The Year in Security: A Recap of 2014's Biggest Security Stories
One hack after the next, large-scale data breaches, and high-risk vulnerabilities, are just a few of the many major security issues that have been chronically compromising organizations, users, and other businesses in 2014. Before we look forward to the rest of 2015, here's a recap of last year's biggest security stories—the ones that impacted a large number of users and various industries—so we can learn from past incidents.
One of the biggest security threats in terms of impact, the Heartbleed bug, which was disclosed in April 2014,is a critical vulnerability in the popular OpenSSL cryptographic software library that affected many websites.
The Heartbleed vulnerability allows an attacker to read the memory of systems that use certain versions of OpenSSL, potentially allowing the contents of the server’s memory to leak. Obtaining the keys allows malicious users to spy on all communications made on that system, enabling further exploits. While the use of OpenSSL is widespread, the impact of Heartbleed is mitigated depending on the configuration of the systems using it. Affected parties were encouraged to upgrade to OpenSSL version 1.01g, patch systems, and change or reset passwords for different websites accordingly.
Just a few months after the Heartbleed bug broke out, another major vulnerability known as Shellshock was discovered on September 2014. Shellshock is a flaw in the Bash shell, a standard component on most versions of UNIX and Linux operating systems as well as Mac OSX. The vulnerability allows attackers to run malicious scripts in systems and servers which compromises everything in it. The reach of affected systems is very broad since Linux powers over half the servers on the Internet, Android phones, and a majority of the devices in the Internet of Things (IoT).
The Hack of Sony Pictures
The Sony hack, is the massively controversial hack attack that happened in late November of 2014. The attack maimed the corporation and forced them to shut down their entire corporate network after a threatening message appeared on their computer screens. The hacker group calling itself the Guardians of Peace (GOP) took over the corporate network, stole a treasure trove of sensitive data and dumped them online to expose plenty of private information such as email exchanges of executives, names and passwords, and personal information of involved parties. US officials initially concluded that North Korea ordered the cyber-attacks. An ongoing investigation is still being held and the FBI is closely working with multiple departments and agencies to trace the source.
Recently, UK police arrested a suspected member of Lizard Squad, a group of hackers who admitted to carrying a major Distributed Denial of Service (DDoS) attack on the Sony Playstation and Microsoft Xbox games network.
iCloud Celebrity Photo Hack
Data breaches have become a rather anticipated security issue that occurs at least once every month. The iCloud hack that went down in September involved leaked nude photos of famous celebrities posted by an unnamed hacker at the time who managed to get into the A-list celebrities’ iCloud accounts. Interestingly, the hack could not have come at a worse time for Apple as they were just about to stage their biggest event of the year: the launch of iPhone 6, other smart devices, and new operating systems that links to new features of iCloud. After an investigation, Apple concluded that the leaked images were a result of compromised accounts using “a very targeted attack on user name, passwords, and security questions”.
Despite the security measures practiced by the Apple App Store, a newly discovered WireLurker malware affecting OS X and iOS devices was found. This malware first infects the computer and transfers the malware when iOS devices are plugged in. What makes WireLurker unique is how it was able to scale the “walled garden”: it used a designed feature, a Trojanized app, which resulted in the successful infiltration of both jailbroken and non-jailbroken devices.
- JP Morgan – the breach of this investment banking firm rocked the headlines in October 2014 as it has caused the leak of one of the largest numbers of records to date, reportedly reaching an estimated 76 million households and 7 million small businesses. The breach resulted in the compromise of user contact information that includes names, addresses, phone numbers, email addresses, and others.
- eBay – shortly after the chaos of Heartbleed passed, the giant online auction house, eBay, suffered a breach that compromised a database containing names, encrypted passwords, email addresses, physical addresses, phone numbers, and birthdates of customers. eBay notified customers to change their passwords immediately and to stay updated on the development of the investigation.
- Kmart – in October 2014, Kmart announced that its point-of-sale systems were breached. According to reports, Kmart’s PoS registers were compromised by malicious software that stole customer’s credit and debit card information. Affected and non-affected customers are encouraged to regularly check credit card reports and statements and make sure that operating systems and applications running across all devices are updated. The next to toss its hat into the PoS data breach ring is nationwide fast-food chain Dairy Queen. It took nearly six weeks after the report broke out about the breach before Dairy Queen confirmed the news. The malware installed on the PoS systems in 395 stores resulted in stolen customer account credentials.
- Home Depot – the Home Depot attack was carried out in September 2014 and it was suggested via Home Depot’s corporate website that the breach affected users who shopped in their US and Canadian branches from April 2014 onwards. It has been claimed that the information of up to 60 million cards may have been stolen. The Home Depot breach is by far the largest known breach of a retail company’s computer network.
- White Lodging – the company that manages 168 major hotels including Marriott, Hilton, and Sheraton suffered a data breach at 14 hotels that exposed customer credit and debit card information. Reports say that the breach mainly affected restaurants, gift shops, and other establishments within hotels managed by White Lodging.
Internet of Things (IoT) Insecurities
- Hacker Hijacks Baby Monitor – much has been said about how the Internet of Everything (IoE) can change how we live. However, with the gradual but certain advancement and adoption of IoT technologies, threats are inevitable. In April 2014, a man hacked into the baby monitor of a couple, yelling terrifying obscenities through the device. The intrusion highlights the security flaws within the IoT and why users must safeguard their connected devices and ensure a secure network.
- DEF CON 22 Turns up the Heat on Devices – the DEF CON conference 22 that happened in August 2014 underlined how important it is to secure the Internet of Things (IoT). Many sessions focused on individual device hacks of consumer devices such as home automation systems, cars, IP cameras, and media players. Other sessions discussed Industrial Control Systems (ICS)/SCADA, traffic control systems, mesh camera networks, and medical devices.
On April 8, 2014, Microsoft announced that Windows XP will no longer be officially supported. In the absence of any security patches from Microsoft, the potential for criminals to take advantage of the situation is significant for both users and enterprises as they will continue to be targeted.
ReginThe discovery of Regin, a sophisticated malware used as a spying tool against businesses, government, infrastructure operators and even private individuals, highlighted the reality and dangers of espionage and surveillance. Though Regin’s origin and existence is unclear, reports suggest that it has carried-out long-term stealthy surveillance on telecommunication companies. Known victims include a Belgian telephone company, leading to suspicions about the threat actors behind this attack.
2015 and Beyond
As we look back at the past security incidents in 2014, we should learn from them and be reminded of what to avoid, what to improve, and what to anticipate. In retrospect, while we’ve seen the bad and the ugly, some good still managed to come out of these incidents, such as improved authentication methods to enhance security and user privacy. Many high-profile companies like Facebook, Google, and Microsoft now support some type of two-factor authentication, while Apple has made a big leap in terms of device security and privacy. With these developments, we can expect many positive implementations in the security landscape for the year 2015
Like it? Add this infographic to your site:
1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V).
Image will appear the same size as you see above.
- Ransomware Spotlight: Trigona
- Steering Clear of Security Blind Spots: What SOCs Need to Know
- Understanding the Kubernetes Security Triad: Image Scanning, Admission Controllers, and Runtime Security
- Preempting Threats to Connected Cars: The Importance of Cybersecurity in a Data-Driven Automotive Ecosystem
- Your Stolen Data for Sale