
2014: the year that security broke

Davey Winder takes a look back at how insecure we all were in 2014...

OPINION: Let me be very clear about this from the get-go: 2014 has been a disastrous year for IT security. Ironically, while the Edward Snowden revelations the year before were bad enough, at least they led to a sea change in the way that businesses and the public alike viewed the privacy of their data. They also prompted big technology players like Apple and Google to do something about it by bringing device encryption to the fore. This latter development was the only real positive I can pluck from the insecure mess that was 2014.

So, let's start with Apple. OS X and iOS users got caught out by man-in-the-middle attacks, twice. Back at the start of the year it was discovered that the Apple implementation of SSL was vulnerable to man-in-the-middle attacks, leaving users potentially at risk of sensitive transactional data theft even though they assumed their connections were secure. That flaw got patched, but then in November news emerged of the DoubleDirect threat, which used ICMP redirects to change the routing tables on the victim host and once again left iOS and OS X users at risk.

This time though, Android users were also implicated in the threat spectrum. Android is generally accepted as being more insecure than iOS (it's OK, I am wearing my tinfoil hat and hiding in a bunker so should escape relatively unscathed) so there was little surprise that it got caught in the insecurity tsunami of 2014.

Perhaps though, the most worrying report was the one that surfaced in September involving the open source WebKit-based Android Browser. It was found to have a flaw leaving it open to malicious JavaScript injection attacks. It turns out that the Same Origin Policy, designed to prevent scripts from accessing content from other sites, was broken in the Android Browser in versions of Android before 4.4.


If the year confirmed mobile as a threat vector on the up, what it proved beyond any reasonable doubt was that SSL was not only badly named (a Secure Sockets Layer it was no longer) but pretty much dead in the water. First there was the OpenSSL Heartbleed shocker at the start of the year, which come the end of it is still a cause for concern.

Then there was the revelation from the Google security folk about outdated RC4 ciphers being used in SSL 3.0 - the so-called POODLE vulnerability, which was just as much of a hammer blow. Why so? Well, according to Microsoft, more than 40 per cent of global websites were using these flawed ciphers. No surprise then that plenty of malware quickly found its way into the market in order to exploit this fact. That decades-old flaws were one of the biggest threats to IT security in 2014 is enough to make us hang our collective heads in shame. That decades-old threat techniques continued to be successful in system breaches equally so.

There's no denying that the bad guys, be they criminal enterprises or state-sponsored teams, continue to become more sophisticated in terms of the malware code they use, but the simple fact is that they also continue to have great success with the oldest of confidence trick methodologies.

Call it social engineering, phishing, an advanced persistent threat, the semantics are irrelevant; scamming your way into the network remains the preferred route of entry for the cyber-crims. Individuals, small businesses and right up to the largest enterprises have fallen victim to such techniques. Unfortunately, many businesses also discovered the hard way that another route of entry to their data is through their business partners. Hey, why bother attacking what appears to be a secure enterprise when you can attack an insecure one that is trusted by them? It worked in many of the major retail breaches that were disclosed across the year.
