Cybersecurity — or the lack thereof — dominated the headlines throughout this year. Hundreds of millions of records were stolen and over a dozen companies were hacked in the past 12 months.
The year 2014 was arguably one of the most eventful years from a security standpoint: we saw some of the biggest companies, with highly sophisticated security, struggle to keep their services safe from cyber criminals. From January to the last week of December, the year saw a series of cyber attacks, data breaches, and theft of data worth millions, even billions.
What does the new year hold for us? Will our security continue to struggle next year as well? What are the challenges that we are bound to face next year? Let’s find out.
Cyber hacks in 2014
Target, the second-largest discount retailer in the United States, announced late in 2013 that about 110 million records had been stolen from the company. In the aftermath, the company noted that its sales had slumped severely after the hack, costing the company as much as $110 million by mid-year.
Ebay gets hacked, 145 million users affected
Earlier in May, shopping portal eBay got hacked. The massive hack affected 145 million users, whose login credentials were dumped on shady networks. The hack, while it did not expose anyone’s financial data, did cost the company a loss of $200 million in its annual revenue.
Snapchat hacked, data posted on 4chan
The photo and video sharing social network Snapchat saw one of its biggest hacks in recent times earlier this year. Around 13GB of stolen user data was dumped on the image sharing website 4chan. The company warned its 100 million active users against trusting unauthorized third-party services, and later blocked its public API to prevent third-party apps from accessing Snapchat. The hack, widely known as ‘The Snappening’, affected millions of users.
U.S. Postal Service networks hit, employee data grabbed
Last month, the U.S. Postal Service also took a hit. The government-run agency announced that the data of more than 800,000 employees had been compromised, including their Social Security numbers and other details.
iCloud hacked, nude images of celebrities leaked
In one of the biggest hack attacks this year, several private photos of Hollywood celebrities were stolen in a “brute-force” attack on targeted iCloud accounts. The attack, popularly known as ‘The Fappening’, saw explicit images of celebrities including Jennifer Lawrence and Kim Kardashian, among others, dumped on the image sharing network 4chan. While Apple denied any breach of its iCloud service, the Cupertino-based company rolled out additional security features to strengthen its cloud-based storage service.
Sony Pictures hacked; private information, unreleased movies leaked
In one of the biggest hacks in recent times, all the computers at Sony Pictures, the entertainment arm of the Japanese media conglomerate, were hacked and more than 1,000GB worth of data was stolen and leaked. The data in question included private information such as the salaries of Sony’s top executives, security PINs and contact details of Hollywood stars, and DVD screeners of several yet-to-be-released movies.
While the FBI finds the North Korean regime responsible for the attack, citing its disapproval of the satirical title The Interview, some security experts say that it could be the work of an insider.
Bugs and other exploits
Besides these hack attacks, there were several more threats that affected end users. These attacks were aimed at users’ computers in order to steal banking information from them.
Heartbleed, ‘the biggest security threat the web has ever seen’
Often referred to as “the biggest security threat the web has ever seen”, Heartbleed is a bug discovered in April which allowed attackers to attack the two-thirds of web servers that used the open source OpenSSL software. OpenSSL is a piece of cryptographic software used across the web to protect our communications and identities. Not only did the bug make communications vulnerable, it also let servers leak sensitive data, including passwords and private cryptographic keys, from their memory. Google and several other major corporations issued patches to fix the vulnerability, though, according to estimates, hundreds of thousands of machines are still left unpatched.
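The mechanism behind that memory leak, shown as an added illustration that is not OpenSSL’s own code: a heartbeat handler that trusts the payload length declared in the message, beside one that checks it against the bytes actually received. The record layout follows RFC 6520; the memory contents, the `hb_*` function names and the 5-byte malformed request are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Heartbeat record layout (RFC 6520): type(1) | payload_len(2, big-endian) | payload | padding.
 * The Heartbleed defect: the declared payload_len was trusted instead of being checked
 * against the number of bytes actually received, so the reply copied adjacent memory. */
#define HB_REQUEST  1
#define HB_RESPONSE 2
static uint16_t hb_declared_len(const uint8_t *rec) {
    return (uint16_t)((rec[1] << 8) | rec[2]);
}

/* Vulnerable pattern: copies payload_len bytes regardless of how long the record really was. */
size_t hb_respond_vulnerable(const uint8_t *rec, uint8_t *out, size_t out_cap) {
    size_t n = hb_declared_len(rec);
    if (n + 3 > out_cap) return 0;          /* only the output buffer is guarded */
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + 3, rec + 3, n);            /* over-read past the real record */
    return n + 3;
}

/* Fixed pattern: the declared length must fit inside the record that arrived. */
size_t hb_respond_fixed(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap) {
    if (rec_len < 3) return 0;
    size_t n = hb_declared_len(rec);
    if (n + 3 > rec_len || n + 3 > out_cap) return 0;  /* reject the malformed record */
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + 3, rec + 3, n);
    return n + 3;
}

/* Constructed memory: a 5-byte request claiming 16 bytes of payload ("hi"),
 * immediately followed by a "secret" the server never meant to send. */
static const uint8_t k_mem[64] = {HB_REQUEST, 0x00, 0x10, 'h', 'i',
    'S','E','C','R','E','T','-','K','E','Y','-','B','Y','T','E','S'};
/* Bytes the vulnerable handler echoed beyond the 2-byte real payload. */
int demo_leaked_bytes(void) {
    uint8_t out[64];
    size_t got = hb_respond_vulnerable(k_mem, out, sizeof out);
    return got ? (int)got - 5 : 0;
}
/* 1 if the fixed handler rejects the same record given its true length of 5 bytes. */
int demo_fixed_rejects(void) {
    uint8_t out[64];
    return hb_respond_fixed(k_mem, 5, out, sizeof out) == 0;
}
int main(void) {
    printf("vulnerable handler leaked %d bytes; fixed handler rejects: %d\n",
           demo_leaked_bytes(), demo_fixed_rejects());
    return 0;
}
```

The real patch also required the record to carry at least 16 bytes of padding; the single length check here is the core of the fix.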
Discovered in September, Shellshock is a vulnerability found in Bash, a piece of software used by millions, that enabled attackers to directly attack servers, routers, and many Linux and OS X-based computers and steal personal information from them. Within a day of the bug’s discovery, attackers started taking advantage of the vulnerability. Since then, several network gear companies have updated their products’ software to block the vulnerability, but experts believe that the effects of Shellshock will be felt for years to come.
“Consequently, even though my light scan found only 3,000 results, this thing is clearly wormable, and can easily worm past firewalls and infect lots of systems. One key question is whether Mac OS X and iPhone DHCP service is vulnerable — once the worm gets behind a firewall and runs a hostile DHCP server, that would be ‘game over’ for large networks,” a researcher said.
BadUSB turns USB-connected devices into attack platforms, lives in the BIOS
Earlier this year researchers warned people about an exploit named “BadUSB” that turns flash drives, external hard drives, keyboards and other USB-connected devices into attack platforms and has managed to fool the best security suites. What is even scarier about this exploit is that it targets the BIOS of a computer, so even if a user has wiped the operating system and all data from the primary hard drive, the malware still lives at the core of the computer.
Ransomware moves to cloud, now affects mobile handsets as well
One of the nastiest types of malicious software, ransomware locks up all the personal documents and files on the victim’s computer and demands payment in exchange for regaining access. The best-known example, Cryptolocker, now has several clones. While several security suites are now capable of detecting this malicious software, it has been reported that the malware has found its way to the cloud and is now also affecting mobile handsets.
What happens next?
What happens next? Will the security firms keep struggling against cyber criminals next year? It’s a cat-and-mouse race between the security firms and cyber criminals, says Sam Bowne, a professor at City College of San Francisco who teaches ethical hacking and computer networking. “I think every company is taking security more seriously every year, but the attackers are constantly improving, so the balance of power will remain the same for the near future,” he told BGR India. “Each company can repel weaker attackers, but not all of them, and has to make calculated risk acceptance decisions.”
Users’ privacy at stake
Last year, U.S. spy agency contractor Edward Snowden revealed the existence of mass surveillance programs such as PRISM, run by the NSA, an agency which has been spying on the internet’s conversations and traffic. The United States government’s contention is that the agency helps it monitor the web and find terrorists. Should users worry about their privacy?
“I think the privacy concerns people have about NSA spying are very exaggerated. Most people aren’t doing anything the NSA cares about, especially people outside the US, so it really won’t make any difference to them if the NSA reads their email, etc.” said Bowne. “There is a legitimate internal concern for US politics, that allowing the NSA to spy too much will degrade the US political system and cause the system to decay towards tyranny, but that has very little immediate impact on most individuals.”
The surveillance, which directly jeopardizes everyone’s privacy, has been widely criticized, and many experts urge people to stop using US-based services. That does not sound so challenging until you realize that the vast majority of services and products you use, including Windows, Mac OS X, Facebook, Twitter, Google and Gmail, are all US-based. “I agree with something Bruce Schneier said: every company has to operate within some country, and that country’s spy agency will spy on them. So you will have an opponent, and the NSA is a fairly benign opponent. What alternative is there? Do you want to use Chinese services instead?” Bowne added.