2014 Security Review: The Year in Breaches, Hacks and Exploits
Some of the security incidents that dominated headlines in 2014 were predictable. Others came as a complete surprise.
- By Chris Paoli
- December 15, 2014
When it comes to IT security incidents in 2014, what's past is prologue. Most of the high-impact events that dominated the headlines this year so far had their origins in the last few years or tended to continue trends that emerged in 2013. That said, there were a few sideswipes that raised new questions about old security assumptions.
Here's a look at some of the major breaches, hacks and exploits for which 2014 will be remembered.
It was hard to miss the fact that Microsoft was finally calling it quits on its 13-year-old OS. For the past three years the company had continuously reminded customers that the time to upgrade was fast approaching, and the tone and cadence continued to rise as that fateful date in April approached.
Company officials painted a bleak picture of what life would be like once support was pulled. A legion of hackers would be at the ready, prepared to unleash a barrage of attacks and exploits on April 8. Speaking of the risks to the millions still on Windows XP, Tim Rains, director for the now-defunct Trustworthy Computing Group at Microsoft, said that users should brace themselves for a constant and unstoppable wave of attacks.
"After April 8, 2014, organizations that continue to run Windows XP won't have [an] advantage over attackers any longer," wrote Rains in a blog post. "The very first month that Microsoft releases security updates for supported versions of Windows, attackers will reverse-engineer those updates, find the vulnerabilities and test Windows XP to see if it shares those vulnerabilities. If it does, attackers will attempt to develop exploit code that can take advantage of those vulnerabilities on Windows XP. Because a security update will never become available for Windows XP to address these vulnerabilities, Windows XP will essentially have a 'zero day' vulnerability forever."
Once April 8 finally arrived, the estimated 29 percent of those Windows users still on XP at the end of February, according to a market trend study by Net Applications, braced for the worst. And the worst appeared to be greatly exaggerated.
Thanks to third-party vendors that were ready and willing to pick up Microsoft's slack (at a price, of course), many antivirus and anti-malware makers continued to provide support for Windows XP, and a whole market of security firms, including names like Arkoon Network Security, Avast Software and Kaspersky Lab, were at the ready to keep the beloved Windows XP secured. Microsoft offered its own pricey service to continue providing patches for the OS.
Even Microsoft balked a bit on cutting off Windows XP cold turkey. The company extended its free anti-malware offering until July 2015. It even issued a critical security patch to a zero-day Internet Explorer flaw for Windows XP in the beginning of May.
Last year's slow drip of detail concerning secret government surveillance programs continued all through 2014. Former U.S. National Security Agency (NSA) contractor Edward Snowden confirmed many conspiracy theorists' worst fears via the trove of secret documents he leaked to select journalists last year. While few of the subsequent reports rose to the blockbuster level of the June 2013 revelations about phone metadata snooping and the PRISM program, Snowden's documents, and reporting inspired by those documents, have filled out a picture of a voracious and massive U.S.-backed surveillance and data acquisition campaign and raised serious questions about the adequacy of existing controls on that campaign.
A late 2013 revelation about a program called MUSCULAR, involving government tapping of intra-datacenter communications at Google Inc. and Yahoo Inc., appears to have helped change Microsoft's attitude toward governments in general. Shortly after that revelation, in December 2013, Microsoft announced it was strengthening its own internal encryption, and General Counsel Brad Smith wrote on his blog, "Government snooping potentially now constitutes an 'advanced persistent threat,' alongside sophisticated malware and cyber attacks."
The ongoing stream of revelations in 2014 included reports that the NSA was working on a quantum computer to help it break sophisticated encryption, along with reporting on significant programs such as Dishfire, Squeaky Dolphin, TURBINE and ICREACH, among many others. In all, according to a summary produced by the public interest journalism organization ProPublica, roughly 50 previously secret programs have come to light as part of the Snowden-driven NSA revelations.
JPMorgan Chase & Co.
The 2013 holiday shopping season provided a valuable and costly lesson to retailer Target after its compromised point-of-sale (POS) terminals swiped financial information from an estimated 40 million users. Target learned the hard way that not securing your systems will end up costing you quite a bit in the long run. The company put the cost of the incident (which includes the loss of revenue and other breach-related costs) at $148 million. This ended up being an expensive lesson and a cautionary tale for other companies to make security a top priority. Unfortunately, the message wasn't received and 2014 was plagued with a string of high-profile data breaches from fellow retailers and financial institutions.
