The wonderful and terrifying thing about the security world is that things never stay calm for long. As soon as you think you have a chance to catch your breath, someone breaks something and it’s time to scramble again. In 2014, those small moments of downtime were hard to come by. There was a seemingly endless parade of major vulnerabilities, data breaches and high-profile hacks. It was a year filled with Heartbleeds, POODLEs, Shellshock and a lot of pain for users, administrators and anyone else who likes to do things on the Interweb. Thankfully, the network is still standing after all that, so we went back and looked at all the stories we did this year and picked out the 10 most popular ones, put a fresh coat of paint on them and put them together to give you a picture of the year that was in security. Enjoy.
As Code Red once was the standard for Internet worms, Heartbleed has become the bar to which other Internet-wide bugs must now aspire. The vulnerability in the heartbeat extension of OpenSSL caused Web-wide panic when it was disclosed in April and its effects are still being felt eight months later. OpenSSL is deployed in an untold number of products, and the bug affects both clients and servers, so attackers had a Cheesecake Factory menu of targets at their disposal. Rumors of Heartbleed’s discovery by the NSA appear to be exaggerated, but the bug can be blamed for starting the vulnerability-as-celebrity trend. So, thanks, Heartbleed.
These are not words you want to hear when a new vulnerability is disclosed: “It’s super simple and…It’s extremely serious.” That’s how a security engineer at Red Hat described the Shellshock flaw in the Bash shell, a bug that affected Unix, Linux and OS X and allows attackers to execute whatever code they want on target systems. Which, as it turns out, is undesirable. Vendors scrambled to patch their products, while hackers did what they do: hack. Shellshock also carried on the proud tradition of vulnerability branding and logo production.
2014 was not a great year for SSL. And by not great, we mean terrible. Really, really terrible. As if the Heartbleed bug wasn’t enough, in October researchers from Google revealed a new attack on SSLv3 that could let attackers decrypt secure connections in some circumstances. In response to the disclosure, browser vendors have begun disabling SSLv3 support, a move that was long overdue. The protocol is older than half the kids trying to exploit it using POODLE. But news came out recently that TLS—the replacement for SSL—is also vulnerable to the attack in some implementations. But the good news is, well, nothing.
Most high-profile attacks these days result in data being stolen and sometimes leaked online (see: Sony). But in June we saw an attack on Code Spaces, a hosting and collaboration platform provider, that forced the company to go out of business. The company was hit with a DDoS attack that was quickly followed by a compromise of its Amazon EC2 control panel. The hackers destroyed the company’s data, including its backups, and Code Spaces informed customers within a few hours that it was going to cease operations. This kind of devastating attack is a rarity, but not unique.
Tor has become a safe haven for people eager to protect the privacy of their online activities. In turn, hackers have taken to Tor not only to carry out DDoS and spam campaigns, but also to load malware on unsuspecting users’ machines. Security researcher Josh Pitts in October identified a Tor exit node that was surreptitiously adding malware to binaries users downloaded using the Tor browser. The exit node was subsequently flagged by the Tor Project, but not before it infected machines with code that opened ports listening for commands and sent HTTP requests to a remote server.
Now that the curtain has been thrown back on the depth and breadth of government surveillance of Internet activities, the time has come to heed some cautious advice: Behave online as if someone is monitoring you—because they are. Security researchers are particularly aware of this dynamic because their work is of keen interest to intelligence outfits, hackers and defenders—all of whom would like to know what they know. No one can afford to be complacent or indifferent to Internet threats, whether they’re state-sponsored or criminally motivated. As Kaspersky Lab senior researcher Costin Raiu advises: The Internet is broken, act accordingly.
An Egyptian neurosurgeon and self-proclaimed baseband hacker disclosed the details of an iPhone lockscreen bypass technique that allows an attacker in physical possession of an Apple iPhone 5 device running iOS 7.1.1 (the current release at the time) to access contacts and make phone calls. The vulnerability allows an attacker to bypass not only the lockscreen, but also the new TouchID fingerprint sensor that arrived with the latest iPhones. The trick to beating these protections is to use the device’s voice-recognition program, Siri, which, after some prompting, presented the good doctor with the ability to scroll through contacts. The Siri bug was a double whammy for Apple, which also had to deal with a separate issue in iOS 7.1.1 that prevented email attachments from being properly encrypted. Both issues were patched.
Big DNS service provider UltraDNS in April was put on its heels, having to beat back a DDoS attack that kept many of its customers offline. It was a hectic day for website operators who relied on UltraDNS’ services. Ultimately, it turned out that a massive 100 Gbps DDoS attack against one of UltraDNS’ customers resulted in latency issues for others. The attack against UltraDNS was just the latest volumetric DDoS attack to be reported. Attacks ranging between 70 Gbps and more than 400 Gbps were happening with greater frequency against high-value financial targets, as well as core infrastructure providers such as UltraDNS. Many such DNS amplification attacks take advantage of the millions of open DNS resolvers listening online to amplify traffic exponentially, sending requests with a spoofed source address so that the much larger responses land on the intended target. UltraDNS mitigated its situation within hours.
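The amplification mechanic described above leaves a recognisable trace on the resolver side: because the attacker spoofs the victim's address, the resolver's own logs show one "client" (really the victim) receiving a flood of responses many times larger than the queries that triggered them. The following is an added example, not code from the article or from UltraDNS, that scores each source address in a resolver query log by its response-to-query byte ratio and flags the ones that look like amplification victims. The log line format (`<timestamp> <src_ip> <qtype> <qname> q=<query_bytes> r=<response_bytes>`), the sample lines and the thresholds are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed resolver log lines (assumed format, not a real resolver's output).
# The first four lines model a victim address being hit with large ANY responses;
# the garbage line shows that unparseable input is skipped rather than crashing.
SAMPLE_LOG = """\
2014-04-30T12:00:01 198.51.100.7 ANY example-zone.test. q=64 r=3223
2014-04-30T12:00:01 198.51.100.7 ANY example-zone.test. q=64 r=3223
2014-04-30T12:00:02 198.51.100.7 ANY example-zone.test. q=64 r=3223
this line is not a log record
2014-04-30T12:00:02 198.51.100.7 ANY example-zone.test. q=64 r=3223
2014-04-30T12:00:03 203.0.113.5 A www.example.com. q=60 r=76
2014-04-30T12:00:04 203.0.113.5 AAAA www.example.com. q=60 r=88
2014-04-30T12:00:05 192.0.2.9 MX example.net. q=58 r=120
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<qtype>\S+) (?P<qname>\S+) "
    r"q=(?P<q>\d+) r=(?P<r>\d+)$"
)


def parse_log(text):
    """Parse log text into dicts; lines that do not match the format are dropped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["q"] = int(rec["q"])
        rec["r"] = int(rec["r"])
        records.append(rec)
    return records


def amplification_by_source(records):
    """Per source address: query count, bytes in, bytes out, amplification factor
    and the share of queries that were type ANY (a classic amplification query)."""
    agg = defaultdict(lambda: {"queries": 0, "q_bytes": 0, "r_bytes": 0, "any": 0})
    for rec in records:
        s = agg[rec["src"]]
        s["queries"] += 1
        s["q_bytes"] += rec["q"]
        s["r_bytes"] += rec["r"]
        if rec["qtype"] == "ANY":
            s["any"] += 1
    for s in agg.values():
        s["factor"] = s["r_bytes"] / s["q_bytes"] if s["q_bytes"] else 0.0
        s["any_share"] = s["any"] / s["queries"]
    return dict(agg)


def flag_suspects(records, min_factor=10.0, min_queries=3):
    """Return (src, factor, queries) for sources whose traffic looks like reflected
    amplification: enough queries to matter and responses far larger than queries.
    Thresholds are illustrative; tune them to the resolver's normal traffic."""
    stats = amplification_by_source(records)
    hits = [
        (src, s["factor"], s["queries"])
        for src, s in stats.items()
        if s["factor"] >= min_factor and s["queries"] >= min_queries
    ]
    # Largest amplification first.
    return sorted(hits, key=lambda h: h[1], reverse=True)


if __name__ == "__main__":
    for src, factor, n in flag_suspects(parse_log(SAMPLE_LOG)):
        print(f"{src}: {n} queries, {factor:.1f}x amplification (likely spoofed victim)")
```

On a real resolver the flagged address is the party to protect, not to block outright: rate-limiting responses to it (response rate limiting) and refusing recursion for addresses outside the networks the resolver serves are the mitigations, and the latter is what stops the resolver being one of the "open resolvers" the article refers to.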
In a year of bizarre stories, hacks and Internet-wide vulnerabilities, there may not have been a stranger story than the abrupt shutdown in May of TrueCrypt, the popular open source encryption software package. TrueCrypt’s maintainers’ decision to shut down the project kicked off speculation about whether the software had been hacked or infiltrated by the National Security Agency. In an attempt to get some answers, the Open Crypto Audit Project was formed with the express mission of auditing the TrueCrypt code looking for a backdoor. In June, OCAP posted a verified repository of TrueCrypt 7.1a, the last known good TrueCrypt archive. The experts involved in the project created the verified repository by comparing SHA-2 hashes of its files against the files found in other TrueCrypt repositories, ensuring their integrity.
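The cross-checking step the article attributes to OCAP, comparing the SHA-2 hashes of a release's files across several independent copies so that any single tampered mirror stands out, is simple enough to show in full. The following is an added example, not OCAP's tooling or any TrueCrypt code: it hashes every file in each "mirror" with SHA-256 (one member of the SHA-2 family), reports which files agree everywhere, which disagree between mirrors, and which are missing from some mirror, and separately verifies one copy against a published hash manifest. The mirrors, file names and byte contents are constructed stand-ins and have nothing to do with the real 7.1a archive.

```python
import hashlib
import hmac

# Constructed stand-ins for three download mirrors of one release. The bytes are
# made up for the example; mirror-c carries a modified installer and lacks the README.
MIRRORS = {
    "mirror-a": {
        "setup.exe": b"release 7.1a installer bytes",
        "source.tar.gz": b"release 7.1a source bytes",
        "README.txt": b"readme",
    },
    "mirror-b": {
        "setup.exe": b"release 7.1a installer bytes",
        "source.tar.gz": b"release 7.1a source bytes",
        "README.txt": b"readme",
    },
    "mirror-c": {
        "setup.exe": b"release 7.1a installer bytes plus an extra byte",
        "source.tar.gz": b"release 7.1a source bytes",
    },
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hash_tree(files):
    """Map file name -> SHA-256 hex digest for one mirror's files."""
    return {name: sha256_hex(data) for name, data in files.items()}


def cross_check(mirrors):
    """Compare the same release across mirrors.

    Returns (consensus, disagreements, missing):
      consensus      name -> digest, for files present on every mirror with one digest
      disagreements  name -> {mirror: digest}, for files whose digests differ
      missing        name -> [mirrors lacking the file]
    """
    trees = {m: hash_tree(files) for m, files in mirrors.items()}
    all_names = set().union(*(t.keys() for t in trees.values()))
    consensus, disagreements, missing = {}, {}, {}
    for name in sorted(all_names):
        present = {m: t[name] for m, t in trees.items() if name in t}
        absent = sorted(m for m, t in trees.items() if name not in t)
        if absent:
            missing[name] = absent
        if len(set(present.values())) > 1:
            disagreements[name] = present
        elif not absent:
            consensus[name] = next(iter(present.values()))
    return consensus, disagreements, missing


def verify_against_manifest(files, manifest):
    """Check one copy against a manifest of expected digests.

    Returns name -> "ok" | "mismatch" | "missing" for every manifest entry, plus
    "unlisted" for files present in the copy that the manifest does not cover.
    """
    tree = hash_tree(files)
    report = {}
    for name, expected in manifest.items():
        actual = tree.get(name)
        if actual is None:
            report[name] = "missing"
        elif hmac.compare_digest(actual, expected):
            report[name] = "ok"
        else:
            report[name] = "mismatch"
    for name in tree:
        if name not in manifest:
            report[name] = "unlisted"
    return report


if __name__ == "__main__":
    consensus, disagreements, missing = cross_check(MIRRORS)
    print("agree everywhere:", sorted(consensus))
    print("disagree:", {n: sorted(d) for n, d in disagreements.items()})
    print("missing:", missing)
    # Treat mirror-a's digests as the published manifest and check mirror-c against it.
    print("mirror-c vs manifest:", verify_against_manifest(MIRRORS["mirror-c"], hash_tree(MIRRORS["mirror-a"])))
```

The consensus set is only as trustworthy as the independence of the mirrors: if every copy descends from one compromised upload, they will agree with each other and the check proves nothing, which is why a manifest obtained through a separate channel (or a detached signature) is the stronger reference.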