2016 was an extraordinary year for cybercriminals. It seemed like a massive data breach or a bank heist hit the headlines every other day. Will history repeat itself in 2017? That depends on whether we bother to learn from these incidents or instead write them off as outliers.
Here at the Security Awareness Company, you can bet we're voting for the former. As Oscar Wilde put it, "Experience is simply the name we give our mistakes." If that's true, the world gained plenty of experience in the (lack of) information security department in 2016. Here's a look at five of the biggest security blunders of the year, and what we can learn from them.
Yahoo!
In what experts are calling one of the biggest cybersecurity breaches ever, Yahoo! announced in September that data "associated with at least 500 million user accounts" had been stolen in a 2014 intrusion. That seemed bad enough at the time. Then, just a few months later, the company disclosed a separate breach dating back to 2013 that compromised one billion accounts.
The two intrusions were apparently unrelated. The disclosures prompted Yahoo! users to change their passwords immediately, and to change the password on any other account where the same one had been reused.
What we can learn.
We're not in the business of telling people who to do business with, but it may not be a terrible idea to reconsider which email service you use. We are in the business of telling people that strong passwords aren't enough. You also need a unique password for every single account you own, and they need to be changed regularly. The criminals who breached Yahoo! sat on those credentials for months, and in the case of the 2013 breach for years, before the public learned of it. That gave them plenty of time to try the cracked passwords against victims' other online accounts (an attack known as credential stuffing), compounding the damage for everyone affected.
AdultFriendFinder
The "world's largest sex and swinger community" suffered one of the world's largest data breaches when over 339 million accounts from AdultFriendFinder.com were exposed in late 2016. Included in the breach were over 15 million "deleted" accounts that had never actually been purged from the company's databases, according to ZDNet.com.
In total, over 412 million accounts across the Friend Finder Network, the entertainment company that runs AdultFriendFinder.com, Cams.com, Penthouse.com, Stripshow.com, and iCams.com, were compromised. LeakedSource, a breach notification website, called it the biggest breach of 2016 at the time of its discovery.
What we can learn.
Joining websites of this nature comes with added risk, because they will always be prime targets for cybercriminals. So when you do join, sign up with a throwaway email address that is completely isolated from your other accounts (an argument you could make for websites of every kind, not just adult ones). It's also wise to read a site's policy on deactivating your account, because many never actually delete your data, as the 15 million "deleted" AdultFriendFinder accounts showed. And use strong, unique passwords no matter what.
LinkedIn
When this breach first came to light back in 2012, it was thought that around 6.5 million hashed passwords had been posted online. As it turns out, those numbers weren't even close. In May 2016, LinkedIn confirmed rumors that the number of compromised accounts was 117 million, or roughly 73 percent of LinkedIn's user base.
According to Motherboard, the passwords had been hashed with weak protection on LinkedIn's part:
LeakedSource provided Motherboard with a sample of almost one million credentials, which included email addresses, hashed passwords, and the corresponding hacked passwords. The passwords were originally encrypted or hashed with the SHA1 algorithm, with no “salt,” which is a series of random digits attached to the end of hashes to make them harder to be cracked.
What we can learn.
When you set up a social media profile or any online account, you have the right to know what security measures the site uses to protect your information. In fact, you almost have a duty to find out before you hand over your data. Learning how a site stores passwords won't always be easy (we should at least ask), but reviewing the privacy settings is security 101. Oh, and change your passwords every now and then.
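To make the Motherboard quote concrete, here is an added example (not code from the original post or from LinkedIn) that stores a constructed three-user table the way the LinkedIn dump revealed, as bare unsalted SHA-1, runs a dictionary attack against it, and then repeats the attack against the same passwords stored with a random per-user salt and PBKDF2. The wordlist, user records, passwords and the 100,000-iteration count are all assumptions made for the demonstration.

```python
import hashlib
import os
import secrets

# Constructed mini wordlist, standing in for the multi-million-entry
# dictionaries crackers actually use.
WORDLIST = ["123456", "password", "linkedin", "qwerty", "letmein", "sunshine"]


def sha1_unsalted(password):
    """Store a password the way the LinkedIn dump revealed: bare SHA-1, no salt."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


# Constructed "leaked table" of three users. Two of them chose the same
# weak password; the third chose a passphrase that is not in WORDLIST.
LEAKED_UNSALTED = {
    "alice@example.com": sha1_unsalted("letmein"),
    "bob@example.com": sha1_unsalted("letmein"),
    "carol@example.com": sha1_unsalted("correct horse battery staple"),
}


def crack_unsalted(leaked, wordlist):
    """Dictionary attack on unsalted hashes.

    Each candidate is hashed ONCE and looked up against every stored hash,
    so the cost is proportional to the wordlist, not wordlist x users, and
    every user who picked the same password falls with that single hash.
    Returns (cracked mapping, number of hash operations performed).
    """
    lookup = {sha1_unsalted(word): word for word in wordlist}
    cracked = {user: lookup[h] for user, h in leaked.items() if h in lookup}
    return cracked, len(wordlist)


# The corrected design: a random per-user salt plus an iterated, slow KDF.
# 100_000 PBKDF2 iterations is an assumed tuning value for this example.
ITERATIONS = 100_000


def pbkdf2_salted(password, salt=None):
    """Return (salt, digest); a fresh 16-byte random salt is drawn when none is given."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_salted(password, salt, digest):
    """Constant-time comparison so the check itself does not leak timing."""
    return secrets.compare_digest(pbkdf2_salted(password, salt)[1], digest)


def crack_salted(leaked, wordlist):
    """Same dictionary attack against salted records: every candidate must be
    re-derived for every user, because no two users share a salt."""
    cracked = {}
    operations = 0
    for user, (salt, digest) in leaked.items():
        for word in wordlist:
            operations += 1
            if verify_salted(word, salt, digest):
                cracked[user] = word
                break
    return cracked, operations


def build_salted_table():
    """Re-store the same three constructed passwords the right way."""
    return {
        "alice@example.com": pbkdf2_salted("letmein"),
        "bob@example.com": pbkdf2_salted("letmein"),
        "carol@example.com": pbkdf2_salted("correct horse battery staple"),
    }


if __name__ == "__main__":
    cracked, ops = crack_unsalted(LEAKED_UNSALTED, WORDLIST)
    print("unsalted SHA-1:", cracked, "after", ops, "hash operations")
    table = build_salted_table()
    print("alice and bob share a stored hash:",
          table["alice@example.com"][1] == table["bob@example.com"][1])
    cracked, ops = crack_salted(table, WORDLIST)
    print("salted PBKDF2:", cracked, "after", ops,
          "KDF operations, each costing", ITERATIONS, "SHA-256 rounds")
```

Two things the run shows that the quote only hints at: with no salt, Alice's and Bob's stored hashes are identical, so one lookup exposes both, and the whole table falls with one hash per wordlist entry; with a per-user salt the attacker must redo the work for every user, and the slow KDF multiplies the cost of each attempt. Carol's passphrase survives both attacks only because it is not in the wordlist, which is the user's half of the bargain.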
Mirai and the Dyn attack
The Internet of Things, and the hacking thereof, became all the rage in 2016. One incident in particular made headlines when several major websites were knocked offline for millions of people in late October. The attack, a distributed denial of service (DDoS), used a strain of malware known as Mirai, whose source code had been made public by its author(s) a few weeks earlier. Mirai infects everyday internet-connected devices such as DVRs, routers and security cameras by logging in with their factory-default usernames and passwords, and recruits them into a botnet. This army of hijacked devices is then pointed at a target's servers, flooding them with more traffic than they can handle until legitimate users can no longer reach them.
The attack in question was launched against Dyn, a New Hampshire-based DNS provider, and because so many large sites depended on Dyn to resolve their domain names, it caused major outages across the northeastern United States. But that wasn't the last we heard of Mirai. Reports of Mirai botnets being aimed at internet servers surfaced again in November, this time in Liberia.
What we can learn.
Unlike the Yahoo! and LinkedIn breaches, where the companies' own poor security measures are to blame, this one falls largely on end users. It's true that companies building internet-connected devices could make a far better effort at security, but the attack on Dyn's servers would have been much harder to pull off had the owners of these devices changed their usernames and passwords. Many of the infected devices were reported to still be using the manufacturer's default credentials, meaning they had never been changed. That's a major security fail. When you buy anything that can connect to a network, change the default credentials immediately, turn off remote-management features such as telnet that you don't need, and keep the firmware updated. If a device won't let you change its credentials, don't expose it to the internet at all.
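Changing the default password is the fix; the following is an added example (not code from the original post or from any Mirai analysis) of how to notice a device that has already been recruited. Mirai bots hunt for new victims by spraying telnet connection attempts (TCP ports 23 and 2323) at random internet addresses, so a home or small-office router's connection log will show one internal host touching many distinct destinations on those ports in a short time. The log records, addresses, 60-second window and threshold of 10 destinations are all constructed or assumed values for this demonstration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Ports Mirai's scanner probed when hunting for more devices to infect.
TELNET_PORTS = {23, 2323}

# Assumed tuning values for a home/small-office network: flag a host that
# reaches this many distinct destinations on a telnet port within the window.
WINDOW = timedelta(seconds=60)
THRESHOLD = 10


def constructed_flows():
    """Build a constructed connection log of (timestamp, src, dst, dport) tuples.

    One camera (192.168.1.44) behaves like a Mirai bot, spraying telnet
    attempts at 15 different internet addresses in 30 seconds; a laptop
    browses over HTTPS; an admin opens a single legitimate telnet session.
    """
    base = datetime(2016, 10, 21, 11, 0, 0)
    flows = []
    for i in range(15):
        flows.append((base + timedelta(seconds=2 * i), "192.168.1.44", f"45.33.{i}.10", 23))
    flows.append((base + timedelta(seconds=5), "192.168.1.20", "93.184.216.34", 443))
    flows.append((base + timedelta(seconds=9), "192.168.1.20", "93.184.216.35", 443))
    flows.append((base + timedelta(seconds=12), "192.168.1.30", "192.168.1.1", 23))
    return flows


def find_telnet_scanners(flows, window=WINDOW, threshold=THRESHOLD):
    """Return {src: peak number of distinct telnet destinations seen within
    `window`} for every source whose peak reached `threshold`.

    Uses a per-source sliding window over the time-sorted flow list, so a
    long log is processed in one pass.
    """
    per_src = defaultdict(list)
    for ts, src, dst, dport in sorted(flows):
        if dport in TELNET_PORTS:
            per_src[src].append((ts, dst))

    flagged = {}
    for src, events in per_src.items():
        recent = deque()          # (ts, dst) pairs inside the current window
        seen = defaultdict(int)   # dst -> occurrences inside the window
        peak = 0
        for ts, dst in events:
            recent.append((ts, dst))
            seen[dst] += 1
            # Expire events that have fallen out of the window.
            while recent and ts - recent[0][0] > window:
                old_ts, old_dst = recent.popleft()
                seen[old_dst] -= 1
                if seen[old_dst] == 0:
                    del seen[old_dst]
            peak = max(peak, len(seen))
        if peak >= threshold:
            flagged[src] = peak
    return flagged


if __name__ == "__main__":
    print(find_telnet_scanners(constructed_flows()))
```

The admin's one telnet session and the laptop's HTTPS traffic stay below the threshold; the camera is flagged with a peak of 15 distinct telnet destinations. A flagged device is one to pull off the network, factory-reset, re-flash and, above all, give a new password before it goes back online, since Mirai lives only in memory and a reboot alone just invites re-infection.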
Belgian Crelan Bank
In what made for an ominous start to 2016, news broke in late January that Belgium's Crelan Bank had fallen victim to a fraud that cost it 70 million euro (about $75.8 million). Officials blamed the loss on a scam known as CEO Fraud, also called Business Email Compromise (BEC).
CEO Fraud is a classic spear phishing attack: the scammers either gain access to a high-level executive's mailbox or spoof their address, then impersonate the executive by asking someone in the finance department for bank account details or a wire transfer. Spear phishing succeeds because the email appears to come from someone the victim knows and is reluctant to question.
What we can learn.
Even though these phishing scams can be hard to spot, a little skepticism goes a long way. Look for anything that seems off: confirm the source of the email (check the actual sender address and any Reply-To, not just the display name), watch for spelling or grammatical errors, and if a request confuses you even slightly, ask, using a phone number or channel you already know rather than replying to the message. For payments, insist that any change to a wire transfer or bank account be verified out of band, no matter who appears to be asking. You're better off assuming an email is a scam than assuming it's legit. We can expect many more of these attacks in 2017.
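The "confirm the source" advice can be turned into a mechanical first pass. Below is an added example (not code from the original post) that parses a raw message and reports the classic CEO-fraud tells: an executive's display name on an address outside the company domain, a lookalike sender domain, a Reply-To pointing somewhere else, failed SPF/DKIM results in the Authentication-Results header, and pressure language in the subject or body. The two messages, the company domain example.com, the executive name and the keyword list are all constructed assumptions for the demonstration; none of it is a real sample from the Crelan case.

```python
import email
import re
from email.utils import parseaddr

# Assumed values for this example: the company's real mail domain and the
# display names of executives whose identity a CEO-fraud mail would borrow.
TRUSTED_DOMAIN = "example.com"
EXECUTIVE_NAMES = {"jane doe"}
URGENCY_WORDS = ("urgent", "immediately", "wire", "confidential", "don't call", "do not call")

# Constructed messages, not real samples.
SUSPECT_MAIL = """\
From: "Jane Doe (CEO)" <jane.doe@examp1e.com>
Reply-To: jane.doe.ceo@webmail.example
To: payments@example.com
Subject: Urgent wire transfer
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=examp1e.com; dkim=none
Date: Mon, 25 Jan 2016 09:12:00 +0100

Please wire EUR 70,000 to the account below before noon. I'm in meetings all day, don't call.
"""

BENIGN_MAIL = """\
From: "Jane Doe" <jane.doe@example.com>
To: payments@example.com
Subject: Q1 budget review
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com
Date: Mon, 25 Jan 2016 09:12:00 +0100

Attached are my notes for Thursday.
"""


def edit_distance(a, b):
    """Levenshtein distance, used to spot lookalike domains such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def bec_warnings(raw):
    """Return a list of warning codes for a raw RFC 822 message; empty means nothing tripped."""
    msg = email.message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(addr)
    warnings = []

    # 1. An executive's name on a sender address outside the company domain.
    if any(exec_name in name.lower() for exec_name in EXECUTIVE_NAMES) and from_domain != TRUSTED_DOMAIN:
        warnings.append("executive-name-external-domain")

    # 2. A domain one or two edits away from ours (0 means it IS ours).
    if 0 < edit_distance(from_domain, TRUSTED_DOMAIN) <= 2:
        warnings.append("lookalike-domain")

    # 3. Replies silently routed to a different domain than the one shown.
    reply_domain = domain_of(parseaddr(msg.get("Reply-To", ""))[1])
    if reply_domain and reply_domain != from_domain:
        warnings.append("reply-to-mismatch")

    # 4. Our own mail gateway's SPF/DKIM verdicts, as recorded in Authentication-Results.
    auth = msg.get("Authentication-Results", "")
    for mech in ("spf", "dkim"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        if m and m.group(1).lower() != "pass":
            warnings.append(f"{mech}-{m.group(1).lower()}")

    # 5. Pressure language typical of wire-fraud requests.
    text = (msg.get("Subject", "") + " " + msg.get_payload()).lower()
    if any(word in text for word in URGENCY_WORDS):
        warnings.append("urgency-language")

    return warnings


if __name__ == "__main__":
    print("suspect:", bec_warnings(SUSPECT_MAIL))
    print("benign: ", bec_warnings(BENIGN_MAIL))
```

These are heuristics, not a verdict: a mail that trips none of them can still be fraudulent if the executive's real mailbox has been taken over, which is exactly why the payment itself must be confirmed through a channel other than email. The Authentication-Results check also only means something if your own gateway wrote that header and strips any copy supplied by the sender.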
By Justin Bonnema