As activereach celebrates its 10th birthday, we take a retrospective look at the past decade of cybersecurity
I love to go on long country hikes. The problem is, along with getting more tired as I get older, the human mind stops paying attention to its surrounding over time and starts to crave novelty and anomaly. In short – going for long walks can be boring.
At these times, it is good practice to stop the walk, turn around, and look back on how far you’ve come. A brief retrospective gives you refreshment and re-energises your progress. activereach has been in the business of security for ten years and it seems a good time to take stock.
Please join me on this hilltop, water bottle in hand, as we look back over the past ten years of hiking through wild cybersecurity country.
2008: activereach is incorporated into a relatively simple world of AV software and firewalls…
Do you remember 2008? Android phones did not exist to challenge the arrival of the iPhone just in time for Christmas 2007. Amazon’s cloud services had yet to land in Europe. For most people tablets were something you took for headaches – the iPad was two years away.
Although we didn’t know it at the time, we were at the end of the 3rd generation of cyber attacks. Viruses were countered by AV software, Internet attacks were countered by firewalls, and application attacks were countered by e-mail and web filtering gateways. It was a simpler world.
The state of the art was in intrusion protection systems (IPS), although that was notoriously difficult to implement and manage – so many companies did not bother. DDoS mitigation was only for the wealthiest of organizations – banks and online gambling sites. The maximum DDoS attack reported was 40Gbps.
When data was going missing, it was usually because laptops, hard drives, or back-up tapes had been lost, or gone missing in-transit. There was a smattering of reported breaches through hacks – web application attacks such as SQL injections were continuing to yield results for hackers who knew of the simple technique that had been around since the late nineties.
2008 – Barack Obama and the Large Hadron Collider
Notably, 2008 saw the first recorded incidence of simultaneous cyber attack campaigns alongside information and conventional warfare between two states in the conflict between Russia and Georgia. Russia had demonstrated a capability and willingness to launch cyber attacks against neighbours, as Estonia had found out in 2007, and Russian hackers were implicated in attacks against Israel the previous year.
In commercial circles, malware continued to be a major concern, with the arrival and growth of machines infected with the Zeus trojan, which created a delivery system capable of carrying all sorts of malicious payloads.
2009: activereach completes the 1st year of trading & along come mobile apps and the first block of Bitcoin…
2009 arrived with a bang. The first block of Bitcoin was mined in January. Android phones started to appear. The Apple Store and Google Play made mobile applications or “apps” widely available to smartphone users. WhatsApp was developed.
2009 – BitCoin and WhatsApp
US payment services provider Heartland had to announce that over 100m payment card details had been compromised by hackers. The Conficker worm was making a mess of government, corporate, and domestic computers. Conficker was a self-updating chimera of the most advanced malware techniques known at the time and was consequently difficult to contain. Variable hard encrypted payloads, anti-anti-malware activity, creation of backdoors, and self-defence behaviour. At its peak in early 2009, the worm was estimated to have infected 9m hosts. Even in 2015, hundred of thousands of device infections were still being reported.
2010: activereach completes 2nd year of trading & cyber attacks pervade intelligence systems
Unknown to most of the world until 2010 (when Google announced it in a blog post), Google, Adobe, Juniper, Rackspace, and another thirty or more organizations were attacked by a group from China over the course of six months, with attempts made to subvert source code used in the development of various products and in various systems, steal confidential communications, and intellectual property.
Dr Larry Ponemon published a paper calculating the cost of a data breach through a detailed survey of 250 large companies – concluding that enterprise breaches from five different countries amounted to an average of $3.4m per breach.
From 2010 to 2012, the US CIA suffered a number of catastrophic intelligence failures which led to over 60 agents being arrested, and probably executed. First by Iran and then by China. The covert communications system used by the CIA to communicate to informants had been compromised and their intelligence networks systematically dismantled.
The fourth generation of cyber attacks had started.
2010 – UK Prime Minister David Cameron and the 1st generation Apple iPad
In 2010, Microsoft tried to redeem itself from the vulnerabilities that had led to Conficker’s success by launching Azure to challenge Amazon’s domination of cloud services. Samsung launched the Galaxy Smartphone. Apple countered with the first iPad. Icelandic volcano Eyjafjallajoekull grounded aircraft across Europe and set a new standard for memorable passwords (but only when combined with upper and lower case letters, numbers and special symbols.)
