Top 10 cyber security stories of 2020
The Covid-19 pandemic fundamentally changed the world of technology in 2020, and the cyber security sector was itself profoundly affected.
But that is not to say a microscopic virus had the headlines all to itself, with developments around data privacy and protection, cloud security, vulnerability and much more, all seizing their share of the spotlight. And as usual, we’ve not even begun to consider the impact of cyber crime.
Here are Computer Weekly’s top 10 cyber security stories of 2020:
Cyber criminals are targeting users of popular videoconferencing application Zoom as millions of office workers turn to collaboration tools to keep in touch with each other during the Covid-19 pandemic.
Check Point’s threat research team said it has seen a steady rise in new Zoom domains, with 1,700 created since January, but this has ramped up in the past few days, with 425 new domains registered in the past seven days alone.
Out of these, 70 have now been identified as fake sites, which are impersonating genuine Zoom domains with the intention of capturing and stealing personal information. The numbers reinforce a trend for cyber criminals to take advantage of home working via Zoom, which is used by over 60% of the Fortune 500 and has been downloaded more than 50 million times from the Google Play app store.
Less than 12 months after acquiring Symantec’s enterprise security business for $10.7bn, and barely two months after the deal was completed, Broadcom is selling the security services unit on to Accenture for an undisclosed sum.
Accenture said the deal would make its security unit a leading managed security services provider, enhancing its ability to help organisations “rapidly anticipate, detect and respond to cyber threats”.
It will take on a wide-ranging portfolio including global threat monitoring and analysis via a global network of security operation centres, real-time adversary and industry-specific threat intel and incident response.
Avon, the cosmetics brand that suffered an alleged ransomware attack in June 2020, has found itself at the centre of a new and significant security incident after inadvertently leaving a Microsoft Azure server exposed to the public internet without password protection or encryption.
Discovered by Anurag Sen of security tool comparison service SafetyDetectives, the vulnerability meant that anybody who possessed the server’s IP address could have accessed an open database of information.
The latest incident comes a little over a month after Avon confirmed a major security incident, although not confirmed to have been a ransomware attack, that took its back-end systems offline and left many of its renowned representatives unable to place any orders.
Electric automaker Tesla has rolled out an over-the-air patch for its Model X vehicles after being informed of a serious vulnerability in its keyless entry system, identified by Belgian academics, which could have enabled criminals to circumvent the $100,000 car’s onboard security systems.
The Tesla Model X’s key fob lets its owners automatically unlock their car when approaching it, or by pressing a button, using the Bluetooth Low Energy communications standard to talk to the car via a smartphone app.
This process was bypassed by PhD student Lennert Wouters of the University of Leuven’s Computer Security and Industrial Cryptography research group in a proof of concept using a self-made device built from a Raspberry Pi, a modified key fob and engine control unit from a salvaged Model X, and other components costing a total of $195.
The European Union is inching closer to formally ending the use of end-to-end encryption by web platforms such as Signal and WhatsApp, following a spate of Islamist terror attacks in Austria and France.
In a draft resolution document leaked to Austrian TV network ORF, which can be read in full here, the EU said it recognised the value of encryption as a “necessary means of protecting fundamental rights”, but at the same time “competent authorities in the area of security and criminal justice” needed to be able to exercise their lawful powers in the course of their work.
Previous European Council conclusions delivered at the beginning of October declared that the bloc planned to “leverage its tools and regulatory powers to help shape global rules and standards”, and that funds from its Recovery and Resilience Facility are to be used to enhance the EU’s ability to protect against cyber threats, to provide for a secure comms environment – possibly through quantum encryption – and, crucially, “to ensure access to data for judicial and law enforcement processes”.
The lack of care being taken to correctly configure cloud environments has once again been highlighted by two serious data leaks in the UK caused by misconfigured Amazon Simple Storage Service (S3) bucket storage.
As a default setting, Amazon S3 buckets are private and can only be accessed by individuals who have explicitly been granted access to their contents, so their continued exposure points to the concerning fact that consistent messaging around cloud security policy, implementation and configuration is failing to get through to many IT professionals.
The first leak related to several UK consulting firms. This was uncovered by Noah Rotem and Ran Locar, researchers at vpnMentor, who uncovered information such as passport scans, tax documents, background checks, job applications, expense claims, contracts, emails and salary details relating to thousands of consultants working in the UK.
The data processing policies and practices of two of the world’s largest software companies, Salesforce and Oracle, will come under scrutiny in the High Court of England and Wales in the biggest digital privacy class action lawsuit ever filed.
The suit, filed by privacy campaigner and data protection specialist Rebecca Rumbul, is seeking damages that have been estimated in excess of £10bn, which could conceivably lead to awards of £500 for every internet user in the UK. A parallel suit in the Netherlands backed by a Dutch group called The Privacy Collective Foundation could take the total damages to more than €15bn.
“Enough is enough,” said Rumbul. “I am tired of tech giants behaving as if they are above the law. It is time to take a stand and demonstrate that these companies cannot unlawfully and indiscriminately hoover up my personal data with impunity. The internet is not optional any more, and I should be able to use it without big tech tracking me without my consent.
The security risks associated with unified communications and collaboration (UCC) application Zoom have become one of the big stories of the Covid-19 coronavirus pandemic, but other UCC platforms are not immune from problems. According to AT&T’s Alien Labs, a vulnerability in cloud-native messaging service Slack could leave meetings open to disruption by malicious actors.
The vulnerability centres on Slack’s incoming webhooks, which let users post messages from various applications to Slack. If the user specifies a unique URL, a message body text and a destination channel, they can send a message to any webhook that they know the URL of in any workspace, regardless of their membership.
The Slack vulnerability was uncovered by Alien Labs cloud security researcher Ashley Graves, who said that although webhooks are considered a low-risk integration – the user must select a target channel, which reduces the scope of abuse, the webhook URL is secret, and webhooks only accept data, so cannot, on their own, expose data – this is not entirely accurate.
Smartphone devices from the likes of Google, LG, OnePlus, Samsung and Xiaomi are in danger of compromise by cyber criminals after 400 vulnerable code sections were uncovered on Qualcomm’s Snapdragon digital signal processor chip, which runs on over 40% of the global Android estate.
The vulnerabilities were uncovered by Check Point, which said that to exploit the vulnerabilities, a malicious actor would merely need to convince their target to install a simple, benign application with no permissions at all.
The vulnerabilities leave affected smartphones at risk of being taken over and used to spy on and track their users, having malware and other malicious code installed and hidden, and even being bricked outright, said Yaniv Balmas, Check Point’s head of cyber research.
A series of critical vulnerabilities in SaltStack’s open source Salt remote task and configuration framework will let hackers breeze past authentication and authorisation safeguards to take over thousands of cloud-based servers if left unpatched.
Salt is used in infrastructure, network and security automation solutions and is widely used to maintain datacentres and cloud environments. The framework comprises a “master” server acting as a central repository, with control over “minion” agents that carry out tasks and collect data.
The two vulnerabilities, which are assigned designations CVE-2020-11651 and CVE-2020-11652, were uncovered by F-Secure researchers in March 2020 while working on a client engagement.