Like the year before it, 2018 had its share of security stories involving both local and international companies.
Data breaches were still plentiful, hardware vulnerabilities were uncovered and the Australian government took note with legislation.
CRN compiled the biggest cybersecurity stories that came out this year for your reading pleasure.
Intel reveals 'comprehensive' threat mitigation response to Spectre and Meltdown vulnerabilities
Intel vice president Stephen Smith said the chip giant is moving forward with a "comprehensive" threat mitigation plan that includes operating system and firmware updates that will be made available in the next "few weeks" in the wake of what is being referred to as Meltdown and Spectre microprocessor security holes.
"We have been working to put together a combination of operating system updates on the broadly used operating systems and some firmware updates that we developed that are specific to the configuration and operation of our processor," said Smith in a conference call with analysts on Wednesday night.
"That has all been developed with industry partners, tested with industry partners, working with OS vendors and with OEMs. We have been working at this for some time such that we'll be ready beginning in the next few days to start the deployment of the mitigations. It will probably take a few weeks before the mitigations we have in mind will all be available to customers."
Vulnerabilities uncovered in Dell EMC data protection technology
Researchers discovered several vulnerabilities inside Dell EMC's data protection products that allowed attackers to gain full control of the systems.
Dell EMC's Avamar Server, NetWorker Virtual Edition, and Integrated Data Protection Appliance all contain a standard component – Avamar Installation Manager – which was vulnerable, according to findings from the security technology and services firm Digital Defense. Researchers uncovered three vulnerabilities within Dell's data protection suite.
"Combining the three identified vulnerabilities, full compromise of the affected system is possible by modifying the configuration file," said Digital Defense, in a statement.
Intel hit with multiple lawsuits over Meltdown, Spectre bugs
Intel faced three class-action lawsuits as it continued to grapple with fallout after acknowledging its chips were vulnerable to two massive security bugs.
The three complaints, which were filed in the days after revelations that Intel chips are vulnerable to these security bugs, cited Intel's "failure to disclose" the security vulnerability in a timely fashion.
"Intel has been aware of a material defect in its microchips that leaves its customers susceptible to unauthorised access by hackers… Intel knew of the material defect in its microchips and intentionally chose not to disclose the defect to its customers. Intel’s material defect can be patched — but patched computers, smartphones and devices suffer reduced performance," stated one of the lawsuits, filed in the District of Oregon.
Meet the researcher who hacked his own computer and discovered Meltdown flaw
Daniel Gruss didn't sleep much the night he hacked his own computer and exposed a flaw in most of the chips made in the past two decades by hardware giant Intel.
The 31-year-old information security researcher and post-doctoral fellow at Austria's Graz Technical University had just breached the inner sanctum of his computer's central processing unit (CPU) and stolen secrets from it.
Until that moment, Gruss and colleagues Moritz Lipp and Michael Schwarz had thought such an attack on the processor's 'kernel' memory, which is meant to be inaccessible to users, was only theoretically possible.
Australia joins US condemnation of Russia over 'NotPetya' attack
The Australian Government joined the US and UK in its condemnation of Russia over the 'NotPetya' malware attack of June 2017, which brought business and critical infrastructure to a halt.
The Australian government stated that through consultation with the US and UK governments, as well as local intelligence agencies, it had found the incident to have been perpetrated by Russian state-sponsored actors.
"The Australian Government condemns Russia’s behaviour, which posed grave risks to the global economy, to government operations and services, to business activity and the safety and welfare of individuals," the statement read.
Precedent Communications, the company behind the Red Cross data breach, goes bust
Precedent Communications was operating at a substantial loss in the years leading up to the website developer being blamed for the biggest data breach in Australian history.
The company fell into liquidation in December 2017, 13 months after it was revealed that the personal records of 550,000 donors to the Red Cross Blood Service were exposed online. Precedent had been engaged to redesign and maintain the Red Cross' core website in 2015.
The breach exposed names, gender, physical and email addresses, phone numbers, dates of birth, and countries of birth when an anonymous individual came across a 1.74GB file containing 1.28 million records while scanning IP address ranges for publicly exposed web servers containing .sql files.
GitHub patches 4 million vulnerabilities in half a million repositories
GitHub announced the discovery of more than 4 million vulnerabilities located in 500,000 plus repositories.
Shortly after the program was launched, GitHub said 450,000 of the identified flaws had been resolved by 1 December, 2017 and its rate of vulnerabilities resolved in the first seven days of detection has been about 30 percent.
