No. 10: WireLurker Targets Mac OS X and iOS
No. 9: Fake ID Vulnerability Takes Aim at Android
In July, Bluebox Security revealed the Fake ID flaw in Android, which gives an attacker the ability to impersonate a valid app developer.
No. 8: POODLE Puts an End to SSL v3
The POODLE, or Padding Oracle On Downgraded Legacy Encryption, vulnerability was first disclosed by Google security researchers on Oct. 14. POODLE is a vulnerability in the SSL 3.0 cryptographic protocol that can enable an attacker to access and read encrypted communications.
No. 7: Sandworm Goes After Windows
Among the many Microsoft vulnerabilities patched in 2014 is one dubbed Sandworm by security firm iSight Partners. The vulnerability, which also is known as CVE-2014-4114, is a flaw in Microsoft’s Object Linking and Embedding (OLE) that was used in attacks against NATO and the European Union.
No. 6: Shellshock Shocks Linux
The Shellshock vulnerability, first disclosed on Sept. 24, is a flaw in the open-source Bash (Bourne Again Shell) shell. The flaw gave an attacker the ability to execute arbitrary commands on vulnerable servers. Adding to the panic surrounding Shellshock, it took several days for complete patches that protected users to emerge.
No. 5: Xen Flaw Reboots the Public Cloud
On Oct. 1, the open-source Xen hypervisor project disclosed XSA-108, a security vulnerability that gave access to the resources of other virtual machines on the same host. It’s a flaw that was patched by the major public cloud providers, including Amazon, Rackspace and IBM, before it was first publicly disclosed.
No. 4: JPMorgan Attack Exposes 83 Million to Risk
No. 3: Backoff Malware Leads Retailer Assault
Many big-name retailers were exploited by point-of-sale (POS) retail malware in 2014, including Home Depot, Staples, Neiman Marcus and UPS. One of the leading POS malware attacks in 2014 came from the Backoff malware, which the U.S. Secret Service warned in August had impacted more than 1,000 retailers.
No. 2: Heartbleed Impact Was Widespread
The Heartbleed vulnerability, which was first disclosed on April 7, is a flaw in the open-source OpenSSL cryptographic library. Because OpenSSL is widely deployed and embedded in many forms of technology, the impact of Heartbleed was widespread, affecting VPNs, Web servers and mobile devices.
No. 1: Sony Hack Has International Impact
No attack has captured the imagination and attention of the general public as much as the attack on Sony Pictures. First disclosed at the end of November, the Sony Pictures attack shut down many IT operations at the company and led to the accusation by the FBI that North Korea was behind the attack.