Ian Levy, technical director of the new National Cyber Security Centre, grabbed many headlines in 2016 as the government's new cyber-command centre in central London was established to become the public-facing body for tackling cyber-security issues. It has set the tone for how we speak about data breaches, how we educate the public and businesses about the many cyber-threats they now face, and how to go about solving them. Levy has set about cutting the FUD that surrounds the industry and getting down to the business of boosting cyber-protection.
2016 will forever be remembered as the year in which Theresa May, the UK's Prime Minister, implemented the Investigatory Powers Bill she had been responsible for introducing as Home Secretary. The bill is widely known as the ‘Snoopers' Charter', as it legitimises some existing data-gathering practices previously declared illegal and ushers in new spying powers which many view as invasive; it has been widely criticised for requirements such as encryption backdoors. It could yet be retracted due to a case currently before the European Court of Human Rights, brought by Labour MP Tom Watson. NSA leaker Edward Snowden described it as “the most invasive surveillance law introduced by a western democracy”, and it is bound to have ripple effects well into 2017 and beyond, with some civil liberties groups looking to challenge it in the courts.
It could be argued that security blogger Brian Krebs is responsible for alerting the information security industry to the Mirai botnet. While Europol took down DD4BC, a gang offering DDoS-as-a-service, Krebs blogged about another such gang from Israel, vDOS, which was caught because of a simple security vulnerability in its website that revealed its operators' identities. In retaliation, gangs blasted Krebs' website with a record-busting 620Gbps attack. Akamai, which was protecting Krebs at the time, dropped the blogger for “financial reasons”, which was followed by a further, even larger, 1.1Tbps attack on French web hosting company OVH. As it transpired, the same botnet was responsible for both attacks. A mere week or so later, the same still-unnamed botnet attacked Dyn, a DNS provider that supplies services to some of the major websites on the internet, such as Spotify and Reddit. Causing mass hysteria, user ‘Anna-Senpai' released the source code of the Mirai botnet on HackForums, claiming it could pull in over 300k IoT devices, all thanks to a list of some 60 default credentials that device owners forgot to change, or simply couldn't because they were ‘burned in'. The press went into meltdown, and FUD was spread as thick as brandy butter on Christmas day. Some security vendors, such as Digital Shadows, said the release of the Mirai code wasn't what it was painted to be, as it wasn't as easy to deploy as you might think; however, it did say that should a criminal possess the appropriate know-how, it could cause a lot of damage.
Highlighting the scale of the problem of unprotected Internet of Things devices in 2016, SANS dean of research Johannes Ullrich showed that exploits targeting the TR-064 and TR-069 router management protocols were almost certainly the cause of an outage that hit Deutsche Telekom customers. It was discovered that the routers were being used as part of a botnet. In a Facebook update, officials at the German ISP said 900,000 customers were vulnerable to the attacks until they rebooted their routers and installed an emergency patch. The Shodan search engine shows that 41 million devices leave port 7547 open, while about five million expose TR-064 services to the outside world.
Password sleuth Troy Hunt, who operates the website haveibeenpwned.com (and blogs at troyhunt.com), has had yet another busy year of notifying people affected by data breaches and getting the message out that password reuse, the cause of many mishaps online, is still very much a serious issue. Hunt deserves praise because his aim isn't simply to compile a long list of passwords: with every breach he blogs about, affecting the likes of the Red Cross, Michael Page, PayAsUGym, Dropbox, Bluesnap and others, he looks to educate about the need for improved behaviour from both businesses and users themselves. For example, Hunt is a strong advocate for the use of a password manager, as he claims the average person has well over 100 passwords. Likewise, as a consultant, Hunt advocates a ‘get the basics right' approach to businesses looking to protect their users' data.
The issue of data protection and privacy took many headlines in 2016, and Jan Philipp Albrecht, the German Green MEP, has remained a prominent campaigner on both. In his role as vice-chair of the European Parliament Committee for Civil Liberties, Albrecht brought forward the case to crack down on internet giants such as WhatsApp, Skype and other online messaging services for not taking users' privacy seriously enough. The move followed the news that Facebook was to share user data between WhatsApp and Facebook in order to better target advertising at users. The European Commission plans to publish a draft law on data privacy that aims to ensure instant-messaging and internet voice-call services face security and privacy rules similar to those governing SMS text messages, mobile calls and landline calls. Albrecht said: “It was obvious that there needs to be an adjustment to the reality of today. We see telecoms providers being replaced and those companies who seek to replace them need to be treated in the same way.”