One of the largest breaches this year happened at a major financial institution. JPMorgan Chase reported in July that a security breach had occurred (though the actual start of the incident has yet to be disclosed) and that personal data, including names, addresses and e-mail addresses, of 76 million households and 7 million businesses was accessed by hackers, according to a follow-up report released by the company in October. While the institution assures customers and the markets that money wasn't stolen, the number of victims affected made this one of the largest data breaches ever committed.
If businesses hadn't gotten the message that attackers were stepping up their game when it comes to large-scale corporate data theft, Philip Lieberman, president and CEO of Lieberman Software Corp., says the JPMorgan Chase incident should be a wakeup call for businesses to fundamentally change how they go about securing customer info. "The lesson to be learned is that the financial services sector needs to up its cybersecurity game to move up from commercial security to military-level security," says Lieberman. "Most banks are focused on obtaining passing grades from internal and government cyber security auditors, but fail to place enough emphasis on the real and constant threats from the outside."
The Home Depot
In what was reminiscent of last year's Target incident, major retailer The Home Depot in September revealed that it had been hit by a similar attack in which hackers were able to infiltrate sales terminals with custom malware that recorded and transmitted the credit and debit card information of 7.2 million customers. While not as wide-reaching as the theft of personal info from the JPMorgan Chase incident, the breach had a much bigger impact on customers. Shortly after The Home Depot's disclosure, many affected customers' financial institutions started to report that attackers were already busy trying to rack up fraudulent charges.
Attackers are having more success with POS machines thanks to the evolution of tools that not only collect data once a card is swiped, but now have the capability to receive the stolen info in real time. And with the advancement of attack techniques and success rates, look for the trend of POS infiltration to continue to rise in both the number and types of targets.
While The Home Depot hasn't released final cost figures associated with the breach, the incident demonstrated that a breach on a single institution has a rippling financial effect. According to a survey conducted by the Credit Union National Association, The Home Depot's breach cost credit unions an estimated $60 million in costs associated with reissuing cards, tighter monitoring of accounts and fraud.
An immeasurable cost associated with the rise of retailer breaches is the loss of consumer confidence that retailers and credit institutions have the capacity to protect the customer from theft. "If someone from Capital One was to ask me what's in my wallet, you know what I am saying today and going forward? Cash -- that is what's in my wallet," says Kyle Kennedy, CTO of STEALTHbits Technologies Inc. "How many more of these major retailer security breaches will it take until everyone starts marching to the same cash-only tune?"
Given enough time, patience and effort, vulnerabilities can be found in all hardware and software. That was the case on April 1, when a flaw called Heartbleed was disclosed in the OpenSSL cryptography library, used for data encryption in a large portion of active Web servers. If exploited, an attacker could intercept unencrypted data from server memory without leaving a trace. This posed a huge issue because it would be nearly impossible to detect if an attack occurred and what kind of information was stolen.
Early estimates put the affected number of active global Web servers at 17 percent, which translated to roughly half a million Web sites that could've been at risk for the two years the flaw had been present (but not accounted for) prior to this year's disclosure.
The most troubling facet of Heartbleed was that besides completely disconnecting from the Internet, there was little end users could do to protect themselves.
The burden was squarely on the Web server admins. While patches quickly rolled out to fix the 2-year-old error, it was up to the Web server admins to quickly apply the fix to the flawed OpenSSL. The big names like Google, Facebook Inc. and Yahoo were quick to react and assured users that servers were patched as soon as the patch was released. The issue, however, continued for those that were not quick to jump on the fix.
A week after the Heartbleed disclosure and five days after a public patch had been released, the Canadian Revenue Agency said that an attacker exploited the flaw to steal private, sensitive data of 900 individuals. The agency learned the hard way that keeping software up-to-date will save you a lot of trouble in the long run.
Heartbleed wasn't it for Internet infrastructure security headaches. September followed it up with Shellshock -- a flaw in the Unix-based Bourne Again Shell (Bash) that could allow those nefariously motivated individuals to run arbitrary script on affected Web servers. Interestingly, the Bash flaw, which was located in millions of Web servers, Linux and Apple OS X systems, webcams, and routers, had been around for more than 25 years without security experts catching on.
