The cybersecurity stories that caught your attention in 2019 will likely repeat themselves during … [+]
There can be no doubt, as 2019 draws ever closer to an end, that it has been quite the year as far as cybersecurity is concerned. I have reported on everything from the world’s top 100 worst passwords to how Apple’s iPhone FaceID was “hacked” in less than 120 seconds. The year didn’t even start on a high note, with the revelation of the “Collection 1” data dump affecting more than 770 million people. Within a month, this had been followed by collections two to five, taking the total number of hacked accounts involved to 2.2 billion. Hardly surprising, then, that the first six months of 2019 alone saw data breaches expose more than 4 billion records. The most difficult story I had to write, though, was how one in six CISOs were self-medicating or abusing alcohol as a result of the stresses the job entails. The cybersecurity mental health warning doesn’t only affect those at the top of the corporate tree; security researchers are also at risk. The one thing that all the stories above have in common is that none of them feature in the top 10 of my cybersecurity stories as measured by how many of you were reading them. So, without further ado, here are the top 10 cybersecurity stories of 2019, which open a window onto the 2020 cyber threatscape.
1. The Google Camera app security threat to hundreds of millions of Android users (1.9 million views)
On November 19, I reported how security researchers had uncovered a vulnerability that affected users of the Google Camera and Samsung Camera apps. What did the researchers discover? Oh, only a way for an attacker to take control of smartphone camera apps and remotely take photos, record video, spy on your conversations by recording them as you lift the phone to your ear, identify your location, and more. All of this performed silently, in the background, with the user none the wiser. Will this be the last time I write about a high-profile, used by millions, smartphone app that comes with a high-rated vulnerability? I want to say yes, but the truth of the matter is that I doubt I’ll have to wait too long into 2020 before the first such story appears. If Google, with all the resources available to it, still misses threats like this, then the chances of smaller, less well-resourced development teams will be any different.
2. Critical security vulnerability for 40 million Galaxy and Note users (1.2 million views)
At the start of October, Samsung confirmed a whole bunch of vulnerabilities that affected users of the Galaxy S8, S9, S10 and Note 9 and 10 smartphones. The most serious of the 21 security issues revealed by the October security maintenance release (SMR) was a critical vulnerability with the potential to impact a total of 40 million Galaxy S9 and Note 9 users. Although the vulnerability was fixed in that SMR, the problem of the threat window being open between the disclosure of the problem and the point when end-users could apply the patch remains problematical. As an Android user is all too aware, the fragmentation of the smartphone ecosystem means that security updates are rarely rolled out to everyone immediately. This is a problem that won’t be going away in 2020. On December 9, I wrote about an Android “permanent denial of service” vulnerability across versions eight through ten of the smartphone operating system. This was fixed by the December security update that was quickly rolled out. As I write this on December 27, my Note 10+ 5G has yet to receive that patch.
3. U.S. Government steps in to warn Windows users to update now (1 million views)
The updates theme continues with this story that focused on the United States Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) issuing a warning to Windows users in the light of a critical security vulnerability. The threat in question being BlueKeep, and the update issue being that older versions of the Windows operating system were at risk as they were not being updated with the relevant patch. This despite Microsoft making an out-of-band fix available for systems running on Windows XP. As Windows 7 reaches end-of-life status on January 14, 2020, I doubt it will be the last time we see security issues such as this.
4. New Orleans declares state of emergency following cyber-attack (731,000 views)
On October 2, the FBI issued a “high-impact” cyber-attack warning in response to ransomware attacks on state and local government targets. The FBI issued mitigation advice that included updating operating systems, software, and device firmware with the latest security patches and ensuring data was backed up regularly and those backups verified. Fast-forward to December 14, and the City of New Orleans declared a state of emergency following, yep you guessed it, a ransomware attack. Given that the state of Louisiana had already come under attack in November, and 23 government agencies in Texas were taken offline following a cyber-attack in August, I’m sadly all but sure I’ll be writing similar reports in 2020.
5. Samsung firmware updates confusion (590,000 views)
This report covered another Samsung smartphone update story, but not relating to a critical vulnerability in Galaxy and Note devices this time. Instead, it concerned an app that had been downloaded by 10 million Samsung users that was designed to help manage firmware updates, and so improve the security of those devices. Security researchers warned that the app wasn’t “officially affiliated with Samsung” and that users could find themselves paying an annual fee to download free of charge updates. After a discussion with the app developers, who explained the misunderstandings of who the app was intended to be for and what problems it solved, the app was removed from Google Play while several updates were made. A good result with the developers taking note of concerns and taking immediate steps to rectify them. This is one story I hope will be repeated, in terms of outcome, during 2020.
6. Windows 10 update woes, part one (539,000 views)
Now you are probably wondering why there have been no Windows 10 security stories in the top 10 so far. If so, your concerns are about to be sated. And then some. Windows 10 update issues were a recurring theme for me during 2019, and rarely for positive reasons. This story is an excellent example of how Microsoft has got itself into something of a mess as far as the user perception of the Windows 10 update system is concerned. By this point in the year, October 9, users were already confused by the update process that promised to make their computers more secure but delivered more than just broken promises; a borked Windows Defender ATP for enterprise users being amongst the most serious. This particular story, however, involved Microsoft telling Windows 10 users to install updates in a specific order to prevent a multiple restart loop. I hope that 2020 will be the year that I stop writing about Windows 10 update problems. I’m not betting my house on it though.
7. Windows 10 update woes, part two (518,000 views)
On August 17, I reported how Microsoft confirmed an update warning for Windows 10 users as well as Windows 8.1 and Windows 7 and 8 for that matter. As well as causing black screens after the update for some users, this story warned about Visual Basic scripts that stopped working and impacted Microsoft Office users. As well as repeating my closing sentiment from story number six, I’d add that I expect to write about Office security problems into 2020 as well.
8. Windows 10 update woes, part three (515,000 views)
The Windows Defender Advanced Threat Protection (ATP) service breaking update to Windows 10 enabled the most surreal of headlines to be used for this story: Windows 10 Security Alert As Microsoft Says: ‘Do Not Install This Update.’ To be honest, I don’t think I can add any more here. Just another in a long line of Windows update-related stories from 2019 that I fear we won’t have seen the last of.
9. Google Gmail and Calendar credential-stealing threat warning (513,000 views)
Threat actors were found to be exploiting the incredible popularity of the Google Calendar and Gmail services to target a credential-stealing attack. The researchers described it as a “sophisticated scam” that employed the tight and automatic integration between different Google services against users to target them with malicious exploits. “Beyond phishing, this attack opens up the doors for a whole host of social engineering attacks,” Javvad Malik, a security awareness advocate at KnowBe4, said. Malik told me that to gain access to a building, for example, you could put in a calendar invite for an interview or similar face to face appointment such as building maintenance which, he warned “could allow physical access to secure areas.” Exploiting application functionality is an attack vector that is going nowhere in 2020, expect to see plenty more reporting on such things.
10. National Security Agency warns Windows users (473,000 views)
The final entry in this top 10 of cybersecurity stories that caught your attention across 2019 is directly related to number three in the list. Yep, it’s another BlueKeep warning. On Jun 7, I reported how the U.S. National Security Agency (NSA) had urged Microsoft Windows users to update now if their systems were not fully patched. This after Microsoft had already issued multiple update now warnings itself, such was the seriousness of the BlueKeep threat. I would expect, as older Windows operating system versions reach the end of life and end of support but not end of use, we will see more such threats emerging.