail between the individual and the North Korean government, eliminating any doubt that WannaCry was a state-sponsored attack. “The insight into how an adversary like this works can help defenders plan on what they might be up to,” explained Ben Read, senior manager of cyberespionage analysis at FireEye in a Wired article covering the event.
The old “cybersecurity is a high-stakes cat and mouse game” line comes to mind. These two news items from September really do put into perspective hackers’ creativity (here is how they change tactics during attacks) and the challenges of apprehending them.
October in cybersecurity review
The bad news:
October showed that old tactics still work for new attacks. Cryptomining malware might be a 2018 “novelty”, but fake updates and installers are old as dirt. Combine them and you get fake Adobe installers that really do install a new version of Flash but also sneak in a cryptojacking script that will enslave your PC to mine cryptocurrency. We explained in this piece what cryptojacking really means, how you can secure your devices against it and what you need to be aware of. If you know the basics, it’s easier to avoid even more advanced attacks.
The good news:
The best news in October comes from Google, which released an important privacy app for all Android phones made in the last 7 years. Called Intra, the free app encrypts Domain Name System (DNS) connections on mobile and covers an important gap in privacy measures. Visiting HTTPS-only websites is essential but still not totally private, as DNS is usually unencrypted and can be hijacked in order to steal your information. For journalists and other people operating in dangerous, surveillance-heavy areas, this tool is extremely valuable, as it protects from “DNS manipulation, a type of cyber attack used to block access to news sites, social media platforms, and messaging apps.”
If you have an older smartphone running Android, Intra is a free download. If you have a newer Android device running Android 9 Pie, you can control these settings by going to this path: Settings > Network & Internet > Advanced > Private DNS. To avoid cryptojacking, the most basic of measures would be to either make sure you’re downloading patches and software from the official site or simply use a trusted software installer that makes sure updates are legitimate and deployed immediately.
November in cybersecurity review
The bad news:
Japan’s cybersecurity minister said point blank that he had never used a computer. He also revealed that, since the age of 25, he has “instructed” his employees and secretaries to use computers on his behalf. Seeing how November 30 was Computer Security Day and security experts around the world took to social media to share helpful cybersecurity tips, we hope at least Mr. Sakurada’s employees and secretaries took note. In any case, the incident did not do wonders for public confidence in how the Government approaches data security.
The good news:
The last few days of November saw a major, yet funny hacking incident. One user was inspired by how many unsecured printers he found using a popular security tool and decided to start a funny awareness campaign. He sent out this message to be printed on those unsecured devices and, at the same time, promote his favorite streamer with hilarious results.
Cases like Japan’s questionable leadership make it even more necessary to learn cybersecurity basics yourself and protect your valuable information. Don’t have time to go hunting for that knowledge? This quick course delivers one easily doable (and memorable!) security tip in your inbox every day, for a whole year. We’re classifying the PewDiePie event as good news because the hacker in question only wanted to spread awareness about insecure IoT devices. Even better, they did it by tying into the humongous popularity of an Internet influencer, reaching a lot of people who otherwise wouldn’t have been exposed to good security practices. With so many troublesome reports and devices hijacked for nefarious purposes, old-fashioned pranks like these seem like a breath of fresh air. Curious to find out what can happen with insecure devices? We explained more here.
December 2018 in cybersecurity review
The bad news:
As 2018 was hurtling to the finish line, there was a massive Google+ data breach (resist the urge to roll your eyes), a massive Quora hack (another major service compromised) and bitcoin scams evolving into bomb threats (we told you hackers are creative!). SplashData again released a list of the most common passwords in the world and how they changed compared to last year, showing just how lax users are when it comes to protecting their own devices and accounts.
- 123456 (Unchanged)
- password (Unchanged)
- 123456789 (Up 3)
- 12345678 (Down 1)
- 12345 (Unchanged)
- 111111 (New)
- 1234567 (Up 1)
- sunshine (New)
- qwerty (Down 5)
- iloveyou (Unchanged)
At least two-factor authentication is more widespread nowadays, with services forcing users to rely on more than a single password, so the list above might not spell doom like in the past years. You could also smile at so many I love yous that unlock devices if you’re feeling optimistic. However, good password practices are mandatory, so try to be a bit more creative with them or use a password manager.
The good news:
Though the weather report for security was frightful in 2018, privacy-oriented Mozilla (parent company of Firefox, one of the browsers we highly recommend) managed to send out a very valuable message to its user base and beyond. Just in time for the holiday bonanza, when Christmas scams and other dangers multiply exponentially, Mozilla released a holiday shopping guide named “Privacy Not Included.” Not only is it useful on its own, showing the trendiest gadgets if you’re looking for a gift, but it also brings security and privacy front and center, pinpointing the IoT and smart devices that are insecure by design.
No doubt about it, 2018 has not been an easy year, not for regular users and not for businesses. Just how many data breaches happened? This handy visualization tool will probably burn itself on your eyelids. Hopefully, it will also kick you into gear to consider spending a bit of time reviewing the information you share with services. This AI-powered tool can go into the legalese of privacy policies and give you a much better overview of what happens to your data. You should also consider getting the right online security so your digital life won’t be besieged by malware, cryptojacking, phishing, and other major threats. We put together these guides for you, so take the opportunity to step into a more secure, more private 2019:
- The Best free security and privacy tools in 2019
- Here Are The Essential Security Tips To Stay Safe On Social Media
- The Best Encrypted Messaging Apps You Should Use Today
- Today You’re Being Hacked – How To Choose Secure Settings
Do you have any other recommendations and tools for data privacy and security? Feel free to share below.