The 10 Biggest Security Stories Of 2014
Dangerous Flaws, Government Surveillance And Historic Breakups
The fallout over the National Security Agency documents leaked by former NSA contractor Edward Snowden continued in 2014, raising awareness about data security and control, the protection of content in Web-based services, and whether the tools used to protect sensitive communication can truly be trusted. Meanwhile, high-profile data breaches, starting with retail giant Target, dominated the headlines. The public was outraged over the state of funding to help maintain open-source projects despite widespread use of open-source code in proprietary systems sold by for-profit technology vendors, including Cisco Systems, Hewlett-Packard, Juniper Networks and others. It took a dangerous vulnerability called Heartbleed to raise attention to the funding gap. Security incidents, dangerous vulnerabilities and costly data breaches were relentless in 2014, and even the most optimistic security experts expect much of the same next year. CRN pulled together the biggest security stories in 2014.
10. Windows XP Retirement
Microsoft’s Windows XP operating system was finally retired with the last official security update for the venerable operating system and its Office 2003 suite in April. Windows XP had been a favorite target of attackers, with more than 70 percent of Microsoft’s security patches impacting the operating system. Leading up to the retirement, Microsoft urged businesses and consumers to upgrade to a more modern operating system. Windows 7 and 8 platforms have built-in security defenses that Windows XP lacked. Those who clung to Windows XP until the very end were given one last out-of-band emergency update in May, fixing a critical Internet Explorer flaw that was being used in targeted attacks.
9. Zeus-Gameover Botnet Takedown
Law enforcement from at least 10 countries struck a blow against the cybercriminals behind the Zeus-Gameover botnet in June. Investigators believed that the malware infections driven by the powerful botnet may have been responsible for stealing more than $100 million globally. Zeus, a banking Trojan, was designed to steal account credentials and drain back accounts. A federal grand jury in Pittsburgh unsealed a 14-count indictment against Evgeniy Mikhailovich Bogachev, 30, of Anapa, Russian Federation, charging him with conspiracy, computer hacking, wire fraud, bank fraud and money laundering in connection with his alleged role as an administrator of the Zeus-Gameover botnet. Bogachev remains at large. He’s one of 10 cybercriminals on the FBI Cyber’s Most Wanted list.
8. Shellshock Bug, POODLE
The security of widely used open-source software was again hoisted front and center. In September, a 22-year-old vulnerability in the command line of the Linux Bash (Bourne Again) shell impacted virtually every flavor of Linux and Unix. Unlike the Heartbleed bug, security experts warned that the flaw was more dangerous because it could give an attacker complete control of a victim’s system. Making matters worse, the vulnerability was thought to have impacted roughly half of the servers running websites globally. It was in a variety of devices and systems. POODLE is a weakness in SSL 3.0, a decades-old encryption protocol, that prompted browser makers to pull the plug on it after Google researchers revealed an attack technique that could break the implementation. The dangerous weakness could have fueled man-in-the-middle attacks, enabling attackers to get small bytes of data and ultimately gain access to the sensitive information in HTTPS browsing sessions. While the SSL weakness impacted only 0.3 percent of HTTPS connections, it still amounted to millions of transactions a day, according to security experts interviewed by CRN.
7. RSA Admits NSA Link
RSA has gone on record denying allegations that it was paid $10 million to deliberately set a flawed encryption implementation as the default in its Bsafe developer toolkit. The allegation stems from documents leaked by former NSA contractor Edward Snowden that describe a back door in the implementation, enabling the government to snoop on sensitive communication protected by the weakened algorithm.The allegations prompted eight speakers to boycott the annual RSA Conference, the security industry’s largest annual conference. RSA Executive Chairman Art Coviello was forced to address the issue head-on in his keynote address to attendees. He defended his company’s use of the flawed encryption algorithm, calling it necessary to meet government certification requirements.
