From Sony to Snapchat: The Year in Hacks, Attacks, and No-Good Vulnerabilities
It was a great year to be a hacker. For the rest of us, not so much.
Image: Ingrid Richter/Flickr
This was a great year to be a hacker. For the rest of us, not so much.
Sure, fallout from the Sony hack may be top of mind this month, but let's not forget about the year's other myriad hacks, exploits, vulnerabilities and attacks. 2014 was an ongoing reminder that pretty much everything digital we hold dear is, in some way, broken and insecure. It's fitting, in fact, that this terrible, no-good year is ending with a devastating corporate hack, because that's exactly how the year began.
While the assault on Target's retail payment systems technically took place at the end of 2013, the breadth and depth of the attack wasn't clear until the new year. Attackers broke into the US retailer's payment systems—the computers that control its payment terminals at checkout, essentially—by first breaching Target's vulnerable HVAC (heating, ventilating, and air conditioning) computer systems. They made away with 40 million credit and debit card numbers between Nov. 27 and Dec. 15, 2013.
Then, in September, it was revealed that attackers had been using a similar technique since April to steal 56 million debit and credit card numbers from Home Depot's US and Canadian stores. Highly-specialized credit-card skimming malware played a key role in both hacks, and according to security software company Trend Micro, these types of attacks will only become more complex. Malware that can encrypt and exfiltrate data via the anonymity network Tor, for example, is already in use.
It probably really sucked if you shopped at both Target and Home Depot this year.
Attackers didn't just limit themselves to financial data, however. Later in September, a trove of nude celebrity photos was released onto the internet. Blame initially fell on the security of Apple's iCloud backup service, until it became clear that attackers were mostly using a combination of social engineering and good old brute-force techniques—essentially, using powerful computers to guess at every possible password combination—to obtain iCloud passwords instead. Username and passwords in hand, the attackers then used a third-party tool called Elcomsoft EPRB to download the target users' iPhone or iPad backup from iCloud, with photos, messages and other personal information contained within.
This was followed by the Snapchat hack, in October—not a hack of Snapchat itself, but of an insecure third-party service that enabled users to save copies of messages even after they were supposed to expire. Yet more photos were released online.
It felt like hardly a week went by without hackers either breaching or attempting to breach something
Really, it felt like hardly a week went by where attackers had either breached or attempted to breach something: White House computers, Wall Street, the NASDAQ, Israeli defence contractors, Canadian government computers, the Sands Casino—and that's just the big-name stuff, the stuff that was actually reported.
Which brings us to the ongoing saga of the Sony Pictures hack. Whoever is behind the attack and why it was carried out remain unclear—the US is now claiming North Korea's involvement, while others aren't so sure—but the documents released thus far are stunning in their breadth: social security numbers, salaries, passwords, unreleased movies, scripts, inflammatory executive emails, celebrity aliases, and security certificates used to protect and verify the identity of Sony software and servers. Much like the Target hack with which this year began, we may not know the whole story until next year.
That wasn't all 2014 brought us however. In particular, there was an unusual rash of vulnerabilities discovered in widely used software that most of us, implicitly, believed was secure. February started off with a dire bug in Apple's mobile operating system iOS, and its desktop operating system OS X that had gone unnoticed for over a year. Communications that appeared encrypted actually weren't, leaving users vulnerable to interception.
In April came Heartbleed, a serious vulnerability in an essential piece of server software called OpenSSL that went unnoticed for years, and which many, many companies use to keep their websites secure. When exploited, an attacker could gain access to all sorts of interesting data stored inside a remote server's memory—usernames, passwords, the content of transmitted data, and even the secret keys used to encrypt traffic to and from the server.
The NSA insists that it didn't know about Heartbleed before the rest of the world,and doesn't make a habit of exploiting zero-day vulnerabilities. But we learned about the agency's other pursuits, and the pursuits of its partners, in 2014 instead.
There was the discovery of Regin, a shadowy piece of malware in the same vein as Stuxnet. It attacked mostly European academics, governments and telecom companies (amongst others), has gone undetected since at least 2003, and is believed to be the work of the NSA and GCHQ. The Citizen Lab at the University of Toronto's Munk School of Global Affairs published research on the NSA's ability to hijack unencrypted internet traffic. The intelligence agency can reportedly deliver malware in lieu of, say, an innocuous YouTube video—all without the user's knowing. There were even reports that government agencies had botnets of their own—armies of vulnerable, infected computers that they could use to mask the source of their cyberattacks.
It's hard not to be cynical after a year like this—but it could also be the catalyst we need for a new year of change. What if more users embrace privacy and encryption? What if companies begin to invest more heavily in cybersecurity and defence—as they should have been doing all along? And what if our intelligence agencies were more transparent than they are now?
That's the optimist's take, anyhow. But why not try and believe? Outside of the internet's darkest corners, no one wants the new year to be worse.