A year in digital insecurity – nothing, and no one is safe

I have a relative who has been terrified of the Internet for years. Two decades ago, he was a heavy CompuServe user. Now, he only goes online at the library. But even he can’t escape. The Internet is everywhere now. It is in cars, on TV. It connects to medical devices, to toys (Barbie). It flies on airplanes, touches the power grid.

Andy Greenberg’s automobile-hacking crash-test dummy piece gets my nod as cybersecurity story of 2015.

Credit: Andy Greenberg

In reviewing the past year’s top cybersecurity stories, Lorenzo Franceschi-Bicchierai said 2015 proved that nothing, and no one, is really safe from hackers.” Children were not spared (Vtech). Nor were corporate hackers (Hacking Team).  Customers of 55 U.S. health care providers were hacked, the biggest Anthem, which did not encrypt social security numbers.

Journalists and political dissidents were targeted, of course. Citizen Lab’s sleuths and the AP uncovered a South American cyber-espionage operation with all the hallmarks of state sponsorship.

Kim Zetter at Wired predicts more hacker shakedowns, break-ins in which attackers extort victims, threatening to publish pilfered data. Brian Krebs, who broke the Ashley Madison hack story, noted the opportunistic extortions that followed. (Hollywood was still smarting from the Sony hack, and celebrities led by Jennifer Lawrence are surely thinking twice now about storing nude photos on iCloud).

The proliferation of ransomware _ which holds data hostage _ is scary enough. Zetter anticipates a growing threat of cyber-attacks that compromise the integrity of data. The Stuxnet hack, of course, did so much more than that, and a robot last year killed a human at a Volkswagen plant in Germany, violating Asimov’s first law of robotics. Ted Koppel, meanwhile, sounded the alarm on the threat a cyber-attack could pose to the U.S. power grid. Ukraine’s grid was hit in December in what security researchers called the first known hacker-caused outage.

The year’s biggest hack was of the U.S. government’s Office of Personnel Management. It exposed sensitive personal information from job applications, including of intelligence and military employees with security clearances. In all, 21.5 million people were potentially affected, 5.6 million sets of fingerprints obtained. The authors were Chinese, though Beijing claimed the hack was NOT state-sponsored. They told U.S. officials the culprits were arrested, @nakashimae reported, but provided no further information.

The U.S. government has not proven itself an trustworthy bearer of data; protection efforts fall short.

On the cusp of Christmas, a major vulnerability was announced. Juniper Networks found two unauthorized backdoors in its NetScreen firewalls that would allow “a knowledgeable attacker” to gain access to encrypted traffic on virtual private networks. Major U.S. corporations, banks, universities and government agencies were affected. A looming question in this unsolved mystery is whether the GCHQ (and by extension the NSA) had a role in creating the vulnerabilities.  Backdoors are exactly what U.S. and U.K. law enforcement want as theoretical tools against terrorism.

Silicon Valley has resisted the idea, and rightly so. Tim Cook of Apple emerged as its most passionate, articulate voice on how encryption and digital privacy are essential to our First Amendment rights and should not be sacrificed to satisfy the Department of Homeland Security.

“If you put a key under the mat for the cops, a burglar can find it, too. Criminals are using every technology tool at their disposal to hack into people’s accounts. If they know there’s a key hidden somewhere, they won’t stop until they find it,” Cook said in June.  Tim CookWeakening encryption makes no sense, he said. “The bad guys will still encrypt; it’s easy to do and readily available.”

So all the 2015 security news isn’t bad, after all.

South America hacker team targets dissidents, journalists

By FRANK BAJAK

LIMA, Peru (AP) — A shadowy cyber-espionage group that sent malware to the prosecutor whose mysterious death transfixed Argentina early this year has been hitting targets in left-leaning nations across South America, the Internet watchdog group Citizen Lab reported Wednesday.

The breadth and brazenness of the hackers’ activity bear the hallmarks of state sponsorship. So do its targets.

The group has been attacking opposition figures and independent journalists in Ecuador with spyware. It also ran dummy websites. The most elaborate, geared toward Venezuela, is a constantly updated news site featuring dubiously sourced “scoops” on purported corruption among the ruling socialists. In Ecuador, a similarly faux site seemed tailored to attract disgruntled police officers.

The researchers launched the three-month probe after determining that spyware found on the smartphone of Argentine prosecutor Alberto Nisman was written to send pilfered data to the same command-and-control structure as malware sent to targets infected in Ecuador. They said the hackers had a “keen and systematic interest in the political opposition and the independent press” in the three nations, all run by allied left-wing governments. That suggests it may have operated on behalf of one or more of those governments, the 60-page report said.

In September, the hackers threatened a Citizen Lab researcher as he poked around in a U.S.-based machine the group had infected.

“We’re going to analyze your brain with a bullet — and your family’s, too,” read a message that popped up on his computer screen. “You like playing the spy and going where you shouldn’t, well you should know that it has a cost — your life!”

That’s rare behavior among professional hackers, perhaps indicating little fear of criminal prosecution, said Morgan Marquis-Boire, one of the researchers.

In November, the group attempted to infect the computer of an Associated Press reporter, who was also investigating it, with a phishing attack aimed at stealing his Google password.

READ FULL STORY