2014: The year everyone's security took a hit

The past year has shown that each and every person is less secure than they thought on January 1, 2014, and for popping that bubble, we should be thankful.
Written by Chris Duckett, Contributor

In the pigpen of security during 2014, all hogs, regardless of affiliation and technology choices, found themselves covered in muck at some stage. The amount of muck involved varied from platform to platform, but no one could claim to remain untarnished by year's end.

Whether it was the widely distributed OpenSSL Heartbleed vulnerability, OS X and iOS being caught in man-in-the-middle SSL attacks, or Windows' recent Schannel remote code execution issues, the common thread that ran through each platform was what was once referred to as Secure Sockets Layer, but would be more aptly dubbed Swiss cheese when all was said and done.

With all players suffering, and each new vulnerability revealing only what not to use rather than what techniques and technology should be used, regular users would be forgiven for feeling less sure of the security with each passing day. But such are the experiences that must be worked through in order to learn that an incorrectly perceived reality is nothing but self-delusion.

If 2013 was the year the world learned through whistleblower and former NSA contractor Edward Snowden that the United States and its Five Eyes allies were monitoring communications worldwide, then 2014 was the year that we learned how easily those agencies, and other actors no doubt, could do it.

The POODLE flaw, which Google's Security Team discovered in September, lay in the outdated RC4 ciphers used in SSL 3.0 — ciphers that Microsoft said in November 2013 were used by 43 percent of sites in a 5 million site sample.

Widespread and long-lived flaws such as POODLE are the sorts of vulnerabilities exploited by commercial spyware such as FinFisher. But even spyware wasn't immune from hacking this year, as FinFisher suffered a hack revealing its price and client list, which includes organisations such as the NSW Police and Singapore's PCS Security Pte Ltd, along with the intelligence arms of the Hungarian, Italian, and Bosnian governments.

As Julian Fay, chief technology officer of Australian encryption company Senetas, told ZDNet, the general public has awoken to the threats posed to their privacy.

"What I think is really clear now is that a technical capability exists that's well within the reach of every nation state, and frankly within many large organisations, to actually easily eavesdrop and conduct surveillance on a scale that was previously unimaginable," he said. "There's been a tangible change, I'd suggest globally, in terms of people's awareness and their desire to do something about it.

"Suddenly, people are interested for the first time, they are more informed, and they actually want to understand what they should do about it ... that is definitely reflected in what we are hearing from our customers around the world."

Fay said that the industry is maturing, and, thanks to more privacy-minded movements by the likes of Apple to encrypt their devices by default, security and privacy are finally being considered and included "from the ground up" in mainstream products for the first time.

"For the last 20 years, we've basically added security on as an afterthought when we've needed to do it, and we've tried to protect our perimeters to prevent breaches by building a great big moat.

"What we are learning now is that that's not good enough, that's not going to work," he said. "You've got to identify what are the crown jewels, what is worth protecting within your organisation ... and then you've got to embed protection with that asset, and then actually protect it throughout its life cycle: When it's at rest on the servers, make sure it is compartmentalised, segmented; when you send it across networks, make sure it is encrypted; make sure it is encrypted at rest et cetera, and get in place the right mechanisms for those crown jewels."

If there is any hope to be found from our current predicament, it is that the industry is seeing the act of increasing users' privacy as a competitive advantage. Regardless of whether that stems from benevolence or a desire to merely increase profits, it is a good thing. With major players like Apple and Android moving to encrypt file systems by default on their consumer devices, it is sure to have a wider influence — no company wants to be seen to offer less privacy than privacy-whipping-boy Google.

When federal police bodies such as the Australian Federal Police and the US Federal Bureau of Investigation are incessantly complaining that device encryption will lead to a "dark, dark place", then users can be safe in the knowledge that the encryption is pretty decent.

Such initiatives are positive steps, according to Fay, and represent a reaction to the lessons learned since Snowden first revealed what the Five Eyes were up to.

"I think it has sometimes been characterised as a war between the bad guys and the good guys," said Fay. "And I fully expect that that will continue, to the extent that it's a race to find problems, to find zero days, and then to fix them.

"We are going to have to keep fighting this war for a long time into the future, but I'm positive about some of the changes that are happening at the moment."

Bugs and security issues are never going to fully disappear, but if 2014 revealed the true extent of our naivety, hopefully 2015 is a year where we can make it harder for the same violations to happen again.

ZDNet's Monday Morning Opener is our opening salvo for the week in tech. As a global site, this editorial publishes on Monday at 8am AEST in Sydney, Australia, which is 6pm Eastern Time on Sunday in the US. It is written by a member of ZDNet's global editorial board, which is comprised of our lead editors across Asia, Australia, Europe, and the US.
