The top security threats of 2014 include equal parts old mistakes, new adversaries, innocent human nature and the evil that men -- and women, and others -- do.
In 2013, Snowden changed a conversation (and created careers for believers across a spectrum of dark and light). Some, but not all, survived security nightmares credited to Blackhole, the SEA, and Cryptolocker. We said goodbye to Silk Road, and popular consciousness said hello to the mega retail breach with Target.
In contrast, 2014 turned the dial to 11 for infosec disasters and threats -- and the egos all around them.
It was the year of super mega retail breaches, China coming to the fore in attacks, Facebook scams getting out of hand, Shellshock and Heartbleed (who brought a pet POODLE), and application security became the weakest link through a combination of its own faults and the time-honored practice of the irresponsible — the blame game.
Let's count down the top security threats of 2014...
10. Normal people
One email spiked with innocuous-looking malware to a vendor cost Target an estimated 40 million credit cards and 70 million user accounts at the crest of 2014, beginning a year which made our own employees, coworkers, friends and family.
Target's December disaster came from a phishing attack sent to employees at an HVAC firm it did business with. Phishing is an incredibly popular attack -- because it works. Non-technical peoplefor malicious hackers, from data dealing crime rings to targeted corporate espionage attacks.
F-Secure's Mobile Threat Report Q1 2014 was a bucket of cold water in terms of just how pervasive attacks on typical users are, and how they can spread through apps into businesses.
A March report from RAND Corporation "Markets for Cybercrime Tools and Stolen Data" (commissioned by Juniper Networks) correctly predicted that in addition to unpatched vulnerabilities, the human element will continue to increase as the weak point for attacks.
At the end of 2014,believe that they're struggling against the biggest threats in the form of mobile devices in the hands of careless employees.
9. Cloud disasters
It's no surprise that despite the fact that enterprise is rushing to the cloud, enterprise is terrified when it has to think about cloud security and.
2014 brought big news of serious cloud security breaches, such as the Xen bug forcing Amazon to reboot its EC2 instances, and Xen making Rackspace do the same this weekend.
Consumer fears were fanned, investors panicked and. A well-reported exploitation of a known problem with Apple's iCloud security ; it was followed with an attack on . Apple made cloud security's image worse with a come-lately and .
A BT study in September covering 11 countries revealed that more than three-quarters of IT decision makers are "extremely anxious" about security using cloud-based services -- yet 79 percent of U.S. enterprise execs (70 percent globally) are adopting cloud storage and web applications within their business.
8. Application security, aka blame the "other services"
Over seven million online service users had their privacy violated and their personal information exposed in just two of 2014's big data thefts -- Dropbox and Snapchat -- both of which used the blame game to evade critical PR.
A group of malicious hackers got their hands on 6,937,081 Dropbox account credentials and published 1,200 usernames and passwords before asking for Bitcoin to publish even more.
Dropbox issued a statement saying that it had not been hacked, and "These usernames and passwords were unfortunatelyand used in attempts to log in to Dropbox accounts."
Dubbed "the Snappening" by users of the chat forum 4chan, in October a database containing over 100,000 photos and videos sent across Snapchat networks was leaked online. A third-party Snapchat client app was to blame, which was able to steal images after malicious software installation -- exactly what the FCC fined Snapchat for lying about. Snapchat said it was users' fault for using third-party apps, then tried to not look like absolute jerks by saying they were going towith a strongly worded letter from their PR department. In addition to this high-profile attack, the company apologized after 4.6 million Snapchat usernames and matched phone numbers were leaked .
7. Facebook scams
Check the news yourself: a new Facebook scam was reported roughly once a week in 2014. Any news headline, scare, or new gadget gets turned into a Facebook scam.
A Facebook study by the security company Bitdefender released in late 2014 unearthed, dividing into five distinct trends.
Almost half of the scams pretended to allow users to track their profile views, an offer the company said was popular among people wishing to see if former lovers were keeping tabs on them. The problem, researchers concluded, was that due to Facebook's UI (and possibly its design intent), users can't tell what's real, and what's not.
The 2014 cost of these scams per year is estimated atto Nigerian scams.
6. The Drupal boogeyman
Drupal nearly won the prize in with a fairly horrible security blunder, when the Drupal teamin Drupal 7 -- and warned that , you'd be hacked.
Drupal claims a million users on its project site drupal.org, and over 30,000 developers. Many prominent sites, including whitehouse.gov, use Drupal.
5. Apple's rot
After years of rubbing its secure operating system in everyone's faces, Apple finally rode that reputation into the ground in 2014 with a series of unforgiving security disasters.
made Apple stocks slide. The attack on . . Patching . And much more.: A shockingly overlooked SSL encryption issue left iPhone, iPad and Mac computer users open to a man-in-the-middle (MITM) attack and was . A well-reported exploitation of iCloud security to and a (as well as )
Microsoft had a tough year, too. In the immortal phrasing of the Doge meme -- Microsoft: such 0day, many patches.
Microsoft fixedfound in pretty much everything since Windows 95, issued a bazillion patches, and revealed so bad that urged Windows users to consider Chrome or Firefox as their default browser until Microsoft delivered a fix.
Hackers from -- or working for -- China took center stage in 2014 as the role of China's hackers in everything from malware, IP theft and state-sponsored attacks snowballed in headlines up to the end of the year.
In May 2014 three of them made the FBI's top ten most wanted hackers list (Wen Xinyu, Huang Zhenyu, and Sun Kailiang).for committing economic and cyber espionage against several American companies — hacking by members of the Chinese military — and it represented the first-ever charges against a state actor for this type of hacking. All five are wanted by the FBI but
In July, the CrowdStrike team went public saying that several national security-based think tanks were compromised in the defense, finance, legal and government arenas by the Chinese cyberattack group Deep Panda, which the security researchers called "one of the most advanced Chinese nation-state cyber intrusion groups." It was CrowdStrike found in 2014.
The Chinese government has been accused of White House and US State Department., initiated in order to steal user credentials. The finger has also been pointed at China for the 2014 hacking of (over 800,000 employees), , as well as the
The Shellshock Unix/Linux Bash security holeand immediately was recognized widely as a serious problem: It was estimated to potentially affect around half of the internet's websites. Shellshock serves as a highway for worms and malware to attack as well as . The bug had been in the Bash shell for 20 years and was widely deployed in a configuration that made it easy to exploit -- and it was exploited in the wild .
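Shellshock was reachable wherever a web server turned request headers into environment variables for Bash-backed CGI scripts, which is why the first exploitation waves showed up in ordinary access logs. The following detection routine is an added example, not from the original article or from any vendor: it parses Apache combined-format log lines (the sample lines are constructed, with RFC 5737 documentation addresses) and flags Referer or User-Agent values carrying the `() {` function-definition prefix that the vulnerable Bash parsed out of environment variables, ranking hits against `/cgi-bin/` paths highest.

```python
"""Detect Shellshock (CVE-2014-6271) probe signatures in web server logs.

Added example, not from the original article. The log lines below are
constructed for illustration; the signature regex matches the Bash
function-definition prefix that the bug parsed out of environment values.
"""
import re
from typing import List, Tuple

# Bash's environment function import was triggered by a value beginning
# with "() {". Probes in the wild varied the spacing, so allow whitespace.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")

# Apache combined log format:
#   ip ident user [timestamp] "request" status bytes "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample traffic (not real log data).
SAMPLE_LOG = """\
198.51.100.7 - - [25/Sep/2014:10:12:01 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; echo vulnerable"
203.0.113.5 - - [25/Sep/2014:10:12:05 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.9 - - [25/Sep/2014:10:13:44 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 500 0 "() {  :; }; /bin/true" "curl/7.37.0"
192.0.2.10 - - [25/Sep/2014:10:14:00 +0000] "GET /about HTTP/1.1" 200 2048 "http://example.com/" "Mozilla/5.0 (Windows NT 6.1)"
"""


def find_shellshock_probes(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (client_ip, request, field_name) for every line whose Referer
    or User-Agent carries the Shellshock signature. Lines that do not parse
    as combined format are skipped rather than guessed at."""
    hits = []
    for line in log_text.splitlines():
        m = COMBINED_RE.match(line)
        if not m:
            continue
        for field in ("referer", "ua"):
            if SHELLSHOCK_RE.search(m.group(field)):
                hits.append((m.group("ip"), m.group("request"), field))
                break
    return hits


def is_cgi_request(request: str) -> bool:
    """CGI endpoints are where header values became environment variables
    for Bash, so hits against them deserve the highest triage priority."""
    return "/cgi-bin/" in request


if __name__ == "__main__":
    for ip, req, field in find_shellshock_probes(SAMPLE_LOG):
        prio = "HIGH" if is_cgi_request(req) else "low"
        print(f"[{prio}] {ip} {req!r}: signature in {field}")
```

The regex is deliberately loose about whitespace because the signature is what matters, not the exact bytes of any one payload; in production this logic belongs in a log pipeline or WAF rule, and the `/cgi-bin/` heuristic should be widened to whatever paths actually invoke Bash on the host.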
2. Mega Retail Breaches
2014 started on the tail end of Target's massive breach, then continued with Home Depot, Kmart, Michaels, Dairy Queen, Staples, Goodwill, Neiman Marcus, JP Morgan Chase, Verizon, heralding the rise of POS malware. To give you an idea of scale, Home Depot said that in its recent data breach where 56 million credit card accounts were also compromised.and many more --
The Identity Theft Resource Center's 2014 report summary of data breaches paints a disturbing picture of 2014 to date -- as of October, there have been 621 known and reported major breaches and 77,890,487 records stolen.
The Banking, Credit and Financial sector saw 24 breaches for 2014, with 1,172,320 records compromised; Business is at a stunning 215 breaches with 64,407,359 records stolen; Medical/Healthcare has also been hit hard this year with 263 successful hacks and 7,464,611 records pilfered.
Research from security analysts at BitSight found that in 2014, the. Malware distribution saw the largest increase, followed by botnet infections. As for the prevalent malware strains, BitSight says it detected an abundance of Maazben, ZeroAccess, Zeus, Viknok, Conficker and Cutwail.
A report conducted by Ponemon Institute on behalf of RSA at the end of 2014 confirmed that in the wake of mega breaches, consumers are reaching a point of "breach fatigue."
1. 2014's threat theme: White-knuckle flaws in TLS/SSL protocols: Goto Fail, Heartbleed, POODLE, WinShock
The Hollywood star of SSL's worst year ever wasthat showed up with its own logo and branding -- and pissed off companies when the headline-friendly bug was revealed before patches could be delivered for it. - but Azure escaped.
Heartbleed is an encryption flaw which can theoretically be used to view apparently secure communication across HTTPS; the data at risk includes everything from passwords and encryption keys to financial details and personally identifiable information -- allowing a hacker to dip in, swipe data, and leave no trace of their existence.
The programmer responsible for code leading to Heartbleed.
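The reason Heartbleed left no trace is that it was not a cryptographic break at all but a missing bounds check: the TLS heartbeat handler trusted the payload length claimed in the message and copied that many bytes back out of memory, whether or not they had ever been received. The model below is an added example written for this article, not OpenSSL's code; it encodes the RFC 6520 heartbeat layout (1-byte type, 2-byte length, payload, at least 16 bytes of padding), places the record in a constructed byte string standing in for process memory, and shows the pre-patch logic beside the fixed one.

```python
"""Heartbleed (CVE-2014-0160) as a bounds-check failure, in miniature.

Added example, not from the article or from OpenSSL. It models the TLS
heartbeat message (RFC 6520): 1-byte type, 2-byte payload length, the
payload, then at least 16 bytes of padding. The vulnerable handler trusts
the sender's length; the fixed one checks it against the record received.
"""
import struct
from typing import Optional

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16
HEADER_LEN = 3  # type (1) + payload_length (2)

# Constructed stand-in for whatever sat in memory just past the record.
ADJACENT_MEMORY = b"session-cookie=ab12cd34; rsa-key-fragment-0000"


def build_heartbeat(payload: bytes, claimed_len: Optional[int] = None) -> bytes:
    """Encode a heartbeat request. claimed_len lets the caller misstate the
    payload length, which is exactly the malformed input behind the bug."""
    length = len(payload) if claimed_len is None else claimed_len
    return struct.pack("!BH", HEARTBEAT_REQUEST, length) + payload + b"\x00" * MIN_PADDING


def vulnerable_response(memory: bytes, record_len: int) -> bytes:
    """Pre-patch behaviour: copy payload_length bytes from the payload start,
    without checking that many bytes were actually part of the record."""
    _, payload_len = struct.unpack("!BH", memory[:HEADER_LEN])
    payload = memory[HEADER_LEN:HEADER_LEN + payload_len]  # may run past record_len
    return struct.pack("!BH", HEARTBEAT_RESPONSE, payload_len) + payload + b"\x00" * MIN_PADDING


def fixed_response(memory: bytes, record_len: int) -> Optional[bytes]:
    """The fix: silently discard any message whose claimed payload, plus the
    header and minimum padding, does not fit inside the record received."""
    if record_len < HEADER_LEN + MIN_PADDING:
        return None  # too short to be a well-formed heartbeat
    _, payload_len = struct.unpack("!BH", memory[:HEADER_LEN])
    if HEADER_LEN + payload_len + MIN_PADDING > record_len:
        return None  # RFC 6520: drop, do not answer
    payload = memory[HEADER_LEN:HEADER_LEN + payload_len]
    return struct.pack("!BH", HEARTBEAT_RESPONSE, payload_len) + payload + b"\x00" * MIN_PADDING


def leaked_bytes(response: Optional[bytes], record_len: int) -> bytes:
    """Bytes in the response payload that lay beyond the received record,
    i.e. memory the sender was never entitled to see."""
    if response is None:
        return b""
    _, payload_len = struct.unpack("!BH", response[:HEADER_LEN])
    payload = response[HEADER_LEN:HEADER_LEN + payload_len]
    # The first (record_len - HEADER_LEN) payload bytes came from the record
    # itself; anything after that was read past its end.
    return payload[record_len - HEADER_LEN:]


if __name__ == "__main__":
    record = build_heartbeat(b"hi", claimed_len=40)  # 2 real bytes, 40 claimed
    memory = record + ADJACENT_MEMORY
    leak = leaked_bytes(vulnerable_response(memory, len(record)), len(record))
    print("vulnerable handler leaked:", leak)
    print("fixed handler returned:", fixed_response(memory, len(record)))
```

Nothing in the exchange is logged as an error by the vulnerable side, because from its point of view it answered a well-formed request; that is the "leave no trace" property the article describes, and it is why the fix is a length check rather than anything to do with the cipher suite.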
But before Heartbleed, there was Apple's, a massive oversight in SSL encryption that left iPhone, iPad and Mac users open to MiTM attacks and -- in poor form -- was .
Late in the year(named in honor of the 'goto fail' bug that affected Mac and iOS systems in early 2014) a tool which offers a way to confirm that internet-connected devices and applications aren't vulnerable to transport layer security (TLS) and secure sockets layer (SSL) encryption issues, such as known bugs or misconfigurations.
It was no Heartbleed, but in late fall, that the long obsolete, but still all too used, Secure Sockets Layer (SSL) 3.0 cryptographic protocol has a major security flaw. In an example attack called , an attacker can steal "secure" HTTP cookies or other bearer tokens such as HTTP Authorization header contents. According to the team's Bodo Möller: "This vulnerability allows the plaintext of secure connections to be calculated by a network attacker." The OpenSSL Initiative issued a patch.
Microsoft got invited to the SSL-in-Hell party as 2014 came to a close. November's Patch Tuesday for Microsoft disclosed vulnerability CVE-2014-6321, named by the community "WinShock" -- found in pretty much everything since Windows 95; Microsoft reports that the SChannel security package is vulnerable on both Windows servers and clients (SChannel is a Security Support Provider (SSP) that implements SSL and TLS authentication protocols).
2015: The year ahead
It's easy to see which of 2014's big bad threats will be confined to 2014, and which will continue if things don't improve in security education for the ordinary user (especially BYOD attacks), application security, blame games and accountability problems among startups, and the security practices of retailers.
Other things not mentioned on this list are sure to see an increase -- such as the tanking state of Android security in 2014 and the end-of-year realizations about Android malware (responsible for 70 percent of all mobile attacks in 2014).
Healthcare security will most certainly be in 2015's attack spotlight: A late 2014 report from BitSight Technologies analyzed the cybersecurity practices of companies on the S&P 500, with those in.
It's also easy to predict that 2015 will see attacks increase in trends toward larger Internet of Things (IoT) attacks: A late 2014 report shows.
The end of 2014 saw the FTC shut down a scam security company that duped consumers out of $2.5 million by falsely detecting computer viruses and selling bogus antivirus software: With hacking, surveillance and retail breaches in every other headline, we can expect to see much more of this in 2015.