Last year, the IT security field was pretty eventful. There were a lot of incidents: from global vulnerabilities which affected millions of computers all over the globe to showdowns with local cybercriminals. Every one of these events were, in one way or another, connected with social networks – especially Twitter since it also acts as a news service. We collected the 10 best tweets related to an IT security event in 2014.
- In March, a cybercriminal who acted on behalf of the ‘Pump Water Reboot’ hacker group started a series of DDoS attacks on several Russian web services — from popular online communities to some banks. Each victim was asked to pay a $1000 ransom to stop the attack.
In this particular tweet, the criminal threatened one Russian banker, Oleg Tinkov, founder of Tinkoff Credit Systems, which is an online specialized bank.
@olegtinkov На ваш сайт ведется DDoS – атака. Мы предлагаем решение этой проблемы. Атака прекратится если Вы готовы заплатить 1 000$.
— Pump Water (@PumpWaterReboot) March 24, 2014
(Translation from Russian: Your site is under DDoS attack. We offer a solution for this problem. The attack will stop if you are willing to pay $ 1,000.)
By the summertime, the cybervillain was caught by police and in a couple of months was sentenced to two and a half years of probation with a penalty of 12 million rubles (about $400,000). That’s a lot for a 19 years old student who, as it turned out, happened to be the extortionist.
- The Heartbleed vulnerability threatened two thirds of the Internet. You can learn more details in our blog posts. The short version of what happened and how it worked is best described by this xkcd comics author:
Heartbleed http://t.co/wxVnw6YK6Q http://t.co/j1iYb4DC7l pic.twitter.com/ekr3nFr1oW
— XKCD Comic (@xkcdComic) April 9, 2014
Heartbleed’s consequences will haunt us for a long time: there are tens of thousands of vulnerable servers still not updated. And many of them will never be able to get rid of this vulnerability.
- For us, the best tweet of the year was created by people from — you won’t believe it! — the CIA. It’s nice to see that even these tough guys have a sense of humor.
We can neither confirm nor deny that this is our first tweet.
— CIA (@CIA) June 6, 2014
- In mid-August, something that happens to almost everyone involved in modern politics struck Russia’s Prime Minister Dmitry Medvedv: someone hacked (and made fun of) his Twitter account.
(Translation from Russian: I resign. I am ashamed of the government’s actions. I’m sorry.)
At the same time, Medvedev’s other accounts were also hacked. This led to a leak of private photos and correspondences from Medvedev’s mobile devices. However, all tweets written by hackers were subsequently removed. What happened to the attackers – if they were even caught – is still unknown.
- Two weeks later, there was another leak and this one was massive: Somebody posted lots of private photos of several naked celebrities, including Jennifer Lawrence.
Someone apparently has hacked into Jennifer Lawrence's iCloud account and is releasing pictures from her camera roll pic.twitter.com/l0ua4bejIc
— Háider (@YahoodiSaazish) August 31, 2014
This leak was immediately named ‘The Fappening’ and rocked the whole world. Celebrities got way more attention than usual and web services that published photos got good profits from ads. In particular, one popular website, Reddit, got so much money in just a few days they had enough to support the project for a month.
- Autumn was especially eventful. In September, a new fundamental vulnerability was found in Bash shell. Now it is known as Bashdoor or Shellshock. It was the second time in one year that millions of computers, mostly servers, were compromised. The man who had discovered this bug didn’t post anything on his Twitter account immediately. But later he posted worthwhile tweets with an explanation that this vulnerability had probably originated as early as 1989, i.e. 25 years ago.
Shellshock was actually introduced in bash-1.03 (1989, 25y ago), not 1.13 as Chet, I and others have said earlier (http://t.co/LC5TEqpqkx)
— Stephane Chazelas (@SChazelas) October 4, 2014
The Bashdoor bug, as well as the above mentioned Heartbleed, will haunt us for a very long time.
- A couple of weeks later the world found out about another global threat. In early October, two researchers announced that every USB device on the planet is fundamentally vulnerable. For some reason, these guys didn’t talk about this discovery, but we did:
BadUSB research: "You can’t trust anything you plug into your PC, not even a flash drive" https://t.co/kOkdrw8dEZ pic.twitter.com/ANYpF01EY6
— Eugene Kaspersky (@e_kaspersky) October 3, 2014
It is still unclear what we should do globally to protect ourselves from this bug. There is only one known good practice for protection: do not use unknown USB devices, including, but not limited to, keyboards and mice.
- In mid-October there was another leak. This time, victims were Dropbox users. Company representatives promptly declared the service wasn’t hacked and the leaked data was collected in some other way.
Reports claiming we’ve been hacked aren’t true. Your stuff is safe. More info on our blog: http://t.co/vI6sfNjC4Z
— Dropbox Support (@dropbox_support) October 14, 2014
Many people believe Dropbox had been hacked though, and that the company preferred to “negotiate” with the intruders privately rather than lose its reputation.
- The end of October was marked by an event that many people didn’t pay enough attention to: Twitter announced plans to replace passwords with another, more advanced authentication system. And not only passwords for the accounts of its own users: Twitter offered third-party developers to use the Digits platform to authenticate users in their applications as well.
Forget passwords – use your phone to sign in to your favorite apps. Introducing Digits: http://t.co/G9wcZCqopv
— Digits (@digits) October 22, 2014
There have been many attempts to get rid of passwords and, as we have seen, nobody has been able to achieve this so far. But it is possible that Twitter will succeed and in a few years we will finally stop using this old authentication method.
10. As for passwords: Never store them in an unencrypted file on your PC. Otherwise, you will face the same consequences as Sony Pictures. The company was massively attacked by a GOP hackers group. Before the attack was launched, cybercriminals had stolen one of Sony Pictures Twitter accounts and mentioned the company’s CEO in a warning of the future hack.
Unfortunately, the hackers were not limited to threats and Sony Pictures has been in personal info leakage hell – and they weren’t ready for it at all. You can learn more about what happened with Sony in our blog post.