However, as is the problem of alerting the public to the dangers of a security hole, you're also informing the hackers of its existence. Within hours of disclosure by security expert Stephanie Chazelas on Sept. 25, attackers were already exploiting the flaw to leverage distributed denial-of-service (DDoS) attacks and botnet networks were set up to take advantage of the hole.
We now live in the era of the Internet of Things, and the Shellshock incident demonstrated the types of attacks we leave ourselves open to with the integration of non-computer devices to Web-connected networks. Just like the security responsibility falling to vendors and Web server admins to make sure users were safe from Heartbleed, hardware and software manufacturers need to be held accountable for securing customer devices. And end users need to keep the pressure on them to make security a priority.
"Just as with Heartbleed, users need to stay up on their vendors, credit card agencies and more to ensure that once the problem gets fixed and once it is, those users need to change their passwords," says Chris Stoneff, director of professional services at Lieberman Software. "If they don't, every time they do something on those Web sites or the businesses or agencies put the user's data through those servers, they are putting the people at risk."
Nude Celebrity Photos
According to a report released this summer by U.K.-based IT services firm BT Global Services, 70 percent of IT pros surveyed said their confidence in cloud security is at an all-time low. It comes as no shock that in a post-Snowden world, despite the best intentions and capabilities of a cloud vendor, we now know data that was once thought private might be being accessed by government agencies. No matter how vigilant you are about making sure your data is encrypted in-house, in transit and on cloud servers, it means very little if agencies like the NSA and FBI have capabilities to break that encryption.
However, this year's breach of the Apple iCloud helped to remind us that it's not only Big Brother who might have unfettered access to cloud data. In one of the first major breaches of a cloud service by traditional hackers, and the highest-profile case to date, the end of August saw the Apple cloud storage hacked by unidentified individuals to obtain and publish private nude celebrity photographs. While Apple tried to assure customers that only targeted individuals' accounts were compromised, the company provided very little detail on how the attackers were able to bypass the Apple security features and encryption.
To make matters worse, fellow attackers tried to take advantage of customer mistrust of Apple by launching widespread phishing e-mail campaigns spoofed to look like legitimate iCloud security messages.
One of the big security stories that carried over from 2013 was a success story. Cryptolocker was a particularly nasty piece of ransomware that emerged in September 2013. Symantec Corp., calling Cryptolocker the menace of 2013, explained that users usually contracted the Trojan by opening a .zip file in a socially engineered spam e-mail. The executable hidden in the .zip file would reach out to a command-and-control server for a public encryption key and use that key to encrypt all the files on the system and the files on any mapped network drives.
At that point, the victim would be prompted to pay hundreds of dollars in ransom using Bitcoin or MoneyPak to get the private key to decrypt the files and regain access to the system.
In June of this year, a consortium of law enforcement agencies, security software vendors and university researchers announced they had disrupted the Gameover ZeuS botnet, which had been used to distribute Cryptolocker, seized several of the Cryptolocker servers and filed charges against suspected perpetrators.
"Security researchers estimate that, as of April 2014, Cryptolocker had infected more than 234,000 computers, with approximately half of those in the United States. One estimate indicates that more than $27 million in ransom payments were made in just the first two months since Cryptolocker emerged," the U.S. Department of Justice said in a statement about the multi-national takedown.
Since then, other encrypting ransomware has emerged, including one threat called CryptoWall.
Just as many of the biggest security events of 2014 were foreseeable late last year, some of what will happen next year is probably already clear. For one thing, Microsoft is sunsetting support for Windows Server 2003 on July 14, 2015. More NSA-related revelations are also likely.
In a report, "The Invisible Becomes Visible," released in November by Trend Micro Inc. extrapolates from recent trends and news to make predictions for 2015.
The report calls out the increasing use of targeted attacks -- think of the spearphishing approach in Cryptolocker -- and anticipates the pace of such efforts will pick up. Mobile payment with the emergence of Apple Pay will be a major new target in criminals' ongoing, all-out raid on digital methods of payment, the report suggests, while criminals will continue to threaten online banking. Attackers' success in finding new vulnerabilities in old open source code (Heartbleed and Shellshock) will inspire redoubled efforts to find other open source flaws, the report also suggests.
Logical enough, but one other general prediction is sure to come true: 2015 will deliver a few security surprises.