The threats were everywhere
What a year in security 2015 was. We saw major cyberespionage groups uncovered, the most embarrassing data breach in history, an unbelievable Android flaw, and incredibly stupid decisions from two major PC makers.
If you thought 2014 was bad with Heartbleed and the Sony hack, just look at the big stories from 2015. It was a year when, more than ever, major data breaches and security flaws had very real-world implications.
Data breaches are a run-of-the-mill occurrence these days, but every now and then a breach rises to the level of jaw-dropping. For 2015, that was most certainly the Ashley Madison hack in August. Hackers were able to breach the site and obtain real names, partial credit card numbers, home addresses, phone numbers, and even sexual preferences for many users of the infidelity service, including some celebrities, personalities, and politicians.
Unfaithful adults weren't the only ones to have their info hijacked this year. Children's electronics maker VTech also suffered a data breach affecting 4.8 million parents and as many as 200,000 children.
A runner-up to the Ashley Madison debacle, Italian surveillance software maker Hacking Team fell to the digital fists of sneaky hackers who managed to pilfer as much as 400GB worth of data from the company's servers. This time around it wasn't just embarrassing company emails or home addresses that were leaked online. Hacking Team had a stash of previously unknown vulnerabilities, most notably for Flash and Windows, that ended up online. The vulnerabilities prompted Adobe and Microsoft to quickly roll out fixes for the security holes.
Super fishy security
During 2015, both Dell and Lenovo messed around with web security by shipping PCs loaded with self-signed root certificates. Lenovo got into trouble in February when a piece of software called Superfish was discovered on select Lenovo PCs. Superfish was designed to deliver advertising but also left users potentially vulnerable to hackers trying to intercept encrypted communications on a public Wi-Fi hotspot. Then in November, Dell did something similar by adding a root certificate to customer PCs in order to provide better customer support. But that certificate, along with the corresponding private key also installed on the PC, made it possible for hackers to generate trusted security certificates for pretty much any site they wished. That made it an excellent tool for impersonating important sites like Google or even your bank in order to steal login credentials.
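The defect described above is a trusted root certificate whose private key sits on the same PC. The following check, an added example rather than anything from the article or from Dell or Lenovo, lists every root in a Windows trust store that either carries a locally available private key or matches the subject names of the two preinstalled roots in question (Superfish on Lenovo, eDellRoot on Dell); it assumes Windows PowerShell 5.1 or later and an elevated session for the LocalMachine store.

```powershell
# Added example, not from the article. A CA in the Root store should never have
# its private key present on an endpoint: whoever extracts that key can mint
# certificates the browser trusts for any site, which is the Superfish/Dell risk.
function Get-SuspiciousRootCerts {
    $stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')
    # Subject-name fragments of the preinstalled roots discussed in the article.
    $knownBad = @('Superfish', 'eDellRoot')

    foreach ($store in $stores) {
        Get-ChildItem -Path $store -ErrorAction SilentlyContinue | ForEach-Object {
            $cert = $_
            # Inside Where-Object, $_ is the knownBad entry; $cert is the certificate.
            $nameHit = $knownBad | Where-Object { $cert.Subject -like "*$_*" }
            if ($cert.HasPrivateKey -or $nameHit) {
                [PSCustomObject]@{
                    Store         = $store
                    Subject       = $cert.Subject
                    Thumbprint    = $cert.Thumbprint
                    NotAfter      = $cert.NotAfter
                    HasPrivateKey = $cert.HasPrivateKey
                    Reason        = if ($nameHit) { 'known preinstalled root' } else { 'private key present on this PC' }
                }
            }
        }
    }
}

# Report anything found; an empty result means neither condition was met.
Get-SuspiciousRootCerts | Format-Table -AutoSize
```

A hit in the LocalMachine store should be removed with Remove-Item on the listed certificate path once you have confirmed it is not a root your organization deliberately deployed, and any software that reinstalls it (Superfish itself, in Lenovo's case) uninstalled first.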
Encrypt everything, but leave the back door open
If normal people get to encrypt their personal communications, the terrorists win. That was the point of view espoused by many politicians and civil servants around the globe following the horrific November terror attacks in Paris. Most notably in the U.S., CIA head John Brennan complained that a lack of backdoors to encrypted communication services prevented the government from decrypting any messages it was interested in. Of course, the reality is that if you weaken encryption with backdoors, you make it possible for capable hackers and foreign governments to capitalize on the same vulnerabilities.
Android gets stage fright
Talk about astonishing security holes. In July, a security researcher discovered a surprising flaw called Stagefright that would allow hackers to run malicious code on Android devices just by sending the victim a specially crafted MMS. The victim wouldn't even have to open the message to get their device owned. Google released a patch for the bug very quickly, but it didn't end there, as Google had to release a more robust patch in August, and then another round of Stagefright-related vulnerabilities appeared in October.
.Onion gets legit
The Tor project's hidden-sites effort got much-needed mainstream support from Facebook in 2014 when the social network opened its own .onion site. Facebook was also the first to get an SSL certificate specifically for a .onion address. That turned out to be a big event that paid off in 2015, when the company helped the Tor project get official recognition for .onion hidden sites and paved the way for more .onion SSL certificates in the future.
What would a year in security news be without some big stories surrounding Adobe Flash? The former de facto web-video standard got everyone overheated in July following the Hacking Team hack, when three previously undiscovered Flash vulnerabilities became public. The vulnerabilities prompted Mozilla to temporarily block all versions of the Flash Player plugin on Firefox. Facebook Chief Security Officer Alex Stamos also called for Adobe to announce an end-of-life date for Flash Player.
Even if Adobe doesn’t kill Flash, the web will. This year saw several sites turn away from Flash: Amazon dropped it for ads, Twitch ditched Flash for HTML 5, and earlier in the year YouTube switched its default to HTML5 video instead of Flash.
In February, security researchers at Kaspersky Lab uncovered an advanced cyberespionage group dubbed the Equation Group that had infiltrated computers in countries such as Iran and Russia. Kaspersky stopped short of linking Equation to the U.S. but implied a connection. Equation Group had unbelievable capabilities, including a persistent type of malware that could only be removed by physically destroying a PC’s hard drive. Equation was called the most sophisticated cyberespionage group—until July, that is, when an even more advanced group called Duqu was uncovered, yet again by Kaspersky.
Browser-based password manager LastPass dealt with a major breach in June after hackers snuck into the company's network and stole account email addresses, password reminders, server per-user salts, and authentication hashes. Thanks to LastPass's security design, the company said users with a strong master password were safe from having their data decrypted by hackers. Those with weaker passwords were still vulnerable, however. To play it safe, LastPass asked all of its users to reset their master passwords. Plus, anyone signing in from an unrecognized IP address had to verify their first post-hack login via email or a two-factor authentication code.
In November, the Tor Project made a surprising accusation. The group said the Federal Bureau of Investigation paid Carnegie Mellon researchers at least $1 million to hack users on the Tor network in order to reveal their true identities. Tor says the focus of the user-unmasking was to find criminals, but ordinary users were also caught up in the dragnet. Both the FBI and Carnegie Mellon denied the allegations, but in a manner that suggested that at least some of Tor's suspicions were close to the mark. Interestingly, Carnegie Mellon researchers were due to give a talk at the Black Hat security conference in 2014 about how to unmask Tor users. The talk was abruptly pulled from the conference for reasons that were never made clear.