The top security threats of 2014 include equal parts old mistakes, new adversaries, innocent human nature and the evil that men -- and women, and others -- do.
In 2013, Snowden changed a conversation (and created careers for believers across a spectrum of dark and light). Some, but not all, survived security nightmares credited to Blackhole, the SEA, and Cryptolocker. We said goodbye to Silk Road, and popular consciousness said hello to the mega retail breach with Target.
In contrast, 2014 turned the dial to 11 for infosec disasters and threats -- and the egos all around them.
It was the year of super mega retail breaches, China coming to the fore in attacks, Facebook scams getting out of hand, Shellshock and Heartbleed (who brought a pet POODLE), and application security becoming the weakest link through a combination of its own faults and the time-honored practice of the irresponsible — the blame game.
Let's count down the top security threats of 2014...
One email spiked with innocuous-looking malware to a vendor cost Target an estimated 40 million credit cards and 70 million user accounts at the crest of 2014, beginning a year which made our own employees, coworkers, friends and family one of the biggest security threats of the year.
Target's December disaster came from a phishing attack sent to employees at an HVAC firm it did business with. Phishing is an incredibly popular attack -- because it works. Non-technical people were 2014's favorite targets for malicious hackers, from data-dealing crime rings to targeted corporate espionage attacks.
F-Secure's Mobile Threat Report Q1 2014 was a bucket of cold water in terms of just how pervasive attacks on typical users are, and how they can spread through apps into businesses.
A March report from RAND Corporation, "Markets for Cybercrime Tools and Stolen Data" (commissioned by Juniper Networks), correctly predicted that alongside unpatched vulnerabilities, the human element would increasingly be the weak point for attacks.
By the end of 2014, 95 percent of IT managers said they were struggling with the biggest threats they face: mobile devices in the hands of careless employees.
It's no surprise that even as enterprises rush to the cloud, they are terrified whenever they have to think about cloud security; trust in the cloud hit an all-time low in 2014.
2014 brought big news of serious cloud security breaches, such as the Xen bug forcing Amazon to reboot its EC2 instances, and Xen making Rackspace do the same this weekend.
Consumer fears were fanned, investors panicked and Apple stock slipped in the aftermath of the "celebrity nudes iCloud hack". A well-reported exploitation of a known problem with Apple's iCloud security saw the private photos of A-list celebrities published; it was followed by an attack on China's iCloud customers. Apple made cloud security's image worse with a come-lately warning to consumers and after-the-fact activation of 2FA.
A BT study in September covering 11 countries revealed that more than three-quarters of IT decision makers are "extremely anxious" about the security of cloud-based services -- yet 79 percent of U.S. enterprise execs (70 percent globally) are adopting cloud storage and web applications within their business.
Over seven million online service users had their privacy violated and their personal information exposed in just two of 2014's big data thefts -- Dropbox and Snapchat -- both of which used the blame game to evade critical PR.
A group of malicious hackers got their hands on 6,937,081 Dropbox account credentials and published 1,200 usernames and passwords before asking for Bitcoin to publish even more.
Dropbox issued a statement saying that it had not been hacked, and "These usernames and passwords were unfortunately stolen from other services and used in attempts to log in to Dropbox accounts."
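The pattern Dropbox describes, a list of usernames and passwords leaked from one service and replayed against another, is what defenders call credential stuffing, and it leaves a recognizable trace in authentication logs: one source trying many different usernames, most of them failing. The Python below is an added example, not Dropbox's code; it runs over a few constructed log lines (the `ip=... user=... result=...` field layout is an assumption) and flags sources that match that shape.

```python
import re
from collections import defaultdict

# Constructed sample authentication log, not real Dropbox data. The field
# layout "<timestamp> ip=<addr> user=<name> result=<ok|fail>" is assumed.
SAMPLE_LOG = """\
2014-10-13T09:00:01Z ip=203.0.113.7 user=alice result=fail
2014-10-13T09:00:02Z ip=203.0.113.7 user=bob result=fail
2014-10-13T09:00:02Z ip=203.0.113.7 user=carol result=ok
2014-10-13T09:00:03Z ip=203.0.113.7 user=dave result=fail
2014-10-13T09:00:03Z ip=203.0.113.7 user=erin result=fail
2014-10-13T09:00:04Z ip=203.0.113.7 user=frank result=fail
2014-10-13T09:00:10Z ip=198.51.100.4 user=alice result=fail
2014-10-13T09:00:15Z ip=198.51.100.4 user=alice result=fail
2014-10-13T09:00:20Z ip=198.51.100.4 user=alice result=ok
"""

LINE_RE = re.compile(r"ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)")


def parse_log(text):
    """Yield (ip, user, succeeded) for each line that matches the layout."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("ip"), m.group("user"), m.group("result") == "ok"


def find_credential_stuffing(text, min_distinct_users=5, max_success_ratio=0.5):
    """Return {ip: stats} for sources that tried many distinct usernames with
    mostly failed results. A person mistyping their own password hits one
    account repeatedly; a replayed leak walks through many accounts, and the
    occasional success is exactly the reused password the attacker wanted."""
    per_ip = defaultdict(lambda: {"users": set(), "attempts": 0, "successes": 0})
    for ip, user, ok in parse_log(text):
        stats = per_ip[ip]
        stats["users"].add(user)
        stats["attempts"] += 1
        stats["successes"] += int(ok)

    flagged = {}
    for ip, stats in per_ip.items():
        ratio = stats["successes"] / stats["attempts"]
        if len(stats["users"]) >= min_distinct_users and ratio <= max_success_ratio:
            flagged[ip] = {
                "distinct_users": len(stats["users"]),
                "attempts": stats["attempts"],
                "successes": stats["successes"],
            }
    return flagged


if __name__ == "__main__":
    for ip, stats in find_credential_stuffing(SAMPLE_LOG).items():
        print(ip, stats)
```

In the constructed sample, 203.0.113.7 cycles through six accounts and lands one, while 198.51.100.4 is one user getting their own password right on the third try; only the first is flagged. A production rule would add a time window and per-account checks (a login from a new country right after a failed burst), since stuffing tools spread attempts across many source addresses.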
Dubbed "the Snappening" by users of the chat forum 4chan, in October a database containing over 100,000 photos and videos sent across Snapchat networks was leaked online. A third-party Snapchat client app, able to steal images once its malicious software was installed, was to blame -- exactly what the FCC fined Snapchat for lying about. Snapchat said it was users' fault for using third-party apps, then tried not to look like absolute jerks by saying it was going to ban third-party apps, like, super really hard, with a strongly worded letter from its PR department. In addition to this high-profile attack, the company apologized after 4.6 million Snapchat usernames and matching phone numbers were leaked at the beginning of the year.
Check the news yourself: a new Facebook scam was reported roughly once a week in 2014. Any news headline, scare, or new gadget gets turned into a Facebook scam.
A Facebook study by the security company Bitdefender released in late 2014 unearthed 850,000 Facebook scams running on the social network, dividing into five distinct trends.
Almost half of the scams pretended to allow users to track their profile views, an offer the company said was popular among people wishing to see if former lovers were keeping tabs on them. The problem, researchers concluded, was that due to Facebook's UI (and possibly its design intent), users can't tell what's real, and what's not.
The annual cost of these scams is estimated at "even higher" than the $12.7 billion global loss to Nigerian scams.
Drupal nearly won the prize with a fairly horrible security blunder, when the Drupal team disclosed a really, really bad SQL injection vulnerability in Drupal 7 -- and warned that unless you patched within seven hours, you'd be hacked.
Drupal claims a million users on its project site drupal.org, and over 30,000 developers. Many prominent sites, including whitehouse.gov, use Drupal.
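The article doesn't go into the mechanics of the Drupal bug, so the example below is a generic illustration of SQL injection rather than Drupal's code: a login query built by string formatting, beside the same query with bound parameters, run against an in-memory SQLite table of constructed accounts. This is an added example, not from the page; the schema and the plaintext password column (kept that way only so the SQL stays readable) are assumptions.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory table with constructed accounts (assumed schema, not Drupal's).
    Passwords are stored in the clear only to keep the SQL point visible."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pw TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, name: str, pw: str) -> list:
    """The defect: user input is pasted into the SQL text, so quote characters
    in the input rewrite the query's logic instead of being compared as data."""
    sql = "SELECT name, role FROM users WHERE name = '%s' AND pw = '%s'" % (name, pw)
    return conn.execute(sql).fetchall()


def login_safe(conn: sqlite3.Connection, name: str, pw: str) -> list:
    """The fix: the SQL text is constant and the values travel separately as
    bound parameters, so the database engine never parses them as SQL."""
    sql = "SELECT name, role FROM users WHERE name = ? AND pw = ?"
    return conn.execute(sql, (name, pw)).fetchall()


# The textbook tautology input: pasted in as the password, it turns the WHERE
# clause into "... AND pw = '' OR '1'='1'", which is true for every row.
TAUTOLOGY = "' OR '1'='1"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", login_vulnerable(db, "nobody", TAUTOLOGY))  # every account
    print("safe:      ", login_safe(db, "nobody", TAUTOLOGY))        # nothing
```

Binding covers values only: table and column names, sort directions and anything else that changes the shape of the statement still has to come from an allow-list in code, which is where abstraction layers that assemble SQL dynamically tend to go wrong.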
After years of rubbing its secure operating system in everyone's faces, Apple finally rode that reputation into the ground in 2014 with a series of unforgiving security disasters.
February's Goto Fail: A shockingly overlooked SSL encryption issue left iPhone, iPad and Mac computer users open to a man-in-the-middle (MITM) attack and was upsettingly patched in stages. A well-reported exploitation of iCloud security to ruin the (little) privacy of A-list celebrities and a too little, too late warning to consumers (as well as after the fact activation of 2FA) made Apple stocks slide. The attack on China's iCloud customers. Rootpipe. Patching 144 severe vulnerabilities in one update. And much more.
Microsoft had a tough year, too. In the immortal phrasing of the Doge meme -- Microsoft: such 0day, many patches.
Microsoft fixed a severe 19-year-old Windows 0day bug found in pretty much everything since Windows 95, issued a bazillion patches, and revealed a vulnerability in most versions of Internet Explorer so bad that government security response teams in the US, the UK, and Sweden urged Windows users to consider Chrome or Firefox as their default browser until Microsoft delivered a fix.
Hackers from -- or working for -- China took center stage in 2014 as the role of China's hackers in everything from malware, IP theft and state-sponsored attacks snowballed in headlines up to the end of the year.
In May 2014 the US DoJ indicted five Chinese hackers for committing economic and cyber espionage against several American companies — hacking by members of the Chinese military — and it represented the first-ever charges against a state actor for this type of hacking. All five are wanted by the FBI, and three of them (Wen Xinyu, Huang Zhenyu, and Sun Kailiang) made the FBI's top ten most wanted hackers list.
In July, the CrowdStrike team went public with news that several national-security think tanks working in the defense, finance, legal and government arenas had been compromised by the Chinese cyberattack group Deep Panda, which the security researchers called "one of the most advanced Chinese nation-state cyber intrusion groups." It was only one of several Chinese attack groups and campaigns CrowdStrike found in 2014.
The Chinese government has been accused of backing cyberattacks against Apple's iCloud, initiated in order to steal user credentials. The finger has also been pointed at China for the 2014 hacking of the US Postal System (over 800,000 employees), NOAA, as well as the White House and US State Department.
The Shellshock Unix/Linux Bash security hole emerged in September and was immediately and widely recognized as a serious problem: it was estimated to potentially affect around half of the internet's websites. Shellshock serves as a highway for worms and malware to attack Unix, Linux, and Mac servers, and it affects mail servers as well. The bug had been in the Bash shell for 20 years and was widely deployed in a configuration that made it easy to exploit -- and it was exploited in the wild within a day of its public debut.
2014 started on the tail end of Target's massive breach, then continued with Home Depot, Kmart, Michael's, Dairy Queen, Staples, Goodwill, Neiman Marcus, JP Morgan Chase, Verizon, EA Games and many more -- heralding the rise of point-of-sale (POS) malware. To give you an idea of scale, Home Depot said that 53 million email addresses were swiped in its recent data breach, in which 56 million credit card accounts were also compromised.
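The "easy to exploit" configuration was CGI: a web server copies request headers such as User-Agent and Referer into environment variables before invoking a script, and a vulnerable Bash parsed anything starting with the function-definition prefix `() {` as code. That prefix is also what defenders look for in access logs. The scanner below is an added example, not from the page or any vendor; it runs over constructed Apache combined-format log lines (the probe lines use harmless stand-in commands) and reports the requests that carry the prefix in either header.

```python
import re

# Apache "combined" log format:
# ip ident user [time] "request" status bytes "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<user_agent>[^"]*)"$'
)

# The Bash function-definition prefix at the start of a header value is the
# signature of a Shellshock probe. Assumption: spacing between the tokens
# varies between tools, so optional whitespace is allowed.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")

# Constructed sample lines, not from any real server. The second and third
# carry the prefix in User-Agent and Referer respectively; /bin/true stands
# in for whatever command a real probe would try to run.
SAMPLE_ACCESS_LOG = """\
203.0.113.9 - - [25/Sep/2014:10:01:12 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [25/Sep/2014:10:01:13 +0000] "GET /cgi-bin/status HTTP/1.1" 200 88 "-" "() { :;}; /bin/true"
198.51.100.2 - - [25/Sep/2014:10:02:40 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 210 "() { x;}; /bin/true" "curl/7.30.0"
"""


def find_shellshock_probes(log_text):
    """Return {'hits': [...], 'unparsed': n}. Each hit records the source,
    time, request line and which header field carried the prefix. Lines that
    don't match the expected format are counted rather than silently skipped,
    so a log-format change cannot hide probes from the scan."""
    hits, unparsed = [], 0
    for line in log_text.splitlines():
        m = COMBINED_RE.match(line)
        if not m:
            unparsed += 1
            continue
        for field in ("user_agent", "referer"):
            if SHELLSHOCK_RE.search(m.group(field)):
                hits.append({
                    "ip": m.group("ip"),
                    "time": m.group("time"),
                    "request": m.group("request"),
                    "field": field,
                    "value": m.group(field),
                })
    return {"hits": hits, "unparsed": unparsed}


if __name__ == "__main__":
    report = find_shellshock_probes(SAMPLE_ACCESS_LOG)
    for hit in report["hits"]:
        print(hit["ip"], hit["request"], hit["field"], repr(hit["value"]))
    print("unparsed lines:", report["unparsed"])
```

A 200 response to a probe, like the second sample line, is the one that deserves an incident ticket rather than just a note: it means a CGI handler at that path actually ran. The regex is deliberately loose, so expect occasional false positives from legitimate header values that happen to contain `() {`; the request path (anything under cgi-bin) is the second signal to combine it with.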
The Identity Theft Research Center's 2014 report summary of data breaches paints a disturbing picture of 2014 to date -- as of October, there have been 621 known and reported major breaches and 77,890,487 records stolen.
The Banking, Credit and Financial sector saw 24 breaches for 2014, with 1,172,320 records compromised; Business is at a stunning 215 breaches with 64,407,359 records stolen; Medical/Healthcare has also been hit hard this year with 263 successful hacks and 7,464,611 records pilfered.
Research from security analysts at BitSight found that in 2014, the retail industry encountered an increase in infections in every threat indicator it monitors. Malware distribution saw the largest increase, followed by botnet infections. As for the prevalent malware strains, BitSight says it detected an abundance of Maazben, ZeroAccess, Zeus, Viknok, Conficker and Cutwail.
A report conducted by Ponemon Institute on behalf of RSA at the end of 2014 confirmed that in the wake of mega breaches, consumers are reaching a point of "breach fatigue."
The Hollywood star of SSL's worst year ever was Heartbleed, the OpenSSL vulnerability that showed up with its own logo and branding -- and pissed off companies when the headline-friendly bug was revealed before patches could be delivered for it. Google, AWS, and Rackspace were affected by the Heartbleed OpenSSL flaw, but Azure escaped.
Heartbleed is an encryption flaw which can theoretically be used to view apparently secure communication across HTTPS; the data at risk includes everything from passwords and encryption keys to financial details and personally identifiable information -- allowing a hacker to dip in, swipe data, and leave no trace of their existence.
The programmer responsible for code leading to Heartbleed said the flaw was accidental.
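The accident was a missing bounds check. The TLS heartbeat extension (RFC 6520) lets a peer send a small message carrying a declared payload length, and the other side is supposed to echo the payload back; the vulnerable code trusted the declared length instead of checking it against the bytes that had actually arrived, so it replied with that many bytes of whatever sat in memory after the message. The Python below is an added example, not OpenSSL's code: it encodes and parses heartbeat message bodies per the RFC and refuses any message whose declared length exceeds the data received. The `declared_length` parameter is a hypothetical knob added so the test can build a malformed message.

```python
import struct
from typing import Optional

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16  # RFC 6520: at least 16 bytes of padding follow the payload
HEADER_LEN = 3    # 1-byte type + 2-byte big-endian payload_length


def build_heartbeat(payload: bytes, declared_length: Optional[int] = None) -> bytes:
    """Encode a heartbeat request body: type, payload_length, payload, padding.
    `declared_length` (hypothetical, for testing) lets the header claim a
    length different from the real payload, the malformed input a parser
    must reject."""
    length = len(payload) if declared_length is None else declared_length
    return struct.pack("!BH", HEARTBEAT_REQUEST, length) + payload + b"\x00" * MIN_PADDING


def parse_heartbeat(record: bytes) -> bytes:
    """Return the payload, or raise ValueError for a malformed message."""
    if len(record) < HEADER_LEN + MIN_PADDING:
        raise ValueError("message shorter than header plus minimum padding")
    msg_type, declared = struct.unpack("!BH", record[:HEADER_LEN])
    if msg_type not in (HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE):
        raise ValueError("unknown heartbeat message type %d" % msg_type)
    # The bounds check: header + declared payload + minimum padding must fit
    # inside what was actually received. Without it, an echo of `declared`
    # bytes would read past the end of the message into adjacent memory.
    if HEADER_LEN + declared + MIN_PADDING > len(record):
        raise ValueError("declared payload length %d exceeds received data" % declared)
    return record[HEADER_LEN:HEADER_LEN + declared]


def is_well_formed(record: bytes) -> bool:
    """True if parse_heartbeat accepts the message."""
    try:
        parse_heartbeat(record)
        return True
    except ValueError:
        return False


def heartbeat_response(record: bytes) -> bytes:
    """Build the reply a careful peer sends: exactly the payload bytes that
    were received, never `declared` bytes of whatever follows them."""
    payload = parse_heartbeat(record)
    return struct.pack("!BH", HEARTBEAT_RESPONSE, len(payload)) + payload + b"\x00" * MIN_PADDING


if __name__ == "__main__":
    good = build_heartbeat(b"ping")
    print("good message ->", heartbeat_response(good)[:HEADER_LEN + 4])
    bad = build_heartbeat(b"ping", declared_length=0x4000)  # claims 16 KiB
    print("oversized claim accepted?", is_well_formed(bad))
```

The RFC's own wording is that an oversized message "MUST be discarded silently", which is what the parser does here by refusing to produce a payload at all; the logging decision is the caller's, and a flood of oversized heartbeats from one peer is worth alerting on.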
But before Heartbleed, there was Apple's February Goto Fail, a massive oversight in SSL encryption that left iPhone, iPad and Mac users open to MITM attacks and -- in poor form -- was patched in stages.
Late in the year Google released 'nogotofail' (named in honor of the 'goto fail' bug that affected Mac and iOS systems in early 2014), a tool which offers a way to confirm that internet-connected devices and applications aren't vulnerable to transport layer security (TLS) and secure sockets layer (SSL) encryption issues, such as known bugs or misconfigurations.
It was no Heartbleed, but in late fall, Google's Security Team revealed that the long-obsolete but still all-too-widely-used Secure Sockets Layer (SSL) 3.0 cryptographic protocol has a major security flaw. In an example attack called Padding Oracle On Downgraded Legacy Encryption (POODLE), an attacker can steal "secure" HTTP cookies or other bearer tokens such as HTTP Authorization header contents. According to the team's Bodo Möller: "This vulnerability allows the plaintext of secure connections to be calculated by a network attacker." The OpenSSL Initiative issued a patch.
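The "padding oracle" in POODLE's name comes from how SSL 3.0 checks CBC padding: the receiver validates only the final byte (the padding length) and never looks at the padding bytes before it, whereas TLS 1.0 and later require every padding byte to equal that length. Because a whole block of padding can therefore be accepted with any contents as long as its last byte is right, the accept/reject behaviour leaks information to someone who can tamper with ciphertext on the wire. The two rules side by side, as an added example rather than any library's code, with constructed inputs:

```python
from typing import Optional


def strip_padding_sslv3(decrypted: bytes, block_size: int = 16) -> Optional[bytes]:
    """SSL 3.0 (RFC 6101) rule: the last byte gives the padding length, which
    must be less than the block size; the padding bytes themselves are
    arbitrary and are never inspected. Returns the data, or None if rejected."""
    if not decrypted:
        return None
    pad_len = decrypted[-1]
    if pad_len >= block_size or pad_len + 1 > len(decrypted):
        return None
    return decrypted[: len(decrypted) - pad_len - 1]


def strip_padding_tls(decrypted: bytes) -> Optional[bytes]:
    """TLS 1.0+ (RFC 2246) rule: every padding byte must equal the padding
    length byte, so a block of padding with one correct final byte and
    garbage ahead of it is rejected."""
    if not decrypted:
        return None
    pad_len = decrypted[-1]
    if pad_len + 1 > len(decrypted):
        return None
    padding = decrypted[len(decrypted) - pad_len - 1 :]
    if any(b != pad_len for b in padding):
        return None
    return decrypted[: len(decrypted) - pad_len - 1]


# Constructed decrypted records (MAC omitted to keep the padding visible):
# a 16-byte message followed by a full 16-byte block of padding, once well
# formed and once with arbitrary bytes ahead of the length byte 0x0f.
MESSAGE = b"GET / HTTP/1.0\r\n"
WELL_FORMED = MESSAGE + bytes([15] * 16)
GARBAGE_PADDING = MESSAGE + bytes(range(15)) + bytes([15])


if __name__ == "__main__":
    for label, rec in (("well formed", WELL_FORMED), ("garbage padding", GARBAGE_PADDING)):
        print(label, "sslv3:", strip_padding_sslv3(rec), "tls:", strip_padding_tls(rec))
```

SSL 3.0 accepts both records; TLS accepts only the well-formed one. There is no fix for the SSL 3.0 rule itself, which is why the remedy Google published was to stop offering the protocol (and, to block forced downgrades from TLS, to support the TLS_FALLBACK_SCSV signalling value). In Python's `ssl` module the client side of that is `context.minimum_version = ssl.TLSVersion.TLSv1_2`.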
Microsoft got invited to the SSL-in-Hell party as 2014 came to a close. November's Patch Tuesday for Microsoft disclosed vulnerability CVE-2014-6321, named by the community "WinShock" -- a severe 19-year-old Windows 0day bug found in pretty much everything since Windows 95; Microsoft reports that the SChannel security package is vulnerable on both Windows servers and clients (SChannel is a Security Support Provider (SSP) that implements SSL and TLS authentication protocols.)
It's easy to see which of 2014's big bad threats will be confined to 2014, and which will continue if things don't improve in security education for the ordinary user (especially BYOD attacks), application security, blame games and accountability problems among startups, and the security practices of retailers.
Other things not mentioned on this list are sure to see an increase -- such as the tanking state of Android security in 2014 and the end-of-year realizations about Android malware (responsible for 70 percent of all mobile attacks in 2014).
Healthcare security will most certainly be in 2015's attack spotlight: A late 2014 report from BitSight Technologies analyzed the cybersecurity practices of companies on the S&P 500, with those in the healthcare sector coming in at the bottom of a four-industry pack.
It's also easy to predict that 2015 will see attacks trend toward larger Internet of Things (IoT) attacks: a late 2014 report shows 95 percent of enterprises are stressed about IoT security.
The end of 2014 saw the FTC shut down a scam security company that duped consumers out of $2.5 million by falsely detecting computer viruses and selling bogus antivirus software: with hacking, surveillance and retail breaches in every other headline, we can expect to see much more of this in 2015.