The biggest security stories of 2018

Like the year before it, 2018 had its share of security stories involving both local and international companies.

Data breaches were still plentiful, hardware vulnerabilities were uncovered and the Australian government took note with legislation.

CRN compiled the biggest cybersecurity stories that came out this year for your reading pleasure.

Intel reveals 'comprehensive' threat mitigation response to Spectre and Meltdown vulnerabilities

January

Intel vice president Stephen Smith said the chip giant is moving forward with a "comprehensive" threat mitigation plan that includes operating system and firmware updates that will be made available in the next "few weeks" in the wake of what is being referred to as Meltdown and Spectre microprocessor security holes.

"We have been working to put together a combination of operating system updates on the broadly used operating systems and some firmware updates that we developed that are specific to the configuration and operation of our processor," said Smith in a conference call with analysts on Wednesday night.

"That has all been developed with industry partners, tested with industry partners, working with OS vendors and with OEMs. We have been working at this for some time such that we'll be ready beginning in the next few days to start the deployment of the mitigations. It will probably take a few weeks before the mitigations we have in mind will all be available to customers."

Read more in the original story.

Vulnerabilities uncovered in Dell EMC data protection technology

January

Researchers discovered several vulnerabilities inside Dell EMC's data protection products that allowed attackers to gain full control of the systems.

Dell EMC's Avamar Server, NetWorker Virtual Edition, and Integrated Data Protection Appliance all contain a standard component – Avamar Installation Manager – which was vulnerable, according to findings from the security technology and services firm Digital Defense.  Researchers uncovered three vulnerabilities within Dell's data protection suite.

"Combining the three identified vulnerabilities, full compromise of the affected system is possible by modifying the configuration file," said Digital Defense, in a statement.

Read more in the original story.

Intel hit with multiple lawsuits over Meltdown, Spectre bugs

January

Intel faced three class-action lawsuits as it continued to grapple with fallout after acknowledging its chips were vulnerable to two massive security bugs.

The three complaints, which were filed in the days after revelations that Intel chips are vulnerable to these security bugs, cited Intel's "failure to disclose" the security vulnerability in a timely fashion.

"Intel has been aware of a material defect in its microchips that leaves its customers susceptible to unauthorised access by hackers… Intel knew of the material defect in its microchips and intentionally chose not to disclose the defect to its customers. Intel’s material defect can be patched — but patched computers, smartphones and devices suffer reduced performance," stated one of the lawsuits, filed in the District of Oregon.

Read more in the original story.

Meet the researcher who hacked his own computer and discovered Meltdown flaw

January

Daniel Gruss didn't sleep much the night he hacked his own computer and exposed a flaw in most of the chips made in the past two decades by hardware giant Intel.

The 31-year-old information security researcher and post-doctoral fellow at Austria's Graz Technical University had just breached the inner sanctum of his computer's central processing unit (CPU) and stolen secrets from it.

Until that moment, Gruss and colleagues Moritz Lipp and Michael Schwarz had thought such an attack on the processor's 'kernel' memory, which is meant to be inaccessible to users, was only theoretically possible.

Read more in the original story.

AMD says chips are also exposed to Spectre security flaw

January

Advanced Micro Devices (AMD) said its microprocessors were susceptible to both variants of the Spectre security flaw, days after saying its risk for one of them was "near zero".

The company said there was "no change" to its position on the susceptibility of its chips to Spectre, but shares fell as much as 4 percent after the first AMD announcement.

Security researchers disclosed a set of flaws that could let hackers steal sensitive information from nearly every modern computing device containing chips from Intel, AMD and ARM Holdings.

Read more in the original story.

Australia joins US condemnation of Russia over 'NotPetya' attack

February

The Australian Government joined the US and UK in its condemnation of Russia over the 'NotPetya' malware attack of June 2017, which brought business and critical infrastructure to a halt.

The Australian government stated that through consultation with the US and UK governments, as well as local intelligence agencies, it had found the incident to have been perpetrated by Russian state-sponsored actors.   

"The Australian Government condemns Russia’s behaviour, which posed grave risks to the global economy, to government operations and services, to business activity and the safety and welfare of individuals," the statement read.

Read more in the original story.

Precedent Communications, the company behind the Red Cross data breach, goes bust

26 February

Precedent Communications was operating at a substantial loss in the years leading up to the website developer being blamed for the biggest data breach in Australian history.

