2017’s biggest cybersecurity facepalms

» Top New Products

Ace The Firefighter Interview
cs_image_0

Learn  how  to  absolutely  smoke  your  firefighter  interview  so  you  can  get  the  job.                                       

$25.00
Make Him Obsessively Desire You...
cs_image_1

Learn  how  to  access  the  impulsive  part  of  any  man's  mind    and    make  him  go  crazy  for  you.                     

$47.00
Learn How To Trade Futures
cs_image_2

Learn  how  to  day  trade  the  futures  market  for  consistent  daily  profits                                                           

$77.97
How To Increase Pitching Velocity
cs_image_3

Discover  How  To  Add  5  -  10  MPH  To  Your  Fastball  Velocity  In  Just  16  Weeks  Or  Less                                     

$197.00
How To Pray Effectively
cs_image_4

Learn  how  you  can  avoid  the  pain  and    frustration  from  prayers  not  granted                                                   

$27.00
Instant Photography Website
cs_image_5

Learn  How  To  Have  Your  Own  Profitable  Photographer  Website  In  48  Hours  Or  Less  Easily.                           

$27.00
Success At Wedding Reception
cs_image_6

With  This  Learn  How  To  Create  A  Fun  And  Memorable  Wedding  Reception  Even  If  You're  A  Novice.               

$39.00
Remedy from anxiety
cs_image_7

Learn  How  To  Treat  Your  Panic  Attacks  and  Anxiety,Regain  Your  Self  Confidence,and  Enjoy  Life  Without  Fear

$47.00
A Daily Bible Devotional Resources
cs_image_8

Read  a  chapter  a  day  from  the  bible's  book  of  the  revelation  or  hebrews.                                                       

$7.95
How To Spray Paint Your Car
cs_image_9

Learn  the  secrets  of  professional  car  spray  painting  and  body  work  repair  in  2  hours.                             

$37.00
300,000 PLR Articles.
cs_image_10

Includes  transferable  Private  Label  Rights  to  300,000+  articles                                                                         

$17.00
Audacity workshop
cs_image_11

Learn  the  tips  and  tracks  on  how  easy  it  to  use  audacity  with  no  prior  training.                                       

$39.95

2017 was a year like no other for cybersecurity. It was the year we found out the horrid truths at Uber and Equifax, and border security took our passwords. A year of WannaCry and Kaspersky, VPNs and blockchains going mainstream, health care hacking, Russian hackers, WikiLeaks playing for Putin’s team, and hacking back.

In 2017 we learned that cybersecurity is a Lovecraftian game in which you trade sanity for information.

Let’s review the year that was (and hopefully will never be again).

Moscow mules

This was the year Kaspersky finally got all the big press it’s been angling for. Unfortunately for the antivirus company, it wasn’t for its research. Kaspersky spent an uncomfortable year in the headlines being accused of working with Russia’s FSB (former KGB). Eventually those suspicions got it banned from use by US government agencies.

Kaspersky’s alleged coziness with Putin’s inner circle has made the rounds in the press and infosec gossip for years. But it came to a head when an NSA probe surfaced, the Senate pushed for a ban, and — oddly — the Trump administration came with the executioner’s ax.

Obviously, Kaspersky — the company and its CEO of the same name — denied the accusations, and offered to work with the US government. They offered up their code for review and filed suit when the ban passed.

At this point, the only thing that might save Kaspersky’s reputation in the US would be finding us that pee tape. Fingers crossed.

Be still, my backdoored heart

A ransomware attack on Hollywood Presbyterian Hospital in 2016 put health care hacking center stage, but in 2017 it turned into a true nightmare.

The WannaCry ransomware attack spread like wildfire, locking up a third of the National Health Service (NHS) in England. That was followed by other worms, like Petya/NotPetya, which hit US hospitals in June.

The security of pacemakers was exposed as being awful, specifically in the case of medical device manufacturer St. Jude Medical (now rebranded as Abbott). A lot of people hated on researcher Justine Bone and MedSec for the way they went about exposing pacemaker flaws, but they were right. The FDA put a painful pin in it when it notified the public of a voluntary recall (as a firmware update) of 465,000 pacemakers made by St. Jude Medical.

Meanwhile, white-hat hackers put together the first Cyber Med Summit — a doctor-run hacker boot camp for medical professionals. That the Summit exists is a tiny bit of good news in our medical mess, but it also proved that you should probably make sure your doctor keeps a hacker on staff.

Medical staff at the Summit got a wake-up call about medical-device exploits and concluded they need to add “hacking” to their list of possible problems to assess and diagnose.

I’m not crying, you’re crying

On May 12, more than 150 countries were hit in one weekend by a huge ransomware crime wave named WannaCry. The attack was derived from a remote code execution vulnerability (in Windows XP up through Windows Server 2012) called “EternalBlue,” found in the April Shadow Brokers/NSA dump. Those who did their Windows updates were not affected.

