Looking back, 2014 was not a good year for keeping things safe under digital lock and key. If a score was being kept, it might seem that the cybercriminals are in the lead, despite the valiant efforts — and own goals — from the cybersecurity profession worldwide.
Cast your mind back to March. Everyone was panicking about the HeartBleed bug. Based on an error in code upon which the majority of the world’s secure servers relied, experts had plenty of time to fix the issue. Sadly there was an array of conflicting information about changing passwords, leading to widespread confusion. While most IT administrators made sure this was managed in a professional manner, it created a stir that seemed to set the tone for the year.
In May, online auction giant eBay admitted to having been compromised. The site said its systems, with personal details of tens of millions of users, may have had been vulnerable for months. Everyone was advised, indeed forced, to change their password.
In the same month, iPhones were hijacked and their owners blackmailed by the cunning Oleg Pliss ransomware, locking phones and threatening to delete data unless cash was paid.
In this case, the criminals managed to acquire a database of usernames and passwords, maybe via HeartBleed, and cracked the passwords. As it’s well known that many users reuse the same passwords for many accounts, the Oleg Pliss attackers searched for iCloud e-mail accounts and simply stepped through their list of passwords until they were successful. Then they remotely locked the phones and demanded a ransom. What was clever about this attack is that it targeted the weak link — lax security among humans — rather than the tough target, the security of the iPhone itself.
Already 3-0 to the cybercriminals by half-time, it wasn’t looking too good for Team Cybersecurity. In June there was finally a score for law enforcement: Gameover Zeus, a prolific botnet, was brought down through a combined operation from the FBI, UK National Crime Agency and other international agencies. It gave security experts time to hose down their systems, upgrade security measures and re-group, knowing that it would be weeks before this botnet could rally.
The most popular mobile phone and tablet operating system, Android did not have a good year. With the most mobile malware, Android is seen as a system that needs to clean up its act, with vulnerabilities exploited through text messages, and potentially revealing intimate details left behind on second-hand devices that had been supposedly wiped.
In July, the focus was back on Apple’s iOS phone operating system, in which a back door was discovered, proving a major embarrassment for the company. It’s interesting that the subsequent release of iOS, version eight, brought full encryption to the phone, suggesting that Apple has tried to fill this hole — much to the annoyance of some national security agencies.
September arrived with a bang, as dozens of celebrities found naked pictures of themselves posted online. The issues earlier in the year that proved the potential to gain access to iCloud accounts had been realised, with the images stripped not from the phones themselves but from the iCloud accounts linked to them. Apple’s response was to generate a notification following any access to an iCloud account — but that may be too little too late if an intruder has already copied your more intimate snaps.
Later the same month, the discovery of the Shellshock bug makes it 7-1. This was another issue arising from decades-old code in the Bash shell software, since incorporated into millions of computers and embedded devices worldwide. It’s ironic that, after years in which Microsoft Windows was regularly compromised, 2014 was the year in which the heat was turned on open-source systems like Linux.
As November came around, we witnessed a spectacular own goal when a particularly complex and aggressive malware, Regin, was alleged to be the product of Western intelligence agency experts. Of course, nobody has come forward to take the credit, but it’s clear that there are very capable cybersecurity or cybercriminal experts out there who have the time and resources to create bespoke attacks for their own ends.
December brings the season for joy for many — but not for Sony Pictures, which suffered an attack that leaked unreleased films online, posted embarrassing internal e-mails for all to see, and brought the company’s internal systems to their knees. Perhaps most embarrassing is that this seems to be becoming a habit for Sony.
Come Christmas Day, the servers supporting the Xbox and PlayStation online gaming platforms were hacked.
All in all, such a 10-1 thrashing points to an eventful year, and unfortunately leaves no doubt that the criminals have the edge, leaving the security experts nursing their own goals and playing catch-up.
- Andrew Smith is lecturer in Networking at The Open University
- This article was originally published on The Conversation