A lot of online security debacles have branded the last few years as a turbulent period of constant cyber threats. Even the end users with no real technical background are quite familiar with Meltdown, Spectre and WannaCry. All codenames for cyber security disasters that have hit big players and their users in the past year or so.
For us, the end users, only one thing is important: “Have these corporations learned anything from the past attacks, and is our data safe and sound out there in the cloud?” Let’s see what the current situation is in the neverending war between cybercriminals and big corporations.
Meltdown and Spectre
The year has barely started and there are already two huge cybersecurity debacles on the scene – Meltdown and Spectre. These names stand for the newly discovered flaws in the AMD, AMR and Intel chips. Hackers can exploit these flaws to get their hands on the data.
In fact, this flaw makes kernel memory data accessible by other programs. Intel and AMD have designed their processors to become better at prioritising tasks, which has left a vulnerability in kernel and cache memory.
Cybercriminals can use this flaw to extract encryption keys and passwords from operating systems and programs. What’s even more important is that this flaw is present in all Intel processors, even the ones released in the mind 1990s.
This is the first time in history that a major flaw in hardware architecture has had consequences of this magnitude. What did Intel and AMD do? They have addressed the hardware problem by releasing a series of firmware updates to patch this vulnerability.
Now that we know where the problem lies, it will be easier to see if these two giants have learned their lesson after we get our hands on their new series of processors.
Is IoT an Darkweb Extension?
There are millions upon millions of sensors and devices connected to the internet. While this huge IoT network and devices make our lives much easier, one question still remains: “Is it safe?” History teaches us quite the opposite.
Don’t tell me that you have already forgotten the Mirai botnet attack from 2016? Let me refresh your memory. A group of hackers managed to bring down the majority of America’s internet by turning dozens of IoT devices into bots and using them for a massive DDoS attack.
Since the target was a company in charge of domain name system infrastructure, websites such as CNN, Twitter, Netflix, the Guardian and Reddit were down for more than a day.
And what was the public announcement to follow this unfortunate event? “We have a serious problem with the cyber insecurity of IoT devices and no real strategy to combat it,” said David Fidler, adjunct senior fellow for cybersecurity at the Council on Foreign Relations.
He then added: “The IoT insecurity problem was exploited on this significant scale by a non-state group, according to initial reports from government agencies and other experts about who or what was responsible. Imagine what a well-resourced state actor could do with insecure IoT devices.”
KRACK Wi-Fi Vulnerability
Finally when things had settled down by the end of 2017, we learned that the majority of our Wi-Fi networks can be used against us. Fortunately, the KRACK vulnerability was discovered by a “good” guy, Mathy Vanhoef, who immediately informed the companies that they have to make certain security updates to render the KRACK exploit unusable.
This time, the vulnerability was not related to hardware or specific software, but to the Wi-Fi protocol itself. What this means is that any device that is connected to Wi-Fi is exposed to vulnerability. Hackers can use it to hijack an entire network and the devices on it, or simply to sniff the communication on the network and extract passwords, credit card information, etc.
Have the Big Players Learned Anything?
It seems that the only thing that the big players have learned is that the war against the cybercriminals and exploits cannot be won in one battle. This is why all the big players hire ethical hackers to test their networks, services and products for vulnerabilities and exploits, and pay them serious money to do so.
At the end, since the big players are only driven by the ROI, the world’s governments have to push legislation that will hold these corporations responsible under serious penalties. Maybe then we will see a well-planned strategy and a co-joined effort in preventing cyber security debacles from occurring in the future.