With data breaches, hacks and yet more revelations about NSA surveillance, IT security was near the top of the agenda throughout 2014. Here, Computing looks back at some of the more significant IT and enterprise security stories of the year.
10. eBay hacked…twice
It wasn’t a good year for security at eBay, which was affected by multiple security incidents throughout 2014. In September, eBay was the victim of a cross-site scripting attack, which sent some of its users to a malicious website designed to steal their credentials.
The firm was reportedly slow to close the security issue, with the compromise remaining in place for 12 hours after a customer first alerted eBay to the problem.
Worryingly, it wasn’t the first time that eBay saw its security credentials questioned during 2014. In May, it faced criticism over an attack that compromised users’ passwords and personal data – and over the three-month delay in disclosing the attack to users.
“It feels to me like eBay isn’t handling this very professionally,” wrote independent security analyst Graham Cluley at the time of the reveal.
9. Bank of England employs hackers
It’s a well-known “secret” in the IT industry that large organisations will often employ computer hackers: ethical hackers whose job it is to poke and prod at systems to ensure the company is as secure as possible.
However, while it may be common knowledge, there aren’t many firms that openly talk about employing hackers – discussing security protocol could be seen as risky, after all.
So when, in April, the Bank of England announced it was to hire ethical hackers to help it test the defences of more than 20 major banks, eyebrows were raised.
The move was, however, welcomed by Charles Sweeney, CEO of web security firm Bloxx. “It is great to see the UK leading the way in cyber protection programmes that can make a real difference to consumers, enterprises and the economy,” he said.
8. JP Morgan hack affects most US citizens
Perhaps JP Morgan, America’s largest bank, should have employed the ethical hacking techniques used by the Bank of England, which might have prevented one of the largest data breaches in history.
The cyber attacks against the bank initially occurred in August, which led to the FBI probing Russian government links to the JP Morgan hack.
However, regardless of who carried out the attack, the results were extremely far-reaching, with the names, addresses, phone numbers and email addresses of 76 million households and seven million small business accounts exposed.
“Until now the assumption has been that the companies that get breached are the ones that have poor security practices, but we know that JP Morgan had a good security programme and that they invest heavily in this area,” said Tal Klein, VP of cyber security firm Adallom.
“So what we are waking up to is that the fundamental nature of security is broken,” he added.
7. Target CIO resigns after huge data breach
JP Morgan might have been subject to the biggest data breach in US history, but it’s hardly the first American company to fall foul of cyber criminals in such a way. American retailer Target can attest to that, following a data breach that could have affected as many as 110 million people.
It was ultimately Target CIO Beth Jacob who paid the price as Target looked to restructure its operations following the breach. Jacob resigned from her role in March this year.
6. Edward Snowden warns on social media surveillance
However, 2014 wasn’t just a year in which big businesses needed to be concerned about surveillance. The ongoing revelations about NSA, GCHQ and other government surveillance schemes continued to appear via the man who first revealed them to the world, Edward Snowden himself.
While governments continue to be the main focus of the revelations, Snowden has also spoken out about the risk of using high-profile cloud service, search engine and social media providers, suggesting Google and Facebook are in cahoots with government surveillance and are “dangerous services”.
July also saw Snowden speaking negatively of Dropbox, accusing the company of being “hostile to privacy” and a “wannabe” collaborator in the US government’s PRISM snooping programme.
5. Bash security vulnerability
2014 was very much the year of the security vulnerability, with a plethora of new bugs including Bash and Heartbleed (more on that later) leaving businesses and security experts worried.
Details of the Bash bug, AKA Shellshock, first appeared in September, with security experts warning it could wreak havoc on everything from IT systems to internet-connected devices; a total of over 500 million devices were thought to be potentially at risk when it was discovered.
The threat was viewed as so severe that the United States Computer Emergency Readiness Team (US-CERT) issued a warning to system administrators, recommending that they apply patches to combat the bug.