Austrian lawyer Max Schrems is still fighting his case against social media giant Facebook, and in 2016 the Irish Data Commissioner kicked Schrems' latest Facebook complaint up to the Court of Justice of the EU. The move followed the collapse of the Safe Harbour agreement after a 2015 Court of Justice of the EU ruling in favour of Schrems, in which the court found that data held in America would not enjoy the same level of data protection as it would in Europe. Privacy Shield, the successor to the Safe Harbour agreement, was also found to be inadequate, and due to a Germany-based lawsuit it continues to face its fair share of legal challenges and critiques that could derail the trans-Atlantic pact. The lawsuit filed by Digital Rights Ireland (DRI), a digital rights nonprofit, challenges the efficacy of the protections promised by Privacy Shield. It claims that the agreement, which replaced the longstanding Safe Harbour deal, is still inadequate in protecting citizens' data and privacy. Speaking with news website EuroScientist at the 2016 Global Editors Network (GEN) Summit in Vienna earlier this year, Schrems said he thinks the proposed solutions to safeguard the privacy of European citizens have evolved, and asserted that the culture of privacy in Europe needs rebooting.
Under the leadership of Rob Wainwright, director of Europol, the law enforcement agency has had a busy year. Earlier in the year, Wainwright wrote an opinion piece for SC in which he predicted an upward trend in cyber-crime. He wrote, “What we see at Europol is that the volume, scope and material cost of cyber-crime all remain on an upward trend and have reached alarming levels. The relentless growth of illicit cyber-criminal markets remains a real and significant threat to our collective security in Europe.” Although arguably a somewhat self-fulfilling prophecy, the agency has taken down multiple gangs such as DD4BC, the Avalanche crime platform and various ATM gangs operating throughout Eastern Europe; been a founding member of the nomoreransom.org initiative; signed several MoUs; and even found time to work with the NCA and FBI on the Silver Shadow exercise, which was run by the UK's National Crime Agency and involved law enforcement officials from eight countries including the US, Georgia, Lithuania, Bulgaria and Ukraine. Also taking part were representatives from Europol's Joint Cyber Action Taskforce (J-CAT). The aim of the exercise was to see how investigators and prosecutors would work together in the event of a massive cyber-attack spanning many legal jurisdictions, with the goal of building an effective response to such incidents.
As the threat of ransomware continues to rise, Raj Samani, EMEA CTO of Intel Security, has played an important role in leading the crusade to defeat it. 2016 saw the launch of NoMoreRansom.org, a non-profit collaboration between Intel Security, Kaspersky Lab, Europol and the Dutch National Police, who are cracking variants of the malware and releasing ransomware decryption tools on their website. The website has had its fair share of successes, with over 6,000 victims saved from having to pay the ransom to the criminals. Later in the year, the likes of Bitdefender, Emsisoft, Check Point and Trend Micro joined the project as new associate partners. As a result, even more decryption tools have been added to nomoreransom.org, joining the eight tools already available free of charge to victims. Both the private sector and law enforcement are stepping up efforts to fight the cyber-criminals who are using ransomware to deprive their victims of large amounts of money. However, awareness remains key to stopping ransomware from being successful, and that is what the companies are keen to achieve.
Rather than just talking about the information security industry's skills shortage, Stephanie Daman, CEO of Cyber-Security Challenge UK, is at the forefront of those trying to rectify the problem. The Cyber-Security Challenge hosted another Masterclass final in early November, and the winner, 18-year-old Ben Jackson from Sussex, is also the competition's youngest entrant in its six-year history. The folks at Cyber-Security Challenge UK have also been involved in an initiative dubbed Qufaro, which is opening a new cyber-academy for Britain's brightest cyber-security talent at Bletchley Park, the former site of the Enigma code-cracking mission undertaken by British security services. Alastair MacWilson, chair of Qufaro and the Institute of Information Security Professionals, said: “Qufaro will make it easier for budding professionals to grow their cyber-security skills at every stage of their journey, and contribute more to the sector.”