2016 is coming to a close and what better way to take stock of the year than by summarising the biggest security news? The Detectify Team has listed 7 news that shaped the field of web security in 2016. Large-scale hacker attacks, ransomware and controversial privacy policy were some of the year’s hot topics – let’s hope next year brings more secure websites and security awareness!
1. The Dropbox Hack
Plenty of sites were hacked in 2016, but one security breach that had a significant impact on a large number of people and got a lot of attention in the media was the Dropbox hack. Millions of user accounts were compromised, affecting nearly two thirds of Dropbox’s users. The incident highlighted the importance of using strong and unique passwords and the need for companies to encourage users to do so.
2. The Dyn DNS DDos attack
On October 21, many services were unavailable as a consequence of the largest DDos attack to date. The attack targeted DNS provider Dyn using a Mirai botnet of IoT devices and caused downtime for many major websites like Reddit, Twitter and Netflix. It is no secret that IoT devices are extremely vulnerable, but this DDos attack showed just how dangerous IoT can be when exploited.
3. UK’s Investigatory Powers Act
The controversial Investigatory Powers Bill passed into law in November 2016, increasing the state’s surveillance powers in the name of security and anti-terrorism. Logs of internet users’ connection records now need to be retained for 12 months, allowing authorities to access the data without a warrant. The legislation has raised concerns about the lack of checks and balances, but this is not the first time privacy has been discussed in 2016. In the US, Cisco announced that the NSA had been targeting its firewalls and the FBI requested an iPhone backdoor from Apple, sparking a legal battle and a lively debate about how far authorities’ can, and should, reach.
4. The Bitfinex hack
The popular cryptocurrency was at the heart of security discussions this summer after the Bitfinex exchange was hacked, costing the exchange’s customers over $60 million worth of bitcoin. Even though Bitfinex offered compensation, the incident exposed the risks tied to investing in bitcoin as vulnerable exchanges do not always reimburse currency holders. With banks and governments slowly but surely taking steps towards the world of bitcoin, we will probably see more discussions about the currency’s security in 2017.
5. The Dirty COW Exploit
A true blast from the past, the Dirty COW Exploit is a Linux kernel vulnerability that allows attackers to gain administrator privileges in 5 seconds. The race condition had been hiding in the kernel for eleven years and Linus Torvalds explained that he was aware of it and tried to fix it over a decade ago. The exploit is just one of many examples of old bugs emerging as critical vulnerabilities that emphasise the need for continuous security.
6. Ransomware
2016 was the year of ransomware. The number of ransomware attacks increased threefold, affecting a wide range of organisations. Amongst those affected were San Francisco’s public transport system, a hospital in Baltimore, and Bournemouth university, showing that nobody is entirely safe. Preventive measures combined with a greater security awareness can hopefully curb the wave of ransomware attacks in the future.
7. DARPA’s Cyber Grand Challenge
This year, DARPA organised a Cyber Grand Challenge, a really cool competition where teams hack and patch vulnerabilities. What’s special about the challenge is that the participants are fully automated systems, so they compete without human intervention. The winning machine, Mayhem, was invited to the DEFCON Capture the Flag and became the first autonomous computer system to take part in the competition. Hurray for automation!
Where is security headed in 2017?
While we at Detectify lack a crystal ball to predict the future, we think that some of the current trends in security could continue into 2017. IoT security will probably be in focus and we can expect hackers to find more vulnerabilities in IoT devices as well more DDoS attacks and worms. We might also see more advanced attacks on Tor networks and more exploits with dramatic names and sophisticated branding (we’re looking at you, Heartbleed, Poodle and Dyre Wolf).
On a more positive note, we think security awareness is going to make headway in 2017 and we are excited to be part of the journey! We will continue to support developers in their security work and help secure as many websites as possible. Go hack yourself in 2017!