4. Sony Pictures hacked, films and confidential emails leaked
November saw Sony Pictures Entertainment targeted by hackers in an incident that led to the firm switching off its systems. It was yet another blow to Sony, which doesn’t have the best reputation for security, following a string of attacks against its PlayStation Network.
As details about the attack emerged, it became apparent that information ranging from employee details – including personal information and emails of celebrities – to unreleased films was being made public.
The attack against Sony Pictures led to the FBI warning US businesses that computer hackers or other cyber criminals have used malicious software to launch “destructive” attacks against American organisations.
At the time of writing, the culprit still isn’t known. Fingers were initially pointed at North Korea, where the authorities are furious about an upcoming Sony film depicting an assassination attempt on the country’s leader.
A North Korean spokesperson’s response to the accusations was initially “wait and see”, but the country is now denying any involvement.
“At this point, the attacks seem to be a few hackers and not the North Korean government,” said security expert Bruce Schneier.
Whoever perpetrated the attack, it’s been yet another embarrassing security incident for Sony.
3. iCloud security breach leaks naked celebrity photos
Apple tends to pride itself on the security of its devices and services, but the iPhone and iPad maker was left red-faced – as were a number of celebrities – when its iCloud service was compromised in August.
The theft of hundreds of private photos belonging to well-known celebrities – including naked pictures of The Hunger Games star Jennifer Lawrence – left Apple facing searching questions about the security of its iCloud service.
With so many businesses and individuals increasingly willing to trust cloud services, it came as a stark reminder that sensitive files may not be stored as securely as first seemed.
“It is a stark reminder of the potential consequences of having sensitive material lying around in the cloud,” said Chris Boyd, malware intelligence analyst at Malwarebytes, who pointed out that individuals may not be aware that their smartphones are automatically backing up their files to a cloud server.
“With today’s devices being very keen to push data to their own respective cloud services, people should be careful that sensitive media isn’t automatically uploaded to the web, or other paired devices,” he said.
2. US uses internet surveillance for industrial espionage
The NSA surveillance revelations continued to cast a shadow over both IT and governments throughout 2014.
But arguably one of the more chilling revelations from Edward Snowden this year came in January, when he claimed the United States, the self-styled bastion of democracy, used internet surveillance for industrial espionage.
Snowden claimed that the industrial espionage was not limited to “issues of national security”, but any engineering and technology that may have value to corporate America.
Citing German industrial giant Siemens as an example, he said: “If there’s information at Siemens that’s beneficial to US national interests – even if it doesn’t have anything to do with national security – then they’ll take that information nevertheless.”
Much like other security incidents this year, Snowden’s comments no doubt had many questioning if there’s sound logic behind storing sensitive information in the cloud.
1. Heartbleed
Heartbleed, a security bug at the very heart of OpenSSL, caused widespread panic throughout the IT industry and the wider business world when it was discovered in April. The weakness allowed “anyone on the internet” to read the memory of systems protected by “vulnerable versions” of OpenSSL.
German programmer Robin Seggelmann claimed that he was “responsible for the error” that led to the flawed OpenSSL code. However, others blamed the fact that it had slipped through on the web giants that use the code but don’t bother helping the open source community examine it for bugs.
“It has been said that 90 per cent of websites are using this code but very few are contributing,” said Peter Pizzutillo, director of product marketing at software quality analysis firm CAST.
But while news of the bug first appeared in April, even by June there were still hundreds of thousands of systems which hadn’t yet been secured.
“We found 600,000 systems vulnerable when the Heartbleed vulnerability was announced. A month later, we found that half had been patched, and only 300,000 were vulnerable. Last night, about two months after Heartbleed, we scanned again and found 300,000 still vulnerable,” said security researcher Robert Graham, who believes the vulnerability could remain for years to come.
“Even a decade from now, I still expect to find thousands of systems, including critical ones, still vulnerable,” he stated.
In the aftermath of the Heartbleed crisis, technology firms including Google, Facebook and Amazon united in a bid to support “critical” open source projects, although whether systems are any more secure remains to be seen, especially given that the NSA was exploiting the bug to spy on internet users the whole time.