As the year draws to a close there has certainly been a spike in criminal cyber activity. In a sense, events this year are no different than previous years except the scale of activity is increasing and the damage more widespread. There’s also the irrevocable sense that the cyber and physical worlds are now so finely entangled that actions in one inevitably echo loud and clear in the other.
2014 was certainly a momentous year in terms of cyber incidents, hacks and law enforcement swoops. We’ve had pictures of naked celebrities hacked from Apple’s iCloud and posted on sites like 4chan, and a major hack on a US bank widely believed to be a message from Russia to stop meddling in the Ukraine. And there was also unprecedented cooperation between 17 law enforcement agencies to close down 400 sites on the dark web peddling everything from guns, drugs and counterfeit currencies to pornography, credit card numbers and killers for hire. But in this case, and given the nature of the dark web, it might be a case of whack-a-mole where one site goes down and another one pops up.
The year got off to an almost predictable start when prosecutors in Germany in the ancient medieval town of Verden revealed that 16 million account details had been hacked including email addresses and passwords. This was followed in April by news from the same prosecutors that 18 million further accounts had been hacked. The accounts were compromised by hackers in the middle of January and there was a suggestion that the same group of hackers is responsible for both thefts and that they may be based in one of the Baltic countries. Some of the accounts were used to send spam emails and others for online shopping portals.
It seems like a major email provider is hit by a big hack every few months or so and this time it was Yahoo!, and not for the first time. The company admitted to a massive email password hack – it won’t say how many accounts have been compromised but the company is believed to have 273 million worldwide. If you hold a Yahoo! account and haven’t changed your password you receive an insistent message telling you to do so. Just following this announcement a series of ‘industry’ reports revealed some startling figures; every 12 seconds someone in the world becomes a victim of cybercrime; in 2013 an estimated £1 billion was stolen from UK residents by cyber bandits.
Occasionally a software vulnerability hits the mainstream news because it’s a big story. The first one of the year surfaced in March and involved a vulnerability in open-source software used to encrypt web communications. Dubbed Heartbleed, it was widely thought to affect the majority of servers that drive internet traffic. Understandably it sent seismic shock waves through the technology industry and particularly among Internet Service Providers. It was a glaring hole that had been in existence for a long time and the effect was akin to finding a hole in Fort Knox big enough to drive a truck through. Attacks have taken place using Heartbleed but not on the scale first anticipated.
Everyone’s favourite online marketplace and the granddaddy of auction sites, eBay, admits its user database has been attacked by hackers. The database contains encrypted passwords and email addresses, physical addresses, phone numbers and dates of birth. It urges all 148 million users to change their passwords.
In late 2013, US retailer Target was hacked; over 40 million customer card details were stolen. The shock waves reverberated for months, with some banks diving into the dark web and buying up the stolen details on hackers’ sites to avoid reputational damage. The company didn’t come clean about the hack for some time and in May, over six months after the wholesale plundering, Gregg Steinhafel, the CEO of Target, fell on his sword, holding himself personally accountable. It was a rare move for a CEO and signified the scale of damage that had been done.
In a rare move, the UK’s National Crime Agency launches a media blitz warning of Gameover Zeus and Cryptolocker. The move illustrates how big the malware problem can be, with all major news media outlets covering the story. Gameover was believed to be responsible for the loss of hundreds of millions of pounds globally, while Cryptolocker freezes computers and demands a ransom. This was a particularly nasty piece of software with unbreakable encryption. That said, a fix has now been created for it, but not before it caused a lot of damage.
An enormous but almost benign hack hit JP Morgan Chase in the US. It affected the accounts of 76 million households and about seven million small businesses, making it one of the largest of its kind. Curiously, the hackers weren’t after profit and were content to sit back and watch jaws drop at the audacity and scale of the hack. It wasn’t long before the finger was pointed at the Russian government. The hack was traced to Ukraine and was believed to be a message to the US: if it didn’t back off from political meddling in the Ukraine, there would be consequences.
The internal records of up to 25,000 employees of America’s Department of Homeland Security are exposed during a computer hack at a contractor that handles security clearances. The contractor USIS said the intrusion had “all the markings of a state-sponsored attack,” without adding any further detail. Could it be the Russians again?
Images of naked celebrities leak on the internet following a password hack of Apple’s iCloud. The list of those affected reads like a who’s who of stars in the female celebrity firmament, including Jennifer Lawrence, Jenny McCarthy and Rihanna. However, some of the images were fabricated while some were also genuine. While clearly a violation of privacy and a salutary lesson in the importance of online security, it was also greeted with wry irony in some quarters, as celebs that live by the camera also squirm with embarrassment by the camera.
Another headline-grabbing bug hits the news. This one is called Shellshock and it affects Bash: it’s a family of security bugs in the widely used Unix Bash shell. Many Internet-facing services, such as some web server deployments, use Bash to process certain requests, allowing an attacker to cause vulnerable versions of Bash to execute arbitrary commands. Bash is also widely used in critical national infrastructure, causing both the UK and US governments to issue red flag alerts.
US and European law enforcement join hands to shut down 400 deep net web sites trading in everything from drugs to guns. The ‘bust’ included Silk Road 2.0. The joint operation between 16 European countries and the US saw 17 arrests. The sites operated on the Tor network which, as well as providing anonymous access to legitimate sites, also lets people hide their visits to thousands of illegal marketplaces trading in drugs and child abuse images, as well as sites for extremist groups. It was the taking down of the original Silk Road last year that signalled a ramping up in the fight against cybercrime, and this much bigger operation saw the battle taken to a new level. It also signalled that the authorities seem to have developed new techniques to track down the origins of these networks and those behind them. But that said, with 400 sites closed and just 17 arrests, there seems to be a lot of work left to do.