This Attack Feels Different

Following the Ashley Madison hack in July 2015, Troy Hunt — the security expert who runs HaveIBeenPwned.com — started receiving inquiries and pleas from people worrying about whether or not their names and e-mails would be found in the database hackers published online.

For some, the hack sparked deep-seated feelings of guilt and remorse. Some registered users even admitted considering the worst. “I have contemplated suicide daily for the past week,” one person e-mailed to Hunt. “My two beautiful children and my wife are keeping me alive. I am very worried that her family and others will find out, making it extremely difficult for her to stay with me.”

Image: Time's Up! (from KrebsOnSecurity)

The motivations behind this attack seemed different than just a commonplace data grab. It was more personal, intending at first to do serious damage to Ashley Madison and its reputation. But because of the site’s purpose, the hack had a devastating effect on affected users. Names, e-mail addresses, credit card information, purchase history, search queries, and profile information were all published online for anyone in the world to search. People could easily find friends, colleagues, family members, spouses, or even enemies and conclude they were cheaters, even if that was not the case. Suddenly careers, relationships, and families were jeopardized as a result of trusting a site that promised privacy — something we all do every day.

2014: The Year of the Breach as Usual

While Target was still going through settlement proceedings in the aftermath of its huge data breach in 2013, hackers hit Sony Pictures, Home Depot, JP Morgan Chase, Spotify, Neiman-Marcus, CHS Community Health Systems, Staples, Michael’s, and eBay (not to mention dozens of others), causing the media and the security community to label 2014 the year of the breach.

It was the year every corporation in the world woke up to the dire state of security. But the motive for these attacks — with the exception of Sony — made logical sense, as the economic rewards were direct and immediate. Grab as much data as possible; then sell it to the highest bidder. The hackers involved were mostly out to make a buck, not ruin lives.

Image: Sony Pictures (from HackerNews)

And while individual users, consumers, and shoppers might have gone through the annoyance of needing a new credit card or a password reset, the effects of losing personal data in a massive breach never hurt in the same urgent, personal sense as what happened throughout 2015.

The hacks witnessed this year — though the large data-grabbing hacks also continued — hit at an intimate level.

2015: The Year of Extortion

Though Ashley Madison provided an unprecedented case study in what can happen when the incriminating details of millions of individuals’ lives get published online, monetary gain was still very much a motivation for hackers in 2015. Shortly after the attack, extortionists began sending threats to notify the spouses and friends of individuals found in the leaked database unless they received a Bitcoin payment.

Ransomware also grew to an astounding level. McAfee estimated the number of attacks in the third quarter of 2013 at 1.5 million. In the second quarter of 2015, that estimate was 4 million, with 1.2 million of the attacks being totally new. The rapid growth in popularity is likely due to the cheap and effective nature of ransomware attacks. Hackers now only need to spend a marginal amount of capital to set up an infrastructure, and the returns can be large.

Ransomware attacks strike fairly indiscriminately, hitting company networks and individuals alike. Once in, the malware deliberately encrypts files that are likely irreplaceable.

Image: Lock picking (from Gizmodo)

Victims, through no fault of their own, suddenly risk losing videos and photos of their firstborn, or the last trip to see Grandma, or the important tax files needed for next year’s return. Some of the latest variants even add insult to injury, mocking victims with a taunting pop-up message once files are encrypted.

Unfortunately, these attacks work often enough to encourage attackers to persist. Hitting individuals and corporate networks alike, ransomware has become so effective that an FBI agent speaking at a security conference this year admitted to suggesting that victims just pay the ransom to avoid losing access to files forever.

There are precautions (like backing up files to the cloud) that can help protect against losing data, and security companies are pitching in to provide tools that can help decrypt locked files. This is great news for infected computers, but security and cryptology experts are already imagining a future in which people face the dilemma of paying a ransom to get their car to start in the morning or to watch Netflix on a smart TV.

That imagined future might already be on the doorstep.

IoT: Insecurity at Work, at Home, and on the Road

In June, researchers at OpenDNS Security Labs published a report examining the security of various Internet of Things (IoT) devices, finding that every device examined had a vulnerability of one kind or another. It’s becoming clear that security is often an afterthought for IoT device manufacturers and software developers.

Image: Hello Barbie (AP Photo/Mark Lennihan)

Also in 2015, researchers Chris Valasek and Charlie Miller demonstrated the very real possibility of disabling a car while it’s being driven; a Barbie doll was shown to be usable for spying on children; vulnerabilities in apps from VTech exposed millions of images and voice messages of children (luckily they were not published); researchers at Rapid7 demonstrated that nine publicly available baby monitors were vulnerable to attack; and security expert Billy Rios was hired by the Mayo Clinic to hack medical equipment currently deployed in hospitals to find out which devices were vulnerable — all of them were hackable.

It seems the forewarnings about the risks embedded devices bring to the workplace, and into our homes and lives, came too late. IoT devices are hackable, and they are already present in everyday life.

How We Turn the Tide

If attacks are getting more personal, we must all start taking security personally. Though it was a challenging year in a lot of ways, 2015 has also seen a lot of positive progress in security.

Researchers advanced their detection methods and threat intelligence models. Industry experts are starting to collaborate more, as are government entities from different nations. The US government has decided to start taking security seriously. Encryption now holds a front-and-center role in the dialogue about the future of security. Security companies are having success finding and mitigating large-scale attacks that affect millions. And two-factor authentication is becoming a standard for vendors.

Image: Apology posted to Pastebin (captured from Pastebin)

Even a ransomware author has shown a change of heart, posting an apology and decryption details to Pastebin.

But there is still much work to do. All the efforts of the smartest security experts in the world, and the billions of dollars invested in safety for online users and their devices cannot save an ignorant Internet populace. We are reaching a critical point for individual Internet users to accept some responsibility for their own security and apply common sense with their decisions about trust, password management, financial transactions, and what to post online.

There is no question: the hacks that occurred this year were alarming. But since the Internet’s role in our daily lives will only grow, it’s imperative to keep up the fight in 2016 and beyond.