The company fell into liquidation in December 2017, 13 months after it was revealed that the personal records of 550,000 donors to the Red Cross Blood Service were exposed online. Precedent had been engaged to redesign and maintain the Red Cross' core website in 2015.

The breach exposed names, gender, physical and email addresses, phone numbers, dates of birth, and countries of birth when an anonymous individual came across a 1.74GB file containing 1.28 million records while scanning IP address ranges for publicly exposed web servers containing .sql files.

Read more in the original story.

Surveillance reseller Streamax beats NSW Police in court

March

A Sydney reseller specialising in surveillance technology successfully appealed against the police’s decision to revoke its licence, despite a corruption finding against a former director.

The NSW Civil & Administrative Tribunal reinstated the master security licence of Streamax Australia after finding that it should not have been revoked by NSW Police in June 2017.

Read more in the original story.

Github patches 4 million vulnerabilities in half a million repositories

March

Github announced the discovery of more than 4 million vulnerabilities located in 500,000 plus repositories.

In 2017, the code sharing site started vulnerability scanning for known Common Vulnerabilities and Exposures in its Ruby and JavaScript libraries, according to a March 21 blog post. The libraries are operated through the company's Dependency Graph which matches the code against the vulnerabilities.

Shortly after the program was launched, Github said 450,000 of the identified flaws had been resolved by 1 December, 2017 and its rate of vulnerabilities resolved in the first seven days of detection has been about 30 percent.

Read more in the original story.

Facebook says data misuse hit 87 million users, up from initial estimates

April

Facebook revealed the personal information of up to 87 million users may have been improperly shared with political consultancy Cambridge Analytica, up from a previous news media estimate of more than 50 million.

Most of the 87 million people whose data was shared with Cambridge Analytica, which worked on US president Donald Trump's 2016 campaign, were in the United States, Facebook chief technology officer Mike Schroepfer wrote in a blog post.

The company released a graph setting out the number of people it estimated had been affected from each country, which revealed 311,000 Australians' data may have been improperly shared.

Read more in the original story.

Australian government condemns Russian hackers for attack on Cisco devices

April

The Australian government condemned Russian state-sponsored hackers for a series of attacks against government agencies and businesses that targeted commercial Cisco routers and switches in 2017.

Following condemnation from US and UK counterparts, then-cybersecurity minister Angus Taylor said that the government had determined Russian "state-sponsored actors" were responsible for the attacks last year.

Taylor said in a statement that a number of Australian organisations were affected, though there was no indication that information had been successfully compromised.

Read more in the original story.

Intel unveils chip security tech powered by GPUs and machine learning to detect threats

April

Intel lifted the curtain on the company's first hardware-level security features to protect against sophisticated cyberattacks, and they already have buy-in from two major players.

Unveiled at the 2018 RSA Conference, the chipmaker's Intel Threat Detection Technology is a new brand for a set of silicon-level security capabilities while Intel Security Essentials is a new framework that aims to standardise built-in security features for the company's processors.

Intel had been working to ensure customers and partners that it takes security seriously following the January disclosure of the Meltdown and Spectre side-channel vulnerabilities that had a larger impact on Intel than its competitors.

Read more in the original story.

Twitter glitch leaves 330 million user passwords exposed

May

Twitter urged its more than 330 million users to change their passwords after a glitch caused some to be stored in readable text on its internal computer system rather than disguised by a process known as "hashing".

The social network company said it had resolved the problem and an internal investigation had found no indication passwords were stolen or misused by insiders.

"We fixed the bug and have no indication of a breach or misuse by anyone," chief executive Jack Dorsey said in a Tweet. "As a precaution, consider changing your password on all services where you’ve used this password."

Read more in the original story.

Kaspersky shifts all data for Australian customers from Russia to Switzerland

May

Kaspersky Lab moved the data it uses for Australian customers to Switzerland as it continued to respond to the "breakdown of trust" due to fears of Russian hacking.

The cybersecurity vendor said it would install 800 servers in a data centre in Zurich by the end of 2019 to store and process all information for users in Europe, North America, Singapore, Australia, Japan and South Korea, with more countries to follow.

Read more in the original story.

"Several hundred" budget Android devices shipped with pre-installed malware

May

Antivirus software vendor Avast discovered adware pre-installed on “several hundred” different Android device models and versions.