The Stuxnet worm was identified, malware specifically designed to target industrial control equipment. Seemingly designed to disable uranium enrichment facilities in Iran, it is widely believed to be the product of joint US and Israeli cyber warfare teams.
2010 also saw DDoS attacks being used by media companies to attack torrent sites used to distribute pirate copies of films. In retaliation, hacktivists under the Anonymous umbrella launched DDoS attacks at banks and pro-copyright organizations.
2011: activereach completes 3rd year of trading & high profile hacks at Sony hit the headlines…
Sony dominated the cybersecurity headlines in 2011. The Playstation network was taken down for 23 days after an intrusion in April. 77 million data records, 12,000 payment card details (albeit encrypted), and possibly 24 million accounts from subsidiary companies were stolen setting a new high. The breach ended up costing Sony an estimated $171m.
In June, Sony Pictures suffered the loss of over a million customer records, personal information and passwords stored without encryption. In August, Sony was on the end of a barrage of DDoS activity over 200Gbps, designed to boost the reputation of the group launching the attacks. They also used Twitter to create bomb threats against commercial airlines transporting Sony executives.
In other, concerning, news, two-factor authentication giant RSA announced that its systems had been breached by a nation-state backed actor, compromising its popular hardware tokens. Over the next months they had to increase manufacturing capacity sevenfold to replace all of the hardware tokens globally, at an estimated cost to companies using the system of $12 per token.
The Ponemon Institute cost of breach report for 2011 put the average breach cost for enterprises at $5.9m.
2012: activereach completes 4th year of trading & global supply of hard drives hit by malware…
2012 and 4G arrived in the UK, boosting mobile device communication capacity tenfold from 2Mbps to 20Mbps or more. Business-oriented social media platform LinkedIn was hacked losing over 164 million data records, e-mail addresses and password hashes, which were unsalted and easily cracked.
2012 – Curiosity and the supersonic man Felix Baumgartner
The hugely destructive Shamoon malware was identified when it was released against assets of the Saudi government. The malware stole data, erased and corrupted local files, and damaged hard drive boot sectors using a so-called “logic bomb” preventing easy recovery. Rebuilding that many damaged devices impacted the global supply of hard drives for a time.
2013: activereach completes 5th year of trading & litigation hits Yahoo big time…
The international standard for information security management, ISO 27001 was substantially revised in 2013. However, this was blotted out from the popular imagination when contractor and former member of the CIA, Edward Snowden, leaked thousands of documents; blowing the lid off a wide range of mass surveillance activities conducted by the US NSA and members of the five eyes intelligence alliance. People are still wondering what side of the moral line that act fell on.
Maximum DDoS attack volume seen soared to over 300Gbps with the attack on Spamhaus.
Tumblr was breached losing 65 million records. The passwords were hashed and salted, rendering the data nearly useless – criminals sold the data for $150 on the black market.
Tumblr “Did you see that? I lost 65 million records. At least I salted the hash.”
Yahoo “Hold my beer and watch this.”
Yahoo reported that one billion of its user accounts had been affected by a breach. This was later revised upwards to all of its three billion accounts. 43 consumer class action lawsuits arrived on the company doorstep shortly afterwards. Their top lawyer resigned.
Ponemon Institute reports the average cost of cybercrime to enterprises in 2013 was $7.2m.
Maximum DDoS attack volume seen reached 400Gbps.
2014: activereach completes 6th year of trading & Bitcoin comes crashing down…
By 2014, Mt.Gox had become the largest Bitcoin exchange in the world, accounting for, perhaps, ¾ of all transactions. It was not all plain sailing though, running into legal difficulties and facing seizures of assets by government departments. However, it all imploded in February – 745,000 Bitcoins were stolen (worth about $473m). The site closed down, the company filed for bankruptcy protection and the CEO was eventually arrested in Japan and put on trial. The value of Bitcoins plunged 36% in the immediate aftermath. It seems amazing now that it did not derail the whole blockchain movement.
2015: activereach completes 7th year of trading & the Ashley Madison breach really hurts…
There was plenty of discussion in 2015 when adultery-enablement service Ashley Madison was hacked and 60GB of “customer” data was published by hackers in an apparent attempt to close down the company behind it. With some countries still having the death penalty for marital infidelity, and individuals being pushed to the brink of suicide by the revelations, it brought data subject rights of privacy into the spotlight for many people.
