From new malware infection vectors, to catastrophic Internet-wide vulnerabilities, to mobile passcode bypass attacks, these weren't necessarily the biggest security stories of the year, but they were the 10 most popular in 2014 on Threatpost.
10. Audit Project Releases Verified Repositories of TrueCrypt 7.1a
The open-source file encryption software TrueCrypt abruptly shut down in May, causing much anxiety among its users and among security experts worried that the popular software might be backdoored. Within a month, a verified version of the last supported TrueCrypt repository was published. Tracking down this repository was easier said than done, considering that TrueCrypt's developers operated anonymously, but the discovery let cryptography experts move forward with a full audit of the software. That audit aimed to determine whether TrueCrypt had indeed contained a backdoor, a possibility widely speculated upon in the days and months following its shuttering.
9. UltraDNS Dealing with DDoS Attack
The SANS Institute's Internet Storm Center said back in April that it had received multiple reports of outages and DNS resolution issues, reportedly because of a 100 Gbps distributed denial of service attack targeting one of UltraDNS' customers that caused latency for other UltraDNS users. Neustar, of which UltraDNS is a subsidiary, managed to quell the giant DDoS attack, but this story and its popularity underscore an alarming trend that emerged in 2014: DDoS attacks are getting bigger, and big DDoS attacks are becoming more commonplace as attackers learn how to reflect and amplify massive amounts of IP traffic.
There was no shortage of iOS and Android lock screen bypass bugs in 2014. This flaw affected iOS version 7.1.1, enabling the bypass of both the iPhone 5's security lockscreen and its TouchID sensor via voice command. An Egyptian neurosurgeon and self-proclaimed iPhone hacker, Sherif Hashim, demonstrated the attack on YouTube. By mashing the TouchID button and asking Siri to make a call when prompted for a passcode, Hashim could access his entire contact list. Whether this constituted a full lockscreen bypass was and remains highly debatable.
7. The Internet is Broken–Act Accordingly
At Kaspersky Lab's Security Analyst Summit, the head of Kaspersky's Global Research and Analysis Team, Costin Raiu, explained that he assumes he is the target of constant surveillance. "I operate under the principle that my computer is owned by at least three governments," Raiu said during a presentation.
Some in the crowd laughed when he said it, but Raiu wasn't joking. As the head of a top-tier research team heavily involved in uprooting and analyzing nation-state and criminal-backed advanced persistent threat campaigns, Raiu and his colleagues are targets for government and criminal hacking groups alike. Raiu's claim is bolstered by the increasingly clear reality that the Internet itself is broken. Such bugs may not be ubiquitous across the Internet, but they are out there. That reality, along with a booming vulnerability marketplace, means that anyone with deep enough pockets can compromise anything.
6. Researcher finds Tor Exit Node
In October, security researcher Josh Pitts of Leviathan Security Group determined that at least one Tor exit node was actively patching binaries downloaded by users, dynamically adding malware to those files. While he found and subsequently reported to the Tor Project only one bad exit node, located in Russia, Pitts and the Tor Project said that there could be other nodes behaving similarly. More broadly, experts noted that Pitts' discovery underscored the dangers of downloading files from unknown sources and the potential for attackers to exploit user trust in the Tor network.
5. Hacker Puts Hosting Service Code Spaces Out of Business
In the fog of a distributed denial of service attack back in June, attackers compromised the Amazon Elastic Compute Cloud panel belonging to Code Spaces, a code sharing and software collaboration platform. The attackers quickly backed up all the data stored on Code Spaces' servers — making copies for themselves and deleting the original versions as well as Code Spaces' own backups. The attackers issued extortion demands, but the damage was already done. In an announcement on its website, Code Spaces informed its users and customers that the cost of resolving the compromise, including recovering what data it could and refunding customers for the services they had paid for, would effectively put the company out of business. This story demonstrates two harsh realities: that security mistakes can end a business and — considering its fifth place position — that Threatpost readers love some bad news.
4. OpenSSL Fixes Serious TLS Vulnerability
On April 7, the OpenSSL Foundation, developers of a widely deployed cryptography library used to implement SSL and TLS connections online, fixed a serious vulnerability called "Heartbleed" in the protocol and suggested that site operators using OpenSSL update immediately. The foundation explained that "a missing bounds check in the handling of the TLS heartbeat extension can be used to reveal up to 64kB of memory to a connected client or server." The announcement emerged without fanfare, but the story quickly escalated. In the end, Heartbleed garnered serious attention from the mainstream media, which is a rare feat for a story about a vulnerability in an encryption protocol that the vast majority of Internet users had never heard of.
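To make the "missing bounds check" concrete, here is an added example (not OpenSSL's code) of a minimal heartbeat handler that performs the check: a heartbeat record carries a type byte, a two-byte declared payload length, the payload, and at least 16 bytes of padding, and the handler must refuse any record whose declared length does not fit inside the bytes actually received. The record layout follows RFC 6520; the sample records and the function names are constructed for this illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Heartbeat record: 1 type byte, 2-byte big-endian payload length,
 * payload bytes, then at least 16 bytes of padding (RFC 6520). */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_HEADER   3
#define HB_PADDING  16

/* Builds the echo response for a heartbeat request.
 * Returns bytes written to out, or -1 if the record is malformed. */
int heartbeat_response(const uint8_t *rec, size_t rec_len,
                       uint8_t *out, size_t out_cap)
{
    if (rec_len < HB_HEADER + HB_PADDING) return -1;  /* too short to parse */
    if (rec[0] != HB_REQUEST) return -1;
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];  /* peer-declared */
    /* The bounds check Heartbleed lacked: the declared payload length must
     * fit within the record we received, otherwise the memcpy below would
     * read past the record and echo back up to 64kB of adjacent memory. */
    if (HB_HEADER + payload_len + HB_PADDING > rec_len) return -1;
    size_t resp_len = HB_HEADER + payload_len + HB_PADDING;
    if (resp_len > out_cap) return -1;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HEADER, rec + HB_HEADER, payload_len);   /* echo payload */
    memset(out + HB_HEADER + payload_len, 0, HB_PADDING);     /* fresh padding */
    return (int)resp_len;
}

/* Constructed sample: well-formed request, declared length 4, 4 bytes present. */
int demo_wellformed(void)
{
    uint8_t rec[HB_HEADER + 4 + HB_PADDING] = { HB_REQUEST, 0x00, 0x04, 'p','i','n','g' };
    uint8_t out[64];
    return heartbeat_response(rec, sizeof rec, out, sizeof out);  /* 23 */
}

/* Constructed sample: declares 0xFFFF payload bytes but carries only 4. */
int demo_overdeclared(void)
{
    uint8_t rec[HB_HEADER + 4 + HB_PADDING] = { HB_REQUEST, 0xFF, 0xFF, 'p','i','n','g' };
    uint8_t out[64];
    return heartbeat_response(rec, sizeof rec, out, sizeof out);  /* -1 */
}
```

Without the check marked as the fix, the second sample would be answered with 65535 bytes copied from whatever sits after the 23-byte record in memory, which is exactly the leak the advisory describes.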
3. Major Bash Vulnerability Affects Linux, UNIX, Mac OS X
In September, the year's second catastrophic, Internet-wide bug emerged in the Bourne-Again Shell, known as Bash. Bash is present in most Linux and UNIX distributions and in Apple's Mac OS X. The flaw allows an attacker to remotely attach a malicious executable to a variable that is executed when Bash is invoked. The bug was said to be easily exploitable but only under a very specific set of circumstances. A big part of the problem with Bash is that it exists in places that many of the administrators tasked with patching it won't even think to look. Like that of Heartbleed, the story of the Bash bug is a predictable entrant among our most popular stories, and it's likely to be featured among our list of the biggest stories of 2014 as well.
1. PNG Image Metadata Leading to iFrame Injections