2014: the year that security broke

Davey Winder takes a look back at how insecure we all were in 2014...

OPINION: Let me be very clear about this from the get go: 2014 has been a disastrous year for IT security. Ironically, while the Edward Snowden revelations the year before were bad enough, at least they led to a sea change in the way that businesses and the public alike viewed the privacy of their data. They also prompted big technology players like Apple and Google to do something about it by bringing device encryption to the fore. This latter development was the only real positive I can pluck from the insecure mess that was 2014.

So, let's start with Apple. OSX and iOS users got caught out by man-in-the-middle attacks, twice. Back at the start of the year it was discovered that the Apple implementation of SSL was vulnerable to man-in-the-middle attacks, leaving users potentially at risk of sensitive transactional data theft even though they assumed their connections were secure. That flaw got patched, but then in November news emerged of the DoubleDirect threat which used ICMP redirects to change the routing tables on the victim host and once again left iOS and OSX users at risk.

This time though, Android users were also implicated in the threat spectrum. Android is generally accepted as being more insecure than iOS (it's OK, I am wearing my tinfoil hat and hiding in a bunker so should escape relatively unscathed) so there was little surprise that it got caught in the insecurity tsunami of 2014.

Perhaps though, the most worrying report was the one that surfaced in September involving the open source WebKit-based Android Browser. It was found to have a flaw leaving it open to malicious JavaScript injection attacks. It turns out that the Same Origin Policy, designed to prevent scripts from accessing content from other sites, was broken in the Android Browser before Android 4.4 onwards.

If the year confirmed mobile as a threat vector on the up, it proved beyond any reasonable doubt was that SSL was not only badly named (a Secure Sockets Layer it was no longer) but pretty much dead in the water. First there was the OpenSSL Heartbleed shocker at the start of the year, and which come the end of it is still a cause for concern.

Then there was the revelation from the Google security folk about outdated RC4 ciphers being used in SSL 3.0 -  the so-called POODLE vulnerability, which was just as much of a hammer blow. Why so? Well, according to Microsoft, more than 40 per cent of global websites were using these flawed ciphers. No surprise then that plenty of malware quickly found its way into the market in order to exploit this fact. That decades old flaws were one of the biggest threats to IT security in 2014 is enough to make us hang our collective heads in shame. That decades old threat techniques continued to be successful in system breaches equally so.

There's no denying that the bad guys, be they criminal enterprises or state sponsored teams, continue to become more sophisticated in terms of the malware code they use the simple fact is that they also continue to have great success with the oldest of confidence trick methodologies.

Call it social engineering, phishing, an advanced persistent threat, the semantics are irrelevant; scamming your way into the network remains the preferred route of entry for the cyber-crims. Individual, small business and right up to the largest enterprises have fallen victim to such techniques. Unfortunately, for many businesses, they also discovered the hard way that another route of entry to their data is through their business partners. Hey, why bother attacking what appears to be a secure enterprise when you can attack an insecure one that is trusted by them? It worked in many of the major retail breaches that were disclosed across the year.

Featured Resources

The definitive guide to warehouse efficiency

Get your free guide to creating efficiencies in the warehouse

Free download

The total economic impact™ of Datto

Cost savings and business benefits of using Datto Integrated Solutions

Download now

Three-step guide to modern customer experience

Support the critical role CX plays in your business

Free download

Ransomware report

The global state of the channel

Download now

Most Popular

What are the pros and cons of AI?
machine learning

What are the pros and cons of AI?

8 Sep 2021
Zoom: From pandemic upstart to hybrid work giant
video conferencing

Zoom: From pandemic upstart to hybrid work giant

14 Sep 2021
Google takes down map showing homes of 111,000 Guntrader customers
data breaches

Google takes down map showing homes of 111,000 Guntrader customers

2 Sep 2021