Cybersecurity in 2019: Top 9 stories that show what the future holds
This year was a big one for cybersecurity news, with plenty of stories worthy of inclusion in a year-end review. We’re going to focus on those stories that are not only significant in and of themselves, but which are also notable for what they tell us about the changing cybersecurity landscape. In other words, we’ll take you through the top stories of 2019 which help us see the shape of things to come.
With that in mind, here are our picks for the top cybersecurity events of 2019.
Microsoft kills password expiration
Earlier in the year, Microsoft announced that it was dropping the requirement to periodically change passwords from its list of best practices for enterprise IT managers. The reason? Many users find the practice annoying, and having to remember new passwords all the time is difficult. The end result of forcing users to constantly change their passwords is actually worse password security, because people end up using simplistic passwords or doing things like writing down their passwords on Post-it notes. Microsoft’s decision to get smart about passwords was seen by many observers as a move away from the rather old-fashioned approach to credentials represented by passwords, opening the door to more effective and up-to-date methods of authentication.
Baltimore under siege
Ransomware attacks on major cities have been in the news this year, but perhaps the most dramatic of these was the May 2019 attack on the city of Baltimore. The Maryland city’s core systems were inaccessible for weeks, and the total estimated cost of the attack, including mitigation costs and revenue lost during the incident, is expected to total over $18 million. Unfortunately, this probably won’t be the last large-scale cyberattack on a big city. While Baltimore dominated the headlines, it wasn’t the only municipality affected by ransomware attacks in 2019. Governments are attempting to keep pace with a changing threat landscape, but struggle with inadequate budgets and a lack of skilled personnel. The question isn’t “Will it happen again” but “Who’s next”?
California bans facial recognition
Lawmakers in California passed a three-year ban on the use of facial recognition technology in police body cameras, driven by concerns over citizen privacy and civil liberties. California wasn’t the first state to pass such a law — Oregon and New Hampshire had already done so — but given the size of the state’s economy as well as its political power, this law could have national repercussions. Congress has already considered facial recognition legislation as a consumer protection measure, but the California law moves the discourse into the realm of constitutional rights, and may encourage other states and municipalities to follow suit. In terms of the wider significance of the debate over facial recognition technology, these discussions provide evidence that the public and its elected representatives are waking up to the need to address the role of technology in the lives of citizens — especially where privacy is concerned.
Data breach at Capital One
News broke this summer of a large-scale data breach at Capital One — one of the worst ever for a financial institution. Over 100 million customer records were stolen in the breach, including thousands of Social Security numbers, bank account numbers, and Canadian social insurance numbers. While credit card numbers were (thankfully) not stolen, the Capital One data breach put millions of people at risk for identity theft — and of course compromised their privacy in the process. All in all, the incident confirms what security researchers and data breach experts have been saying: Organizations of all sizes can suffer data breaches, and businesses still have a lot of work to do in order to protect the privacy of their customers. Unfortunately, all of this means that we can probably look forward to more big breaches in 2020.
British Airways hit with massive GDPR fine
The government of the United Kingdom came down hard on British Airways after the airline exposed the personal information of over 500,000 customers in a data breach. The proposed penalty of £183 million (approximately $234 million) was one of the largest ever handed out under the new European digital privacy law, and a sign that EU regulatory bodies are taking the issue very seriously. Meanwhile, across the pond in the United States, California moved forward with their own data privacy law, the California Consumer Privacy Act. The law, slated to take effect in January 2020, is not as far-reaching as the GDPR, but is a sign that the movement toward digital privacy is gaining momentum worldwide.
Depressing news about password awareness
When Google introduced their Password Checkup extension for Chrome, they were sure they’d come up with a way to help people whose accounts had been compromised in data breaches. The extension automatically checks usernames and passwords at sign-in, and alerts those whose credentials have been part of a known data breach. Google kept statistics to track how well their extension was working. Shockingly, when notified that they were using compromised credentials and then given an opportunity to do a reset, a full 25% of users just went on using the old, unsafe credentials! The story was a sobering reminder that there is still much work to be done in 2020 to raise awareness of cybersecurity issues (good news for hackers and security podcasters alike).
Cyberwarfare has IRL effects
For the first time, a nation-state responded to a cyberattack with conventional military action, when Israel launched an airstrike on a target in Gaza in response to a purported cyberattack. This marks another escalation in the trend of cyberattacks having physical or “real world” consequences. Nation-state actors have already been implicated in the Triton malware attacks on industrial facilities in Saudi Arabia, and just this year, the US flexed its cyberwarfare muscles by infiltrating Russia’s power grid more aggressively than ever before. It remains to be seen if Israel’s action was a one-off, but if more countries begin stepping up their responses to cyberattacks to include physical retaliation, this year may be remembered as the start of a dangerous new phase in cyberwarfare.
A hacker finds redemption
Marcus Hutchins, a 25-year-old British security researcher who goes by the handle MalwareTech, had been facing a lengthy prison sentence due to his role in creating malicious software when he was a much younger man. Hutchins had been arrested in the United States after the DEF CON security conference in 2017, and has been in a kind of legal limbo ever since. The case was complicated by the fact that Hutchins had since mended his ways and become an important figure in the security research community, discovering a way to stop the devastating WannaCry ransomware which had been wreaking havoc with UK hospital networks in the same year he was arrested. After an outpouring of support and testimonials from the international security community, the judge presiding over the case sentenced Hutchins to time served and a year of supervised release, noting that Hutchins had clearly turned a corner in his life, and that he now had the potential to make a positive impact on the world, particularly since people with his skills are needed on the side of the “good guys”. It was nice to see a happy ending to Hutchins’s legal saga, but also significant, as it indicates that even our legal system is starting to recognize the vital contributions made by white hat hackers.
Apple opens up
Ending the year in review on another positive note, Apple seems to have opened up to the wider security research community more fully, expanding the iOS bug bounty program, making iOS developer devices available to researchers, and at long last implementing a Mac bug bounty program. The move marks a philosophical shift in Apple’s approach to macOS security in particular, which had previously leaned heavily toward “going it alone”, without seeking much in the way of outside help. In the words of Mac security researcher Patrick Wardle, Apple appears to be “growing up a little bit in terms of their security posture” and taking “a more emotionally mature approach to security”. That’s good news for security researchers, for Apple, and, of course, for Mac users.
These stories are important in their own right, but are doubly significant in that they may shed some light on what’s in store for us in 2020. And while no one can predict the future, we can say one thing with certainty about the coming year: SecureMac will be there to provide you with news, updates, and commentary on the world of digital privacy and security!