With each passing year, data breaches get bigger and more invasive. But 2014 saw a new twist to the breach phenomenon with the Sony hack. The attackers didn’t just steal data, they scorched Sony’s digital earth as they exited its networks, wiping data from servers and leaving administrators to clean up the mess and restore systems.
Digital destruction of this sort was first seen in Saudi Arabia and Iran when computers used in the oil industries were struck in 2012 with data- and system-destroying malware. The attack against Sony was different, however, in that gigabytes of sensitive Sony data were also released to the public, creating damage of a different sort—to the company’s bottom line. Whether this sparks a new trend in corporate hacks remains to be seen. One thing is certain: next year will bring a new round of attacks.
Here’s a look back at this year’s top hacks—the biggest and the noisiest.
1. Sony Wins for Most Pwned Company
On November 24, workers at Sony Pictures Entertainment got a rude surprise when an image of a red skeleton suddenly invaded computers nationwide and announced that the company’s secrets were about to be spilled. Yes, the company had been hacked yet again, in a breach that was so widespread administrators kicked workers off the network entirely, taking down email servers, VPN access and even the company WiFi as they attempted to root out the invaders and re-seize control.
News of what may turn out to be the biggest hack of the decade went public after a former worker posted an image of the ominous skeleton splash screen on Reddit, saying a former colleague at Sony had sent it to him. The group claiming responsibility for the breach—GoP, or Guardians of Peace—soon made good on its threat to spill, leaking more than 40 gigabytes of stolen data to the internet—including sensitive worker information such as medical data, salaries and performance reviews; celebrity film salaries and Social Security numbers; and full copies of several unreleased films. It’s a hack that will continue to give long into the new year, since the hackers claim to have stolen more than 100 terabytes of data, including entire databases and email spools, but have so far released only a small fraction of this.
It’s not the first time Sony has been hacked, of course. In 2011, members of Anonymous and LulzSec tore through the company’s networks as part of a 50-day hacking spree targeting multiple victims. They launched the breach against Sony on its PlayStation Network, where they stole data pertaining to more than 75 million customers. A second breach at Sony Online Entertainment compromised an additional 25 million customers. Sony Pictures and Sony BMG were also struck.
2. Regin Reigns as Top Government Hack
Stuxnet and Flame are difficult kings to unseat. But Regin—the massive government spy machine responsible for invading the European Union, a Belgian telecom and a Belgian cryptographer—managed to do just that. Although the hacks were done in 2011 and 2013, the spy tool responsible for them was exposed only this year. Regin is more than a spy tool, though. It’s a customizable platform capable of hijacking entire networks and infrastructures rather than just individual machines and has been around since at least 2008, possibly earlier. Built to remain stealthy on systems for years, its most disturbing feature is a component designed to target GSM base stations in a way that could give the attackers control over a telecom’s entire mobile network. It’s believed to have been used by government spy agencies to hijack the mobile network in Afghanistan and other countries. Who’s behind the tool? The UK spy agency, GCHQ, perhaps with help from the NSA, is believed to be its designer.
3. Home Depot
Continuing the wave of attacks that struck Target, Michaels and Neiman Marcus, Home Depot announced in September that it had suffered a breach that exposed some 56 million credit and debit cards of customers, a figure that surpassed last year’s Target breach by more than 10 million. The attackers had been in the company’s network since at least April, five months before the company discovered the breach, and had gained entry following two previous, smaller breaches of the company’s network. Security contractors had reportedly urged the company to activate an extra security measure that might have helped spot the malicious activity, but the company failed to do so.
4. Live Nude Girls! Fappening Now!
In September, Hollywood It-girl Jennifer Lawrence inadvertently joined the growing pantheon of celebrities whose private parts were made public after hackers seized her nude selfies and posted them online. Lawrence was in good company. Hackers who frequented the 4chan forum released a cache of some 500 images—an event that came to be known as The Fappening—stolen from a reported 100 celebrity iCloud accounts. These included nude pics belonging to Kate Upton, Kaley Cuoco, Hayden Panettiere, and Kirsten Dunst. Speculation about how the photos were obtained focused on a flaw in iCloud, Apple’s online backup service, that failed to limit the number of times someone can attempt to open an account with a password, making it possible for someone to brute-force their way in with repeated password guesses.
But Apple Chief Executive Tim Cook denied the brute force method and said the photos were stolen because hackers were able to correctly answer the security question celebrities set up for their iCloud accounts to reset their password or because celebrities were likely tricked into revealing their usernames and passwords in a phishing scam. Once in the accounts, the hackers were able to download the entire contents of the accounts to their own device.
In response, Apple tightened its iCloud account protections by setting up a system to send an email alert to users whenever someone tries to obtain the contents of their iCloud account from a new device. It also added two-factor authentication to its iCloud service.
But never fear. Even with Apple’s fixes hackers will find other ways to feed their need for nude celebrity pics. Look for Fappening II coming to a theater soon.
5. Snappening Becomes the New Fappening
Just as the fracas over the Fappening was beginning to die down, a new online debacle took its place—this one involving the release of some 13 gigabytes of data, or 98,000 photos and videos belonging to users of Snapchat. The images were made available through the Pirate Bay file-sharing service after someone at 4chan discussed releasing them. The data belonged to Snapchat users who had saved their Snapchat session pics and videos through a third-party application called Snapsaved.com, undermining Snapchat’s “instant delete” privacy feature.
6. TweetDeck Hacked—Panic (and Rickrolling) Ensues
What’s worse than a Twitter feed flooded with promoted tweets you don’t want to see? A Twitter feed laced with a worm. After an Austrian teen discovered a flaw in TweetDeck, Twitter’s popular application for managing Twitter feeds, untold numbers of users began exploiting it to turn other Twitter accounts into their zombies. The vulnerability allowed anyone in a TweetDeck user’s Twitter timeline to send JavaScript in a tweet to that user that would then execute arbitrary pop-up messages on the user’s screen or cause their Twitter account to automatically re-Tweet messages of the attacker’s choosing. Miscreants mostly used it for amusement, forcing accounts to distribute messages like “Yo!”, “HACKED” and the RickRoll classic “NEVER GOING TO GIVE YOU UP, NEVER GOING TO LET YOU DOWN.” The 19-year-old Austrian responsible for the melee discovered the flaw when he tried to send a ♥ symbol in a Tweet. In doing so, he found that he could send coded script in a tweet that would force other accounts to retweet his message automatically. The @NYTimes and @BBCBreaking were among some 30,000 Twitter feeds that inadvertently retweeted his message containing the heart symbol. The teen notified Twitter about the flaw, but before the company could patch it, other users were already exploiting it.
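The class of flaw described above, tweet text ending up in the page as live markup, comes down to missing output encoding. The following is an added example, not TweetDeck's code and not part of the original article: a simplified tweet renderer in its vulnerable and hardened forms. The sample tweet, the function names and the link format are assumptions made for illustration.

```javascript
// Added example: a simplified model of a tweet renderer, not TweetDeck's code.
// SAMPLE_TWEET is constructed for illustration.
const SAMPLE_TWEET =
  '<script>alert("demo")</script> \u2665 via @example https://example.com/a?b=1&c=2';

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode every character that is significant in HTML text or attribute values.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: tweet text is interpolated into markup unchanged, so any
// tags in the tweet become part of the page once this string reaches innerHTML.
function renderTweetUnsafe(text) {
  return '<p class="tweet">' + text + '</p>';
}

// Hardened pattern: tokenize the raw text, escape every piece separately, and
// wrap only the tokens we recognise (http(s) URLs, @mentions) in markup that
// the renderer itself generated. Non-ASCII text such as the heart is untouched.
function renderTweetSafe(text) {
  const s = String(text);
  const tokenRe = /(https?:\/\/[^\s<>"']+)|(@[A-Za-z0-9_]{1,15})/g;
  let out = '';
  let last = 0;
  for (const m of s.matchAll(tokenRe)) {
    out += escapeHtml(s.slice(last, m.index));
    if (m[1]) {
      const url = escapeHtml(m[1]);
      out += '<a rel="noopener noreferrer" href="' + url + '">' + url + '</a>';
    } else {
      const handle = encodeURIComponent(m[2].slice(1));
      out += '<a href="https://twitter.com/' + handle + '">' + escapeHtml(m[2]) + '</a>';
    }
    last = m.index + m[0].length;
  }
  return '<p class="tweet">' + out + escapeHtml(s.slice(last)) + '</p>';
}
```

The same encoding can be had in a browser by assigning tweet text to `textContent` instead of building an HTML string; the string form is shown so the difference is visible in the output.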
7. Bitcoins Hacked Bit by Bit
Let’s call it the other Moore’s Law. The more popular a new system becomes, the more likely it’s going to get hacked. If digital currencies like Bitcoin didn’t quite hit the mainstream as a monetary option this year, they certainly did as hacker targets. Several heists involving Bitcoin and other currencies surfaced as the value of the currencies rose. It began in part last February when the online drug emporium Silk Road 2.0, successor to the original Silk Road, was hacked and drained of all of its currency—an estimated 4,400 Bitcoins worth about $2.6 million. “I am sweating as I write this,” Defcon, the site’s administrator, wrote. “I must utter words all too familiar to this scarred community: We have been hacked. Our initial investigations indicate that a vendor exploited a recently discovered vulnerability in the Bitcoin protocol known as ‘transaction malleability’ to repeatedly withdraw coins from our system until it was completely empty.”
This wasn’t the end of Bitcoin woes, however. The following month, news emerged of a global Bitcoin heist conducted through the Pony botnet. Using machines infected with the Pony virus, cybercriminals hijacked about 85 virtual wallets holding Bitcoin and other crypto currencies, making off with about $220,000 over five months.
The crimewave continued in March when Flexcoin, a Canada-based Bitcoin bank, announced it had been hit by hackers who siphoned 896 Bitcoins worth about $620,000 at the time. The heist crippled Flexcoin, which was forced to close down as a result. Numerous other crypto currency services were hit in a domino wave: the Bitcoin exchange Poloniex was hacked the same month, losing 76 Bitcoins worth about $50,000 at the time; CoinEX, too, was struck, losing all of the bitcoins in its possession. The wave of attacks raised suspicions about possible embezzlement, prompting a CoinEx representative to assure customers that the company’s operators were not “doing a runner” and simply pretending to be hacked while absconding with their funds. In June, yet another crypto currency heist was exposed when Dell SecureWorks reported that Synology NAS storage units used for mining Dogecoin were being hijacked in an attack that netted the thieves $620,000 worth of the digital currency in two months. A few months later, SecureWorks reported another novel tactic in which the thieves used BGP hijacking techniques to redirect traffic from customers of at least 19 ISPs in order to seize temporary control of a group of Bitcoin miners.