The company said a number of the devices affected were from manufacturers like ZTE and Archos, with the majority not certified by Google.

Avast said the adware was previously described by fellow antivirus provider Dr. Web and goes by the name of “Cosiloon”.

Read more in the original story.

Telstra freezes job ads after hack of Australian SaaS provider PageUp People

June

At least three major Australian organisations suspended recruitment activities after a malware infection at their recruitment portal provider PageUp People, amid concerns job applicants’ personal information was compromised.

Telstra, Australia Post and the Reserve Bank of Australia released advisories or notices on their websites after learning of the breach. 

“[PageUp People] have advised us that their investigation is continuing and while this is occurring we have suspended our use of their services,” Telstra human resources group executive Alex Badenoch wrote in a blog post.

Read more in the original story.

Security consultants mop up after PageUp breach

June

PageUp People, the embattled Melbourne-based recruitment software provider that last week revealed its systems had been breached, has turned to a pair of Australian cybersecurity consultancies for remediation.

The company, which develops a recruitment software service used by a range of major Australian businesses, including Coles, Telstra, Australia Post and Medibank, revealed last week it had been compromised after a malware infection the previous month.

PageUp admitted on Tuesday that its attackers had likely gained access to personal data relating to clients, placement agencies, applicants, references and our employees.

Read more in the original story.

DXC Technology's client fails government cybersecurity standards

June

Geoscientific research agency Geoscience Australia was vulnerable to cyber attacks and its ICT general controls were not sound, a report from the Australian National Audit Office (ANAO) revealed.

The report named DXC Technology as Geoscience Australia’s contracted ICT service provider, and is responsible for maintaining the security of ICT environment, including patch management.

“While DXC is responsible for ICT operations and security, Geoscience Australia remains accountable for its ICT security, including the administration and oversight of the service level agreement with DXC,” the report said.

Read more in the original story.

Cyanweb Solutions hit by "criminal hacking", website data and backups lost

July

Digital marketing and web provider Cyanweb Solutions lost nearly all customer data and backups after a “criminal hacking incident” that compromised one of its servers last week.

The three-staff, Perth-based company provides web design, hosting, online marketing and search engine optimisation for around 500 clients. The company did not have offsite backups in place.

According to an advisory posted on its website, "A professional hacking group attacked, infiltrated the server and destroyed all data, including all available backup data.

Read more in the original story.

Reddit says user data between 2005 and 2007 breached

August

Social media network Reddit revealed that a hacker broke into a few of its systems and accessed some user data, including current email addresses and a 2007 database backup containing old encrypted passwords.

A copy of an old database backup containing very early Reddit user data from the site's launch in 2005 through May 2007 was accessed by the hacker, the social media network said.

"Although this was a serious attack, the attacker did not gain write access to Reddit systems; they gained read-only access to some systems that contained backup data, source code and other logs," Reddit's founding engineer Christopher Slowe wrote on the site.

Read more in the original story.

Intel discloses another three chip flaws

August

Intel disclosed three more possible flaws in some of its microprocessors that could be exploited to gain access to certain data from computer memory.

The vendor's commonly used Core and Xeon processors were among the products that were affected, the company said.

"We are not aware of reports that any of these methods have been used in real-world exploits, but this further underscores the need for everyone to adhere to security best practices," the company said in a blog post.

Read more in the original story.

New Intel bugs hit virtual machines the hardest

August

Intel disclosed three more vulnerabilities within its server, client and workstation processors, signalling that security issues for the company's CPUs were far from over.

L1 Terminal Fault and two related vulnerabilities were similar to previously disclosed side-channel analysis security issues, including the Meltdown and Spectre variants that kicked off a new level of concern over CPU security when they were disclosed in January.

Read more in the original story.

Melbourne teen pleads guilty to Apple hacking

August

An Australian teenager pleaded guilty to hacking into the main computer network of Apple, downloading big internal files and accessing customer accounts, because he was a fan of the company.

The boy, 16, from Melbourne, broke into the company's mainframe from his suburban home many times over a year, The Age reported, citing statements by the teenager's lawyer in court.

The teen downloaded 90 gigabytes of secure files and accessed customer accounts without exposing his identity. When Apple became aware of the intrusion it contacted the US Federal Bureau of Investigation, which referred the matter to the Australian Federal Police (AFP), the newspaper said, quoting statements made in court.

Read more in the original story.

