The top 12 security stories of 2016
Most of us thought 2015 was the year of the data breach, but then 2016 happened. 2017 has a job to do if it wants to continue the trend
Security was never far from the headlines in 2016, with data breaches at large firms occurring almost daily at some points in the year.
And it wasn't just about the data breaches, there were security-related legal and political developments around the controversial Investigatory Powers Bill, and the EU's General Data Protection Regulation (GDPR).
Computing now brings you our collection of the most important security stories of the year.
In October security researchers demonstrated a new class of hardware-based attack that, they claim, could enable hackers to acquire root access to Android devices without exploiting any software flaws or requiring user permission.
"The root of the problem is that many memory chips have a hardware vulnerability, known as Rowhammer," Herbert Bos, professor of systems security at Vrije Universiteit Amsterdam in The Netherlands told Computing.
He continued: "It allows attackers to change the content of memory that they should never be able to access. The effect is pure physics, but exploitable from software."
Since the Rowhammer attack was first publicised, attacks against Android devices have produced inconsistent results: for example, attacks succeeded on 12 of 15 different Google Nexus 5 devices tested, but on only one of two Samsung Galaxy S5 handsets.
Michael Page Recruitment hacked - all passwords compromised
In November recruitment firm Michael Page admitted that it had been hacked, with all passwords compromised. The company said that the hack took place at the beginning of the month.
In an email to clients, it warned that names, email addresses and passwords had all been accessed by unknown hackers, although it added that the passwords, at least, were encrypted.
The company claimed that the attackers gained access via a development server used for testing PageGroup websites by its IT services provider Capgemini.
"We regret to inform you that on 1 November 2016, we were made aware that an unauthorised third party illegally gained online access to a development server used by our IT provider, Capgemini, for testing PageGroup websites," the company admitted in its email.
"We are sorry to tell you that the details you provided as part of your mypage subscription have been identified as amongst those accessed... Since we identified that your data was accessed, we have worked non-stop to fix this issue with Capgemini, who are a global leader in consulting, technology and outsourcing services," it continued.
The email added: "We immediately locked down our servers and secured all possible entry points to them. We carried out a detailed investigation into the nature of what happened."
AdultFriendFinder hack exposes 20 years of data on 400 million users
In November it emerged that Friend Finder Network Inc, the company that runs the AdultFriendFinder dating website, had been hacked for the second time in 18 months, with the attackers making off with some 20 years of users' data.
The data, which includes user names, emails and passwords, had been spilled on the LeakedSource website, but LeakedSource initially decided against publishing the whole lot.
"Friend Finder Network Inc is a company that operates a wide range of 18+ services and was hacked in October 2016 for over 400 million accounts representing 20 years of customer data, which makes it by far the largest breach we have ever seen," claimed LeakedSource.
"This event also marks the second time Friend Finder has been breached in two years, the first being around May 2015," it added.
The 400 million user number comes from the organisation's wider network that includes Penthouse.com, described as an "adult magazine akin to Playboy", and Cams.com, a site "where adults meet models for sex chat live through webcams".
AdultFriendFinder accounted for the bulk of the users, however, with some 340 million of them. LeakedSource decided against publishing the dataset from the hack, as it usually would.
"After much internal deliberation by the LeakedSource team, and for various reasons, we have decided that this dataset will not be searchable by the general public on our main page for the time being," the organisation said at the time.
'Dirty COW' Linux kernel security vulnerability being exploited in the wild, warns Red Hat
In October a Linux kernel security flaw, dubbed 'Dirty COW', was found being exploited 'in the wild', as open source software vendor Red Hat warned, with users urged at the time to update their systems as soon as possible.
The flaw and its exploitation were uncovered by Linux security researcher Phil Oester, who claimed that the exploit is easy to execute and will almost certainly become more widely used. A patch was soon rushed out.
"The exploit in the wild is trivial to execute, never fails and has probably been around for years - the version I obtained was compiled with gcc 4.8," he said.
