Software failures

Software Fail Watch, Q2 2017: Hacking and Cyber Attacks are the New Normal

Q2 2017 is, without a doubt, one of the most sensational quarters we have recorded in the Software Fail Watch to date. (And that’s after a 2017 Q1 of defects impacting divorces, the deceased, and the dark web!)

In the past years, we have observed both an increase in the number of hacks reported, as well as the public attention those hacks gain. In October 2016, an unprecedentedly wide-scale DDoS attack crippled much of North America’s internet for the better part of a day, taking down global power players such as Twitter, Netflix, CNN, and more. It was one of the biggest software fail stories we recorded in 2016.

And yet that story pales in comparison to WannaCry.

WannaCry was the name given to a ransomware cyber attack that took place in mid May and hit more than 230,000 computers in over 150 countries – making it the largest ransomware attack in history. The virus, which primarily targeted a common but out-of-date version of Microsoft Windows, locked operating systems, holding the contents for ransom until the users paid a fine. As reported by CBS News,

“Hackers tricked victims into opening corrupt links in emails disguised as invoices and security warnings. The attack held entities hostage by freezing computers, encrypting data and demanding money through online bitcoin payments. By encrypting files, hackers rendered them unreadable, and demanded $300 in ransom to decode them. The amount would double after three days. If ignored, hackers warned, the data would be destroyed.”

The WannaCry virus spread stunningly fast. Within less than 24 hours, the British National Health Service (NHS), Germany and Russia’s national railway, Chinese universities, Spanish and Russian phone companies, Brazilian social security agencies, Slovenian factories, and many more had fallen victim.

It took 3 days and a 22-year-old British security researcher (now being hailed as a hero) to finally halt the attacks. Global financial damage is estimated to reach upwards of $4 billion.

Welcome to the new normal.

Analysts worldwide stated that the most frightening aspect of WannaCry was not the severity of the attack, but the fact that it was likely just the beginning of the new generation of cyber attacks. The perpetrators behind WannaCry were never identified, and there are many more people in the world capable of orchestrating new attacks that are just as sophisticated.

This should force us all to stop and reconsider the way we approach cyber defense and security. Unfortunately, however, any positive changes will not come overnight, and all too often, security is shelved in favor of quick product roll-outs and quick profit.

WannaCry was not the only cybersecurity story to make our jaws drop this quarter. Q2’s software fail stories clock in at 101, 25% of which are security vulnerabilities.

Some of the other highlights include:

“Bug discovered in software could ‘do a lot of damage’ if exploited”

This rather vague headline is alluding to a critical vulnerability discovered in the software used to control sensitive Australian government sites. Those sites include nuclear plants, air force bases, and more. Source

“Report: Facebook bug revealed employees’ identities to suspected terrorist groups”

A Facebook bug revealed the identities of over 1000 members of Facebook’s counter-terrorism department contractors, forcing some into hiding. A Facebook representative stated that the bug had been fixed, however the damage done may be irreparable.  Source.

“Eavesdropping Malware Discovered Gathering Audio Data in Ukraine”

A new malware dubbed “Operation BugDrop” turns every computer into a listening device – making it today’s most effective spy. The malware installs itself through a phishing attack, circumventing antivirus software and planting a key into the computer’s registry. Not only does the software record and back up conversations to an external server; it can also search a hard drive and extract files.  Source.

“GE fixing bug in software after warning about power grid hacks”

General Electric discovered a bug that could allow hackers to control and shut down parts of the electric grid. According to the article, “Interest in grid security has intensified amid the increased use of cyber weapons by nation states, including two high-profile cyber attacks in Ukraine that authorities in Kiev have blamed on Russia.”  Source.

Really, we shouldn’t be surprised. For years now, techies and science fiction fans alike have been speculating about the future of defense, intelligence gathering, terrorism, and security in light of our increasingly interconnected world. Cyber security experts have long been warning that wide scale, debilitating cyber attacks and hacks were on the horizon. Cyber security has become enough a part of the public dialogue that the topic has made its way into Hollywood in the form of hit shows like Mr. Robot.  Now, it’s made the leap from science fiction and ominous warnings to current events with palpable impacts. The question remains: will the way we build and test software take a parallel leap forward as well? More on Software Failures:

Software Fail Watch: Q1, 2017
Software Fail Watch: 2016 in Review
Software Fail Watch 2016, Quarter Three
Software Fail Watch 2016, Quarter Two
Software Fail Watch 2016, Quarter One
Software Fail Watch: 2015 in Review
Software Failures of 2015: Quarter Three
Software Failures of 2015: Quarter Two
Software Failures of 2015: Quarter One


Check out our Tricentis Tosca factsheet today to see how you can make sure you never experience a newsworthy software failure.