Why 2013 was the year of the personal data breach
As 2013 winds to a close, it’s time to look back at the biggest security events and incidents of the year. Here’s hoping there are some lessons to be learned—something to provide a foundation for stronger protection and a safer online and mobile world in 2014 and beyond.
With each passing year, the world of technology evolves and improves, and that includes building stronger defenses against cybersecurity threats. Unfortunately, cybercriminals are continuously adapting and acquiring new techniques, too, and successfully exploiting emerging technologies in a perpetual game of security leapfrog.
Here’s the 2013 security highlight—er, lowlight—reel.
The concept of ransomware is simple: Attackers encrypt your data or lock you out of your PC or device using malware exploits, and then demand payment in exchange for restoring your access.
The biggest ransomware threat of 2013 was CryptoLocker. A recent report from Dell security researchers suggests that the CryptoLocker crooks raked in $30 million in only 100 days. That’s $300,000 a day on average from users paying the ransom to get access to their data again.
“2013 saw a significant trend toward ransomware because cyberattackers were able to utilize Tor and Bitcoin to anonymously blackmail people into paying for access to their own data,” says Ken Westin, security researcher for Tripwire.
The CryptoLocker ransom is generally $300. If you don’t have a recent backup of your data, you don’t have many options—either pay the ransom, or lose all of your data and start over from scratch. On the positive side, the criminals do, in fact, follow through on their promise to return your PC or data once you’ve paid the ransom.
“This trend will accelerate and migrate to mobile devices in 2014,” Westin says. “There’s an enormous number of consumers to target who are dependent on the data and services in their mobile device. More than half of mobile-device users don’t use even the most basic security precautions, making them easy prey for cyberattackers.”
Wolfgang Kandek, CTO of Qualys, warns that traditional defenses may not offer much protection against CryptoLocker. The attack does not require any special access or privileges, so it’s very difficult to prevent using standard computer security tactics. “XKCD had it absolutely right in its April 2013 comic strip,” he says. “If all my important data is my user data, the malware does not need to escalate to administrator to wreak havoc.”
You really have only one way to protect yourself against ransomware threats: You must back up your data on a regular basis. If your system is compromised by ransomware, you can simply restore your own data from the backup rather than paying the extortionists.
The overlap between ransomware and mobile security brings us to the next security trend of 2013: mobile malware. The volume of mobile malware has continued to grow exponentially, as cybercriminals try to take advantage of the fertile new territory.
FortiGuard Labs reported that it logged 50,000 malicious Android samples in January 2013—about 500 per day. As of November, that number had spiked to 1500 new malware samples per day.
The trend is alarming, but such reports also seem a bit “the sky is falling” at this point. Security vendors keep telling us that the volume of mobile malware is growing at a distressing pace, yet we haven’t really seen a significant malware attack against mobile devices in the real world.
It’s only a matter of time, though, before criminals move beyond the testing and proof-of-concept phase, and actually plant a malicious payload. The attack may not be as pervasive or obvious as old-school PC malware, because attackers have learned that flying under the radar and avoiding detection is a more lucrative strategy.
FortiGuard says that it has started to see evidence of a threat called AndroRAT, which attackers can deliver as a Trojan horse buried within an otherwise normal app. The RAT, or remote application tool, enables the attacker to send SMS text messages from the infected smartphone, monitor calls and SMS texts, direct the device’s browser to a specific URL, or perform a variety of other actions that could serve either to compromise personal information or to siphon funds from the victim.
We’re still waiting for “The Big One,” but mobile malware will eventually live up to the hype—probably when users least expect it.
If you didn’t already follow the established practice of changing your passwords every few months, 2013 probably left you little choice as sites and services forced users to choose new passwords in the wake of data breaches. Living Social, Evernote, and Adobe all experienced major data breaches in which tens of millions of user accounts were compromised, and passwords were exposed.
“One could argue that 2013 was ‘The Year of Stolen Credentials,’” says Dwayne Melancon, CTO of Tripwire. “According to DataLossDB, the top five largest breaches in 2013 affected about 450 million records—that’s a lot of instances of ‘12345,’ ‘password,’ and ‘monkey.’ The most alarming thing is that many of these stolen passwords were found to have been stored in insecure ways despite plenty of warnings about using strong cryptography.”
To cap things off, we found out that Target was the victim of cybercrooks. Between Black Friday and December 15, hackers collected credit card details on about 40 million people who had shopped in person at the popular retail chain.
The year kicked off with the Mandiant report on APT1, which offered undeniable proof that U.S. agencies and companies were being infiltrated by a group based out of China. But after everyone spent the first half of the year worried about foreign—possibly state-sponsored—attacks out of China, Iran, and Syria, Edward Snowden dropped a bomb that would change the conversation dramatically.
Snowden—a contractor for the National Security Agency—fled the United States (eventually finding temporary asylum in Russia) and shared with the world details about the NSA’s spying on just about everything and everyone around the globe. The ripples from the Snowden revelations are still being felt, as U.S. citizens, the U.S. government, and the nation’s allies struggle to find a balance between proactive diligence and overt violations of privacy and civil liberties.
“What he released essentially proved to the 10th degree that the U.S. government was itself infiltrating its own corporations and has been eroding the privacy of millions for years already,” says Andrew Storms, a security researcher with CloudPassage. “The hundred-pound gorilla in the room wasn’t China or Iran, but our own U.S. agency called the NSA.”
“Perhaps the only good news from the Snowden leak is that it has forced a lot of companies to take a serious look at which data is important to them and how it’s being protected,” Melancon says.
Looking ahead to 2014, the looming threats are essentially the same. The threat from mobile malware will continue to grow, and we will continue to strive to protect our personal data—from cybercriminals and from our own governments.