"As Linus [Torvalds] notes in his commit, this is an ancient bug and impacts kernels going back many years. All Linux users need to take this bug very seriously, and patch their systems ASAP."
Oester said that he uncovered the exploit for the bug, which has been around since 2007, while examining a server that appeared to have been attacked.
"One of the sites I manage was compromised, and an exploit of this issue was uploaded and executed. A few years ago I started packet capturing all inbound HTTP traffic and was able to extract the exploit and test it out in a sandbox," he said.
"These rolling packet captures have proved invaluable numerous times. I would recommend this extra security measure to all admins."
The Dirty COW moniker describes the nature of the flaw, as Red Hat's advisory explained: "A race condition was found in the way the Linux kernel's memory subsystem handled the copy-on-write (COW) breakage of private read-only memory mappings.
"An unprivileged local user could use this flaw to gain write access to otherwise read-only memory mappings and thus increase their privileges on the system," Red Hat warned.
Oracle removes 'malicious code' following security breach
In August Oracle acknowledged a security breach believed to have been perpetrated by a notorious gang of Russian cyber criminals. The software giant said the attack, which affected more than 700 systems, meant it had to remove "malicious code" from "legacy systems".
Systems affected include, in particular, a customer-support portal for companies using Oracle's MICROS credit card payment systems, where users were urged to change their passwords.
Oracle admitted that it had "detected and addressed malicious code in certain legacy MICROS systems", in an email to security researcher Brian Krebs over the weekend. In total, there are more than 330,000 Oracle MICROS cash registers in use around the world.
According to Krebs, the size and scope of the break-in was still being investigated and it was not known how the attackers gained access to Oracle's internal systems.
"Sources close to the investigation say Oracle first considered the breach to be limited to a small number of computers and servers at the company's retail division," wrote Krebs.
He continued: "That source said that soon after Oracle pushed new security tools to systems in the affected network, investigators realised the intrusion impacted more than 700 infected systems."
Krebs said that he had only started investigating the incident two weeks earlier, after being contacted by an Oracle MICROS customer who had heard about a "potentially large breach" within Oracle's retail division.
Further investigation by Krebs suggested that malware on Oracle's MICROS customer support portal had been observed communicating with a server known to be used by Russia's notorious Carbanak Gang.
Computing's Enterprise Security Review Released
Computing's Enterprise Security Review 2016, 'Moving defence to real time', was released in November.
Key highlights from the research include:
- Larger organisations are more likely to have a dedicated security team in place, and be headed by a CISO or equivalent. The smaller the business, the more likely data security will be within the remit of the IT team.
- SMEs are experiencing greater attack volumes partly due to the fact that there are simply a lot more of them but partly because they are easier to attack with less sophisticated methods.
- Compliance is more of a priority for technical teams in larger businesses, as is security strategy and matters of budget. For those businesses with a CISO or equivalent in place, the security objectives of IT and the business as a whole are far more closely aligned.
- Larger organisations expect to spend more on security hardware in the next 12 months than in the previous year. Companies with a specialised security team and CISO expect to spend more on all types of cyber security.
- Smaller organisations are more likely to be using bundled software such as BitLocker and the Microsoft Office 365 security bundle. Overall there was a feeling that these bundles were not up to the job. Forty-four per cent of respondents said they didn't use any of these and only 25 per cent considered them adequate.
It should be required reading for every CISO, and indeed anyone with any responsibility for security in every business.
GDPR boom time for 'data protection officers' - at least 75,000 required worldwide
The European Union's forthcoming General Data Protection Regulation (GDPR) will require the recruitment of "at least" 75,000 data protection officers to enable organisations to keep on top of their new legal obligations, reports emerged in November.
The GDPR will come in on 25 May 2018, and there won't be any grandfathering of existing contracts - organisations will need to be 100 per cent compliant from day one, or risk fines up to four per cent of turnover.
But according to the International Association of Privacy Professionals (IAPP), the GDPR will require the widespread and large-scale recruitment of data protection officers - typically lawyers specialised in data protection law - in order to stay on top of the new EU law.