Huawei slams Australian 5G ban call

August

Huawei called the Australian government’s choice to ban it from the local 5G market a politically motivated decision, arguing it was devoid of a factual and equitable basis.

The federal government moved to restrict Huawei’s involvement in the rollout of 5G on the supposed grounds that its involvement exposed privacy concerns to the interests of Huawei's Chinese ownership.

“The Australian government's decision to block Huawei from Australia's 5G market is politically motivated, not the result of a fact-based, transparent, or equitable decision-making process," Huawei said in a statement.

Read more in the original story.

Public cloud used to power supercharged DDoS attacks

September

Public cloud was increasingly used by hackers to launch DDoS attacks, with a quarter of criminals using such services to launch malicious attacks between July 2017 and July 2018.

The number increased significantly compared to the previous 12 months when just 18.5 percent of attacked exploited public cloud services, according to research by Link11's Security Operation Center (LSOC). 

Microsoft Azure was the most used platform abused by hackers, with 38.7 percent of attacks originating from there, while AWS was used in 32.7 percent of incidents. Google lagged behind, being used for 10.7 percent of attacks.

Read more in the original story.

Charges laid over alleged $3 million business email compromise scam syndicate

September

NSW Police and the Australian Border Force (ABF) charged five members of an alleged Sydney-based coordinated fraud syndicate for their involvement in a business email scam.

Detectives from the NSW Police Crime Command’s Cybercrime Squad arrested a 36-year-old woman on Liverpool Street, a 20-year-old man and a 20-year-old woman at Chester Hill, another 36-year-old woman at Granville and a 43-year-old Nigerian national at the Villawood Immigration Detention Centre.

The group was allegedly involved in business email compromises to the value of more than $3 million, along with identity theft, romance scams and the fraudulent sale of goods.

Read more in the original story.

Equifax fined £500,000 for 2017 security breach

September

A British regulator fined credit reference company Equifax's UK arm Equifax Ltd £500,000 for failing to protect the personal information of up to 15 million people in Britain during a 2017 cyber attack.

The Information Commissioner's Office (ICO) said its investigation found that, although Equifax systems in the United States were compromised, Equifax Ltd was responsible for the personal information of its customers in Britain.

The cyber attack, which took place between 13 May and 30 July 2017 affected 146 million Equifax customers globally, the ICO said.

Read more in the original story.

Uber tpays US$148 million to settle data breach cover-up

September

Uber paid US$148 million for failing to disclose a massive data breach in 2016, marking a costly resolution to one of the biggest embarrassments and legal tangles the ride-hailing company had suffered.

The amount was the largest among attorneys general settlements in privacy cases. By comparison, the multi-state settlement with Target in 2017, over a breach in which 41 million people had their data stolen, was US$18.5 million.

Read more in the original story.

NSW govt's first cyber security strategy emerges

September

The NSW government unveiled its inaugural cyber security strategy, promising to introduce mandatory incident reporting and strengthen coordination in a bid to build a holistic approach to incident prevention and response.

The strategy, detailed a two-year action plan aimed at improving the state’s security posture using the government’s $20 million cyber security windfall in this year’s budget.

It set out an integrated approach to manage cyber security risks and respond to incidents across government.

Read more in the original story.

Facebook says big breach exposed 50 million accounts to full takeover

September

Facebook said that hackers stole digital login codes allowing them to take over nearly 50 million user accounts in its worst security breach ever, given the unprecedented level of potential access, adding to what was a difficult year for the company's reputation.

Facebook, which has more than 2.2 billion monthly users, said it was yet to determine whether the attacker misused any accounts or stole private information.

Chief executive Mark Zuckerberg described the incident as “really serious" in a conference call with reporters. His account was affected along with that of chief operating officer Sheryl Sandberg, a spokeswoman said.

Read more in the original story.

How VMtech and Cylance prevented a trojan attack on the Sydney Opera House

October

The Sydney Opera House (SOH) selected VMtech and Cylance to protect its approximately 1300 endpoints with Cylance's AI-based enterprise endpoint security.

As a non-profit funded by the NSW state government, the SOH is required to comply with data privacy and sovereignty laws.

On top of that, SOH management realised its database was a high-value target for cyber attackers who could compromise the information from its point of sale and ticketing systems, along with personal information from high-profile individuals that perform and the approximately 1.5 million who attend shows at the landmark each year.

Read more in the original story.

