This year has been a busy one for cybercriminals and their foes. As more of our economy moves online both the crooks and the police have shifted their focus, resulting in more extreme breaches and more extensive legal action. For those who slept through the year in cybersecurity, here are the highlights.
1. Support ends for Windows XP
As arguably the most successful desktop and laptop OS ever invented, Windows XP is still widely used in domestic and corporate settings. Launched in 2001, it had survived 13 years when Microsoft decided to pull support for it in April of this year, hoping that its customers would switch to newer software.
At the time as much of a quarter of desktop and laptop users were still using it, and many public services such as the NHS had to scramble deals with Microsoft to continue support for a few more years. That said much of the panic over security implications turned out to overblown, with only a few big hacks connected to the sustained use of Windows XP.
2. Heartbleed breaks the internet
Few of the discussions in the cybersecurity industry make their way directly to the mainstream, but the Heartbleed OpenSSL bug was an exception to that rule. The flaw, which had existed since March 2012, allowed hackers to listen into conversations between web servers and users, facilitating the easy theft of passwords.
Websites as big as Facebook, Instagram and even Google swiftly issued patches, advising users to change their passwords as soon as possible. The hack also highlighted how rife password reuse across sites was, meaning that hackers could take one credential and use it to break into multiple accounts belonging to one person – a theme that has persisted since.
3. Antivirus declared ‘dead’
Perimeter security has often taken flak for the weakness of cybersecurity, partly because it is the first line of defence. Yet until Brian Dye, SVP of information security at Symantec, told the Wall Street Journal in May that antivirus "is dead", few people had been so brazen as to admit it to their customers.
Dye added that antivirus software only catches 45% of attacks, and that the company no longer thought of it as a good means of making money. Though for Symantec it was a repositioning exercise, for the rest of the world it was a huge admission that the hackers could get in if they wanted.
Content from our partners
4. eBay breach leaks masses of data
The auction site eBay had a nasty shock later that May as 145 million of its customers were hit by a breach of the database that contained customers details, including names, encrypted passwords, physical addresses, phone numbers, emails and dates of birth.
Despite the breach happening between February and March it took the company months to find out, and slightly longer still to let its customers know. This prompted a group in the US to file a class action lawsuit against the company in July, alleging the security measures in place had been inadequate.
5. Chinese hackers indicted by US jury
The US and China have spent much of the year warily eyeing one another up, each investing time and money in developing weapons and defences online while accusing the other of behaving badly.
This standoff reached a climax in May as a grand jury in Pennsylvania indicted five Chinese hackers for attacking American industry in energy and metal. The move was strictly symbolic, but annoyed the Asian superpower nonetheless. Yet since then the cold cyber-war has continued unabated.
6. GameOver Zeus botnet taken down
The trojan GameOver Zeus gained infamy in the cybersecurity industry for its botnet, a network of infected computers that helped to distribute CryptoLocker, the most significant piece of ransomware in the wild at that time.
A coalition of international police decided to make a move against the criminals, which were thought to be operating out of Ukraine and Russia. The subsequent takedown of the botnet in June crippled the virus for some weeks, though cybersecurity workers observed it returning some months later, and other ransomware has also surfaced.
7. Naked celeb photos leaked from iCloud
The internet went crazy this August when it was revealed that naked photos of numerous celebrities had been leaked to the internet via the image board 4chan, in an event that came to be known as CelebGate or, more amusingly, "the Fappening".
It transpired was that various iCloud accounts had been hacked, with some websites reporting that such photos had circulated for some time before the story became mainstream. The result was a stream of recriminations from the press and the celebrities involved, with Jennifer Lawrence labelling the hack "a sex crime".
8. Shellshock shakes up system admins
After Heartbleed many thought other zero days would emerge from hiding, but few would have predicted another bug on the same scale. As it happened, a flaw with an even bigger potential to disrupt came along at the end of September, affecting the Bash command line used by Linux, Unix and Mac.
Estimates for how many machines could be affected went as high at 500 million, with security experts warning that some legacy systems would be difficult to patch. Various permutations suggested it created a range of vulnerabilities, including remote hacking, but little has been heard of it since.
9. Home Depot suffers Target-esque breach
The breach against US retailer Target at the end of 2013 highlighted the dangers facing point-of-sales (PoS) terminals, and it was only a matter of time before more shops were compromised.
Halfway through September Home Depot, a US hardware store, revealed that 56 million cards had been exposed in a five month long attack on its payments systems. Even though the store had started to fully encrypt its financial data earlier in the year, the hackers ultimately proved faster.
10. 83 million JP Morgan customers hacked
In October JP Morgan revealed to US authorities that 83 million of its customers had been hit in a cyber-attack earlier in the year, in one of the most serious hacks against a bank ever perpetrated.
Warnings that the company had suffered an intrusion began circulating earlier in the year as the company tried to ascertain the damage. Fortunately the bank did not see any "unusual customer fraud" in relation to the attack, which included mere contact details as opposed to more sensitive social security information and dates of birth.
11. Silk Road brought down for second time
The Tor anonymity network was originally developed for political campaigners, but quickly attracted the attention of those looking to sell illegal items online. One such site, Silk Road, was particularly successful at aiding the drug trade until the FBI arrested Ross "Dread Pirate Roberts" Ulbricht, accusing the young man of running the dark website.
After the arrest another iteration of the site sprang up in its place, with Blake "Defcon" Benthall alleged by the police to have been heading it up. A mole planted in the admin team eventually allowed the FBI to shut down the site again in November, though many think others like it will surely take over its role.
12. Sony films and employee data plundered
Sony has been victim to a number of attacks on their systems, including a previous hit on the PlayStation Network that landed them a £250,000 fine from the Information Commissioner’s Office.
This time round the breach was far more serious, with Sony Pictures systems being rendered unusable for a week, and reams of company data being stolen. Five of the company’s films waiting to be released to cinema or DVD were leaked online, and data dumps revealed that 47,000 employee social security numbers had been stolen, in what may be the worst corporate hack ever.
