roger_grimes
Columnist

The most interesting and important hacks of 2018

Feature
Dec 27, 2018 | 7 mins
Data Breach, Hacking, Security

The hacks, exploits and data breaches security researchers most need to pay attention to are those that do something new or suddenly increase in volume.

Each year a few hackers do something new that begs further examination. The general public and Hollywood paint most hackers as uber-smart people who can take control of an entire city’s infrastructure and crack any password in seconds. The reality is that most hackers are fairly average people with average intelligence. Most don’t do anything new. They just repeat the same things that have worked for years, if not decades, using someone else’s tool based on someone else’s hack from many years ago.

What we need to pay more attention to are the new, evolutionary or revolutionary hacking methods that gave hackers access to something they didn’t have before. Maybe a method isn’t exactly new, but it’s being used more or in more innovative ways than in the past (like ransomware did a few years ago). With that said, here are my choices for the most interesting hacks of 2018.

Increase in internet-of-things hacks

Though no surprise, the increase in hacks against IoT devices is coming on strong as long predicted. IoT devices are invading both our personal and professional lives and are getting hacked to attack us and our organizations. Even the devices placed in our companies and homes that are supposed to provide us more security are being used against us.

Here are two representative examples: When the U.S. special prosecutor put a specific Russian company and specific Russian names in one of his indictments this year, it wasn’t a guess. Turns out that the Dutch intelligence agency had hacked into the video cameras that monitored the Russians, revealing everything they did in detail. While I’m not against this particular hack, it is a cautionary warning to any company or person who has IP-connected devices in the buildings where they are conducting sensitive activities.

One amoral hacker recently took control of home-installed NEST cameras that new parents had installed to help keep watch on their baby. The hacker taunted the parents who were asleep in their own bed by fraudulently stating that he had kidnapped their baby. I hope someone punches that hacker in the face. A “good” hacker chimed in to tell the owners they needed to change their passwords, which were all over the internet.

This is just a continuation of the attacks against our home IP-connected devices that began a few years ago, exemplified this year by the 100,000 home routers taken over by GhostDNS malware. If a device in your house or company has an IP address, assume it can be hacked and defend accordingly.

Private data revealed and manipulated

Ransomware is pretty nasty. It encrypts your data and asks for money to unlock it. There’s no reason to panic if you have a good backup. Flip off the hackers, restore your data, and prevent it from happening next time.

However, those same hackers are regaining the upper hand by stealing your data and threatening to reveal it to the public or competitors if you don’t pay the ransom. Ask Sony Pictures how they felt and suffered after all their confidential data was released publicly.

On a related note, the United States government is worried about integrity attacks where attackers go in and maliciously manipulate data that the victim then relies on. Integrity attacks are less likely to be noticed until the damage and repercussions are revealed. Most integrity attacks are now in the realm of nation-state attacks, but computer security watchers expect this to start creeping into more organizations as a part of corporate espionage or in modified ransomware.

Deceptive advertising methods

Online marketing has always had its share of sneaky and deceptive advertisers, but 2018 revealed some new interesting techniques. One of the most sinister involves mobile banner ads where the “ad” is simply a brown dot or thin object that looks like a strand of hair. When the user sees it and tries to “clean” their screen, it activates the touch as a click and takes them to the related ad. Tricky and deceptive, and likely to be used by malware in the future.

Meme-based steganography being used for command and control

This is interesting. After a system is exploited by malware, it downloads a meme picture that includes command-and-control instructions embedded using steganography. This technique might prove useful for malware trying to avoid command-and-control channel detection.

Supply chain poisoning

Bloomberg’s report of hidden Chinese spy chips got many experts thinking about supply chain attacks, where a malicious intervener inserts rogue software instructions or hardware into a process that exploits a final product, perhaps without the vendor even being aware of it.

Ignoring for the moment that I still have not seen a single bit of real evidence saying the Chinese spy chip accusation is real, supply-side attacks do occur, although using software, not hardware. In one such example (use translation for the text in the link if you don’t understand simplified Chinese), a programming language was “poisoned” by a hacker so that when any application using the programming language was created, it created an exploitable weakness. Over 50 applications were poisoned and this led to over 100,000 WeChat payment ransomware infections. There have been dozens of attempts (some successful) to poison open-source programs to give attackers an inside channel to exploitation.

Printer spam

File this one away under more annoying than malicious, but still it’s interesting. After hearing about possible internet-connected printer abuse for two decades, some hacker finally created a widespread implementation. In this case, the hacker printed a spam message asking people to join YouTube’s most popular channel, PewDiePie. This was a stupid, harmless message, but perhaps another hacker might marry this type of exploit with a fake bomb threat and really cause a population freak out.

Drone hacks

Drones are big fun. My son and my best friend are eaten up with drone flying and antics. Drones are also becoming big business, replacing more expensive and more risky jobs (such as inspecting high voltage transmission lines) at an increasing rate. Now we’re starting to see drone-specific hacking. Since drones are definitely being used more in warfare, expect to see drone hacking become a regularly reported category of exploitation reports.

More hardware hacks

Easily, the most catastrophic-sounding computer security exploits were the chip-level Meltdown and Spectre exploits announced in 2017. They worked on most processors built since 1995 and allowed malicious exploits that bypassed any computer protection (other than patching against the exploits) and would not show up in log files. It was largely only because the developed exploit code was not shared in the wild that some sort of worldwide, catastrophic exploit did not occur before patches could get applied.

The announcement of those chip exploits seems to have led to a reawakening of interest in hardware and chip exploits in general. Many more Meltdown- and Spectre-like exploits have been found and Bluetooth has been hacked. Vulnerabilities in self-encrypting hard drives have been discovered, as has a rootkit for UEFI boot software.

Each of these newly exploited technologies and methods concerns me more than the latest mega-millions record data breach. Most data breaches occur because of social engineering or unpatched software. We still need to worry about these attack vectors more than anything else. Focus, focus, focus! Good computer security engineers keep their eyes out for the new and evolving threats, so that when they do make a big splash, they are ready.

Roger A. Grimes is a contributing editor. Roger holds more than 40 computer certifications and has authored ten books on computer security. He has been fighting malware and malicious hackers since 1987, beginning with disassembling early DOS viruses. He specializes in protecting host computers from hackers and malware, and consults to companies from the Fortune 100 to small businesses. A frequent industry speaker and educator, Roger currently works for KnowBe4 as the Data-Driven Defense Evangelist and is the author of Cryptography Apocalypse.