Insecurities in trusted digital systems constantly made headlines in 2019, continuing a trend that helped define the last ten years.
The first year of this decade saw the discovery of Stuxnet, a computer worm that previewed the “cyber arms race” by attempting to undermine Iran’s nuclear program. Since then, we’ve seen the world’s first $10 billion malware outbreak, a constant gush of data breaches, and a growing focus on not only preventing cyber attacks but also detecting and responding to them.
Whether we’re discussing elections, banking, or foreign policy, the ways we protect devices, identities, and networks affect almost everyone. And the threats we need to defend ourselves against grow in complexity with every new convenience that the digitization of society adds to our lives.
So as we begin a new year, let’s look back at some of the stories that made international news and exposed pressing cyber security concerns.
773 million unique email addresses and 21 million unique passwords uploaded from a data dump called ‘Collection #1’
The massive collection of data posted to Troy Hunt’s Have I Been Pwned site just a few weeks into 2019 wasn’t new. But it was an enduring reminder of the challenges businesses have faced in securing private data and the risks consumers face from a seemingly endless torrent of leaks.
Billions of people were likely affected just by breaches announced this year.
The huge amounts of data we share to function as normal human beings in the 21st century will only make it harder and harder to secure our identities.
Norsk Hydro’s IT systems subjected to an ‘extensive cyber-attack, impacting operations in several of the company’s business areas’
To fight off the ransomware known as LockerGoga in March, the Norwegian aluminum maker Norsk Hydro immediately went into emergency mode. With the extraordinary effort of its employees, the company began to resume operations, but it still incurred damages as high as $75 million.
This attack differed from WannaCry and NotPetya, the global ransomware outbreaks of 2017, in a crucial way.
“There is no replication mechanism, this is not a worm, it is a targeted attack by the criminals,” Mikko Hypponen, F-Secure’s Chief Research Officer, told WIRED.
This was all about the money.
While ransomware has declined somewhat as a risk to consumers, criminals have focused the use of the threat on organizations that may be more inclined to pay — like small businesses, manufacturers, and governments.
Between 200 million and 600 million Facebook users may have had their passwords stored in plain text
Facebook’s privacy problems continued through 2019.
Whether it was issues with how the site secures passwords or leaks of 419 million phone numbers and the personal data of 267 million users, the world’s largest social network continued to show how difficult it is to protect the privacy of billions of people while trying to monetize their personal lives.
Facebook’s data tribulations will likely continue in 2020. The question is whether the consequences of these lapses will ever become severe enough to force major changes in how people and governments deal with the company.
Microsoft released fixes for a critical Remote Code Execution vulnerability nicknamed ‘BlueKeep’
“CVE-2019-0708 could allow an attacker to execute remote code on a vulnerable machine that’s running Remote Desktop Protocol (RDP),” F-Secure’s Teemu Myllykangas reported in May.
By November, evidence was clear that failure to patch BlueKeep could result in severe consequences.
“F-Secure is aware of reports, both public and private, relating to a new malware strain which is a weaponized implementation of the CVE-2019-0708 vulnerability – commonly known as BlueKeep,” F-Secure Consulting warned. “The existence of malware exploiting the BlueKeep vulnerability raises the risk of exploitation across all organizations, irrespective of their normal threat profile.”
Thanks to what our CEO Samu Konttinen calls the “trickle-down effect” of cyber warfare, vulnerabilities like BlueKeep, known and unknown, will continue to create risks for the foreseeable future.
GDPR celebrates its first birthday
Whether you love it or hate it, you can’t deny the impact of Europe’s General Data Protection Regulation in its first year.
“The awareness has been immense,” Eric Andersen, who works with companies on GDPR compliance, told our Cyber Sauna podcast. “Everybody’s talking about how do they protect data within organizations.”
The first major fines, issued in December of 2019, suggest that regulators intend to step up enforcement efforts. But the biggest impact of the law may be that California’s “light” version of GDPR, the California Consumer Privacy Act (CCPA), goes into effect on January 1, 2020.
The CCPA may be the first law working off Europe’s experiment with data regulation, but it won’t be the last.
IoT and connected home worries grow
“To no one’s surprise, internet of things (IoT) device insecurity has emerged as a top concern and top driver of internet attack traffic in the first half of 2019,” F-Secure’s Melissa Michael reported in September.
F-Secure’s decoy honeypot network that monitors cyber attacks around the world now sees more Mirai malware — which targets insecure IoT devices like webcams and routers — than any threats targeting PCs or smartphones. Persistent vulnerabilities in IoT devices rushed to market helped create this mess.
F-Secure Consulting continues to find vulnerabilities in so-called smart devices that are filling up offices and homes.
While conducting red team exercises to find vulnerabilities in office networks, our experts noticed the popularity of the ClickShare presentation system and ended up identifying numerous vulnerabilities in the system. Our researchers also revealed weaknesses in a smart lock and a projector in just the last few weeks of 2019.
Concerns about the privacy policies of the Amazon Ring “smart” doorbell highlight the growing sense among consumers that the complications of securing a life where almost everything connects to the internet can be overwhelming.
In 2020, California will also roll out SB-327, the first law that regulates IoT security. But it only affects new devices.
That’s why F-Secure is working with internet security providers to offer protection for users’ connected home devices and identities that goes well beyond what the current law expects.