Chances are that you didn't go a few days without hearing the word "cyber" last year. It's for good reason. It was a year of data breaches and hacks, impacting the public and private sector alike. Congress used some of these incidents to fear-monger and pass fundamentally flawed legislation, chiefly the Cybersecurity Information Sharing Act (CISA), that didn't even address the basic problem of poor security practices. So as 2015 comes to a close, we thought we would revisit a few.
OPM Hack and Breaches Upon Breaches
Perhaps the most attention-worthy of data breaches of 2015 was the Office of Personnel Management (OPM) hack. OPM was the victim of a breach that exposed the private information of 21 million Americans. But personal data was not the only thing on display—the OPM hack was a perfect demonstration of the government's own weak cyber security practices, and the inadequacy in remedies for individuals affected by the breach.
There were other significant incidents affecting the private sector, most notably Ashley Madison, Anthem, Experian, Hello Kitty, HSBC, Securus Technologies, and VTech.
Our personal devices weren't safe either. Researchers discovered a massive vulnerability in the Android operating system affecting millions of devices. The vulnerability, known as Stagefright, was contained deep in the code that handles processing and displaying images. The especially horrific part was that this vulnerability could be triggered simply by sending the victim a specially crafted text message. Google has since released a patch fixing the vulnerability, but many devices could still remain affected and unpatched.
Botnet of Things
The Internet! It's everywhere! More and more household (and non-household) items are being connected to the Internet, a phenomenon known as the Internet of Things (IoT). Unfortunately, with this explosion of Internet-connected devices came equally explosive security vulnerabilities. Hackers demonstrated the ability to remotely control Jeep vehicles, taking over the steering wheel and even disabling the brakes.
Security researcher Runa Sandvik discovered that a wifi-enabled smart-rifle could be hacked to cause it to mis-target. Multiple backdoors in consumer routers were found, and even your refrigerator could be vulnerable. Even the Barbie dolls that you bought for your children for Christmas are not safe. We hope that manufacturers of Internet-connected devices will take security more seriously in the coming year.
Hacking Team Hacked
There was a lot of schadenfreude at the news that the Hacking Team, a known purveyor of spying tools to oppressive regimes, was itself targeted by hackers. The notorious Italy-based spyware vendor had its own servers compromised, with attackers releasing over 400GB of internal data and communications with clients. The releases included revelations of dealings with regimes targeting activists and journalists, including Azerbaijan, Kazakhstan, Uzbekistan, Russia, Bahrain, Saudi Arabia and the UAE.
Nation-state actors aren't just using off-the-shelf spying tools by outfits like Hacking Team, but are busily developing their own. Researchers at Kaspersky Labs discovered a family of malware, developed by the Equation Group, that could insert itself in the firmware of a number of different brands of hard drives. This malware could then easily persist on that machine, reinstalling itself from a secret sector on the hard drive even if the operating system was completely reinstalled. Due to the complexity of the malware, it is likely that the Equation Group is state-sponsored, and Reuters quoted anonymous former employees of NSA who claimed that the malware was directly developed by the Agency.
There were more examples of state-sponsored malware attacks. One was a spear-phishing campaign which masqueraded as EFF itself. Another one was discovered on the devices of the late Alberto Nisman, an Argentine prosecutor, and linked by Citizenlab to a larger malware campaign in South America.
State-sponsored malware and attack campaigns highlight the terrifying capabilities of nation-state actors and reinforce the importance of security best practices and rejecting backdoors.
This article is part of our Year In Review series; read other articles about the fight for digital rights in 2015. Like what you're reading? EFF is a member-supported nonprofit, powered by donations from individuals around the world. Join us today and defend free speech, privacy, and innovation.