From data breaches and the ransomware epidemic to new regulation and an outcry around data privacy, 2019 has been a wild ride for the infosec community. Threatpost breaks down the top news stories, trends and topics for this year.
For a lightly-edited transcript, see below.
Lindsey O’Donnell-Welch: Everyone, welcome to the Threatpost podcast. You’ve got Lindsey O’Donnell-Welch, Tom Spring and Tara Seals here today with Threatpost; Tom and Tara nice of you to join the podcast today.
Tom Spring: Thank you Lindsey.
Tara Seals: Yeah, thanks, Lindsey. Great to be here.
Lindsey: Yeah, well, this is a big podcast because the end of 2019 is fast approaching and it’s a good chance to look back on the year and and look at some of the biggest security stories that we’ve written about and there’s certainly been a lot this year for sure. So, instead of a news wrap for the week, I was thinking we could do a massive news wrap for the year end, and talk about the biggest trends and issues that we saw in 2019. And there’s really been a lot, right. Everything from from ransomware to misconfigured databases to privacy, definitely been a lot there.
Tom: Yeah, it’s been a really super interesting year. I will say that, you know, I was really surprised at a lot of the security and especially the some of the privacy news that popped up, this year specifically. You know, you read the predictions for, you know, 2019 from last year, and I was genuinely surprised by some of the issues that we had to deal with this year.
Lindsey: Yeah, we really did. And I know from a privacy standpoint, there were definitely a couple of different events there that that showed kind of a increasing level of suspicion against large brand connected devices. So I think people were kind of moving past, not just being suspicious of insecure IoT devices that are manufactured in China that are coming with default hard coded passwords that you might expect that from, but really kind of bigger brand names like Ring, like Alexa, Amazon Echo, Google Home, things like that. So there was definitely a lot in terms of data privacy and how consumers are reacting to that and where that’s going to go in the future.
Tara: I thought that the Amazon Alexa stuff kind of lead the way earlier in the year, especially when it was revealed that to hone their algorithm, [and Alexa’s] response to people’s queries, they were actually employing manual oversight on that, just to kind of spot-check and make sure that the algorithm was performing the way that it should. But the the side effect of that was that you had people basically listening to Amazon Alexa interactions on a constant basis — and several different tendrils came out of that right? At one point it was found out that they were actually recording interactions with children (which they’re not supposed to do); and that there was continuous recording and not just when the wake word was used [Google Home was also accused of this]. A bunch of different things all happened at the same time.
Tom: I feel like it’s such an emerging technology that hasn’t proven itself or really sort of matured in any way shape or form. It really does feel like a little bit of a wild west with so many of these digital assistants, you know, vying for market share to be the best and using those those human beings to listen in is something that I never anticipated would be would be sort of part of their quality control. I guess I should have assumed that that would be taking place, but it really does give me the heebie jeebies when considering using these digital assistants, and how there’s this new privacy problem taking place in my living room.
Tara: Yeah, well, I think it’s really driven a lot of consumer interest in privacy, which I feel had stagnated just a little bit in the wake of all the GDPR conversations and things the year before. And I think that all of a sudden privacy has really come to the forefront. And it’s driven a lot of interesting conversations. Not to mention the fact that, of course, we have that huge piece of legislation in California that’s going into effect January 1, the California Consumer Privacy Act. And Lindsey, I think you wrote about that. But I mean, that is that’s going to be a bellwether probably going forward.
Lindsey: Yeah, I think that’s a good point to bring up. And you know, definitely there’s been a lot of kind of these privacy challenges over the past year, but there has also been regulation and a lot more discussion around data privacy and what the implications are for consumers and a lot more pressure in my opinion on some of the bigger tech coming companies like Google, like Amazon, and we were mentioning before that those stories about the contractors listening in on Amazon audio. And that story was interesting too, because, you know, it also happened with, the same exact thing occurred with Apple’s Siri and Google Home. And both of those devices came under fire for similar reasons. And that story actually has, in my opinion, a little bit of a positive side to it. Because after all those incidents occurred, Google and Apple actually ended up updating their audio privacy preference control so that users could opt out of their audio being collected. So in my opinion, that is kind of a positive spin to this and goes to show that while data privacy was a big issue in 2019, there is a little bit more pressure on these tech vendors and now potentially with regulation, with pressure from consumers, there’s going to be some changes in the future. But who’s to know.
Tom: The lessons that we learned from Facebook are good in that we all started using Facebook and social media and we didn’t realize what was going on until it was too late. And I feel like we kind of have these calluses, that we’re going into this new age of digital assistants and how these digital assistants are infiltrating our lives, our kitchens, to our bedrooms, to our cars, to our phones, and I feel like we’ve got our guard up already. But nonetheless, I am waiting for like the other shoe to drop in terms of what awful thing we never knew they were doing with our information.
