BreachExchange mailing list archives

Highlights and lowlights of 2014, a golden year for cybercrime


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 1 Jan 2015 19:34:46 -0700

http://theconversation.com/highlights-and-lowlights-of-2014-a-golden-year-for-cybercrime-35508

Looking back, 2014 was not a good year for keeping things safe under
digital lock and key. If a score was being kept, it might seem that the
cybercriminals are in the lead, despite the valiant efforts – and own goals
– from the cybersecurity profession worldwide.

Cast your mind back to March, when everyone was panicking about the
Heartbleed bug. It stemmed from an error in code upon which the majority
of the world’s secure servers relied, and experts had plenty of time to
fix the issue. Sadly there was an array of conflicting information about
changing passwords, leading to widespread confusion. While most IT
administrators made sure this was managed in a professional manner, it
created a stir that seemed to set the tone for the year.

In May, online auction giant eBay admitted to having been compromised. The
site said its systems, with personal details of tens of millions of users,
may have been vulnerable for months. Everyone was advised, indeed forced,
to change their password.

In the same month, iPhones were hijacked and their owners blackmailed by
the cunning Oleg Pliss ransomware, locking phones and threatening to delete
data unless cash was paid.

In this case, the criminals managed to acquire a database of usernames and
passwords, maybe via Heartbleed, and cracked the passwords. As it is well
known that many users reuse the same passwords for many accounts, the
Oleg Pliss attackers searched for iCloud email accounts and simply stepped
through their list of passwords until they were successful. Then they
remotely locked the phones and demanded a ransom. What was clever about
this attack is that it targeted the weak link – lax security among humans –
rather than the tough target, the security of the iPhone itself.

Already 3-0 to the cybercriminals by half-time, it wasn’t looking too good
for Team Cybersecurity. In June there was finally a score for law
enforcement: Gameover Zeus, a prolific botnet, was brought down through a
combined operation from the FBI, UK National Crime Agency and other
international agencies. It gave security experts time to hose down their
systems, upgrade security measures and re-group, knowing that it would be
weeks before this botnet could rally.

Android, the most popular mobile phone and tablet operating system, did not
have a good year. With the most mobile malware, Android is seen as a system
that needs to clean up its act, with vulnerabilities exploited through text
messages, and potentially intimate details left behind on second-hand
devices that had supposedly been wiped.

In July, the focus was back on Apple’s iOS phone operating system, in which
a back door was discovered, proving a major embarrassment for the company.
It’s interesting that the subsequent release of iOS, version eight, brought
full encryption to the phone, suggesting that Apple has tried to fill this
hole – much to the annoyance of some national security agencies.

September arrived with a bang, as dozens of celebrities found naked
pictures of themselves posted online. The issues earlier in the year that
proved the potential to gain access to iCloud accounts had been realised,
with the images stripped not from the phones themselves but from the iCloud
accounts linked to them. Apple’s response was to generate a notification
following any access to an iCloud account – but that may be too little too
late if an intruder has already copied your more intimate snaps.

Later the same month, the discovery of the Shellshock bug made it 7-1.
This was another issue arising from decades-old code in the Bash shell
software, since incorporated into millions of computers and embedded
devices worldwide. It’s ironic that, after years in which Microsoft Windows
was regularly compromised, 2014 was the year in which the heat was turned
on open source systems like Linux.

As November came around we witnessed a spectacular own goal, when a
particularly complex and aggressive malware, Regin, was alleged to be the
product of Western intelligence agency experts. Of course, nobody has come
forward to take the credit – but it’s clear that there are very capable
cybersecurity or cybercriminal experts out there who have the time and
resources to create bespoke attacks for their own ends.

December brings the season of joy for many – but not for Sony Pictures,
which suffered an attack that leaked unreleased films online, posted
embarrassing internal emails for all to see, and brought the company’s
internal systems to their knees. Perhaps most embarrassing is that this
seems to be becoming a habit for Sony Corporation.

Come Christmas Day, the servers supporting the Xbox and PlayStation online
gaming platforms were hacked.

All in all, such a 10-1 thrashing points to an eventful year, and
unfortunately leaves no doubt that the criminals have the edge, leaving the
security experts nursing their own goals and playing catch up.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
