2019 is almost over. On many levels, it has been a memorable year; technology continued to show its prowess and agility, especially given the number of security threats. These security threats came in many forms, from the standard to the “I never thought that could happen,” but no matter how the data breaches occurred, we are still far removed from living a life where technology is secure. Let’s look at the year of insecurity that was 2019.
1. Container threats
Containers have become the darling of the enterprise–they make it possible for businesses to deploy microservices and applications at an unheard-of rate and scale–but with that popularity comes the threat of attack. One of the most obvious points of entry is the container image. There was a significant rise in security issues within container images in 2019.
Many developers are removing unofficial images from official repositories, which illustrates that the initial point of entry needs serious vetting and security. Considering how many containers are deployed from vulnerable images (until the likes of figured out how to better secure the images housed on the platform) containers continue to include a level of risk many businesses aren’t willing to take.
The lesson? If you’re serious about your container security, use only official images or build your own.
2. The rise of Kubernetes tools
Tools like Harbor, Clair, Istio, and Grafeas have been cast into the spotlight to bring some much-needed security to the Kubernetes landscape. Although some of these tools have been around a while, it wasn’t until 2019 they received the attention they deserved. If this year was any indicator, look for these tools to become even more popular, and I expect more new security platforms will join the fray.
Kubernetes will remain at the top of the enterprise heap and will be the target of more attacks. Security tools will be at a premium in 2020–you can count on that.
According to IDC, the global Android market share rose to 87% in 2019. With over 2.5 billion active Android devices, logic dictates that it is the biggest target for attacks, and logic is correct. Attacks like xHelper and Joker, as well as the adware attacks found in Google Play Store apps, prove that Android has a way to go before it can claim to be a fully secure platform.
Fortunately, Google is always working to harden the operating system; only recently, it announced that it is looking into moving toward the Linux mainline kernel. If that happens, the Android kernel could be updated in a timely fashion, giving it a much-needed security boost.
4. Capital One breach
In the Capital One breach, over 106 million records were stolen–in fact, it’s one of the biggest breaches in history. The hacker, Paige Thompson, breached the servers of a third-party cloud company used by Capital One. Thompson then exploited a misconfigured web app to gain access to the Capital One data, which included names, addresses, ZIP codes, phone numbers, email addresses, birthdates, self-reported income, and over 140,000 Social Security numbers and 80,000 linked bank account numbers. This breach cost the company between $100-$150 million. After the breach, Capital One provided the affected customers’ free credit monitoring to prevent a landslide of legal actions.
5. Evite breach
If it had not been for Capital One, the Evite breach would have been the largest in history. One hundred million records were breached from an inactive data storage file. The information was from 2013 and earlier, and it included names, usernames, email addresses, passwords, birthdates, phone numbers, and mailing addresses. Fortunately, Social Security numbers, bank account information, and credit card numbers were not part of the information stolen because the company doesn’t store that information.
6. DoorDash breach
DoorDash was the victim of a much smaller breach than the previous two. At only 4.9 million affected people, the DoorDash breach might seem like a pittance, but it included driver’s license numbers for around 100,000 users, as well as names, email addresses, delivery addresses, phone numbers, and passwords. This dangerous breach affected only those who joined DoorDash prior to April 5, 2018.
7. American Medical Collection Agency breach
This could be one of the most disturbing breaches of the year. American Medical Collection Agency collects overdue payments for various medical labs and found itself the victim of a long-running breach that stole information, including Social Security numbers and bank account information. The breach affected more than 20 million people, and the stolen information was discovered on the Dark Web. The breach most likely occurred in the company’s online portal. American Medical Collection Agency has filed bankruptcy protection citing IT costs, lawsuits, and the loss of business.
8. Georgia Tech breach
Compared to the rest of the breaches, Georgia Tech’s 1.3 million user data theft might seem like a junior league effort, but this is another instance where Social Security numbers were stolen. The attacker accessed a central database maintained by the university that contained Social Security numbers, names, addresses, and birthdates of current/former students, faculty, and staff.
9. In-auto mobile phone use detection
From the office of “Big Brother is most certainly watching” comes the news that two UK police forces have launched technology that detects if drivers are using their mobile devices when driving. The use of phones while driving has been illegal in the UK since 2003, although the use of hands-free devices remains legal. This new technology detects GSM signals across 2/3/4G networks. The use of Bluetooth is also detected, so the system doesn’t trigger when a hands-free device is in use. A problem with the current system is that it cannot detect whether it is the driver or a passenger using the mobile device, so at the moment it is being used only as a warning system.
How is this security-related? Put yourself in the shoes of pedestrians or other drivers when someone is using their device while behind the wheel, or consider how the tech could be used if it were stolen.
10. Juice jacking
When I first heard the term juice jacking, I was fairly certain it was a news piece about an elementary school ruffian stealing juice boxes from innocent children. That is not the case.
Juice jacking was first implemented back in 2011 at a Defcon event called The Wall of Sheep, and it was front and center in 2019 when the Los Angeles district attorney warned travelers to avoid public USB charging stations because they could contain malware. It was reported that the malware could lock a device or export data and passwords. After issuing the warning, the chief prosecutor announced it had no cases of juice jacking on the books, and it eventually came out that this was nothing more than an ongoing fraud education campaign.
Although juice jacking is a reality, it’s an incredibly complicated hack to pull off, but this proof-of-concept illustrates that no device is truly secure.
There you have it–just a few of the security highlights that helped paint the tech canvas in 2019. Hundreds of millions of records were stolen, technology was created to assist the rising tide of data theft, and we’re seeing a rise of Black Mirror-type tech.
What does 2020 have in store for us? Only the shadow knows.