In what has become a regular feature here at IT Pro, we’re back again to take a look at some of the year’s most dramatic security stories, many of which were scarily similar to those we saw in 2018.
What’s clear is that businesses continue to face the same old threats, although you’ll see from our picks that there are plenty of examples of attackers using ingenious methods to breach systems.
Here’s our pick of 2019’s scariest security stories.
VFEmail’s nightmare year
The first entry on our list, and one of the earliest of 2019, involved an attack on US email provider VFEmail. In what was described as a catastrophic breach on VFEmail’s systems in February, the company’s infrastructure had been virtually wiped out overnight, with every disk on every server, including its backups, being destroyed.
Perhaps the most chilling part of the story is that there appeared to be no apparent motive behind the attack and that VFEmail may have been targetted randomly. No ransom was ever offered in exchange for the data, nor was there any evidence that the attacker was even interested in stealing the data.
We were under DDOS attack this weekend. If you received 'Unable to connect to server' warnings, that's an unfortunate side-effect of Cloudflare's active protection. Though without it, the site was completely inaccessible.
— VFEmail.net (@VFEmail) October 21, 2019
Despite the loss, VFEmail remained committed to staying operational, although the company would come under repeated attack throughout the rest of 2019. Customers would face phishing attacks over the following few months, only for the main service to be hit by three consecutive DDoS attacks in late October and early November. To date, work is still ongoing to restore full functionality to its services.
NASA narrowly averts catastrophe
Next up we have one of our most widely read stories from the year, and an example of how the miss-handling of relatively new hardware can pose a serious threat to legacy systems. In June, NASA revealed that a Raspberry Pi device had been blamed for a 2018 data breach that saw the theft of 500MB of mission system data.
An employee was said to have brought a Raspberry Pi into work without permission and connected it to NASA’s Jet Propulsion Laboratory network, which a hacker later targetted to gain access to adjoining systems.
The incident sparked a wider investigation into the organisation’s systems and networks, which found myriad flaws in its database management techniques and methods used to track devices and applications using internal networks. It was ruled that the JPL network was, in fact, incapable of detecting whether an unauthorised or unsecured device was attached to its network.
The report issued ten urgent recommendations for fixing NASA systems, all but one of which were implemented immediately. NASA was fortunate in this instance, as the relatively minor security incident revealed far greater problems plaguing its systems, which were mercifully fixed before disaster could strike.
Hackers at the door
For our next entry, we fast forward to November, where a vulnerability in Amazon’s Ring doorbells was discovered that could allow hackers to intercept their owner’s Wi-Fi passwords.
Researchers at Bitdefender discovered that by accessing a Wi-Fi network’s credentials, criminals could launch much larger and far more sophisticated attacks against a household. This was possible as the device stored passwords in plain text which were then communicated between a smartphone app and the doorbell using HTTP rather than the far more secure HTTPS.
The news prompted further calls for tougher legislation around the manufacture of connected devices, particularly when they are destined for the home.
King’s Cross, we barely recognise you
In what will likely set a precedent for the use of cutting-edge technology in public spaces, August saw an investigation by the Information Commissioner’s Office into the use of facial recognition technology at King’s Cross.
Private owners of the 67-acre site, which houses 50 buildings and is home to major companies such as Google, said they had introduced facial recognition technology alongside their CCTV system to improve the on-site public experience. However, both campaign groups and the Mayor of London Sadiq Khan criticised the decision as it was unclear precisely how the technology was being used. It also raised serious concerns about the capturing of personal data without consent.
The technology was eventually scrapped at the site, however, the owners have not ruled out the possibility of the technology returning at a later date.
The Collection Folders
What’s unusual about 2019 is that it only took 17 days before we saw what would be one of the largest data leaks of the year. Between late January and early February, a group of researchers determined that around 600GB worth of personal data had been leaked and was circulating online in caches known as “Collection” folders.
The initial discovery of the Collection #1 folder unearthed 773 million unique email addresses and 22 million passwords, figures that were then dwarfed when Collection folders 2 through 5 were then found. In total, it’s believed that around 2.2 billion emails and passwords were in the complete cache, now being shared around hacking forums.
It’s also believed that the data is an amalgamation of various leaks sourced from high profile data breaches, such as the enormous Yahoo hacks of 2013 and 2014. Despite the age of the data, security experts believe that criminals have relied on a lax approach to password hygiene and that many of the email and password pairs could still be exploited.
Citrix vs IRIDIUM
In March, Citrix revealed that it was working with the FBI to look into a breach on its systems after a number of documents had been reported stolen. Initial reports were light on detail, mainly as only very brief statements were issued by the company, and it would only be through the release of a report by cyber security firm Resecurity that we’d learn that around 6TB of data had been swiped in the raid.
The company had a number of high-profile customers at the time, including large corporations and both the US military and government.
Resecurity had traced the attack back to an Iranian hacking group known as IRIDIUM, which had bombarded a number of Citrix accounts with commonly used passwords, known as password spraying, before gaining a foothold. After this, the group was then able to methodically bypass each additional security layer, including two-factor authentication.
The IRIDIUM group had reportedly targetted hundreds of thousands of people at more than 200 companies during the previous two years leading up to the hack on Citrix, according to figures provided by Microsoft.
Microsoft: “We told you so…”
One of our most-read stories of the year actually surfaced at the beginning of December.
According to Microsoft threat researchers, 44 million of its customers were still using passwords that had been compromised in the past by large scale data breaches. This included both general users of Microsoft Service Accounts, as well as Azure Active Directory accounts owned by businesses.
Following a check on a database of three billion credentials sourced from public accounts and law enforcement, it was found that the 44 million customers were using the same compromised passwords across a number of online services.
The discovery forced Microsoft to issue a password reset to all affected customers, including an alert to business admins to reset user credentials. The company also urged customers to turn on multi-factor authentication.
Despite the shocking figure, the news potentially served as a great PR for Microsoft – the company has long been attempting to move customers away from passwords onto more secure passwordless authentication. The company revealed to IT Pro in November that it had managed to move 100 million customers to biometric authentication, although it would take at least three more years to move the remaining 700 million users.