Despite my love for the pseudo-holiday, October isn’t all about Halloween tricks and treats: it’s also cyber security month, and this year has seen it’s fair share of cyber security scares, hacks, vulnerabilities and leaks. But, because October also puts me in the Halloween spirit, I thought what better way to merge two of October’s most notable events than to recount some of the more haunting cyber security breaches of the year and find out whether or not they’re still lurking.
Probably one of the biggest security bugs of the year, Heartbleed exposed a huge security flaw that affected the majority of the web. The bug was found in the OpenSSL encryption library, an open-source software library that protects usernames and passwords when browsing online. The flaw meant that hackers eavesdropping on a potentially compromised (ie. not properly encrypted) connection could collect your username and password. The scariest part of the whole ordeal wasn’t only that 66% of the web used (and still uses) OpenSSL encryption, but that the bug went unnoticed for 2 years. This means hackers could have been collection usernames and passwords for a long time.
Since its discovery in April, many of the most popular affected sites have patched the bug, once again making their websites (relatively) safe.
Although the app itself was hacked earlier this year exposing the usernames and phone numbers of over 4 million users, Snapchat users faced the potential of more damaging exposure when the popular third-party website Snapsaved was compromised. The website, staying true to its name, let users save Snapchat photos and videos. The hacked exposed over 200,000 images and videos which were published on website 4chan anonymous messaging board earlier this month.
The sensitivity of photos typically sent using Snapchat posed a risk, especially to minors sharing risque images using the app. Snapsaved.com has since shut down its website, and 4chan has taken down the photos, but that doesn’t mean you’re 100% safe. Snapsaved and similar unauthorized apps use a publicly available reverse engineered application programming interface (API) of Snapchat to intercept and save your photos. It’s probably best to stay away from these third-party Snapchat apps (and the security-flawed Snapchat) if you don’t want to be exposed.
This leak made mainstream news because of the high-profile celebrities that were targeted in the attacks. But September’s iCloud breach was enough to scare even the everyday user. The leak wasn’t attributed to a vulnerability per se, but hackers found a loophole in the iCloud system that made it relatively easy for them– purportedly using third-party software– to access iCloud backup accounts, which they used to target celebrities. It’s main scare included the potential for anyone to access ‘sensitive’ photos stored on an iOS device. A lack of two-factor authentication was said to have been one of the weak points of the iCloud system.
Since then, Apple’s made big changes to its iCloud storage services with the release of iOS 8. It will now send you an email if it thinks your iCloud account has been accessed somewhere else, and has made it much more difficult for any potential hacker to get a hold of your account. Two-factor authentication is now standard and Apple requires you to generate app-specific passwords for apps that don’t support its two-factor authentication.
In May, eBay announced that its website had been compromised in a breach that happened months prior to its discovery. Using an employee’s account, hackers found a way to access user data. The data, however, was non-financial and included things like users’ email and physical address, password and date of birth. Luckily, eBay’s pay partner PayPal was not compromised during the attack, which could have been much more damaging.
eBay claimed not to have detected ‘increased fraudulent account activity’ in the months prior to discovering the breach, but urged its 145 million affected users to change their passwords.
A quarter of the browser market was affected in April when Microsoft announced a critical security vulnerability in Internet Explorer versions 6 to 11. In fact, Microsoft deemed the vulnerability critical enough to issue a security update to XP users even after having stopped supporting the outdated operating system weeks before.
The vulnerability itself basically left users exposed by giving hackers the same elevated user rights to their PCs as the user themselves, allowing them to access and potentially install malware. Luckily, the vulnerability was patched just days after its discovery.
Adobe issued an emergency Flash update early this summer after discovering an exploit that left browser cookies vulnerable. Cookies basically store browsing info to make navigating the web a bit quicker, like remembering log-in details without having to type them in every time you navigate to another page. The technically complicated vulnerability basically made this type of data vulnerable to interception, allowing hackers to impersonate users online.
Because Flash is such an integral part of thousands of websites including YouTube, Google, and Tumblr, the exploit left many people at risk. Luckily, the patch was updated quickly without any large-scale problems.
What had the potential to be the scariest and largest security breach ever, Shellshock Bash popped up late last month as a vulnerability in Mac OS X, Linux, and Unix systems, giving hackers the potential to remotely execute commands to computers, devices, and websites.
Bash, a kind of interpreter used to carry out commands in anything from laptops, to routers, to websites, meant that the Shellshock bug had the potential to put hundreds of millions of devices at risk. After the discovery of the bash bug, hackers immediately began probing websites to find which ones were vulnerable. Many companies, including Apple, patched the bug immediately, but the bash bug still has the potential to affect a majority of the web servers running the internet’s websites.
Don’t panic though. You’ll likely be safe from the bug since most major software companies have patched the bug. You can, however, take steps to protect yourself by updating your computers and devices to the latest software.
Don’t be scared
It seems like security breaches come and go much too often these days, but despite most of these issues being out of your control, you can do simple things to protect yourself.
Most notably, using password managers to make sure that all your passwords are unique and secure is probably the easiest and best thing you can do. Use two-step verification where you can for extra security, always update your software to its latest version, which usually includes and security patches and bug fixes, and wherever you can, avoid using third-party apps or services with murky privacy settings or terms of service.
Follow me on Twitter @suzieblaszQwicz