"Because the EU's 28 member states together represent the world's largest economy and the top trading partner for 80 countries, many companies around the globe buy and sell goods to EU citizens and are thus subject to the GDPR," claimed the IAPP.
One of the requirements of the GDPR is that any organisation conducting large-scale processing of personal data must have a data protection officer who is independent from the organisation. Hence, companies across the world will now need to consider how to introduce such a role into their business, including the extent of their authority, to whom they will report and how the role will operate.
Earlier in the year, the IAPP claimed that organisations in Europe and the US would require at least 28,000 data protection officers, and suggested that this was a conservative estimate.
Now, the IAPP, using the same methodology, believes that as many as 75,000 data protection officer roles will be created in response to the GDPR, not just in the EU and US, but across the world.
Investigatory Powers Bill faces legal challenge from privacy groups
The Investigatory Powers Bill (IP Bill) is disproportionate and provides the state with unnecessary powers to monitor citizens, according to privacy groups who were preparing to take the government to court over the matter in November.
The IP Bill, better known as the Snoopers' Charter, had been passed by the House of Lords the previous week following a final debate examining various amendments. It will therefore become law within weeks, legalising a number of secret service activities that were ruled unlawful only in October.
It will require internet and telecoms companies to store comprehensive records of websites visited and phone numbers called for 12 months, and to enable police, security services and many other public sector bodies to access those records on demand.
It will also provide the security services with the legal power to bulk collect personal communications data, and give police and security services the explicit power to hack and bug computers and smartphones. Most of these powers will only require the approval of the home secretary.
The IP Bill had already been criticised by the Open Rights Group and Privacy International, which described it as "intrusive" and "draconian".
"It defies common sense," Silkie Carlo, policy officer at human rights organisation Liberty told the LA Times. "We are very, very resolutely in opposition to mass surveillance, which can never be considered proportionate or necessary in a democracy."
Carlo said Liberty was "gearing up" for a fight and intends to mount a legal challenge, saying the bill is "ripe for challenging."
The organisation launched a campaign, dubbed "No #SnoopersCharter", which more than 8,000 people had already joined.
"The Home Secretary claims this will make us safer - it won't. Mass surveillance is ineffective in preventing serious crime," the campaign website reads.
"Mass surveillance overwhelms our security services with irrelevant information on all of us, distracting them from finding the real criminals. The Government ignored the evidence that we need targeted, not total surveillance."
Daily Motion hacked with 85 million credentials leaked
Daily Motion, the video sharing website not dissimilar to YouTube, was reportedly hacked in early December with details of its 85.2 million users stolen.
User names, email addresses and some hashed passwords were all exposed in the attack, according to LeakedSource, the hacking website that provides a database of almost three billion cracked records.
The passwords, however, were hashed with the Bcrypt algorithm with 10 rounds of rekeying, to the company's credit. The passwords will therefore not be easy to crack - or, at least, not as easy as passwords hashed using older or obsolete algorithms, such as SHA1 or MD5.
Representatives from both Daily Motion and Vivendi did not respond to requests for comment.
The Paris-based website, 90 per cent owned by French media giant Vivendi with telecoms company Orange holding a 10 per cent stake, also has offices in London and San Francisco, but is very much a minnow alongside Google-owned YouTube.
The attack on Daily Motion caps a year of increasingly frequent successful attacks on high-profile websites and services.
Dropbox hacked: Credentials of 68 million users spilled
In August, cloud storage company Dropbox, which had reportedly been considering a public share offering in 2017, was believed to have been compromised in a major cyber attack spilling some 68 million personal records.
The incident was uncovered by veteran security researcher Troy Hunt, who said that both he and his wife were affected. It came less than a week after Dropbox sent emails to a number of users suggesting that they update passwords which, the company said, hadn't been changed for a number of years.
Motherboard was first with the news, but Hunt verified it by checking his own details against a database released by a 'supporter' of the Have I been pwned? website.
