X

Slasher or hacker? These 2016 hacks gave us nightmares

With so many frightening cybersecurity issues this year, it was hard to tell the difference between real life and a horror movie.

Laura Hautala Former Senior Writer
Laura wrote about e-commerce and Amazon, and she occasionally covered cool science topics. Previously, she broke down cybersecurity and privacy issues for CNET readers. Laura is based in Tacoma, Washington, and was into sourdough before the pandemic.
Expertise E-commerce, Amazon, earned wage access, online marketplaces, direct to consumer, unions, labor and employment, supply chain, cybersecurity, privacy, stalkerware, hacking. Credentials
  • 2022 Eddie Award for a single article in consumer technology
Laura Hautala
5 min read
gettyimages-566440087.jpg

We've got spooky stories -- of the cyber kind -- to tell in the dark.

Getty Images

People love a good horror story this time of year. Streaming services see a surge in old favorites like "Carrie," "Saw" and "Children of the Corn," while basic cable networks show movies like "Halloween," "The Shining" and "The Evil Dead" in all-day marathons.

But real life can sometimes be scarier than anything Hollywood dreams up, especially when the scares point out how vulnerable we are to bad stuff. It can be downright spine-tingling to learn that strangers have rummaged through your email, held files for ransom or unleashed a ravaging horde of devices to bring down the internet. That's definitely more horrifying than watching Linda Blair's head turn 360 in "The Exorcist."

So grab some popcorn, gather round our digital campfire and get ready for the year's most gruesome tales of cyberattacks.

Held hostage

Ransomware has been around for a while, but it really gained attention this year when hackers sneaked into a Los Angeles hospital's computer system, encrypted its files and demanded $3.4 million to unlock the information. Hollywood Presbyterian Medical Center held out for three weeks before paying $17,000. Fourteen hospitals have been held hostage so far this year.

It's kind of like the kidnapping thriller "Taken," and unless you have a very particular set of skills, you'll probably have to pay up. According to the Institute for Critical Infrastructure Technology (PDF), other popular ransomware targets include churches, schools and people who visit porn or pirating websites. That last group of folks might not look like they belong with the others. Unfortunately for them, their favorite sites are often infected with malicious code that gets transmitted onto their computers.

The best defense against ransomware is frequent backups onto a device that spends most of its time offline. People who follow this practice can usually restore their systems in the event of an attack; people who don't do this have to pay up.

The hackable vibrator

Every summer, security researchers brave Las Vegas' blast-furnace heat for the Black Hat and Defcon hackfests, where they show all the ways they can break into sensitive systems. The most sensitive product they hacked this year could be the We-Vibe 4 Plus vibrator.

The sex toy, manufactured by Standard Innovation, pairs with a smartphone via Bluetooth and lets a partner control the sensations, from anywhere. Hackers who go by the names followr and g0ldfisk showed they could potentially take control of the device.

More worryingly, they showed that Standard Innovation was acting a bit like the villain of the teen horror flick "I Know What You Did Last Summer." How? Well, it knew what you did last summer... with your We-Vibe 4.

It turns out the company collects information about how people use the vibrator, including intensity settings and the temperature of the computer chip -- without even anonymizing user data. That changed after followr and g0ldfisk brought this all to the public's attention.

Standard Innovation has since said it would anonymize the data.

Political hacks

Hacking has had a huge impact on US politics this year. Sensitive emails were leaked after both the Democratic National Committee and the Democratic Congressional Campaign Committee were hacked this summer.

Those organizations, and US intelligence agencies, have blamed Russian government-sponsored hackers for the leaks, accusing the Russians of trying to manipulate the election.

Add to that fears that hackers could alter votes, or that people could cast fraudulent votes, and you end up with a political climate so paranoid it's like the cult classic film "They Live." In that flick, drifter Johnny Nada uncovers a startling reality: We're all being manipulated by aliens who've infiltrated the human elite, sending subliminal messages to tell us what to do and how to live. Johnny Nada just has to destroy the system broadcasting those subliminal messages to make things right again. But in real life, the US has a difficult balance to strike if it wants to keep foreign hackers out of politicians' inboxes.

Yahoo hack

The data breach Yahoo announced last month was monstrous -- affecting 500 million users in the biggest hack ever. It couldn't have come at a worse time for Yahoo, which Verizon has agreed to buy for $4.8 billion.

This was the Godzilla of hacks.

As in the original "Godzilla" movie, the Yahoo hack seems to have been born from humanity's mistakes. A test of a hydrogen bomb summons the movie monster from deep under the ocean. Yahoo's executives didn't give security the priority it deserves, half a dozen current and former company employees told The New York Times.

Yahoo hasn't responded directly to those claims, but a spokeswoman told the Times, "At Yahoo, we have a deep understanding of the threats facing our users and continuously strive to stay ahead of these threats to keep our users and our platforms secure."

DDoS attack on Dyn

We all got a wake-up call last week about the sorry state of cybersecurity, when massive internet outages swept across the US. It turned out Dyn, the company that manages internet traffic for many favorite websites, was being attacked by a horde of compromised cameras and DVRs, just like the swift legions of zombies in "28 Days Later."

Hackers took advantage of the internet of things to create the equivalent of a zombie army, using compromised devices to overwhelm Dyn with website requests. Known as a distributed denial of service, or DDoS, attack, the assault was startlingly effective.

And that's where there's another similarity to the zombie genre. The hordes of "28 Days Later" were some of the first "fast zombies" in cinema. Unlike their shambling counterparts in classics like "Dawn of the Dead," these packs of infected humans could chase down their prey in a speedy wave of death.

Last week's DDoS attack was also stronger and more powerful than anything before, showing an evolution in the tools hackers can use against their targets.

That power is spreading. The code that lets hackers enslave an army of internet-connected devices has been released publicly, making it that much easier to create a sequel to this attack.

Given how DDoS attacks are spiraling out of control, maybe we should call it "Zombie Tech-nado."