A Most Dubious Year
As 2016 comes to a close, it's time to look back and evaluate the year in tech. Unfortunately, this year has been dominated by concerning stories about hacks, security flaws and data breaches.
Over the last 12 months, a slew of companies revealed that they had been hacked into, Twitter accounts belonging to celebrities and well-known companies were hijacked, and there were claims that Russian hackers were able to influence the Presidential election. Malicious hackers weren't necessarily more active in 2016 than in other years, but they certainly seemed to be more effective. Looking ahead to 2017, there's no telling whether they can be stopped.
Still, 2016 could be considered a banner year in security failures. In the following slides, we'll briefly discuss some of the biggest boo-boos of the year — and shed some light on just how poorly secured some companies and organizations were.
Not One, But Two Massive Yahoo Data Breaches
Yahoo revealed in the fall of 2016 that it had suffered not one, but two, massive data breaches in recent years. The first revelation centered on a 2014 database intrusion that saw an unknown group of hackers steal usernames, email addresses, telephone numbers, and strongly hashed passwords. It affected about 500 million users, Yahoo said in a press release in September, which set a new record for the number of accounts affected.
As if that wasn't bad enough, Yahoo in December disclosed that it had also fallen victim to a hack at the hands of another unknown party in August 2013 that saw 1 billion users targeted. Not only was the number of affected accounts double that of the previously disclosed breach — yes, Yahoo broke its own record — but the passwords in this case were weakly hashed and almost certainly were "cracked" by attackers. If your Yahoo account was hijacked at some point after mid-2013, this breach may have been why.
Along with the billion-user breach, Yahoo also disclosed that an unknown number of user authorization cookies, which would allow anyone access to an account without a password, were stolen in 2015 or 2016 — possibly by the same group that stole the 500 million user-account credentials in 2014.
Some industry analysts were questioning whether Verizon should go through with its $4.8 billion acquisition of Yahoo's core internet properties.
LinkedIn Comes Clean
LinkedIn rose in the breach rankings this year when reports surfaced that about 117 million usernames and passwords for the social network had been swiped by hackers in June 2012. Back then, LinkedIn said only 6.5 million accounts had been affected. The dataset of usernames and passwords was available for purchase on the Dark Web in the spring of 2016 for about $2,200.
The passwords were poorly hashed, and the wave of hijacked accounts at other services that followed was probably a result of LinkedIn members reusing the same passwords for other accounts. Even Facebook founder Mark Zuckerberg saw his Twitter account hijacked.
In response, LinkedIn forced affected users to reset their passwords, but offered no apology for not fully investigating the 2012 breach when it was initially discovered. Rather than being punished by stockholders or users, LinkedIn's penalty for this inexplicable security sloppiness was to be purchased by Microsoft for $26 billion.
The Democrats and John Podesta
In what might have been the most shocking set of data breaches this year, both the email servers of the Democratic National Committee and the Gmail account of Hillary Clinton's campaign chair John Podesta were hacked into, with the result that embarrassing email messages were leaked online through WikiLeaks.
The CIA and the White House both said that the hacks were perpetrated by the Russian government with the aim of swaying this year's Presidential election to Donald Trump, the eventual winner. President Obama said that the U.S. would answer Russia's alleged intrusions with proportional response, but gave no clue as to what that might be.
Home Wi-Fi Routers
Owners of some common brands of home Wi-Fi routers had a rough time this year. In December, a massive vulnerability was discovered in some high-end Netgear Nighthawk routers that would have allowed far-off attackers to silently take complete control of home Wi-Fi networks. At first, the best response was to turn off the routers in question. But within a couple of weeks, Netgear had patched most of the flaws.
A month earlier, similar flaws were found in eight different models of D-Link routers. It wasn't clear at the time of this writing whether firmware for all of those models had been patched.
Another report surfaced in December saying a malvertising campaign was attacking more than 160 router models, including a couple made by D-Link and Netgear. The bad news was that researchers couldn't figure out the specific brand or model of all but a handful of the affected routers. The good news was that all the attacks involved known vulnerabilities, which means that all you'll need to do is update your router's firmware.
Corporate Twitter Accounts
Twitter accounts far and wide were targeted this year by a gang of bored teenagers called OurMine. The group, which likes to style itself as a security consultancy, broke into a slew of celebrity and corporate accounts this year to, ahem, let those targeted know that they need to improve their security. Most recently, OurMine broke into a Sony Music Twitter account to declare pop singer Britney Spears dead.