Tara: Yeah, very good point. I guess it pays to be cynical and jaded on these things for sure. I was gonna say hand-in-hand with that is the other side of the privacy coin, right, which is basically the data-breach issue. It’s not just necessarily the tech companies or whoever, online companies, sharing our data or misusing it. But it’s also what happens when cybercriminals are able to break in and get it. And so, now we’ve seen a lot of new classes of vulnerabilities come to light this year, seen a lot of cloud misconfigurations. And we’ve seen a lot of dark web activity in terms of carding marketplaces and things like that, really ramp up. So, you know, the underground trade in consumer data also seems to be swelling.
Tom: The whole notion of misconfigured servers and the access that hackers have to this data, it’s still staggering, just when you thought the problem couldn’t get any worse, in 2018, it got worse. We’ve got to turn the corner on this. I’m feeling optimistic, much more optimistic about turning the corner on this and sort of turning off the spigot of insecure data on the internet. I think, it feels like something that we can do, you know?
Lindsey: Well, speaking of misconfigured databases, that has seemed to pop up almost every single day I would say. Most days that I’ve woken up this this year there’s been a new, either misconfigured database or ransomware attack, and it just seems like those are now happening almost daily, or weekly at this point. And I’m not sure how different that was from from last year, or if it’ll get even worse next year. But that was, in my opinion constant in 2019.
Tom: You know, one of the things that I’ve done some research on in terms of the cryptocurrency and the fluctuation within the cryptocurrency market, is that when cryptocurrency was booming, there was clickjacking and cryptomining that was taking place and it sort of stole a lot of the interest away from ransomware because it was such a profitable market. But as cryptocurrency struggled in 2019, I think that a lot of the criminals are turning back to ransomware as a amazingly great opportunity to make money.
Tara: It seems like the cryptomining has migrated towards more of the consumer market a little bit, whereas the ransomware scourge has really migrated in the opposite direction. It used to be that spray-and-pray tactics were really big in 2018 for ransomware, and now it seems as though the threat actors are really going after municipalities in particular. And, they’re looking to leverage supply-chain attack vectors and do more damage, more bang for their buck, and they’re getting wiser and savvier.
Tom: It is does seem like it’s very industry-specific. I know that last year, hospitals were targeted and they were basically shamed for having some of the worst security in terms of all their outdated devices. But now it seems like the big targets are municipalities, and [the attackers], seem to change their focus and it’s interesting to see how this focus has changed from consumer to larger institutions.
Lindsey: If you guys remember back, I think it was a couple months ago, when that coordinated attack against various Texas municipalities came to light, that was a huge deal too in terms of what that means for ransomware attacks becoming more coordinated, more targeted. And another point that I think is relevant to make is the fact that a lot of these victims are paying up as well. They’re still paying the ransom and that’s only going to be helpful for cybercriminals to continue to launch ransomware attacks and it will only really light a fire under them continuing this track. So that’s that’s something too that I think will continue in the new year.
Tara: That conversation around whether or not to pay the ransom got huge and just blew up in the fall, after it came to light that so many different victims were actually choosing to pay. And the conversation comes down to you know, can they afford the downtime? Can they afford to, in the case of municipality, can they afford to let public safety infrastructure lie dormant, things like that. And so there are a lot of considerations that go into whether or not you’re going to pay the ransom. It’s not a cut-and-dried thing, but the end result, according to the researchers that I’ve talked to anyway, is that certainly encourages this trend to continue and to continue to grow. So that’ll be interesting going forward.
Tom: Yeah, another thing that was really interesting was a lot of the stories around paying the ransom were around, some of insurance these companies had and doing the math on recovering the data versus risking dealing with the criminals behind the ransomware. But it’d be interesting to see how that matures and plays out. And we’re in the middle of an epidemic for sure on ransomware. I think we’ll have another podcast, looking into 2020, for sure, but I think we can anticipate many more ransomware attacks ahead.
Lindsey: Well, yeah, that was a whole story line in itself, kind of how cyber-insurance was really changing the way that companies that haven’t taken the appropriate steps for backup and recovery are changing the way they’re dealing with ransomware attacks, and then a lot of cases that actually led them to pay the ransom because it was cheaper for the cyber-insurance providers to encourage them to go that route. So, yeah, that’s definitely like you say, Tom going to be something that we should keep an eye on.
Tom: Yeah. Well, you know, I think it did also inform the security-minded folks when thinking about patching and thinking about the ways in which the ransomware is making it into these companies, whether it be a zero-day vulnerability, a patched flaw that never got patched, malicious spam emails, or, you know, maybe a weakness in the remote desktop protocol application. I think that defense-in-depth, it’s kind of jargony phrase, but I think that there was a lot of talk around new approaches to security. Considering that many of these problems can be mitigated considerably with better patch management and better cybersecurity practices.
Tara: We definitely saw some doozies in terms of the types of bugs that emerged. You know, BlueKeep obviously springs immediately to mind, but Tom you have pointed out in the past that BlueKeep is actually just one part of a broader set of types of vulnerabilities that came to light this year. Right?
Tom: BlueKeep really sort of kicked off the year and, you know, it’s it’s hard to think about because everything happened so fast in cybersecurity, but it wasn’t too long ago when we were there was really huge concern about this new, wormable BlueKeep vulnerability, that really targeted remote code-execution vulnerabilities in Microsoft’s Remote Desktop protocol.