6. Apple iCloud Security Hack
There may have been more serious threats in 2014, but no attack got as much attention as the leak of nude celebrity photos in September. The photos, including those of Oscar winner Jennifer Lawrence, model Kate Upton and musician Ariana Grande, were backed up and stored in their Apple iCloud accounts, a service that was thought to be private. Apple, which was gearing up for its annual new product unveiling, blamed the security incident on a phishing attack and not a breach of its systems. The attackers gained access to the celebrity Apple iCloud accounts by targeting their user names, passwords and guessing the answers to their security questions. The news dominated the headlines for at least a week and shined a light on the need for stronger passwords and to be on guard for phishing attacks. No matter how much trust you have in a company, users are always at risk of being targeted and having their account hijacked, security experts told CRN. No service is bulletproof.
5. CryptoLocker Ransomware
CryptoLocker, the ransomware that encrypts the files of a victim’s machine and then demands the victim pay a fine to obtain the keys to the encrypted files, kept solution providers busy for months working to help small-business owners recover from the infection. The only known way to recover from the threat is to use the most recent backup. Researchers said the criminals behind CryptoLocker made millions and followed through on providing the decryption passcode to those victims who paid the fee. CryptoLocker was shut down following legal action in June, but new and dangerous ransomware families emerged. CryptoWall is equally as painful, solution providers said. The lesson: Ensure that your systems are backed up.
4. Sony Pictures Hacktivist Breach
An attack group calling itself "Guardians of Peace" struck Sony Pictures Entertainment in November, locking up corporate PCs and ultimately gaining seemingly unfettered access to the company’s databases. The details about the processes and technology that either broke down or were bypassed by the attackers are still unknown. The hacktivists' motives are being linked to Sony’s upcoming comedy, ’The Interview,’ in which two journalists go to North Korea to assassinate Kim Jong Un. The embarrassing breached leaked copies of pending film releases, top Sony executive salaries, actor contracts and the details on thousands of Sony Pictures employees. Experts also note the destructive malware used in the attack. Called Destover, the Trojan steals all the data on a system and then destroys it and wipes the boot loader, making the PC useless.
3. Heartbleed Bug
The OpenSSL Project issued an update to its widely used encryption protocol library in April, setting off a cascade of security updates in network devices, including hundreds of thousands of Apache servers behind some popular websites and social networks. The flaw, dubbed Heartbleed because of an error in its ability to process Heartbeat Extension packets, gave attackers the ability to steal the keys to digital certificates. Security experts urged the public to change their passwords, which could have been compromised by the two-year-old software coding error. But possibly more importantly, the attention given to the vulnerability prompted some of the world’s largest technology companies to create a multimillion-dollar fund to help bolster open-source software security and innovation.
2. Target Breach
The massive data breach at retail giant Target took place during the 2013 holiday shopping season. It impacted 40 million debit and credit card holders and 70 million records of other customers. The company didn’t officially acknowledge the security incident until January, when an investigation determined that memory-scraping malware removed the data from Target’s point-of-sale systems. The breach was the second largest at a U.S. retailer, being bested by TJX Cos Inc. in which thieves cracked the company’s Wi-Fi, gaining access to 90 million credit cards at its T.J. Maxx and Marshalls stores in 2007. The breach hoisted corporate responsibility into the limelight. In March, Target CIO Bob DeRodes resigned after serving in the role since 2008. Target CEO Gregg Steinhafel, who had been at the company for 35 years, resigned in May, announcing that he was holding himself personally accountable for the breach and pledging that Target would emerge a better company.
1. Symantec Woes
Symantec fired CEO Steve Bennett in March for not moving fast enough in turning around the beleaguered company. Bennett had overhauled the company internally, laying off thousands and causing a slew of executive departures. Under Michael Brown, the interim CEO who would be named the company’s permanent replacement in September, the company planned its breakup. In an historic announcement in October, the company announced plans to split its security and storage product lines into two publicly traded companies. Symantec acquired data storage vendor Veritas Software for $10.2 billion in 2005 in a move overseen by then-CEO John W. Thompson, making Symantec the largest software maker. Nearly a decade later it became clear, according to Brown, that Veritas had no real synergy with its security business. The breakup is slated to be completed at the end of 2015.