Bangladesh Central Bank
Bangladesh's central bank, Bangladesh Bank, was targeted in a brazen attack this year. After hackers were able to break into a bank official's computer, they stole credentials and moved $101 million from Bangladesh Bank's account at the Federal Reserve Bank of New York to accounts in the Philippines and Sri Lanka via the global SWIFT money-transfer system. Once the cash hit those accounts, it was moved through casinos. Soon after, Bangladesh Bank closed down its network and worked to shore up its security. But the damage was done and as of this writing, only $38 million has been recovered.
Ransomware concerns ramped up in 2016. A slew of ransomware attacks targeted companies, networks, individuals and especially nonprofit and governmental organizations around the world, leading to tens of millions of dollars in ransom payments and even more in system repairs and upgrades.
Some of the ransomware looked like Pokemon Go. Another strain mimicked Windows Update. Still more spread among WordPress blogs and among Facebook users. We even saw the first ransomware made to attack Macs.
In the worst instance that we know of, a ransomware attack hit San Francisco's Muni transit system and effectively took down more than 2,000 Muni computers, crippling public transit. The Muni system didn't pay the ransom, which was believed to have been 100 bitcoins, or about $75,000 at the time of the attack.
Stolen NSA Tools
A hacking group known as the Shadow Brokers in August claimed to be in possession of tools the NSA allegedly uses to conduct espionage around the world. Those tools, which the Shadow Brokers called "cyber weapons," were apparently stolen from the Equation Group, the name that Russian security firm Kaspersky Lab uses for a cyberespionage group allegedly tied to the Stuxnet computer worm — in other words, the NSA. While the Shadow Brokers' claims initially sounded dubious, third-party experts examined the data samples and said they appeared to be the real deal.
In October, an NSA contractor was arrested and accused of taking home files pertaining to many of the same hacking tools the Shadow Brokers had put up for sale. But it's still not clear whether the accused man passed along those files to anyone else.
Mirai and IoT Insecurity
The weak security of many Internet of Things devices became a major concern in 2016 after hackers employed Linux botnet malware called Mirai to infect thousands of unprotected commercial security cameras and digital-video recorders. Once that was complete, the hackers used their now-massive botnet to launch the largest-ever distributed denial-of-service (DDoS) attack against a single target, temporarily knocking out a large chunk of the internet.
The Old Standby: Adobe Flash Player
Adobe's Flash Player was once again a popular target for hackers this year. In May, malvertising targeted some of the Internet's top sites through Flash Player vulnerabilities — just loading the ads in your browser could allow hackers to lock down your computer. Meanwhile, hackers discovered previously unknown Flash flaws that targeted Windows users and allowed hackers to remotely hijack computers. Fun.
The FriendFinder network, which runs AdultFriendFinder, Penthouse, Stripshow, Cams, and iCams, was targeted by a massive hack that saw its databases breached and 412 million usernames, email addresses and passwords stolen. The data set was promptly published online, much to the chagrin of those around the globe who signed up for the service in hopes of maintaining their privacy.
Cheap Android Phones with Backdoors
Three million inexpensive Chinese smartphones, including those sold by BLU, were found to be vulnerable to remote hijacking, thanks to poorly implemented firmware updates that could let an attacker inject malware into the update process.
Those who knew how to take advantage of the flaw could have gained full control over a device, stolen personal information or even installed more malware. BLU fixed the flaw with a software update, but whether other companies did is not known.
Meanwhile, at least 28 other models of Chinese handsets, including two inexpensive Lenovo models, were found to harbor pre-installed malware that installed apps without the user's permission and injected ads where it could.
The Malvertising Blitz
Like ransomware, malvertising was one of the chief malware scourges of 2016. Malvertising campaigns infected well-known websites, buried malware deep inside images, and even redirected their targeting efforts from browsers to Skype and home Wi-Fi routers. Many hapless users found themselves infected as soon as they loaded a web page (no clicking necessary), and the malware payload was often, you guessed it, ransomware.
The upside is that it's often pretty easy to defend against malvertising. Make sure your browsers and operating systems are up to date, install and run good antivirus software, disable Adobe Flash Player or set it to click-to-run and avoid using Microsoft Internet Explorer as much as you can. (Microsoft's new Edge browser is much safer.)