Facebook says data misuse hit 87 million users, up from initial estimates
Facebook revealed the personal information of up to 87 million users may have been improperly shared with political consultancy Cambridge Analytica, up from a previous news media estimate of more than 50 million.
Most of the 87 million people whose data was shared with Cambridge Analytica, which worked on US president Donald Trump's 2016 campaign, were in the United States, Facebook chief technology officer Mike Schroepfer wrote in a blog post.
The company released a graph setting out the number of people it estimated had been affected from each country, which revealed 311,000 Australians' data may have been improperly shared.
Australian government condemns Russian hackers for attack on Cisco devices
The Australian government condemned Russian state-sponsored hackers for a series of attacks against government agencies and businesses that targeted commercial Cisco routers and switches in 2017.
Following condemnation from US and UK counterparts, then-cybersecurity minister Angus Taylor said that the government had determined Russian "state-sponsored actors" were responsible for the attacks last year.
Taylor said in a statement that a number of Australian organisations were affected, though there was no indication that information had been successfully compromised.
Intel unveils chip security tech powered by GPUs and machine learning to detect threats
Intel lifted the curtain on the company's first hardware-level security features to protect against sophisticated cyberattacks, and they already have buy-in from two major players.
Unveiled at the 2018 RSA Conference, the chipmaker's Intel Threat Detection Technology is a new brand for a set of silicon-level security capabilities while Intel Security Essentials is a new framework that aims to standardise built-in security features for the company's processors.
Intel had been working to assure customers and partners that it takes security seriously following the January disclosure of the Meltdown and Spectre side-channel vulnerabilities that had a larger impact on Intel than its competitors.
Twitter glitch leaves 330 million user passwords exposed
Twitter urged its more than 330 million users to change their passwords after a glitch caused some to be stored in readable text on its internal computer system rather than disguised by a process known as "hashing".
The social network company said it had resolved the problem and an internal investigation had found no indication passwords were stolen or misused by insiders.
"We fixed the bug and have no indication of a breach or misuse by anyone," chief executive Jack Dorsey said in a Tweet. "As a precaution, consider changing your password on all services where you’ve used this password."
Kaspersky shifts all data for Australian customers from Russia to Switzerland
Kaspersky Lab moved the data it uses for Australian customers to Switzerland as it continued to respond to the "breakdown of trust" due to fears of Russian hacking.
The cybersecurity vendor said it would install 800 servers in a data centre in Zurich by the end of 2019 to store and process all information for users in Europe, North America, Singapore, Australia, Japan and South Korea, with more countries to follow.
Telstra freezes job ads after hack of Australian SaaS provider PageUp People
At least three major Australian organisations suspended recruitment activities after a malware infection at their recruitment portal provider PageUp People, amid concerns job applicants’ personal information was compromised.
Telstra, Australia Post and the Reserve Bank of Australia released advisories or notices on their websites after learning of the breach.
“[PageUp People] have advised us that their investigation is continuing and while this is occurring we have suspended our use of their services,” Telstra human resources group executive Alex Badenoch wrote in a blog post.
PageUp People, the embattled Melbourne-based recruitment software provider that last week revealed its systems had been breached, has turned to a pair of Australian cybersecurity consultancies for remediation.
The company, which develops a recruitment software service used by a range of major Australian businesses, including Coles, Telstra, Australia Post and Medibank, revealed last week it had been compromised after a malware infection the previous month.
PageUp admitted on Tuesday that its attackers had likely gained access to personal data relating to clients, placement agencies, applicants, references and its employees.
DXC Technology's client fails government cybersecurity standards
Geoscientific research agency Geoscience Australia was vulnerable to cyber attacks and its ICT general controls were not sound, a report from the Australian National Audit Office (ANAO) revealed.
The report named DXC Technology as Geoscience Australia’s contracted ICT service provider, responsible for maintaining the security of the ICT environment, including patch management.
“While DXC is responsible for ICT operations and security, Geoscience Australia remains accountable for its ICT security, including the administration and oversight of the service level agreement with DXC,” the report said.
Reddit says user data between 2005 and 2007 breached
Social media network Reddit revealed that a hacker broke into a few of its systems and accessed some user data, including current email addresses and a 2007 database backup containing old encrypted passwords.
A copy of an old database backup containing very early Reddit user data from the site's launch in 2005 through May 2007 was accessed by the hacker, the social media network said.
