The Biggest InfoSec Stories of 2018
'Tis the season to reflect on the past twelve months. These are the biggest cybersecurity stories of 2018.
It almost seems impossible not to start with this news. Chronologically speaking, it kicked off 2018. Just a few days into January, we learned of Meltdown and Spectre, two vulnerabilities in basically every computer chip made in the last 20 years. The issues can be exploited via speculative execution, an optimization technique in which a computer performs tasks before they're needed, to read kernel memory. The story was notable because of the severity of the vulnerabilities – a short-term fix would slow down machines, a long-term fix would essentially require CPU makers to change the way their chips work – but also because of how the news broke. Coordination between multiple parties broke down, which led to a debate over the embargo and why many tech companies were caught off guard when it was announced early. Companies have patched (and will continue to patch) the vulnerabilities, but it's very likely that they – Spectre especially – will continue to haunt us for a long time.
Data misuse has really been the story of the year and it's hard to think of a company that perfected it better than Facebook this year. For those keeping track at home, it was back in April that we learned that Cambridge Analytica, a think tank connected to the Trump campaign, harvested the data of 87 million profiles thanks to the service's lax privacy policies. A slipup in May allowed posts by 14 million Facebook users to be readable to anyone, even though users had intended to make those posts private. We learned in June that the company gave device makers like Apple and Samsung data belonging to users as well. A bug in Facebook's photo API exposed photos belonging to 6.8 million users in September. Fast-forward to last week, when we learned the company gave companies like Amazon, Spotify and Netflix much greater access to user data than previously known. That's only a handful of the social network's scandals this year. It's gotten to the point where we've become almost tone deaf when it comes to news about Facebook mishandling users; it's difficult to separate the signal from the noise. Hopefully in the new year we hear less about data privacy scandals like this and more about laws around giving users better control over the type of data they provide companies.
Speaking of laws that give users more control over their data, it's still too early to say what the implications of the California Data Privacy Protection Act will be, but it's impossible to deny that its passage is a big deal. The act isn't as expansive as the EU's General Data Protection Regulation but it is pretty broad. It would require businesses to disclose what information they collect, what they do with it, and which third parties they share it with. Businesses would also have to comply with consumer requests to delete it, or requests to opt out of the data being sold. The law doesn't take effect until January 1, 2020 – and will likely undergo some changes before that – but the fact that it was passed in the first place has already laid the groundwork for similar national legislation.
It's rare that a federal agency like the FBI hands down a request to citizens nationwide, like rebooting their routers, but that's just what it did this past June. The FBI recommended the measure as a way to stop a Russian strain of malware, VPNFilter, from infecting more devices. Before it was taken down, the malware, which had commandeered 500,000 routers across 54 countries, had the ability to sniff network traffic, inject malicious content into web traffic, and strip encryption from HTTPS sessions.
This story, from just a few weeks ago, is unique in the sense that it bookended a lengthy string of damaging ransomware attacks. No one's been arrested yet, and it's quite possible no one ever will be – but when the DOJ indicted two men allegedly responsible for writing and distributing the SamSam ransomware, it put a name to the attackers purportedly behind a series of attacks dating as far back as December 2015. SamSam knocked the cities of Atlanta and Newark, lab diagnostics company LabCorp, and countless hospitals offline over the course of 34 months. In addition to hospitals, the ransomware also ground many healthcare providers to a halt in January this year when Allscripts, an electronic healthcare record vendor, was hit, affecting applications that allow e-prescribing, EPCS and some other services.