"Motherboard reported on what had been rumoured for some time, namely that Dropbox had been hacked," Hunt explained in a blog post.
"Not just a little bit hacked and not in that 'someone has cobbled together a list of credentials that work on Dropbox' hacked either, but proper hacked to the tune of 68 million records."
Dropbox said in a blog post the previous week that anyone with a password created five or more years ago should change it immediately.
"If you signed up for Dropbox prior to mid-2012 and haven't changed your password since, you'll be prompted to update it the next time you sign in," the company said.
"We're doing this purely as a preventive measure, and there is no indication that your account has been improperly accessed. We're sorry for the inconvenience.
"Our security teams are always watching out for new threats to our users. As part of these ongoing efforts, we learned about an old set of Dropbox user credentials (email addresses plus hashed and salted passwords) that we believe was obtained in 2012. Our analysis suggests that the credentials relate to an incident we disclosed around that time."
Old as the details might be, Hunt confirmed that his wife's details were exposed and that her password had not changed since 2012.
"There is no doubt whatsoever that the data breach contains legitimate Dropbox passwords. You simply can't fabricate this sort of thing," he said.
"The only places that password ever existed was in her strongly encrypted 1Password keychain and on Dropbox's servers. It confirms the statement from Dropbox themselves, but this is the kind of thing I always like to be sure of."
Saudi Arabia hit by wave of cyber attacks, Iran blamed
In early December Saudi Arabia was hit by a wave of destructive cyber attacks which resulted in data being erased at the government's aviation agency. Five additional targets were hit too, unnamed sources told Bloomberg.
In total, thousands of computers were wiped at Saudi Arabia's General Authority of Civil Aviation, erasing critical data and bringing operations there to a halt for several days, the sources said.
The finger of blame was quickly pointed at Iran, according to the sources. The two countries recently severed diplomatic ties and are on opposing sides in the region's many conflicts including Syria, Yemen and Iraq.
In particular, the malware deployed is similar to that used in earlier attacks which were blamed on Iran, but experts say that other countries may have been involved, routing the attack to make it appear to be of Iranian origin, perhaps aiming to derail the recent nuclear deal with the USA.
The attacks were apparently carried out using an enhanced version of the Disttrack malware used against the oil company Saudi Aramco in 2012 in the so-called Shamoon attacks.
According to security vendor Palo Alto Networks: "Disttrack is a multipurpose tool that exhibits worm-like behavior by attempting to spread to other systems on a local network using stolen administrator credentials. More importantly, its claim to fame is the ability to destroy data and to render infected systems unusable. The [Saudi Aramco] attack four years ago resulted in 30,000 or more systems being damaged."
Tesco Bank was hacked in November, with money stolen from 20,000 customer accounts. All online transactions were suspended at the time.
The bank, which has more than 7 million customers, confirmed that around 40,000 accounts saw "suspicious transactions" over the weekend, of which half had money taken.
Benny Higgins, Tesco Bank CEO, said in a statement on the company's website: "Tesco Bank can confirm that, over the weekend, some of its customers' current accounts have been subject to online criminal activity, in some cases resulting in money being withdrawn fraudulently."
Customers reported that as much as £2,000 had been siphoned from their accounts over the weekend, with those affected also complaining that they were unable to get through to Tesco on the phone.
As well as suspending its online operations, Tesco Bank said it moved to block some customers' cards. The company hoped to refund customers within 24 hours, it said in a statement to the BBC.
"As a precautionary measure, we have taken the decision today to temporarily stop online transactions from current accounts. This will only affect current account customers," Higgins said.
"While online transactions will not be available, current account customers will still be able to use their cards for cash withdrawals, chip and pin payments, and all existing bill payments and direct debits will continue as normal. We are working hard to resume normal service on current accounts as soon as possible."
However, the Financial Conduct Authority said banks must refund unauthorised payments immediately, unless they have evidence that the customer was at fault or the payment was more than 13 months ago.
And that concludes Computing's look at security in 2016. Stay safe in 2017!