"Although this was a serious attack, the attacker did not gain write access to Reddit systems; they gained read-only access to some systems that contained backup data, source code and other logs," Reddit's founding engineer Christopher Slowe wrote on the site.
Intel disclosed three more possible flaws in some of its microprocessors that could be exploited to gain access to certain data from computer memory.
The vendor's commonly used Core and Xeon processors were among the products that were affected, the company said.
"We are not aware of reports that any of these methods have been used in real-world exploits, but this further underscores the need for everyone to adhere to security best practices," the company said in a blog post.
Intel disclosed three more vulnerabilities within its server, client and workstation processors, signalling that security issues for the company's CPUs were far from over.
L1 Terminal Fault and two related vulnerabilities were similar to previously disclosed side-channel analysis security issues, including the Meltdown and Spectre variants that kicked off a new level of concern over CPU security when they were disclosed in January.
An Australian teenager pleaded guilty to hacking into the main computer network of Apple, downloading big internal files and accessing customer accounts, because he was a fan of the company.
The boy, 16, from Melbourne, broke into the company's mainframe from his suburban home many times over a year, The Age reported, citing statements by the teenager's lawyer in court.
The teen downloaded 90 gigabytes of secure files and accessed customer accounts without exposing his identity. When Apple became aware of the intrusion it contacted the US Federal Bureau of Investigation, which referred the matter to the Australian Federal Police (AFP), the newspaper said, quoting statements made in court.
Huawei called the Australian government’s choice to ban it from the local 5G market a politically motivated decision, arguing it was devoid of a factual and equitable basis.
The federal government moved to restrict Huawei’s involvement in the rollout of 5G on the supposed grounds that its involvement exposed privacy concerns to the interests of Huawei's Chinese ownership.
“The Australian government's decision to block Huawei from Australia's 5G market is politically motivated, not the result of a fact-based, transparent, or equitable decision-making process,” Huawei said in a statement.
Public cloud used to power supercharged DDoS attacks
Public cloud was increasingly used by hackers to launch DDoS attacks, with a quarter of criminals using such services to launch malicious attacks between July 2017 and July 2018.
The number increased significantly compared to the previous 12 months, when just 18.5 percent of attacks exploited public cloud services, according to research by Link11's Security Operation Center (LSOC).
Microsoft Azure was the platform most abused by hackers, with 38.7 percent of attacks originating from there, while AWS was used in 32.7 percent of incidents. Google lagged behind, being used for 10.7 percent of attacks.
Charges laid over alleged $3 million business email compromise scam syndicate
NSW Police and the Australian Border Force (ABF) charged five members of an alleged Sydney-based coordinated fraud syndicate for their involvement in a business email scam.
Detectives from the NSW Police Crime Command’s Cybercrime Squad arrested a 36-year-old woman on Liverpool Street, a 20-year-old man and a 20-year-old woman at Chester Hill, another 36-year-old woman at Granville and a 43-year-old Nigerian national at the Villawood Immigration Detention Centre.
The group was allegedly involved in business email compromises to the value of more than $3 million, along with identity theft, romance scams and the fraudulent sale of goods.
A British regulator fined credit reference company Equifax's UK arm Equifax Ltd £500,000 for failing to protect the personal information of up to 15 million people in Britain during a 2017 cyber attack.
The Information Commissioner's Office (ICO) said its investigation found that, although Equifax systems in the United States were compromised, Equifax Ltd was responsible for the personal information of its customers in Britain.
The cyber attack, which took place between 13 May and 30 July 2017, affected 146 million Equifax customers globally, the ICO said.
Uber pays US$148 million to settle data breach cover-up
Uber paid US$148 million for failing to disclose a massive data breach in 2016, marking a costly resolution to one of the biggest embarrassments and legal tangles the ride-hailing company had suffered.
The amount was the largest among attorneys general settlements in privacy cases. By comparison, the multi-state settlement with Target in 2017, over a breach in which 41 million people had their data stolen, was US$18.5 million.
The NSW government unveiled its inaugural cyber security strategy, promising to introduce mandatory incident reporting and strengthen coordination in a bid to build a holistic approach to incident prevention and response.
The strategy detailed a two-year action plan aimed at improving the state’s security posture using the government’s $20 million cyber security windfall in this year’s budget.
It set out an integrated approach to manage cyber security risks and respond to incidents across government.
Facebook says big breach exposed 50 million accounts to full takeover
Facebook said that hackers stole digital login codes allowing them to take over nearly 50 million user accounts in its worst security breach ever, given the unprecedented level of potential access, adding to what was a difficult year for the company's reputation.