WannaCry demanded $ 300 in bitcoin from each victim, and among those included were the UK’s National Health Service (NHS). The ransomworm was stopped in its tracks by the registration of a single domain that behaved like a kill switch. The creators apparently neglected to secure their own self-destruct button.

Researcher MalwareTech was the hero of the day with his quick thinking, but he was sadly repaid by having his identity outed by British tabloids. Adding insult to injury, he was later arrested on unrelated charges as he attempted to fly home after the DEF CON hacking conference in August.

Two weeks after the attack, Symantec published a report saying the ransomware showed strong links to the Lazarus group (North Korea).

Others independently came to the same conclusion. Eight months later, and just in time for his boss’ warmongering on North Korea, Trump team member Thomas P. Bossert wrote in the Wall Street Journal that “the U.S. today publicly attributes the massive ‘WannaCry’ cyberattack to North Korea.”

Maybe he’s just a backdoor man

US Deputy Attorney General Rod Rosenstein in October introduced the world to the new and totally made-up concept of “responsible encryption” — and was promptly laughed out of the collective infosec room.

“Responsible encryption is effective secure encryption, coupled with access capabilities,” he said.

He suggested that the feds won’t mandate encryption backdoors “so long as companies can cough up an unencrypted copy of every message, call, photo or other form of communications they handle.”

Even non-infosec people thought his new PR buzzwords were suspect. “Look, it’s real simple. Encryption is good for our national security; it’s good for our economy. We should be strengthening encryption, not weakening it. And it’s technically impossible to have strong encryption with any kind of backdoor,” said Representative Will Hurd (R-Texas) at The Atlantic’s Cyber Frontier event in Washington, D.C.

Politico wrote:

It’s a cause Rosenstein has quietly pursued for years, including two cases in 2014 and 2015 when, as the US attorney in Maryland, he sought to take companies to court to make them unscramble their data, a DOJ official told POLITICO. But higher-ups in President Barack Obama’s Justice Department decided against it, said the official, who isn’t authorized to speak to the news media about the cases.

To everyone’s dismay, Rosenstein doubled down on his “responsible encryption” campaign when he capitalized on a mass shooting — using as his example the phone of Devin Patrick Kelley, who opened fire on a congregation in Texas, killing 26 people.

He said, “Nobody has a legitimate privacy interest in that phone … But the company that built it claims that it purposely designed the operating system so that the company cannot open the phone even with an order from a federal judge.”

Like Uber, but for Equifax

If there was some kind of reverse beauty pageant for worst look, worst behavior, and best example of what not to do with security, we’d need a tiebreaker for 2017. Equifax and Uber dominated the year with their awfulness.

Equifax was forced to admit it was hacked badly in both March and July, with the latter affecting around 200 million Americans (plus 400,000 in the UK). Motherboard reported that “six months after the researcher first notified the company about the vulnerability, Equifax patched it — but only after the massive breach that made headlines had already taken place… This revelation opens the possibility that more than one group of hackers broke into the company.”

Shares of Equifax plummeted 35 percent after the July disclosure. And news that some of its execs sold off stock before the breach was made public triggered a criminal probe.

Which brings us to the “unicorn” that fell from grace.

In late November, Uber admitted it was hacked in October 2016, putting 57 million users and more than half a million drivers at risk. Uber didn’t report the breach to anyone — victims or regulators — then paid $ 100,000 to the hackers to keep it quiet and hid the payment as a bug bounty. All of which led to the high-profile firing and departures of key security team members.

Just a couple of weeks later, in mid-December, the now notorious “Jacobs letter” was unsealed, accusing Uber of spying and hacking. “It was written by the attorney of a former employee, Richard Jacobs, and it contains claims that the company routinely tried to hack its competitors to gain an edge,” Engadget wrote, and “used a team of spies to steal secrets or surveil political figures and even bugged meetings between transport regulators — with some of this information delivered directly to former CEO Travis Kalanick.”

The letter was so explosive, it’s now the trial between Uber and Waymo — so we can be sure we haven’t seen the last of Uber’s security disasters in the news.

Images: Getty Images/iStockphoto (Wannacry); D. Thomas Magee (all illustrations)

Engadget RSS Feed

Post Author: martin

Avatar
Martin is an enthusiastic programmer, a webdeveloper and a young entrepreneur. He is intereted into computers for a long time. In the age of 10 he has programmed his first website and since then he has been working on web technologies until now. He is the Founder and Editor-in-Chief of BriefNews.eu and PCHealthBoost.info Online Magazines. His colleagues appreciate him as a passionate workhorse, a fan of new technologies, an eternal optimist and a dreamer, but especially the soul of the team for whom he can do anything in the world.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.