2017 was a year like no other for cybersecurity. It was the year we found out the horrid truths at Uber and Equifax, and border security took our passwords . A year of WannaCry and Kaspersky , VPNs and blockchains going mainstream, healthcare hacking , Russian hackers , WikiLeaks playing for Putin’s team , and hacking back . In 2017 we learned that cybersecurity is a Lovecraftian game in which you trade sanity for information. Let’s review the year that was (and hopefully will never be again). Moscow mules This was the year Kaspersky finally got all the big press they’ve been angling for. Unfortunately for them, it wasn’t for their research. The antivirus company spent an uncomfortable year in the headlines being accused of working with Russia’s FSB (former KGB) . Eventually those suspicions got it banned from use by US government agencies. Kaspersky’s alleged coziness with Putin’s inner circle has made the rounds in the press and infosec gossip for years. But it came to a head when an NSA probe surfaced, the Senate pushed for a ban, and — oddly — the Trump administration came with the executioner’s axe. Obviously, Kaspersky — the company, and its CEO of the same name — denied the accusations, and offered to work with the US government. They offered up their code for review and filed suit when the ban passed. At this point, the only thing that might save Kaspersky’s reputation in the US is finding us that pee tape. Fingers crossed. Be still my backdoored heart A ransomware attack on Hollywood Presbyterian Hospital in 2016 put health care hacking center stage, but in 2017 it turned into a true nightmare. The WannaCry ransomware attack spread like wildfire, locking up a third of the National Health Service (NHS) in England. That was followed by other worms, like Petya/NotPetya, which hit US hospitals in June. The security of pacemakers was exposed as being awful, specifically in the case of medical device manufacturer St. Jude Medical (now rebranded as Abbott). A lot of people hated on researcher Justine Bone and MedSec for the way they went about exposing pacemaker flaws, but they were right . The FDA put a painful pin in it when it notified the public of a voluntary recall (as a firmware update) of 465, 000 pacemakers made by St. Jude Medical. Meanwhile, white hat hackers put together the first Cyber Med Summit — a doctor-run, hacker boot camp for medical professionals. That the Summit exists is a tiny bit of good news in our medical mess, but it also proved that you should probably make sure your doctor keeps a hacker on staff. Medical staff at the Summit got a wake-up call about medical devices exploits, and concluded they need to add “hacking” to their list of possible problems to assess and diagnose. I’m not crying, you’re crying On May 12, over 150 countries were hit in one weekend by a huge ransomware crimewave named WannaCry . The attack was derived from a remote code execution vulnerability (in Windows XP up through Windows Server 2012) called “EternalBlue, ” found in the April Shadow Brokers/NSA dump. Those who did their Windows updates were not affected. WannaCry demanded $300 in Bitcoin from each victim and among those included were the UK’s National Health Service (NHS). The ransomworm was stopped in its tracks by the registration of a single domain that behaved like a killswitch. The creators apparently neglected to secure their own self destruct button. Researcher MalwareTech was the hero of the day with his quick thinking, but was sadly repaid by having his identity outed by British tabloids. Adding injury to insult, he was later arrested on unrelated charges as he attempted to fly home after the DEF CON hacking conference in August. Two weeks after the attack, Symantec published a report saying the ransomware showed strong links to the Lazarus group (North Korea). Others independently came to the same conclusion. Eight months later, and just in time for his boss’ warmongering on North Korea, Trump team member Thomas P. Bossert wrote in the Wall Street Journal that “the U.S. today publicly attributes the massive “WannaCry” cyberattack to North Korea.” Maybe he’s just a backdoor man US Deputy Attorney General Rod Rosenstein in October introduced the world to the new and totally made-up concept of ” responsible encryption ” — and was promptly laughed out of the collective infosec room. “Responsible encryption is effective secure encryption, coupled with access capabilities, ” he said . He suggested that the feds won’t mandate encryption backdoors “so long as companies can cough up an unencrypted copy of every message, call, photo or other form of communications they handle.” Even non-infosec people thought his new PR buzzwords were suspect. “Look, it’s real simple. Encryption is good for our national security; it’s good for our economy. We should be strengthening encryption, not weakening it. And it’s technically impossible to have strong encryption with any kind of backdoor, ” said Rep. Will Hurd (R-Texas) at The Atlantic’s Cyber Frontier event in Washington, D.C. Politico wrote : It’s a cause Rosenstein has quietly pursued for years, including two cases in 2014 and 2015 when, as the US attorney in Maryland, he sought to take companies to court to make them unscramble their data, a DOJ official told POLITICO. But higher-ups in President Barack Obama’s Justice Department decided against it, said the official, who isn’t authorized to speak to the news media about the cases. To everyone’s dismay, Rosenstein doubled down on his “responsible encryption” campaign when he capitalized on a mass shooting (using as his example the phone of Devin Patrick Kelley who opened fire on a congregation in Texas, killing 26 people). He said , “Nobody has a legitimate privacy interest in that phone … But the company that built it claims that it purposely designed the operating system so that the company cannot open the phone even with an order from a federal judge.” Like Uber, but for Equifax If there was some kind of reverse beauty pageant for worst look, worst behavior, and best example of what not to do with security, we’d need a tiebreaker for 2017. Equifax and Uber dominated the year with their awfulness. Equifax was forced to admit it was hacked badly in both March and July, with the latter affecting around 200 million people (plus 400, 000 in the UK). Motherboard reported that “six months after the researcher first notified the company about the vulnerability, Equifax patched it — but only after the massive breach that made headlines had already taken place… This revelation opens the possibility that more than one group of hackers broke into the company.” Shares of Equifax plummeted 35% after the July disclosure. And news that some of its execs sold off stock before the breach was made public triggered a criminal probe. Which brings us to the “unicorn” that fell from grace . In late November Uber admitted it was hacked in October 2016, putting 57 million users and over half a million drivers at risk. Uber didn’t report the breach to anyone — victims or regulators — then paid $100K to the hackers to keep it quiet, and hid the payment as a bug bounty. All of which led to the high-profile firing and departures of key security team members. Just a couple weeks later, in mid-December, the now-notorious ‘Jacobs letter’ was unsealed, accusing Uber of spying and hacking . “It was written by the attorney of a former employee, Richard Jacobs, and it contains claims that the company routinely tried to hack its competitors to gain an edge, ” Engadget wrote , and “used a team of spies to steal secrets or surveil political figures and even bugged meetings between transport regulators — with some of this information delivered directly to former CEO Travis Kalanick.” The letter was so explosive it’s now the trial between Uber and Waymo — so we can be sure we haven’t seen the last of Uber’s security disasters in the news. Images: Getty Images/iStockphoto (Wannacry); D. Thomas Magee (All illustrations)
Continue Reading:
2017’s biggest cybersecurity facepalms