Facebook, which has more than 2.2 billion monthly users, said it was yet to determine whether the attacker misused any accounts or stole private information.
Chief executive Mark Zuckerberg described the incident as “really serious” in a conference call with reporters. His account was affected along with that of chief operating officer Sheryl Sandberg, a spokeswoman said.
How VMtech and Cylance prevented a trojan attack on the Sydney Opera House
The Sydney Opera House (SOH) selected VMtech and Cylance to protect its approximately 1300 endpoints with Cylance's AI-based enterprise endpoint security.
As a non-profit funded by the NSW state government, the SOH is required to comply with data privacy and sovereignty laws.
On top of that, SOH management realised its database was a high-value target for cyber attackers who could compromise the information from its point of sale and ticketing systems, along with personal information from high-profile individuals who perform and the approximately 1.5 million who attend shows at the landmark each year.
Facebook says data breach affected 29 million users
Cyber attackers stole data from 29 million Facebook accounts using an automated program that moved from one friend to the next, as the social media company said its largest-ever data theft hit fewer than the 50 million profiles it initially reported.
The company said it would message affected users over the coming days to tell them what type of information had been accessed in the attack.
The breach left users more vulnerable to targeted phishing attacks and could deepen unease about posting to a service whose privacy, moderation and security practices have been called into question by a series of scandals, cybersecurity experts and financial analysts said.
Mirai botnet hacker ordered to pay US$8.6 million in damages
A 22-year-old hacker was ordered to pay US$8.6 million in damages and serve six months of house arrest for helping launch a series of massive cyber attacks, the office of the US Attorney for the District of New Jersey said.
Paras Jha was one of three people responsible for the Mirai Botnet, a network of more than 100,000 infected internet-connected devices. These corrupted systems were primarily used for financial gain in the form of advertising fraud but the botnet was also used to launch cyber attacks against business websites by flooding them with internet access requests.
ASD chief Mike Burgess slams corporates contemplating “hacking back”
The chief of the Australian Signals Directorate, Mike Burgess, issued a blunt warning to Australia’s business community and their boards that mounting private offensive hacking attacks in the name of cyber or corporate security won’t be tolerated by the signals agency.
The cyber tzar delivered a rare broadside to the business community for contemplating private offensive capabilities, revealing deep concerns within the government over some corporate behaviour.
“Worryingly I've heard of board rooms in Australia contemplating the prospect of hacking back to defend themselves against potential attacks,” Burgess told a room full of policy and security officials in Canberra.
Arq Group addresses speculation over its involvement in China hacks
Arq Group, formerly known as Melbourne IT, issued a statement regarding speculation it was involved in a state-sponsored hacking attack.
Company secretary Anne Jordan explained that the statement was a response to the United States Department of Justice last week releasing an indictment as part of an investigation into supposedly China-sponsored hacking against aerospace companies in 2013.
A new version of the infamous Stuxnet worm was used to attack Iranian government networks, according to reports.
The famous malware apparently re-emerged, with Israeli news programme Hadashot stating that Iran "has admitted in the past few days that it is again facing a similar attack, from a more violent, more advanced and more sophisticated virus than before, that has hit infrastructure and strategic networks".
Iranian General Gholam Reza Jalali also confessed that "recently we discovered a new generation of Stuxnet which consisted of several parts... and was trying to enter our systems," according to the Islamic Society of North America.
Australia passes controversial encryption busting laws
Australia’s law enforcement agencies gained a wide range of new encryption-busting powers after Labor dropped all opposition to a highly contentious bill and let it pass without extra changes it claimed were needed.
The bill passed into law by 44 votes to 12 in the senate, having already cleared the lower house where just two MPs voted against it.
The law gives law enforcement the power to ask technology companies to create - and then seed - a vulnerability on "one or more target technologies that are connected with a particular person".
A contingent of Australia's technology community called out the Australian Labor Party for allowing the government's controversial encryption-busting bill to pass into law without any of the amendments it previously deemed vital.
The Assistance and Access Bill grants Australia's law enforcement agencies powers to request tech companies to create and seed vulnerabilities on "one or more target technologies that are connected with a particular person."
The bill appeared to be defeated on the last day parliament will sit in 2018, until Labor leader Bill Shorten offered an olive branch to his rivals that night, agreeing to allow ALP senators to pass the bill without any of its own proposed amendments in order to empower law enforcement agencies before Christmas.