It’s been a long, depressing, breach-filled year in the world of computer security.
Yahoo broke the record for allowing the largest hack in history—twice. Millions of zombified webcams and DVRs took down the Internet for users in the United States. Russia was accused of “hacking the vote,” and a new type of malware earned a tidy profit extorting unsuspecting users for Bitcoin. What was it John Oliver said about 2016 (NSFW), again?
Hackers turn Yahoo into yahoos
In September, Yahoo shocked the world when it revealed that at least 500 million user accounts had been breached. At the time, the breach was believed to be the largest theft of personal data from a major technology company ever. Making matters even worse, Yahoo later disclosed that the hack itself had happened in 2014 but only came to light in 2016, so the attackers had access to user information for years.
But it turns out that was just the warm-up. In mid-December, Yahoo dropped the jaw-dropping revelation that a separate hack occurred around August 2013 that leaked the data of one billion users—double the record-breaking hack from September. This is why strong, unique passwords for every site and service you use is important, people.
The one threat that defined 2016 more than any other has to be ransomware. This nasty malware encrypts your files and then holds them hostage, demanding payment—usually in semi-anonymous Bitcoin—before decrypting your stuff. Many, many, many ransomware variants made headlines in 2016, including Locky, DMA Locker, Surprise, and an amateurish (yet effective) version called Ranscam that takes your money but deletes your files anyway. There was even mobile ransomware, and in July researchers found a version of Locky that could operate offline to be even more effective. In August, a study by Malwarebytes said ransomware was so common it was hitting nearly half of all U.S. businesses.
In October, a botnet kicked off a massive distributed denial of service (DDoS) attack against Dyn, a major domain name system (DNS) provider. DNS is the web routing system that turns a website name like google.com into a numerical Internet Protocol address such as 126.96.36.199 for computers to read. Without DNS a web browser cannot find the website you want to see—and that’s exactly what happened to millions in the United States during the DDoS attack. Access to major sites such as Twitter, GitHub, and Netflix went up and down throughout the day.
Several days later we learned the botnet that wreaked the DNS havoc consisted of about 100,000 household devices (such as webcams and DVRs) infected with the Mirai malware. Yes, an army of dumb, insecure smart devices attacked the web.
Apple stops patching QuickTime
QuickTime used to be one of the most ubiquitous pieces of software on a PC. It was vital for watching many early videos, especially in iTunes. Over time, however, QuickTime has become less and less important, and now it's borderline unnecessary. Earlier this year, after two critical vulnerabilities were discovered for the software, Apple apparently decided to deprecate QuickTime for Windows rather than fix the issues.
In other words, if you’re still running QuickTime on your Windows machine uninstall it now.
Your credit card's security measures aren't as secure as you'd think. Researchers at Newcastle University in the United Kingdom demonstrated that discovering a credit card’s expiration date and card verification value (CVV) number can actually be relatively simple. The researchers came up with a novel way to guess these low-digit numbers using a technique called “distributed guessing.”
Basically, a laptop carries out hundreds of guesses simultaneously on various payment sites, using slightly different expiration date and CVV details for the card. Within about six seconds you’ll find the right numerical sequence to unlock a credit card’s secret codes, the researchers said. The weakness is a failure to properly limit attempts at filling out payment details, and credit card systems that don’t actively monitor for simultaneous incorrect credit card detail attempts.
This year, computer hacking graduated from harassing businesses and government agencies to direct intervention in the U.S. presidential election. The first instance was a breach of the computer network of the Democratic National Committee. Wikileaks published a trove of documents in July that included nearly 20,000 emails and thousands of attachments from DNC staffers.
Several scandals sprung up in the aftermath, including implications that the DNC actively tried to work against Bernie Sanders’ campaign to support frontrunner Hillary Clinton as the Democratic nominee. DNC Chair Debbie Wasserman Schultz was forced to resign as a result of that revelation. A hacker going by the name Guccifer 2.0 claimed responsibility for the data theft, but American investigators believed it was the work of Russian state actors.
Russian dirty deeds
In September, U.S. investigators looked into the possibility that Russia was trying to undermine or disrupt the election. Toward the end of 2016, the Central Intelligence Agency and other American intelligence agencies concluded with “high confidence” that Russia tried to covertly influence the election. The concern wasn’t over hacking voting machines but that Russian hackers had infiltrated the computer systems of both major U.S. political parties, possibly with direct involvement from Russian President Vladimir Putin.
As of mid-December, the Office of the Director of National Intelligence (ODNI)—the head of the American intelligence community—had not endorsed that assessment, according to Reuters.
The San Bernardino iPhone
In December 2015, Islamic extremists committed a terrorist attack in San Bernardino, California, killing 14 people and seriously injuring another 22. The couple later died in a gunfight with police.
In 2016, an iPhone belonging to one of the terrorists took center stage because it used Apple’s built-in security tools to protect the device from unauthorized access. The FBI wanted Apple to create special software to allow investigators to get into the phone. Apple refused, arguing the FBI wanted the company to, in effect, “custom-build malware” to undermine the company’s own security features.
The FBI eventually dropped its request to Apple after a security firm was able to help investigatorsaccess data on the phone. The case’s legacy lives on as lawmakers consider what kind of help companies with encryption-capable products should provide to law enforcement.
In August, an anonymous hacker group called the Shadow Brokers said it had obtained hacking tools from the Equation Group, a cyber-espionage team linked to the National Security Agency. During the infiltration the Shadow Brokers grabbed sophisticated exploits that were reportedly used by the NSA. The tools were capable of infecting device firmware and remaining on an infected system even after a complete operating system refresh. After revealing a portion of their treasure trove, the Shadow Brokers attempted to sell other hacking tools they’d obtained, but as of early October the sale had generated little interest.
It started as a single $81 million malware attack against a Bangladeshi bank targeting the SWIFT (Society for Worldwide Interbank Financial Telecommunications) transaction software. By late May, however, up to a dozen banks around the world were investigating potential hacks against the SWIFT system. In July, SWIFT was seeking help from outside security professionals to control the widening hacking epidemic.