As a year-end wrap (aaaugh . . . where is the paper for all those grandchildren gifts awaiting attention and postage?), I thought a noncontroversial list of notable acts naughty and nice would be useful. But with publication deadline close upon me, I decided to further limit that scope’s list to just a few notable cybersecurity attacks from 2021. After all, I want to save time to peruse the (always entertaining) annual Manufacturer’s Edge Holiday Gift Guide and do a bit of shopping.
Here are deceptively easy questions: Who sees you when you’re sleeping? Who sees when you’re awake? Apparently, it’s not just Santa Claus. Less benign groups than Santa and his elves are watching us and looking to enter our digital lives. In some cases, those we trust with our digital information are not as diligent as one would hope.
2021 Cybersecurity Naughty List Candidates[i]
This year has been rich with candidates for the “naughty acts” list. Here is a really short list of evil deeds. Enough doom and gloom for today.
Targets: Private individuals
- Socialarks (database hack). No, this is no avian reference (á la “partridge in a pear tree”) but a Chinese social media company that leaked personally identifiable information (PII) of some 214 million social mediaphiles (i.e., users, influencers, celebrities). The PII came, in part, from Facebook, Instagram, and LinkedIn accounts. This attack serves as reminder that there is a permanent record—and it is spelled Internet. Only post what you want your great-great-great grandchildren to know. (And your parents probably taught you that sharing is a good thing.)
- Lesson learned: Check the robustness of your passwords by using the <haveibeenpwned.com> tool. Change your passwords. Use a unique password for each account. Challenge yourself to be original rather than just annotate current passwords with “2022” or other predictable sequence.
- Bonobos (database compromise). This “upscale, c-commerce-driven subsidiary of Walmart” was breached in January 2021 and 7 million customer records (containing addresses, phone numbers, account information, partial credit card numbers) were posted to a no-fee hacker website. (And who said the ShinyHunters hackers were only in the game for themselves?)
- Lesson learned: Read through the FTC’s consumer information website https://www.consumer.ftc.gov/taxonomy/term/938 for tips on securing your home WiFi network, reducing spam, and identifying scams. Also, verify your credit card transactions and report fraudulent activity.
Targets: Critical Infrastructure Companies
- Colonial Pipeline (ransomware). Delivery of approximately 45% of the East Coast’s petroleum, diesel, and jet fuel supply was disrupted, leading to shortages, inconvenience, and increased pump prices. Perpetrated by the DarkSide hacking group which received $2.3 million in bitcoin payment.
- Lesson learned: This attack underscored the vulnerability of a critical economic infrastructure sector.
- JBS (ransomware). This global food processing company (with a facility in Greeley CO) paid a $11 million bitcoin ransom demand to REvil hackers (yes, they “R Evil”). Meat supply chains were not seriously affected—unlike the current (December 2021) cream cheese shortage being experienced (October 2021 attack on Schreiber Foods).
- Lesson learned: Attackers waged a multi-level campaign against leaked credentials and vulnerabilities in the company’s remote desktop protocol (RDP) implementation. This protocol is commonly used to allow employees access to corporate resources.
- Android (misconfiguration). A major cybersecurity company discovered that data belonging to more than 100 million users was accessible to anyone due to misconfigured cloud services. The data included personally identifiable information (PII): names, email addresses, chats, location, payment information, phone numbers.
- Lesson learned: It’s not just external threats or intentionally evil individuals. Insiders trusted to “do the right thing in the right way” can make mistakes.
For me, one of the lessons here is that cybersecurity is complicated. No single tool can ensure an organization’s immunity to a successful cyberattack. We should each resolve to take a deep breath (while wearing a mask, depending on your surroundings) over this holiday season and resolve to practice better cybersecurity hygiene in 2022:
- Use robust, unique, unpredictable (from a computer processing/dictionary hacking tool perspective) passwords that you do not share or reuse for multiple accounts.
- Research whether any of your email accounts have been captured in a large data breach at https://haveibeenpwned.com/.
- Check privacy settings on all your applications <https://staysafeonline.org/stay-safe-online/managing-your-privacy/manage-privacy-settings/>.
- Disable chatty (e.g., Bluetooth) or tracking (e.g., geo-location) technologies when not in use.
- Segment your home network into a guest network (e.g., for streaming entertainment) and a protected network.
- Back up the information you cannot tolerate losing to three places (i.e., computing device, removable hard drive, cloud storage) after you’ve encrypted that information that contains personally identifiable information (PII) or intellectual property (IP).
- Protect your communications by using virtual private network (VPN) technology on any device with which you connect to the internet (yes, your smart phone also).
- Validate the appropriateness of message senders, destination websites, and attachments by checking over out-of-band channels.
- Encourage family and friends to be safer as well. Holiday season is prime time for cybercriminal activity.
Hopes for 2022
I wish you all good health—both physically and digitally. And now, enjoy the Holiday Guide! I’m stepping away from my computer.
References for Holiday Cyber Reading