Review: 2014’s Security Breaches and Vulnerabilities
January 7, 2015
Remember 2014? Like it was just days ago, right?
It was an exciting year at SendThisFile. We’d even say that it was a time for meeting and exceeding challenges for Internet security. Others on the web weren’t so fortunate. Let’s take a look at the top security breaches and vulnerabilities of 2014:
- Target – At the end of 2013, Target learned that criminals had breached their systems, leaving behind malware that accessed customer data, including 40 million credit and debit card numbers. They later realized the hackers had also stolen names, mailing addresses, and phone numbers. More than 70 million customers were affected. The theft of these items put their customers not just at risk for fraudulent purchases, but with the latter information, they are also susceptible to web scams, intelligent phishing and social engineering. The investigation of this matter still continues more than a year later, and many of their customers took advantage of the year’s worth of credit monitoring they offered to those affected.
- Home Depot – a similar data security breach occurred at Home Depot in April of 2014 and was undetected for several months. The criminals used a vendor’s stolen log-on credentials to install malware that accessed 56 million credit and debit card numbers from self-checkout registers. The security breach was even larger than the Target breach. In the spirit of accountability, credit monitoring was again offered publicly to affected customers.
- JP Morgan Chase – Not to be outdone, an attack on JPMorgan Chase, the largest bank in the US, compromised 76 million households and 7 million small businesses in the summer of 2014. The attack started in June and was discovered in July. No money was taken and no fraudulent activity was seen. The hackers obtained a list of applications and programs that run on JPMorgan computers. It is believed that this information was to be used to look for an entry point into the bank’s systems. Names, addresses and phone numbers of customers were accessed. Customers were advised to change their passwords regularly and to beware of emails or phone calls that appeared to come from Chase.
- Heartbleed – This was probably the first time the larger public became aware of a security problem of such a grand scale, and was not the result of a data hack or a leak of any kind. It is a vulnerability discovered in the OpenSSL cryptographic software library, used all over the Internet. According to the Heartbleed site, the weakness allows stealing the information that is normally protected by SSL/TLS encryption. It is classified as a buffer over-read, or an instance where more data than intended can be read. Changes had to be made all over the web and consumers had to change passwords on many popular sites like Google and Facebook.
- Shellshock – is a family of security bugs first disclosed in September 2014. It affected Internet services that use Bash, a program that many Unix-based systems use to execute command lines and scripts. The bug would potentially allow an attacker to cause vulnerable versions of the affected “Bash shell” to execute arbitrary commands, allowing an attacker to gain unauthorized access to a computer system, effectively becoming a “Bashdoor.” It was compared to the Heartbleed vulnerability in terms of severity, but the public was mostly unaware of this potential problem.
- Poodle – an acronym for Padding Oracle On Downgraded Legacy Encryption, is described as, “a man-in-the-middle exploit which takes advantage of Internet and security software clients’ fallback to SSL 3.0.” It was disclosed in September 2014. Although not considered as severe as Heartbleed and Shellshock, it is still being remedied on many websites. At SendThisFile, we upgraded the encryption strength of our SSL certificates as a result.
Who knows where 2015 will take us? At SendThisFile, we’re shooting for a year of results! As far as security breaches and vulnerability bugs, here’s hoping for an uneventful 2015.