The Weird and Wild Stories of 2016

There are any number of adjectives one could employ to describe 2016, most of which can’t be printed here. One of the gentler descriptors we can use is “interesting”. This year was nothing if not interesting. There were data breaches of epic proportions, companies getting owned in new and creative ways, and all kinds of really unusual research projects.
Given the way 2016 has gone down, it may be dangerous to put together a list like this when there’s still time on the clock. We could be tempting fate, but here’s a list of some of the more interesting stories we came across this year.
Yahoo. Seriously? In September, Yahoo announced that it had been the victim of a massive data breach that dated back to 2014. The company said that the ever-popular state-sponsored attackers had compromised Yahoo systems and stolen data from 500 million user accounts. That number makes it one of the larger breaches of all time. Within days, a group of senators asked Yahoo CEO Melissa Mayer for answers about the breach. And then, in November, Yahoo said that some of its employees might have known about the breach back in 2014, two years before the company disclosed it. The story just kept getting weirder. But there was more to come. Just two weeks ago, Yahoo disclosed a second breach, this one affecting more than a billion users. The scope of the two incidents is truly staggering, even in an era of unrelenting breach headlines.
That was only one piece of the Yahoo story, though. The other, even weirder, part involves reports that  the Justice Department in 2015 served the company with an order to search all of its users’ incoming emails for a specific set of terms. Yahoo officials said there was no email scanning system in place, but didn’t say whether it had existed in the past. Then things got truly weird. Yahoo sent a letter to the Director of National Intelligence asking him to say publicly whether the email scanning order exists and to declassify it if it does. That hasn’t happened yet, but given the way this story has played out, it wouldn’t be a major surprise if it did.
The future of hacking arrived in one tiny device. Samy Kamkar has created a long list of cool gadgets that do unusual things. There was the toy drone that can hack other drones, the USB wall charger that’s actually a remote key logger, and the kids’ toy that can open any garage door. In November he released his latest creation, PoisonTap, a USB device that can hijack all of the Internet traffic to and from a computer, install a persistent backdoor, and steal web cookies, along with many other things. The capabilities are all packed onto a tiny Raspberry Pi Zero board and Kamkar released all of the code for PoisonTap publicly and said that there’s probably more that can be done with it. This is the kind of cheap, powerful, stealthy tool that shows how quickly and easily attackers can do their thing with victims being none the wiser.
Smart devices kept getting dumber. Few things have become more annoying more quickly than the Internet of Things. The race to add WiFi radios, GPS units, and computers to every device under the sun has created a huge population of incredibly insecure machines just waiting to be hacked. And many, many, millions of them were hacked in 2016. A lot of those devices wound up in the Mirai botnet, a network of hacked IoT devices, mostly DVRs and IP-enabled cameras. The botnet was linked to several of the larger DDoS attacks ever seen, including one against DNS provider Dyn, which  knocked many popular sites offline in October. Mirai wasn’t alone. There are other IoT botnets operating right now, and there certainly will be more coming, because embedded device security isn’t showing any signs of improvement.
The ransomware problem got weird. Crypto ransomware has been a major problem for several years now, and the pace of development and infections didn’t slow down in 2016. New strains of ransomware emerged on an almost weekly basis and the malware began infecting all kinds of non-PC devices, including smart TVs, phones, and even some vehicles. But there was a lot of progress on the other side too. The creators of the TeslaCrypt ransomware shut the operation down and released the keys in May, and researchers were able to publish the master decryption key for the CrySis ransomware, as well. New tools emerged to address the problem, too, including Ransomwhere?, a generic ransomware detection tool for OS X. The research community has done a lot of good work on the problem this year, but with all of the money being made by the ransomware groups, the problem isn’t likely to disappear.
Image: Dafne Cholet, CC By license.