Facebook says data breach affected 29 million users

October

Cyber attackers stole data from 29 million Facebook accounts using an automated program that moved from one friend to the next, as the social media company said its largest-ever data theft hit fewer than the 50 million profiles it initially reported.

The company said it would message affected users over the coming days to tell them what type of information had been accessed in the attack.

The breach left users more vulnerable to targeted phishing attacks and could deepen unease about posting to a service whose privacy, moderation and security practices have been called into question by a series of scandals, cybersecurity experts and financial analysts said.

Read more in the original story.

Cathay Pacific reveals data breach, 9.4m passengers affected

October

Cathay Pacific Airways said that data of about 9.4 million passengers of Cathay and its unit Hong Kong Dragon Airlines had been accessed without authorisation.

860,000 passport numbers, about 245,000 Hong Kong identity card numbers, 403 expired credit card numbers and 27 credit card numbers with no card verification value (CVV) were accessed in the breach.

"We are very sorry for any concern this data security event may cause our passengers," Cathay Pacific chief executive Rupert Hogg said in a statement.

Read more in the original story.

Mirai botnet hacker ordered to pay US$8.6 million in damages

October

A 22-year-old hacker was ordered to pay US$8.6 million in damages and serve six months of house arrest for helping launch a series of massive cyber attacks, the office of the US Attorney for the District of New Jersey said.

Paras Jha was one of three people responsible for the Mirai Botnet, a network of more than 100,000 infected internet-connected devices. These corrupted systems were primarily used for financial gain in the form of advertising fraud but the botnet was also used to launch cyber attacks against business websites by flooding them with internet access requests.

Read more in the original story.

ASD chief Mike Burgess slams corporates contemplating “hacking back”

October

The chief of the Australian Signals Directorate, Mike Burgess, issued a blunt warning to Australia’s business community and their boards that mounting private offensive hacking attacks in the name of cyber or corporate security won’t be tolerated by the signals agency.

Tthe cyber tzar put a rare broadside into the business community for contemplating private offensive capabilities, revealing deep concerns within the government over some corporate behaviour.

“Worryingly I've heard of board rooms in Australia contemplating the prospect of hacking back to defend themselves against potential attacks,” Burgess told a room full of policy and security officials in Canberra.

Read more in the original story.

Arq Group addresses speculation over its involvement in China hacks

November

Arq Group, formerly known as Melbourne IT, issued a statement regarding speculation it was involved in a state-sponsored hacking attack.

Company secretary Anne Jordan explained that the statement was a response to the United States Department of Justice last week releasing an indictment as part of an investigation into supposedly-China-sponsored hacking against aerospace companies in 2013.

Read more in the original story.

Stuxnet is back, Iran admits

November

A new version of the infamous Stuxnet worm was used to attack Iranian government networks, according to reports.

The famous malware apparently re-emerged, with Israeli news programme Hadashot stating that Iran "has admitted in the past few days that it is again facing a similar attack, from a more violent, more advanced and more sophisticated virus than before, that has hit infrastructure and strategic networks".

Iranian General Gholam Reza Jalali also confessed that "recently we discovered a new generation of Stuxnet which consisted of several parts... and was trying to enter our systems," according to the Islamic Society of North America.

Read more in the original story.

Australia passes controversial encryption busting laws

December

Australia’s law enforcement agencies gained a wide range of new encryption-busting powers after Labor dropped all opposition to a highly contentious bill and let it pass without extra changes it claimed were needed.

The bill passed into law by 44 votes to 12 in the senate, having already cleared the lower house where just two MPs voted against it.

The law gives law enforcement the power to ask technology companies to create - and then seed - a vulnerability on "one or more target technologies that are connected with a particular person".

Read more in the original story.

Bill Shorten slammed over encryption busting bill

December

A contingent of Australia's technology community called out the Australian Labor Party for allowing the government's controversial encryption-busting to pass into law without any of the amendments it previously deemed were vital.

The Assistance and Access Bill grants Australia's law enforcement agencies powers to request tech companies to create and seed vulnerabilities on "one or more target technologies that are connected with a particular person."

The bill appeared to be defeated on the last day parliament will sit in 2018, until Labor leader Bill Shorten offered an olive branch to his rivals that night, agreeing to allow ALP senators to pass the bill without any of its own proposed amendments in order to empower law enforcement agencies before Christmas.

Read more in the original story.