A Decade of Security Issues + SQRL solution

Hacks, Leaks and other security events since 2010

Stuxnet

A worm developed by the USA and Israel that successfully destroyed centrifuges used by Iran to enrich nuclear fuel. Its discovery proved that cyber-war was real.

Aurora

Attacks on US businesses and infrastructure by China were detected and revealed by Google, leading to Google dropping search censorship on Google.cn and eventually shutting down the service.

Sony Playstation 2011

In one of the largest security breaches to date, Sony announced that 77 million PlayStation user accounts, along with their personal and financial details, had been captured by a hacker, requiring a complete shutdown of the PlayStation service for 3 weeks while IT resolved the issues. Sony then had to deal with lawsuits from users who had suffered credit card fraud as a result. It turned out to be a very expensive event for Sony, which appeased users by giving away free games, and it caused many business lawyers to add CYA clauses to future service agreements.

Diginotar

A Dutch Certificate Authority was hacked by the Iranian Government; access to its certificate signing servers allowed the creation of valid certificates for any domain name, making it possible to invisibly impersonate any website. It was discovered when the encryption protecting Google's Gmail users in Iran was bypassed. Many other high-value domains, including Yahoo and Mozilla, were also targeted with such certificates. Eventually Diginotar was shut down.

Edward Snowden 2013

Wiki-Leaks revealed the Snowden documents, which showed that the USA and its Five Eyes partners had been running a global surveillance network and that various governments used cyber-espionage, leading many other countries to implement their own methods.

Target Hack

Target was the first major retailer to discover that point-of-sale malware on its store computers had exposed the credit card details of some 40 million of its shoppers. More businesses were later found to be infected as well.

Adobe Hack

In November Adobe discovered that the records of over 150 million of its users had been stolen; they were eventually published on-line and the passwords cracked, revealing their plain-text versions. This led to warnings about using weak passwords and dictionary words.

Silk Road Taken down

A dark-web marketplace hidden behind the TOR network and selling illegal merchandise was discovered and shut down, demonstrating to the world that such sites were not as secure and anonymous as portrayed.

Launch of Have I Been Pwned

An Australian security researcher created a website where users could easily check their passwords against a database initially built from the Adobe data breach. It has since grown to include data from over 400 hacked sites and now contains information on over 9 billion user accounts. Checking for such unsafe passwords is now built into many browsers and password managers via a published API.
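As an added example, not code from the original article or from the Have I Been Pwned project, here is the client side of the password check the way browsers and password managers implement it against the Pwned Passwords range API (GET https://api.pwnedpasswords.com/range/{first five hex chars of SHA-1}, known from the service's public documentation): only a 5-character hash prefix is ever sent, and the match against the returned "SUFFIX:COUNT" list happens locally. The response body below is constructed, and the function names are this example's own.

```go
package main

import (
	"crypto/sha1"
	"encoding/hex"
	"fmt"
	"strconv"
	"strings"
)

// hashParts returns the SHA-1 of the password as upper-case hex, split into the 5-character
// prefix that is sent to the range API and the 35-character suffix that stays on the client.
// Only the prefix ever leaves the machine (k-anonymity), so the service cannot learn the password.
func hashParts(password string) (prefix, suffix string) {
	sum := sha1.Sum([]byte(password))
	h := strings.ToUpper(hex.EncodeToString(sum[:]))
	return h[:5], h[5:]
}

// countInRange scans a range-API response body (one "SUFFIX:COUNT" per line, CRLF or LF)
// for our suffix and returns how often that password appeared in breaches, 0 if absent.
// Padding entries, which the API may add with a count of 0, therefore read as "not seen".
func countInRange(suffix, body string) int {
	for _, line := range strings.Split(strings.ReplaceAll(body, "\r\n", "\n"), "\n") {
		fields := strings.SplitN(strings.TrimSpace(line), ":", 2)
		if len(fields) != 2 || !strings.EqualFold(fields[0], suffix) {
			continue
		}
		if n, err := strconv.Atoi(fields[1]); err == nil {
			return n
		} // a malformed count is skipped rather than failing the whole check
	}
	return 0
}

// sampleRange is a constructed stand-in for the API response to prefix 5BAA6 (a real
// response runs to several hundred lines; these suffixes and counts are made up, except
// that the middle line carries the true suffix of SHA-1("password")).
const sampleRange = "1D2DA4053E34E76F6576ED1DA63134B5E2A:2\r\n" +
	"1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n" +
	"1F2B668E8AABEF1C59E9EC6F82E3F3CD786:0\r\n"

func main() {
	prefix, suffix := hashParts("password")
	fmt.Printf("send prefix %s; local match count %d\n", prefix, countInRange(suffix, sampleRange))
}
```

A real client would fetch the body for the prefix over HTTPS and treat any count above zero as "do not use this password".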

Sony Pictures Hacked 2014

Guardians of Peace (a branch of North Korean intelligence) hacked into Sony when it planned the release of "The Interview", a comedy about Kim Jong-un. When Sony refused to abandon the release, its studio data and private emails were published on-line in retaliation. It was later established that the Guardians' break-in had occurred much earlier and that they had been freely spying for some time.

Mt. Gox Hacked

This remains the biggest cryptocurrency exchange hack. The details are still a mystery, but hackers made off with 850,000 bitcoins, worth over $6.5 billion today. As these funds were effectively held in trust for many owners, it led to the end of Mt. Gox, which at the time was the biggest exchange in the world. Other hackers then realised such exchanges held much easy money, and exchanges became a frequent attack target.

Heartbleed

A data extraction vulnerability in SSL that allowed the discovery of a server's private keys. Once public, the method was immediately seized upon before the weakness could be patched, and it led to many more server hacks as operators were slow to apply the patches. At the time it was thought that about 500,000 internet servers were vulnerable, and it took years for this number to decline.

RowHammer

In June that year, academics demonstrated a method of flipping bits in DRAM memory without accessing them directly. Because servers are shared by many unrelated users at the same time, being able to alter another user's data was a potential disaster. For years everyone had assumed that the hardware parts of computers were bullet-proof; this led researchers to focus on hardware issues and to the later discovery of further industry-wide chip problems.

Ashley Madison breach 2015

A dating website oriented towards extra-marital affairs was hacked by a group called "Impact Team" and its internal client database was exposed to the world. This sadly caused a number of suicides after users' private affairs were suddenly revealed.

SIM Swapping

In this practice a hacker convinces a mobile phone provider to transfer a victim's phone number to a SIM controlled by the attacker. This gave them access to most of the victim's email and accounts, including their passwords, and from there to their cryptocurrency or real bank accounts, where they could steal large sums of money. This is still an ongoing threat in 2020.

Ukraine power grid attacks

A cyber-attack on Ukraine's power grid caused blackouts across western Ukraine and was the first successful attempt to take control of a country's power grid. Like Stuxnet it was aimed at an industrial target, but this was the first such attack to affect the general public. The threat remains possible today.

DNC hack 2016

The Democratic National Committee admitted it had suffered a security breach after copies of documents and emails from its servers were freely published. It was later determined that two Russian "Bear" groups were responsible and that the stolen data was used by Russian intelligence in an attempt to influence the upcoming US presidential election.

Yahoo hacks revealed

Later that year Yahoo finally admitted that it had suffered two breaches over the previous four months, one of which proved to be the biggest in the history of the internet. N.Z. users may remember that Xtra.co.nz had contracted Yahoo to provide their email services, and many of us received lots of spam originating from these clients. After repeated occurrences this eventually led Xtra to cancel the contract and appoint an NZ-based company instead.

The Shadow Brokers

Still unidentified to this day, this group obtained hacking tools developed by the Equation Group (a codename or alias for the US NSA) and leaked them and offered them for sale by auction to the world. These high-quality tools had an instant impact: one named EternalBlue gave the WannaCry worm the ability to infect millions of computers throughout the world.

Birth of IoT botnets

In the last quarter of 2016 Mirai, a strain of Linux malware designed to infect routers and IoT devices, was released. With nearly a million devices infected, one of the biggest DDoS (distributed denial of service) attacks ever seen occurred. By attacking DNS services, almost all of the internet in the USA was brought to a halt for much of the working day. (DNS translates names like Google.com into machine addresses; knocking it out prevents any new connection to that name.) It affected many of the larger services, such as Google, Microsoft, Facebook and others.

WannaCry 2017

In May the first wave occurred: using the leaked NSA EternalBlue exploit against Windows SMB file sharing, it installed ransomware on millions of vulnerable PCs, brought hospital services in the UK to a halt and forced them back to manual systems. Virtually all versions of Windows were affected, with Microsoft having to release patches for the long-discontinued Windows XP. Unfortunately, because the update mechanism had since changed, XP machines had to be updated manually to receive them. Windows 7 initially used the same update mechanism, but Microsoft moved it to the new system, so those machines were patched automatically if updates were enabled. However, many businesses that delayed applying patches until they had been thoroughly tested became infected.

Vault 7 leaks

This was WikiLeaks' last good release. A whistle-blower provided documentation about cyber-weapons and tools used by the CIA which were able to hack iPhones, major desktop systems and browsers, and even smart TVs. Another event proving that government is not able to keep any secrets and therefore cannot be trusted with back-doors.

MongoDB exposed

The first example of databases left exposed to the internet with no password required for access. When discovered, hackers were able to delete content and leave ransom messages demanding cryptocurrency payments for the return of data that in many cases could not be supplied. Once this became publicly known, other insecurely configured databases, including MySQL, Cassandra, Hadoop and others, came under attack. Fortunately, researchers known as "breach hunters" stepped up and began reporting such misconfigurations to their owners, with many being discovered over the next two years.

Equifax

Due to a failure to patch an Apache Struts vulnerability, the personal details of almost 150 million American, British and Canadian citizens were stolen. Once again, a demonstration of the folly of not applying patches when they are released.

Coinhive and Cryptojacking

Non-destructive and in some ways actually a good idea. Coinhive provided a service that let web-sites easily install "Monero" mining software into a user's browser via JavaScript. This software used the user's spare processing power to mine for bitcoin or other cryptocurrency and returned any proceeds to the originating website after a small cut to Coinhive. The hope was that, with a user's permission, a site could do this instead of flooding the user with advertising, which seemed a fair trade. Unfortunately many hackers just installed it anyway and left it running whenever the user's browser was active. The extremely high value of the mined coins made mining attractive, but the computing power needed to succeed required so much electricity that harnessing other people's computers instead made it profitable for a while. Eventually, however, lack of profit caused Coinhive to shut down after a few months.

Meltdown, Spectre and CPU side-channel attacks 2018

The biggest security event of 2018, and perhaps ever, affected the hardware in computers. For many years Intel, and to some extent AMD and the other major CPU makers, sacrificed security in the race for more speed. Computer code is basically a list of steps to achieve a goal, and by checking conditions or state along the way it can reach that goal much more quickly.

Take your daily commute, for example. Once en route you discover the motorway is blocked for some reason and you waste much time on the journey. Adding a step to your routine before departure, checking Google Maps, allows a different and faster route. However, if while listening to the radio over breakfast you hear of a motorway accident, that knowledge means you can skip checking Google Maps and save even more time. It is similar with computer code. By reading code in advance of executing it, and playing the statistical odds, entire sections can be skipped completely. As humans we do this all the time without thinking: is the weather outside good? Is it school holidays? If so, the odds are the motorway traffic will be clear, so we skip other time-consuming checks. We might be wrong, but mostly it is the correct decision. The same applies to computer code, and with pre-analysis much speed can be gained.

The CPU, however, to simulate multitasking, switches quickly between tasks to make them seem simultaneous. It was discovered that, while doing so, the code being pre-analysed was visible to the other task and could, on a server, allow malware to inspect another user's code or data. The immediate solution was to disable the prediction features, which meant that speed could fall by 20-30%, a major issue for busy servers. CPU makers were able to update the microcode in the latest chips to help, but a huge number of internet services needed new computers at great expense. Various solutions were sought to minimise the effects safely, but many systems were never updated.

This was always a theoretical threat, and in practice no malware has been found in the wild that exploits these issues. However, CPU makers were given a huge fright and actually kept the issue quiet for many months after it was first discovered.

Marriott gets hacked

In November around 383 million of its guests had their details exposed. While not on the same scale as the Yahoo breach, it is still very significant. Investigators eventually discovered a RAT (a Remote Access Trojan) in the reservations system. This allowed the use of the Mimikatz tool to determine usernames and passwords. It was never disclosed just how the RAT was introduced into the system.

2019 - The year of Ransomware

More issues affecting Intel CPU hardware have been discovered and published. The most frequent issue, however, has been the rise of targeted ransomware, probably delivered by extremely effective social engineering. The number of large groups infected and the size of the ransom demands have been huge. Rather than targeting individual consumers on their home PCs (whose numbers are likely falling due to the increased use of mobile devices), many larger businesses and organisations have been successfully infected, with huge ($1,000,000) sums demanded. In several cases the affected groups shared cloud services for common booking and data access, through which the ransomware was able to spread, knocking out their entire operations.

2021 - The big boys are hacked.

The SolarWinds hack is probably the biggest such event ever. SolarWinds provides security software to many ISPs and large companies, including Microsoft. Hackers were able to make changes to its product and sign it with SolarWinds' private key. The infected software was then installed by all of SolarWinds' clients. This backdoor gave the hackers access to all those clients and let them install further backdoors there. They were then clever enough to remove their changes from the SolarWinds software, and no one suspected the infections for months, by which time the hackers had accessed information from any client they wished.

The exact details of the whole event have been publicly documented by Microsoft, based on its thorough investigations.

The USA oil pipeline - ransomware again rears its ugly head. When will these companies learn that operational equipment must never accept writes from internet-connected devices, and that any connection must involve an air-gap?

SQRL (Secure, Quick, Reliable, Login)

After five years of development this project is now complete, in the public domain, and therefore available free to all. Versions are available for most devices, with the native Windows version on Steve Gibson's site at GRC.COM. Virtually every website you visit today requires a login and password as authentication in order to participate, and since it is impossible for users to remember all of these, the same ones are frequently used everywhere, allowing easy discovery by hackers for identity theft or worse.

SQRL completely eliminates this weakness along with many other security issues. It allows an individual to create one very private identity for access to any supporting web-site without ever revealing that identity to anyone at all. Supporting web-sites will immediately recognise you and automatically log you in whenever you return. It is expected that website support will grow rapidly.

Moreover, it is impossible for anyone else to impersonate you, or for you to be logged in to a rogue or imposter site. Also, if a web-site database gets hacked (like the many above over the last decade), the SQRL authentication system gives that site no password to keep. Instead the site holds a unique public key, which only your SQRL ID can generate, and it later confirms your identity by having you decrypt a random-number challenge using your matching private key. These keys are generated on the fly during each visit; they are different for each specific web-site but identical on every visit to it, and they are never stored locally. The key pairs are generated by SQRL using elliptic curve encryption combined with your unique password-protected ID and the website URL. They are therefore unique to every individual SQRL user and web-site in the world.

Very important and secure websites, such as your bank, simply link your public key to your account and will likely remove your password, as it is now redundant and was always a weakness.
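As an added example, not the SQRL reference code or anything from GRC, here is a simplified Go model of the mechanism described above: a per-site Ed25519 key pair derived from a master identity key and the site's domain, a site that stores only the public key, and a challenge-response login. The HMAC-SHA256 derivation and Ed25519 are assumptions modelled on SQRL's published design; the password protection of the identity and SQRL's other features are left out, and names such as siteKeyPair, Site and Login are this example's own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// siteKeyPair derives the per-site Ed25519 key pair in the simplified model of SQRL's
// scheme assumed here: HMAC-SHA256(master identity key, site domain) seeds the pair, so the
// same identity at the same domain gives the same pair every visit and any other domain an
// unrelated one (a look-alike phishing domain therefore gets a key the real site never saw).
func siteKeyPair(masterKey []byte, domain string) (ed25519.PublicKey, ed25519.PrivateKey) {
	mac := hmac.New(sha256.New, masterKey)
	mac.Write([]byte(domain))
	priv := ed25519.NewKeyFromSeed(mac.Sum(nil)) // a 32-byte MAC is exactly an Ed25519 seed
	return priv.Public().(ed25519.PublicKey), priv
}

// Site models the server. Registering a user means storing their site-specific public key;
// no password and no master key ever reach it, so a breach of Users yields nothing reusable.
type Site struct {
	Domain string
	Users  map[string]bool // keyed by raw public-key bytes
}
// Challenge issues a fresh random nonce; signing it proves possession of the private key.
func (s *Site) Challenge() []byte {
	nonce := make([]byte, 32)
	rand.Read(nonce)
	return nonce
}

// Verify accepts only a registered key whose signature over this exact nonce checks out.
func (s *Site) Verify(pub ed25519.PublicKey, nonce, sig []byte) bool {
	return s.Users[string(pub)] && ed25519.Verify(pub, nonce, sig)
}

// Login is one visit: derive the site key, sign the site's challenge, and let the site check
// it against the public key it holds. The private half lives only for this call, never on disk.
func Login(masterKey []byte, site *Site) bool {
	pub, priv := siteKeyPair(masterKey, site.Domain)
	nonce := site.Challenge()
	return site.Verify(pub, nonce, ed25519.Sign(priv, nonce))
}

func main() {
	master := []byte("constructed demo master key, not a real identity") // constructed value
	bank := &Site{Domain: "bank.example", Users: map[string]bool{}}
	pub, _ := siteKeyPair(master, bank.Domain)
	bank.Users[string(pub)] = true // account linking: the site keeps only the public key
	fmt.Println("login at bank.example:", Login(master, bank)) // true
}
```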

SQRL allows your protected ID to be securely and easily transferred to your other devices so that they can authenticate you when you visit the same web-site from them. Because your ID is password-protected, it always needs to be unlocked first (with quick options) before SQRL can function, thus preventing use by anyone else. There are many other features, with virtually every possible situation provided for.

In human terms, this is like being able to prove to someone that your DNA signature is the same as before without ever revealing your actual DNA profile. For downloads or a full and detailed explanation with video tutorials (as deep as you wish) visit https://www.grc.com/sqrl/sqrl.htm