Review – How Cyber Security Events in 2016 Will Affect 2017
The beginning of 2017 puts us in a reflective mood. A lot happened in the IT security world last year, and I would like to look back at 2016 from our perspective.
The worst things in life happen when people do not learn from the past. If we forget our recent history and past events, we repeat mistakes instead of learning from them. I want to discuss which cyber security incidents will still have an impact in 2017 and what we can do better this year, as individuals as well as organizations and companies.
For that I asked the whole Boxcryptor team for help. Each incident will be commented on by one of our developers, who will give advice and insights on how they deal with the challenges of cyber security and how they assess these incidents.
Since it is really hard to decide what was most important or impactful, we will go through the year chronologically. What kept IT and security specialists busy at the beginning of last year? Right: ransomware, and encryption in general.
1. The Rise of Ransomware
Source: Google Trends (www.google.com/trends)
This Google Trends chart shows how big ransomware became in 2016 compared to the previous four years. Many see a connection between the rise of the digital currency Bitcoin and the rise of ransomware.
Bitcoin is now the preferred payment method of most ransomware campaigns because it lets anyone send and receive money from anywhere in the world, without a bank that could block or reverse the payment, and pseudonymously: transactions are public, but tying a Bitcoin address to a person is hard, which is all the criminals need.
Will this trend continue in 2017?
Sadly, probably yes. It is a deviously smart business model for ruthless cyber criminals. We covered this phenomenon in February, when it all started and several hospitals were held to ransom. Later in the year, one of our developers dissected the code and functionality of one type of ransomware. With the threat of ransomware around us, responsible behavior online matters more than ever.
Christian Olbrich, software developer at Boxcryptor since 2012, says:
“With ransomware, there’s nothing that beats backups – either on a separate disk or encrypted in the cloud. The latter allows you to revert any changes made by a virus. Combine that with a careful attitude towards files from the internet, and you should never have to worry about ransomware again.”
2. The Encryption Debate
Around the same time of year a heated debate flared up between two hugely influential players in the US: Apple and the FBI. Thanks to this debate, everybody heard about encryption, even people outside the IT sector who are not particularly security conscious. What is more important, security or privacy? There have been many cases where privacy was sacrificed for the sake of security. However, we are of the opinion that security and privacy have to go hand in hand, and probably every IT specialist in the world agrees with us.
For example, encryption is crucial for the digitalized Industry 4.0 and for stable democracies to function. It is almost funny that the leaders demanding weaker encryption rely on it themselves. The FBI, for example, needs and wants proper encryption to be able to operate the way it does. They want it for themselves but not for others. Sorry, it does not work that way: a backdoor cannot tell a warrant from an attacker, so a backdoor for the FBI is a backdoor for everyone who finds it. We hope this discussion will take a more positive turn in 2017, because security gained at the expense of privacy is a false security.
Apple won, for now: the FBI withdrew its request after a third party unlocked the iPhone in question, and there is no special FBI backdoor in Apple's iPhone encryption. But these discussions are not over and, given the current heated political situation, will very likely become a topic again in 2017.
Robert Freudenreich, co-founder of Boxcryptor says:
“Strong encryption is essential for our lives and our work in the 21st century. To weaken encryption to catch single criminals is going to cost us all. Additionally, one can never know who will control the instruments we build now in five or ten years.”
3. DDoS Attacks and the Vulnerable Internet of Things
DDoS attacks have been around for a long time. But in 2016 they went from a niche topic relevant to IT specialists to a topic relevant to everybody. Why? Because, bluntly put, your fridge could be an accomplice in the next DDoS attack. The Internet of Things (IoT) connects devices to the internet so that they can become “smart” and serve us and our laziness better. While your computer or laptop is updated quite frequently, these smart devices almost never receive updates that would patch their vulnerabilities, and many ship with factory-default passwords that their owners never change. Therefore, they are easy to hack. This becomes a problem when an army of such devices is compromised and joined together to launch a DDoS attack, as happened last October.
A DDoS attack is the disruption of an online service by an overwhelming amount of traffic. If you want a website to collapse, you just have to send a couple of million visitors to it at the same time; a botnet does the same with compromised machines instead of people. In the case of the DDoS attack in October, the Mirai botnet did just that. The servers of Dyn, a provider of domain name system (DNS) infrastructure, were attacked. Since many websites rely on this service to resolve their names, its outage made many big websites unreachable: Airbnb, Spotify, Twitter, eBay, Reddit and the New York Times were among those affected. And what is that Mirai botnet? It is a collection of IoT devices, for example IP cameras and digital video recorders (DVRs). Mirai recruits them by scanning the internet for devices with an open Telnet port and trying a short list of factory-default usernames and passwords. It is actually possible that your camera was an accomplice in one of the biggest DDoS attacks in history.
Since more and more internet-connected devices are coming onto the market, chances are high that this was not the last DDoS attack on this scale.
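The scanning behavior described above is what makes a Mirai infection visible on your own network: one device suddenly contacts many different addresses on TCP ports 23 and 2323 within seconds. The following Python script, an added example and not code from the original article or from Boxcryptor, runs that check over a handful of constructed flow records (the log format, the addresses and the thresholds are assumptions for the example) and flags sources that touch at least five distinct Telnet targets inside a 60-second sliding window.

```python
"""Spot Mirai-style Telnet scanning in network flow records.

Mirai spread by having every infected device probe random addresses on
TCP ports 23 and 2323 and try a short list of factory-default logins.
In flow data that looks like one source touching many distinct
destinations on those ports within seconds.  The records below are
constructed for this example (RFC 5737 documentation addresses); the
"timestamp src dst port proto" layout is an assumed export format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

TELNET_PORTS = {23, 2323}

# Constructed flow log: "<ISO timestamp> <src ip> <dst ip> <dst port> <proto>"
# 192.168.1.23 behaves like an infected DVR, .50 like a laptop that
# administers that DVR, .77 like a host with occasional, slow Telnet use.
SAMPLE_FLOWS = """\
2016-10-21T11:00:01 192.168.1.23 198.51.100.10 23 tcp
2016-10-21T11:00:03 192.168.1.23 198.51.100.11 23 tcp
2016-10-21T11:00:04 192.168.1.23 203.0.113.5 2323 tcp
2016-10-21T11:00:06 192.168.1.23 203.0.113.77 23 tcp
2016-10-21T11:00:09 192.168.1.23 198.51.100.200 2323 tcp
2016-10-21T11:00:12 192.168.1.23 192.0.2.44 23 tcp
2016-10-21T11:00:02 192.168.1.50 198.51.100.10 443 tcp
2016-10-21T11:00:05 192.168.1.50 192.168.1.23 23 tcp
2016-10-21T11:00:07 192.168.1.50 192.168.1.23 23 tcp
2016-10-21T11:00:08 192.168.1.50 203.0.113.5 443 tcp
2016-10-21T11:00:10 192.168.1.77 192.0.2.10 23 tcp
2016-10-21T11:02:30 192.168.1.77 192.0.2.11 23 tcp
2016-10-21T11:05:00 192.168.1.77 192.0.2.12 23 tcp
"""


def find_telnet_scanners(lines, window_seconds=60, min_targets=5):
    """Return {src_ip: peak_distinct_targets} for every source that
    contacted at least `min_targets` distinct hosts on Telnet ports
    inside some `window_seconds` sliding window."""
    events = defaultdict(list)          # src -> [(timestamp, dst), ...]
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, port, proto = line.split()
        if proto != "tcp" or int(port) not in TELNET_PORTS:
            continue                    # only Telnet traffic matters here
        events[src].append((datetime.fromisoformat(ts), dst))

    window = timedelta(seconds=window_seconds)
    scanners = {}
    for src, evs in events.items():
        evs.sort()                      # chronological order per source
        in_window = defaultdict(int)    # dst -> hits currently inside window
        left = 0
        peak = 0
        for ts, dst in evs:
            in_window[dst] += 1
            # Evict events that fell out of the window behind this one.
            while evs[left][0] < ts - window:
                old_dst = evs[left][1]
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    del in_window[old_dst]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= min_targets:
            scanners[src] = peak
    return scanners


if __name__ == "__main__":
    for ip, n in find_telnet_scanners(SAMPLE_FLOWS.splitlines()).items():
        print(f"{ip}: {n} distinct Telnet targets within 60 s, likely scanning")
```

Only the DVR is flagged: the laptop talks Telnet to a single device, and the third host's connections are too far apart in time. Repeated logins to one box are normal administration; a fan-out to many unrelated addresses is the worm.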
Michael, system administrator at Boxcryptor since 2015, says:
“Private persons who do not want to be part of a DDoS attack, or who do not want to support one without their knowledge, should steer clear of the Internet of Things. Not everything has to be connected to the internet. Everything that is connected has to be updated regularly, and sadly, many manufacturers of smart devices are sloppy about that. Even good, established brands sometimes have horrible vulnerabilities, and employ programmers who only care for functionality and not security.
For businesses and organizations who want to prevent being hit by a DDoS attack, there is no magic cure yet. For that reason, these attacks are so successful. However, a preventively set up CDN (Content Delivery Network), such as Akamai or Cloudflare, could help.”
4. Data Breaches and Password Leaks
According to ZDNet, more than 2.2 billion records were exposed last year, in almost 3,000 data breaches.
LinkedIn, for example, was hacked as early as 2012. However, only in 2016 did it become apparent that many more accounts were affected than previously stated: a database with the login information of 117 million users was offered for sale by a Russian hacker on the dark web. The passwords were not encrypted but hashed, with unsalted SHA-1. Without a salt, identical passwords produce identical hashes, so a table of precomputed hashes of common passwords cracks them in bulk. Apparently, LinkedIn only started to salt passwords after the first incident in 2012.
Apart from LinkedIn, 65 million accounts were breached at Tumblr, and a stunning 427 million old account records at Myspace.
For Yahoo, 2016 was not a particularly good year. In September the company confirmed that over 500 million accounts had been breached, exposing names, email addresses, phone numbers, dates of birth, and hashed passwords. According to security specialist Graham Cluley, these email addresses can now be abused for phishing campaigns and malicious attacks via email. Yahoo users should be especially careful and not open links and attachments in suspicious emails.
It got worse. In December, Yahoo confirmed another hack, this one affecting a total of 1 billion accounts. If you are a Yahoo user, now is high time to leave Yahoo and look for a new email provider.
In the cloud sector there were a couple of smaller incidents, which are of course just as painful for the affected individuals as the big leaks. Somebody, for example, gained access to Pippa Middleton's iCloud account and offered private photos to British newspapers. There was also a breach of 68 million hashed Dropbox passwords which, just as in the LinkedIn breach, dated back to 2012 but surfaced in 2016.
If you encrypt your images before they reach the cloud, as in this example with Boxcryptor, they remain protected in case of a data breach at the provider.
These password leaks have serious consequences for the overall security of password-protected accounts and will therefore continue to have consequences in 2017.
The reason is that the more password databases are available to criminals, the easier it is for them to crack passwords in the future, because they gain lists of passwords people have actually used. Software simply works through the most common passwords and tries them against accounts (a dictionary attack), and because many people reuse passwords, credentials leaked from one service are tried directly against others. Since people are predictable and lazy, many use simple passwords that are easy to remember. The most common passwords are 123456 and password, and those are tried in a split second. But even less obvious passwords are found more easily thanks to these databases. What helps? A password manager that generates a unique, random 16-character password for every service, combined with two-factor authentication, protects you very well against this kind of attack.
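To make the LinkedIn point and the password-list point concrete, here is an added Python example (not code from the original article or from Boxcryptor, and not built on any real breach data). It hashes a constructed set of accounts two ways, unsalted SHA-1 as LinkedIn did in 2012 and SHA-1 with a per-user random salt, then attacks both with a small constructed wordlist standing in for the leaked-password databases criminals use.

```python
"""Why leaked password lists break unsalted hashes in bulk.

Constructed example, not LinkedIn's or Dropbox's data: a tiny "dump" of
unsalted SHA-1 hashes (LinkedIn's 2012 scheme) next to the same passwords
hashed with a per-user random salt.  A lookup table built once from
previously leaked passwords cracks the unsalted dump without hashing a
single guess at attack time.  Against salted hashes the table is useless
and every guess must be rehashed per user; weak passwords still fall,
which is why a slow hash such as bcrypt (used by Dropbox) and, above all,
random passwords are what actually protects an account.
"""
import hashlib
import secrets
import string

# Constructed stand-in for the real leaked-password corpora.
LEAKED_PASSWORDS = ["123456", "password", "qwerty", "linkedin",
                    "Summer2016!", "letmein", "iloveyou"]


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def build_lookup_table(words):
    """Precompute hash -> password once; reusable against any unsalted dump."""
    return {sha1_hex(w.encode()): w for w in words}


def crack_unsalted(hashes, table):
    """Pure dictionary lookup: no hashing at attack time, O(1) per hash."""
    return {h: table[h] for h in hashes if h in table}


def hash_salted(password: str, salt: bytes) -> str:
    """Salted SHA-1: same password, different salt -> different hash."""
    return sha1_hex(salt + password.encode())


def crack_salted(records, words):
    """records: [(salt, hash)].  Every candidate must be rehashed for each
    salt, so precomputed tables cannot be reused across users."""
    found = {}
    for salt, h in records:
        for w in words:
            if hash_salted(w, salt) == h:
                found[h] = w
                break
    return found


def random_password(length=16):
    """What a password manager generates: 16 symbols from a 94-symbol
    alphabet is roughly 105 bits of entropy, far beyond any wordlist."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


def demo():
    """Return (unsalted cracked, salted cracked) for three constructed users:
    two with passwords from the leaked list, one with a generated password."""
    table = build_lookup_table(LEAKED_PASSWORDS)
    users = {"alice": "123456", "bob": "qwerty", "carol": random_password()}

    unsalted_dump = [sha1_hex(p.encode()) for p in users.values()]
    salted_dump = []
    for p in users.values():
        salt = secrets.token_bytes(16)          # fresh salt per user
        salted_dump.append((salt, hash_salted(p, salt)))

    cracked_unsalted = crack_unsalted(unsalted_dump, table)
    cracked_salted = crack_salted(salted_dump, LEAKED_PASSWORDS)
    return len(cracked_unsalted), len(cracked_salted)


if __name__ == "__main__":
    print("cracked (unsalted, salted):", demo())
```

Both runs recover alice's and bob's passwords and neither touches carol's: the salt removes the attacker's precomputation advantage and stops one cracked hash from exposing every user with the same password, but it does not save a password that is on the list. Only the random password survives either attack, which is exactly the argument for a password manager.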
Nicole, software developer at Boxcryptor since 2014, says:
“It is important to never use the same password for different services. Since it is difficult to remember several secure passwords, the best solution in my opinion is a password manager. With such a tool, you only have to remember one password. I personally think it is reasonable to use several email addresses and use them according to the importance of the service. You should consider using a different email address for your next online shopping tour than for PayPal, for example.”
5. 1984: Surveillance and Government-authorized Hacking
Two democracies passed laws and rules last year that are a stunning setback for privacy. In November, the parliament of the UK granted the government new hacking and surveillance powers with the Investigatory Powers Bill, or Snoopers' Charter, as opponents of the bill call it. While those responsible for the bill see it as a necessity to ensure security and prevent terrorism, Jim Killock, executive director of the Open Rights Group, calls it
one of the most extreme surveillance laws ever passed in a democracy.
An ongoing petition calls for its repeal. The Act received Royal Assent at the end of November 2016, and as its provisions come into force in 2017, a total of 48 authorities will be allowed to access internet connection records without a warrant. For that purpose, internet history data has to be stored for 12 months. Also, police forces and intelligence services are allowed to hack computers and track behavior on them with a warrant.
A similar setback for privacy happened in the US with the change to Rule 41 of the Federal Rules of Criminal Procedure, which took effect on December 1. From now on, the FBI and law enforcement can search multiple computers across the country with a single warrant, in particular when a computer's location has been concealed through technological means or when a botnet has infected machines in five or more districts. Before, they were only allowed to search computers in the district where the warrant was granted.
According to fortune.com
Civil liberties groups have warned Rule 41 represents a dangerous expansion of the government’s surveillance power, and will lead law enforcement bodies to “forum shop”—seeking warrants in districts where a judge is most likely to grant them.
Thanks to these changes it will probably be much easier to obtain a warrant to search computers. Opponents argue that the change to Rule 41 conflicts with the Fourth Amendment of the US Constitution, which prohibits unreasonable searches and seizures.
Jonas, software developer at Boxcryptor since 2012, says:
“To defend yourself against government surveillance is hard and may not be necessary, as long as you do not get on their radar. If you are not happy with governments theoretically being able to spy on you, or if you are an investigative journalist who has to protect sensitive information by all means, you can start defending yourself by encrypting your machines and cloud and by using a VPN for private internet connections.”
6. Donald Trump
Trump's organizations were attacked several times last year: there were two data breaches at his hotel chain as well as a leak of the resumes of future interns at his campaign. ZDNet makes a good point about these incidents:
Let's hope his cybersecurity strategy is better when he's in office.
This brings us to why he made it into this list. Some may still be digesting that he will be the next president of the United States, and many of us are wondering what his presidency will bring, for example in terms of cyber security.
He will most likely not be pro-encryption, because he clearly sided with the FBI in the encryption debate mentioned above. But again, like the FBI and many other authorities worldwide, he would like rules that only apply to others. The fact that he called for a boycott of Apple in a speech but continued to tweet from his iPhone shortly afterwards is very telling: please boycott Apple, folks, but of course I will continue to use it, because their stuff is just so pretty and practical.
We honestly do not know where Trump's presidency will lead us in terms of cyber security. Therefore, no comment on this one from the team.
What will 2017 bring? We are not really sure what Trump is up to, so we just have to wait and see. We are pretty sure that cyber criminals will not stop trying to earn money with ransomware. Therefore, it is important to know where the biggest threats are waiting and how to avoid them. Password leaks and data breaches are always possible, so keep your sensitive data as safe as possible, for example with encryption and VPNs, and stay aware of security threats. Then you will be ready for a successful, breach-free and happy 2017.