With only a few days remaining in 2014, a year filled with mega hacks, major vulnerabilities and astonishing security breaches, we believe there won’t be any more jaw-dropping events on the Internet.
Without any doubt, 2014 has been a tiresome and exciting year for security experts across the world. With back-to-back vulnerabilities surfacing in the span of a few months, this year has been as wacky as it could get. In this article we round up the security stories that the Internet has witnessed in the past 12 months.
List of the Biggest Security Stories:
The GoTo Fail:
In February, Apple finally fixed the ‘GoTo Fail’ bug, an SSL vulnerability, a whopping seventeen months after it appeared in iOS 7.0 and OS X Mavericks. This bug triggered a short circuit which left users vulnerable to a man-in-the-middle attack, through which a potentially malicious system could trick the user with false credentials and eavesdrop on communications between systems.
This was the actual code snippet that led to this vulnerability:
if ((err = SSLHashSHA1.update(&hashCtx, &signedParams)) != 0)
An extra goto statement after this check meant that the last step of the SSL/TLS handshake algorithm was skipped, which turned out to be massively compromising.
It surely was an embarrassing mistake, and it is hard to see how this code could actually be put into production in such a big organization as Apple. Anyway, it is one of the major bug fixes of all time.
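The control flow described above, as an added example that is not Apple's code and not part of the original article: `hash_update`, `verify_signature`, `verify_buggy` and `verify_fixed` are constructed names, and the stand-in functions only model success and failure of the handshake steps.

```c
#include <stdio.h>

/* Constructed stand-ins for the handshake steps; not Apple's code. */
static int hash_update(void) { return 0; }            /* hashing succeeds */
static int verify_signature(int sig_ok) { return sig_ok ? 0 : -1; }

/* Same shape as the flaw: a duplicated goto after the if. */
int verify_buggy(int sig_ok)
{
    int err;

    if ((err = hash_update()) != 0)
        goto fail;
    goto fail;  /* shipped indented like the line above; not part of the if */

    err = verify_signature(sig_ok);   /* unreachable: final check skipped */
fail:
    return err;                        /* still 0 from hash_update() */
}

/* Hardened form: braces on every branch, no stray jump. */
int verify_fixed(int sig_ok)
{
    int err;

    if ((err = hash_update()) != 0) {
        goto fail;
    }
    if ((err = verify_signature(sig_ok)) != 0) {
        goto fail;
    }
fail:
    return err;
}

int main(void)
{
    /* sig_ok = 0 models a forged signature */
    printf("buggy, forged signature: %d\n", verify_buggy(0));
    printf("fixed, forged signature: %d\n", verify_fixed(0));
    printf("fixed, valid signature:  %d\n", verify_fixed(1));
    return 0;
}
```

Mandatory braces on every branch and an unreachable-code warning in the build (for example clang's `-Wunreachable-code`) make this pattern visible in review.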
Heartbleed:
Revealed in April, the Heartbleed bug was definitely one of the most massive vulnerabilities of 2014. It is so called because the bug is located in OpenSSL's implementation of the TLS/DTLS heartbeat extension. When abused, this bug leaks information from the server to the client and from the client to the server.
The bug created so much hype because it left almost all such encrypted information and secrets open to the Internet. If misused, this bug gives the attacker all the information he needs without leaving any traces, and that only means damage and more damage.
Though Heartbleed can be fixed with a software patch, researchers say this vulnerability could remain on the Internet for many more years, mainly because webmasters running smaller sites neglect to update their server software.
Shellshock:
Soon after the Heartbleed bug surfaced and security experts worked hard to contain its effects, along came the next big disaster, Shellshock (also called Bashdoor). This vulnerability was identified in the Bash shell, an interpreter that runs commands on Linux and Unix systems.
As observed by researchers, this vulnerability was already being exploited in the wild by then, which made it more dangerous than the Heartbleed vulnerability. When exploited, Shellshock hands over full access to the target machine to the attacker.
BadUSB:
We surely love USB technology. USB devices have made life easier with their plug-and-play interface and their portable nature. But in July, the Berlin-based Security Research Labs revealed that there is a fundamental flaw in USB devices which could be turned against us: the firmware in these devices is reprogrammable and hence can act as a vehicle for delivering malware.
This flaw can be used to make a USB pen drive act as a keyboard and automatically press keys (as programmed), thus executing malware. The worst part is that, while exploring this vulnerability further, researchers published tools openly on the Internet, making it easy for attackers to exploit it.
Wirelurker:
Wirelurker is malware which hit thousands of iOS devices through a Chinese third-party app provider in November. It is designed to collect call logs, contacts and other private data from iOS devices. The malware resides on a PC, waits for an iOS device to connect to that PC via USB, and then enters the device regardless of whether it is jailbroken. Wirelurker is only the second known malware that attacks iOS devices through USB. It’s also the first malware that installs other applications on iOS devices.
Apple quickly managed to address this malware, blocking all the infected apps from running. Within a few days of the outbreak, Chinese authorities arrested three people who were suspected of having developed this malware.
1.2 Billion Accounts Hacked:
In August this year, a Russian group hacked 1.2 billion usernames and passwords, the first time ever in Internet history, as reported by Hold Security. The company claimed that this stolen information came from over 420,000 websites, including many in top-notch industries.
The company declined to publicly announce the affected websites and instead charged for this information, which was quite unusual. With such a high number of websites taking the hit, it would obviously be difficult to contact each of them securely. But a few voices suggested that this data could have been accumulated over years, that much of it was no longer valid, and that it could just be a profiting scheme on the part of the company.
Sony Pictures Hack:
Surely, the Sony Pictures hack is the biggest security story of 2014. This attack sent the entire studio into total chaos in November. The main intention behind this attack still remains unclear, but there is evidence that it originated in North Korea.