In-depth

2014: the year that security broke

Davey Winder takes a look back at how insecure we all were in 2014...

OPINION: Let me be very clear about this from the get go: 2014 has been a disastrous year for IT security. Ironically, while the Edward Snowden revelations the year before were bad enough, at least they led to a sea change in the way that businesses and the public alike viewed the privacy of their data. They also prompted big technology players like Apple and Google to do something about it by bringing device encryption to the fore. This latter development was the only real positive I can pluck from the insecure mess that was 2014.


So, let's start with Apple. OSX and iOS users got caught out by man-in-the-middle attacks, twice. Back at the start of the year it was discovered that the Apple implementation of SSL was vulnerable to man-in-the-middle attacks, leaving users potentially at risk of sensitive transactional data theft even though they assumed their connections were secure. That flaw got patched, but then in November news emerged of the DoubleDirect threat which used ICMP redirects to change the routing tables on the victim host and once again left iOS and OSX users at risk.

This time though, Android users were also implicated in the threat spectrum. Android is generally accepted as being more insecure than iOS (it's OK, I am wearing my tinfoil hat and hiding in a bunker so should escape relatively unscathed) so there was little surprise that it got caught in the insecurity tsunami of 2014.


Perhaps though, the most worrying report was the one that surfaced in September involving the open source WebKit-based Android Browser. It was found to have a flaw leaving it open to malicious JavaScript injection attacks. It turns out that the Same Origin Policy, designed to prevent scripts from accessing content from other sites, was broken in the Android Browser in versions before Android 4.4.


If the year confirmed mobile as a threat vector on the up, it also proved beyond any reasonable doubt that SSL was not only badly named (a Secure Sockets Layer it was no longer) but pretty much dead in the water. First there was the OpenSSL Heartbleed shocker at the start of the year, which come the end of it is still a cause for concern.

Then there was the revelation from the Google security folk about outdated RC4 ciphers being used in SSL 3.0, the so-called POODLE vulnerability, which was just as much of a hammer blow. Why so? Well, according to Microsoft, more than 40 per cent of global websites were using these flawed ciphers. No surprise then that plenty of malware quickly found its way into the market in order to exploit this fact. That decades-old flaws were one of the biggest threats to IT security in 2014 is enough to make us hang our collective heads in shame. That decades-old threat techniques continued to be successful in system breaches equally so.


There's no denying that the bad guys, be they criminal enterprises or state-sponsored teams, continue to become more sophisticated in terms of the malware code they use, but the simple fact is that they also continue to have great success with the oldest of confidence trick methodologies.

Call it social engineering, phishing, an advanced persistent threat, the semantics are irrelevant; scamming your way into the network remains the preferred route of entry for the cyber-crims. Individuals, small businesses and right up to the largest enterprises have fallen victim to such techniques. Unfortunately, many businesses also discovered the hard way that another route of entry to their data is through their business partners. Hey, why bother attacking what appears to be a secure enterprise when you can attack an insecure one that is trusted by them? It worked in many of the major retail breaches that were disclosed across the year.