It created such a concern that I know that Microsoft did a lot of patching around Windows, not only their most recent operating system but even XP, Windows Server 2003, and Windows Server 2008, there was a real concern that we would have another WannaCry on our hands. And WannaCry and ransomware — getting it back to ransomware – I mean that was a huge concern at the time. And you know, the some of the BlueKeep issues continue throughout the year with DejaBlue. These are solvable problems that the industry needs to get better at patch management and just making sure that systems are updated.
Lindsey: Yeah, I thought the whole BlueKeep storyline was was really interesting. It almost felt like that was the security industry dealing with a little bit of PTSD from WannaCry the year before this, and what did they describe it as? A “mega worm?” I think it was definitely a big, big storyline in 2019.
Then there was a lot going on in the mobile sphere as well this year too. I know, between app security and everything going on there to Apple’s bug bounty program. There was just a lot that that occurred over the past year.
Tara: Yeah, I definitely feel like the light was really shown on the ecosystem for apps, in a new kind of way. You know, as you pointed out, the Apple bug bounty, that was really big news. Good news. And then, you just had all of these zero-day bugs that kind of came to light for Android. And those were just some of the conversations that I saw emerge over the course of the year.
Tom: Google continues to take a beating in terms of its app security, and… there are no excuses for weak security. But I just feel like Google is such a different animal in the way that it approaches apps than Apple, for better or for worse, just by the nature of how many millions and millions of apps, when you see a headline, like thousands of people impacted by mobile vulnerability x, I always take it with a little bit of a grain of sand, because when you think about the entire ecosystem, all security is extremely important. But relatively speaking, I don’t know – again, I’m not being paid to say it – But I think that Google does a pretty good job of aggressively addressing security issues and I think this year, it continued to take steps in the right direction in terms of locking down and protecting their mobile users from the bad guys.
Tara: That’s a really good point, Tom. And I think that gets lost among all of these conversations, because people want to talk about: Is Apple better? Is Google better? And in reality, the answer is that they’re just very different. I mean, Apple’s vertically integrated. Google has a much more open ecosystem, and they have a lot more OEM partners, or they have OEM partners to begin with, right, that are licensing their operating system. I think Google faces different challenges. And awareness is ramped up on that front, I feel like.
Tom: There have there been a couple bugs…where Google was a little bit late to patching and, you know, shame on them but, we could find bugs that Apple was was not patching very efficiently either. I think there’s enough blame to go around. But I will say that also, I feel like the whole patching process is getting a lot better for Google and its partners and wireless carriers for that matter.
Lindsey: Yeah. And I mean, I think that Apple iPhones had their own share of serious vulnerabilities this year, too. If you guys remember that one lockscreen bypass flaw that was amazingly easy [to exploit] and teenager discovered it earlier this year.
Tom: So there were a couple of those. There been a couple of those. And again, I think that you know, you’re bringing the point up where Apple is embracing the bug bounty program for its mobile side of the house, it’s a really big step for for Apple and and also for the, you know, for the platform itself, and for bug hunters to get a little bit of respect.
Lindsey: Yeah, for sure. I thought that was that was a pretty big news piece for sure over the summer when that happened, at I think it was Black Hat. So were there any other kind of bugs or stories that were sticking out to you guys?
Tara: I mean, the only other thing that I would say is, I would highlight fact that 5G for the first time this year really started becoming reality. And so there was a lot more focus on that, from the standpoint of broader networks and new attack vectors. So that had a lot to do with IoT because a lot of IoT devices in the future will be hooked up using 5G. So it just adds an entirely new threat surface.
Tom: Well, we are going to have an interesting year ahead of us when it comes to 5G. I mean, how quickly it gets rolled out and how it impacts consumers and how it impacts businesses, I’m not too sure what the timeline is in terms of when we will feel like we’re living in a 5G world. But certainly there are so many security implications and the rollout of 5G is something we’ll really be watching closely.
Lindsey: Yeah and Tara, you’ve really kind of spearheaded the coverage on that over the past year. But I know that some of the applications that come along with 5G like self-driving cars, like, you know, smart factories or remote surgery, and I don’t think those are too far in the future at this point, if not already in use at this point. So I think, it’s here and and it’s going to be a lot more prevalent in 2020.
Tara: Ups the ante on cybersecurity that’s for sure.
Lindsey: Well, Tom and Tara, thanks for coming on and talking a little bit more about some of the the biggest news stories and the biggest trends in 2019 so far, it’s been a crazy year.
Tom: Yeah, it has and I feel like we’re just starting to scratch the surface in terms of what went on last year. It was a pretty exciting year. A lot of good and a lot of things to be concerned about. But I feel like on a number of different fronts, we learned a lot and we’re well prepared to go into 2020 smarter and able to protect ourselves a lot better.
Tara: I love that optimistic tone to end our podcast and end our coverage for the year. And yeah, so thanks, Lindsey, for having us and happy holidays.
Lindsey: I agree and to all our listeners: Happy holidays and happy new year!