Back in 2018, my former VICE Motherboard colleague Joseph Cox and I started publishing a list of the best cybersecurity stories published elsewhere. It wasn’t just a way to tip our hats to our friendly competitors. By showing the stories of other publications, we gave our readers a more complete picture of what had happened in the world of cybersecurity, privacy and surveillance in the year just ended.
Our original inspiration was Bloomberg Businessweek’s Jealousy List, a running summary of the best stories published in other media, as selected by Bloomberg reporters and editors.
Now that both Cox and I have moved on from Motherboard, we at TechCrunch are picking up our Cyber Jealousy List to recap the best cybersecurity stories of the year — and the ones we envied the most. — Lorenzo Franceschi-Bicchierai.
If you were online in October 2016 and lived on the US East Coast, you probably remember that day when major websites like Twitter, Spotify, Netflix, PayPal, Slack and hundreds of others went down for a few hours. As it turned out, this was the work of three enterprising young hackers who had created one of the most effective distributed denial of service tools ever created.
In this long piece, Andy Greenberg profiles the three young hackers and tells the untold story of their lives, from teenage computer nerds to accomplished cybercriminals — and, in the end, to reformed cybersecurity professionals. Settle into a comfortable chair and give this must-read your full attention.
In September, an unholy alliance of Russian cybercriminals and Western teenagers with exceptional social engineering skills reportedly hacked and crashed MGM’s casinos in Las Vegas, causing widespread disruption. This was one of the most talked about cyberattacks of the year and several posts went down in history. Jason Koebler, former editor-in-chief of VICE Motherboard and now one of the co-founders of the employee-owned shop 404 Media, had the bright idea to fly to Las Vegas and see the chaos with his own eyes. The result of his trip was a piece that showed just how badly MGM was hit, resulting in a “nightmare” for casino workers, as Koebler put it.
NPR’s cybersecurity correspondent Jenna McLaughlin reported from Kiev, producing a series of excellent news and audio stories about life in wartime Ukraine from those who defend the country after the Russian invasion. Cyberwarfare played an important role in the war, with cyberattacks affecting Ukraine’s energy sector and its military operations. McLaughlin’s dispatches include extended meetings with leading cyber advocates, reporting on Ukraine’s defensive (and offensive) operations against its Russian aggressors, coupled with highlights of normal Ukrainian daily life, with football, of course.
In a surprising about-face, electronics maker Anker admitted that its supposedly always-encrypted cameras weren’t always encrypted. Long story short, a security researcher found a bug showing that unencrypted customer video streams could be accessed, despite Anker’s claims that its Eufy cameras were end-to-end encrypted. The Verge verified and replicated the findings of the security researcher, and Anker finally admitted that its cameras were not end-to-end encrypted as it had claimed and had indeed produced unencrypted streams. Hats off to The Verge for its impressive and tenacious reporting, which got to the bottom of Anker’s misrepresentations and poor attempt to cover them up.
In 2020, Russian government hackers secretly injected malicious code into the supply chain of software made by SolarWinds, a technology company whose customers range from large corporations to federal government agencies. The hack was stealthy and incredibly effective, giving the Russians the opportunity to steal secrets from their rival country. Veteran cybersecurity reporter Kim Zetter spoke to the people who helped investigate the incident and reconstructed the stealth hack almost blow-by-blow in an incredibly detailed and in-depth investigation. Zetter also published an easy-to-use and thorough timeline of events on her Substack, which is worth signing up for if you haven’t already.
For years, very few people knew about the existence of an Indian company called Appin. But thanks to an investigation based on “interviews with hundreds of people, thousands of documents and investigations by various cybersecurity firms,” as Reuters put it, its team of journalists reported and published evidence showing Appin to be a hacking-for-hire operation that helped obtain information on executives, politicians, military officials and wealthy people around the world. This is one of the most detailed and exhaustive looks at the shadowy world of hacking-for-hire companies, which don’t work for governments like Hacking Team or the NSO Group, but instead for wealthy private clients. The story itself made headlines when Reuters was forced to delete the story to comply with a New Delhi court order. Reuters said in an editor’s note that it stands by the report.
Trickbot is one of the most active and damaging Russian cybercrime syndicates, having hit thousands of companies, hospitals and governments in recent years. In this investigation, based on interviews with cyber experts as well as an analysis of a trove of data from the ransomware gang leaked online, WIRED’s Matt Burgess and Lily Hay Newman revealed one of Trickbot’s key figures. The reporters identify him as a Russian who says he is “addicted” to Metallica and likes the classic movie “Hackers.” A week after the journalists’ story was published, the US and UK governments announced sanctions against 11 people for their alleged involvement in Trickbot — including the man identified in WIRED’s original story.
“I was amazed at how easily someone could steal my phone,” wrote Business Insider’s Avery Hartmans, whose phone number was compromised by someone who tricked her carrier, Verizon, into thinking it was her. Our phone numbers are linked to our bank accounts, password resets and more, so SIM swapping can have a terrifyingly damaging impact on a person’s life. In this case, by exploiting this single point of failure, the hacker was able to run up thousands of dollars in fraudulent purchases in Hartmans’ name. Hartmans’ amazingly detailed first-hand account of tracking down the SIM swapper with unwavering determination—with help along the way—was an incredible way to raise awareness of these kinds of targeted SIM swapping hacks, and mostly to show how useless most companies can be at helping.
Data containing about a year’s worth of facial recognition requests obtained by Politico reporter Alfred Ng shows that in the year after police in New Orleans began using facial recognition, the practice failed to identify suspects most of the time and was used almost exclusively against black people. The use of facial recognition by police, law enforcement and government agencies remains a highly controversial practice throughout the United States. While critics say facial recognition is deeply flawed on a technical level because it is almost always trained on white faces, Ng’s report confirms what civil rights advocates have also argued for years: that facial recognition reinforces the human biases of authorities using this technology. Or, in the words of one New Orleans council member who voted against facial recognition, that New Orleans’ use of facial recognition is “totally ineffective and blatantly racist.”
Just as last year was coming to an end, password manager LastPass confirmed that cybercriminals had stolen its customers’ encrypted password vaults, which store its customers’ passwords and other secrets, during a previous data breach. The full impact of this theft remained unknown until September 2023, when cybersecurity reporter Brian Krebs reported that several researchers had identified a “highly credible set of clues” that appeared to link more than 150 victims of crypto theft to stolen LastPass password vaults. According to Krebs’ extensive reports, over $35 million in crypto has been stolen so far. One of the victims, who had been using LastPass for more than a decade, told Krebs that they were robbed of about $3.4 million worth of various cryptocurrencies.
