2017 was a year like no other for cybersecurity. It was the year we found out the horrid truths at Uber and Equifax, and border security took our passwords. A year of WannaCry and Kaspersky, VPNs and blockchains going mainstream, health care hacking, Russian hackers, WikiLeaks playing for Putin’s team, and hacking back.
In 2017 we learned that cybersecurity is a Lovecraftian game in which you trade sanity for information.
Let’s review the year that was (and hopefully will never be again).
Moscow mules
This was the year Kaspersky finally got all the big press it’s been angling for. Unfortunately for the antivirus company, it wasn’t for its research. Kaspersky spent an uncomfortable year in the headlines being accused of working with Russia’s FSB (former KGB). Eventually those suspicions got it banned from use by US government agencies.
Kaspersky’s alleged coziness with Putin’s inner circle has made the rounds in the press and infosec gossip for years. But it came to a head when an NSA probe surfaced, the Senate pushed for a ban, and — oddly — the Trump administration came with the executioner’s ax.
Obviously, Kaspersky — the company and its CEO of the same name — denied the accusations, and offered to work with the US government. They offered up their code for review and filed suit when the ban passed.
At this point, the only thing that might save Kaspersky’s reputation in the US would be finding us that pee tape. Fingers crossed.
Be still, my backdoored heart
A ransomware attack on Hollywood Presbyterian Hospital in 2016 put health care hacking center stage, but in 2017 it turned into a true nightmare.
The WannaCry ransomware attack spread like wildfire, locking up a third of the National Health Service (NHS) in England. That was followed by other worms, like Petya/NotPetya, which hit US hospitals in June.
The security of pacemakers was exposed as being awful, specifically in the case of medical device manufacturer St. Jude Medical (now rebranded as Abbott). A lot of people hated on researcher Justine Bone and MedSec for the way they went about exposing pacemaker flaws, but they were right. The FDA put a painful pin in it when it notified the public of a voluntary recall (as a firmware update) of 465,000 pacemakers made by St. Jude Medical.
Meanwhile, white-hat hackers put together the first Cyber Med Summit — a doctor-run hacker boot camp for medical professionals. That the Summit exists is a tiny bit of good news in our medical mess, but it also proved that you should probably make sure your doctor keeps a hacker on staff.
Medical staff at the Summit got a wake-up call about medical-device exploits and concluded they need to add “hacking” to their list of possible problems to assess and diagnose.
I’m not crying, you’re crying
On May 12, more than 150 countries were hit in one weekend by a huge ransomware crime wave named WannaCry. The attack was derived from a remote code execution vulnerability (in Windows XP up through Windows Server 2012) called “EternalBlue,” found in the April Shadow Brokers/NSA dump. Those who did their Windows updates were not affected.
WannaCry demanded $ 300 in bitcoin from each victim, and among those included were the UK’s National Health Service (NHS). The ransomworm was stopped in its tracks by the registration of a single domain that behaved like a kill switch. The creators apparently neglected to secure their own self-destruct button.
Researcher MalwareTech was the hero of the day with his quick thinking, but he was sadly repaid by having his identity outed by British tabloids. Adding insult to injury, he was later arrested on unrelated charges as he attempted to fly home after the DEF CON hacking conference in August.
Two weeks after the attack, Symantec published a report saying the ransomware showed strong links to the Lazarus group (North Korea).
Others independently came to the same conclusion. Eight months later, and just in time for his boss’ warmongering on North Korea, Trump team member Thomas P. Bossert wrote in the Wall Street Journal that “the U.S. today publicly attributes the massive ‘WannaCry’ cyberattack to North Korea.”
Maybe he’s just a backdoor man
US Deputy Attorney General Rod Rosenstein in October introduced the world to the new and totally made-up concept of “responsible encryption” — and was promptly laughed out of the collective infosec room.
“Responsible encryption is effective secure encryption, coupled with access capabilities,” he said.
He suggested that the feds won’t mandate encryption backdoors “so long as companies can cough up an unencrypted copy of every message, call, photo or other form of communications they handle.”
Even non-infosec people thought his new PR buzzwords were suspect. “Look, it’s real simple. Encryption is good for our national security; it’s good for our economy. We should be strengthening encryption, not weakening it. And it’s technically impossible to have strong encryption with any kind of backdoor,” said Representative Will Hurd (R-Texas) at The Atlantic’s Cyber Frontier event in Washington, D.C.
Politico wrote:
It’s a cause Rosenstein has quietly pursued for years, including two cases in 2014 and 2015 when, as the US attorney in Maryland, he sought to take companies to court to make them unscramble their data, a DOJ official told POLITICO. But higher-ups in President Barack Obama’s Justice Department decided against it, said the official, who isn’t authorized to speak to the news media about the cases.
To everyone’s dismay, Rosenstein doubled down on his “responsible encryption” campaign when he capitalized on a mass shooting — using as his example the phone of Devin Patrick Kelley, who opened fire on a congregation in Texas, killing 26 people.
He said, “Nobody has a legitimate privacy interest in that phone … But the company that built it claims that it purposely designed the operating system so that the company cannot open the phone even with an order from a federal judge.”
Like Uber, but for Equifax
If there was some kind of reverse beauty pageant for worst look, worst behavior, and best example of what not to do with security, we’d need a tiebreaker for 2017. Equifax and Uber dominated the year with their awfulness.
Equifax was forced to admit it was hacked badly in both March and July, with the latter affecting around 200 million Americans (plus 400,000 in the UK). Motherboard reported that “six months after the researcher first notified the company about the vulnerability, Equifax patched it — but only after the massive breach that made headlines had already taken place… This revelation opens the possibility that more than one group of hackers broke into the company.”
Shares of Equifax plummeted 35 percent after the July disclosure. And news that some of its execs sold off stock before the breach was made public triggered a criminal probe.
Which brings us to the “unicorn” that fell from grace.
In late November, Uber admitted it was hacked in October 2016, putting 57 million users and more than half a million drivers at risk. Uber didn’t report the breach to anyone — victims or regulators — then paid $ 100,000 to the hackers to keep it quiet and hid the payment as a bug bounty. All of which led to the high-profile firing and departures of key security team members.
Just a couple of weeks later, in mid-December, the now notorious “Jacobs letter” was unsealed, accusing Uber of spying and hacking. “It was written by the attorney of a former employee, Richard Jacobs, and it contains claims that the company routinely tried to hack its competitors to gain an edge,” Engadget wrote, and “used a team of spies to steal secrets or surveil political figures and even bugged meetings between transport regulators — with some of this information delivered directly to former CEO Travis Kalanick.”
The letter was so explosive, it’s now the trial between Uber and Waymo — so we can be sure we haven’t seen the last of Uber’s security disasters in the news.