2016: activereach completes 8th year of trading & large-scale botnets of IoT devices strike home…
As if on cue, the EU published the new General Data Protection Regulation (GDPR) in 2016. The regulation establishes data subject rights over personal information and establishes a common set of requirements across EU member states for organizations of all types to enable those rights to be exercised, under the threat of headline-grabbing fines.
Meanwhile, the venerable Zeus trojan had evolved into the encrypted P2P botnet Gameover Zeus, and then elements were taken into the Dridex trojan, designed to extract banking credentials from computing devices. It is believed that the Dridex infection is responsible for tens of millions of dollars of theft from banks, including an attempt to steal $1bn – which succeeded in stealing $101m from Bangladesh Bank – and only didn’t net more because of a typo.
An expensive spelling mistake.
Ponemon Institute reports the average cost of cybercrime to enterprises in 2016 is $9.5m.
2016 – Brexit vote, UK Prime Minister Theresa May, US President Donald Trump
2016 was also notable for the massive DDoS attack on DNS provider Dyn. Major Internet services such as Twitter, Amazon, Github, Slack, Paypal, and many others were disrupted by a massive botnet of IoT devices conscripted using a software tool called Mirai. Mirai used a combination of techniques to ‘pwn’ IoT devices which had well-known default passwords, or hard-coded credentials. Those devices, even with limited CPU, when coordinated into botnets of tens to hundreds of thousands of devices, each with access to high capacity broadband, FTTC, and FTTP services, generated attacks exceeding 1Tbps.
2017: activereach completes 9th year of trading & ransomware attacks wreak havoc on a global scale…
2017 A one character buffer overflow bug in Cloudflare’s source code (the code required >=, but instead had ==), led to major websites like Uber, Fitbit, and 1Password, leaking customer data over several months. The Wannacry ransomware hit hundreds of thousands of devices across the world, bringing major disruption to the NHS.
The NotPetya malware caused chaos in Ukraine. Equifax somehow managed to lose 140 million records of consumers, and multi-billion finance management company Deloitte had to reveal that their main email system had been compromised, potentially for months, and that every single confidential email Deloitte had traded with customers in that time may have been visible to the attacker. Cue the next round of phishing e-mails to big business.
Ponemon Institute reports the average cost of cybercrime to enterprises in 2017 was $11.7m.
2018: activereach celebrates 10 years of trading & the number of data records stolen, lost, or exposed hits new heights…
2018 is not looking any better for businesses. We’ve seen nearly 1,000 breaches announced since the start of the year. Facebook joined the exclusive club of breaches of more than a billion records, Exactis, Twitter, Under Armour, BA, and many others have been hit. Some worse than others. I don’t think we’re quite at the top of the hill yet.
PRC = Privacy Rights Clearinghouse, DBIR = Data Breach Incident Review, ITRC = Identity Theft Resource Centre
Looking ahead: A new dawn of cybersecurity threats & challenges, ready to be countered by the next big AI thing…
With over 50% of the Earth’s population now having access to a computer and the Internet, and the average total number of breached records each year approaching a billion records (albeit skewed by some massive recent ones), it seems likely that all of us have had our data appropriated at some point over the past few years. Possibly several times.
PRC = Privacy Rights Clearinghouse, DBIR = Data Breach Incident Review, BLI = Breach Level Index
The sudden jump in scale between 2012 and now makes the journey from 2008 to 2012 seem very flat and uninteresting, but this was where the seeds of insecurity were sown. The rise of mobile devices, cloud computing, and services pandering to the information collection obsession of organizations of all types has created an environment that may look daunting.
I can see brighter weather on the horizon, though. There is a swell of organizations trying to get the basics right. Machine learning techniques are maturing, offering new security tools to protect ourselves, and our customers. A new horizon of challenges and opportunities awaits us. Pick up your bags (and water bottles) – and let’s head into the next decade reinvigorated, adapting to the new steeper paths and rarified air of an information economy in politically uncertain times.
Happy Birthday, activereach. Thank you for having me along.
This article was written by Max Pritchard, Senior Presales Consultant at activereach.