The dance among blackhat, whitehat, and greyhat hackers grew ever more intricate in 2012, thanks to a steady stream of exploits, vulnerability discoveries, and data breaches. In-the-wild attacks against Internet Explorer, the Java software framework, and other perennial favorites continued, of course. They inflicted plenty of damage on end users, but given their familiarity, they hardly stood out.

What got our attention were attacks on entirely new classes of devices or victims, or in the case of passwords and cryptography, the culmination of new exploit techniques quickly eroding the protection we once took for granted.

From our perspective, here are the five biggest security stories this year.

Flame espionage malware ushers in the age of cyber warfare

If Stuxnet and Duqu malware represented the dawning of nation state-sponsored computer attacks, the discovery in 2012 of Flame and several other espionage programs ensured electronic warfare wasn't a passing fad.

To security researchers' amazement, Flame remained undetected on high-value computers in Iran and elsewhere for at least two years. Even more impressive were the engineering feats it used to propagate and steal sensitive data. The malware wielded what's believed to be the only in-the-wild "collision" cryptography attack to hijack the Windows update mechanism so it could spread from machine to machine over networks. What's more, the collision attack was carried out using a previously unseen technique, showing it could only have been accomplished by world-class cryptographers.

This year's discovery of another state-sponsored piece of malware dubbed Gauss was also significant.

TV-based botnets? DoS attacks on GPS devices? Insecurity comes to everyday devices

Whether it was Samsung smart TVs, mission-critical GPS receivers, or electronic door locks in hotels, it seemed that just about any device with an electrical current running through it was hacked this year.

The growing insecurity of everyday devices comes as engineers endow them with more and more powerful embedded computers. Yet, the device makers fail to incorporate the types of defenses Microsoft and Apple have spent the past decade developing. Expect to see more such hacks in the coming years.

Mac malware goes mainstream

Viruses targeting Macs have been around for decades, but they had always been relegated to a decidedly niche category. That all changed this year as malware targeting OS X users finally went mainstream. Malware dubbed Flashback, which was suspected to be used in click-fraud scams, infected 650,000 Macs by one security firm's estimates. Surveillance spyware that's been common for years on Windows machines also migrated to OS X, particularly in campaigns used to spy on Chinese dissidents.

Apple engineers responded by removing Java from OS X Web browsers.

The death of the password

As Ars reported in August, 2012 was the year passwords became weaker than ever. Yes, the fall from grace had been years in the making, but in 2012 it reached a tipping point. The inefficacy of passwords was brought about by a confluence of events, including increasingly inexpensive graphics cards and a growing body of real-world passwords retrieved from high-profile websites. New techniques that accelerated the rate of some password cracking and several attacks on software that exposed plaintext passwords only strengthened the trend.

The growing vulnerability of passwords was underscored by the saga of Wired reporter Mat Honan, who chronicled it in a powerful article headlined "Kill the Password: Why a String of Characters Can’t Protect Us Anymore." Earlier in the year, the combined breach of more than 8 million passwords from LinkedIn and eHarmony offered further evidence.

Crypto attacks get meaner

This year brought about several attacks that undermined cryptographic protections many of us have come to take for granted. The most devastating was an exploit dubbed CRIME that was able to silently decrypt website credentials used to protect e-mail and e-commerce accounts. Short for Compression Ratio Info-leak Made Easy, CRIME was able to defeat the secure sockets layer protections offered on Github.com, Dropbox.com, Stripe.com, and other popular websites until website engineers were privately warned of the vulnerability. CRIME came a year after BEAST, another exploit that also showed the limitations of the SSL and transport layer security protocols. Together, those two protocols form the basis for virtually all encryption used to authenticate websites and to encrypt data traveling between them and end users.

This year's crypto attacks were by no means limited to SSL and TLS. Researchers also devised an exploit that can extract a secret key from RSA's SecurID 800, which company marketers hold out as a secure way for employees to store sensitive credentials. Attacks against virtual machines also exposed cryptographic keys. This was also the year that researchers in at least two different studies uncovered inadequate encryption protections in apps used by millions of people.

Think we overlooked a noteworthy development? Let us know below.