2016: Maybe Everything Wasn’t Completely Terrible

Let’s face it: 2016 has been pretty rough year. Things didn’t go all that well for humans in the last 12 months, and computers didn’t make out much better. Lots of things broke, and it seemed like whatever didn’t break was compromised, stolen, or lost.
But not everything was terrible. There were some encouraging developments along the way, so as 2017 looms on the horizon, here’s a look at some of the positive things that emerged this year in the world of security and privacy.
Phone fraud and robocalls hit a wall. Researchers and government agencies both made some serious progress on the problem of phone scams. The FCC has been working with carriers to address robocalls–which are often tied to phone fraud schemes–through various policy and technical solutions and AT&T has now rolled out a free app that blocks phone fraud calls. These scams, which include things like fake Google listings and the venerable IRS scheme, cost consumers and businesses billions of dollars a year. On the research front, the Jolly Roger bot emerged as a simple, easy way for potential victims to lead robocallers down a rabbit hole of pre-recorded responses and questions that mimic human interaction.
Silicon Valley pushes encryption. While the year didn’t begin on the most encouraging note for encryption supporters with the protracted Apple-FBI fight, things definitely trended upwards overall. Apple officials pushed back hard against the FBI’s demands to build a backdoored version of iOS to unlock a phone used by a terrorist, saying that doing so would endanger all of its customers. “I don’t know where this stops, but I do know this isn’t what should be happening in this country,” Apple CEO Tim Cook said. Other tech vendors got behind Apple and legislators such as Sen. Ron Wyden spoke out against weakening strong encryption. Meanwhile, encrypted messaging apps such as Signal enjoyed a major boost, as users looked for secure systems that don’t open the door to government surveillance. And the Let’s Encrypt movement, which offers free certificates for HTTPS connections on websites, went from less than 500,000 certificates issued in January to more than 22 million at the end of the year. That’s progress.
Progress continued on two-factor authentication. Many popular web services and apps have added or improved the way that they implement two-factor authentication recently. In June, Google changed the way its two-step verification process for account logins, adding a push-button system that doesn’t rely on short codes sent over SMS. Just a month later, NIST released new guidance saying that it would deprecate SMS as a method of 2FA. The reasoning behind the change is that SMS messages can be intercepted or diverted by attackers. “We’re continually tracking security research on the evolving threat landscape. Following on our approach to limit scalability and remote attacks, security researchers have demonstrated the increasing success (read: lower cost in time and effort and higher success rates) of redirecting or intercepting SMS messages en masse,” Paul Grassi of NIST said. Researchers have been focusing on 2FA issues, too. Arne Swinnen found a way to make a pile of money by forcing the automated systems at Facebook, Google, and Microsoft to call premium-rate numbers, rather than legitimate ones, during a two-step verification process. After he reported the issues to the companies, they improved the way their systems run.
That isn’t a long list and the one with all of the not-so-great things that went down this year would take days to compile. And it would be really depressing to read. Security is not easy, and there is plenty of work left to do, but it’s worth remembering that there are some things that actually do work.
Image: Ben Ostrowsky, CC By license.