Time flies. It is already late February in 2015 as we reflect on 2014 as the year the Internet fell apart at IBM InterConnect. It feels like it was just yesterday that Heartbleed, the information disclosure vulnerability in OpenSSL, was announced. At the time, IBM quickly sprang into action and released multiple network intrusion prevention system signatures that covered all the threat’s permutations. Exploitation was swift and seemingly relentless. Even as the year progressed, from a managed security services perspective, IBM still observed customers being attacked, but not exploited, by Heartbleed.
There are many things that make Heartbleed fascinating. One of the key aspects is that it is not a remote code vulnerability in itself. Rather, the vulnerability permits an unauthenticated attacker to obtain a small but useful amount of system RAM data in the response. Heartbleed was just one of a few notable major vulnerability disclosures in 2014.
The next, Shellshock, was just as shocking — if not more so — because of how long it had gone unnoticed. In the case of Heartbleed, the vulnerability had only been introduced two years or so earlier. With Shellshock, the vulnerability in the bourne-again shell had already been around for 25 years. This vulnerability facilitated the practical exploitation of Common Gateway Interface-based Web servers, OpenSSH servers, some Dynamic Host Configuration Protocol clients and other software to run commands as unauthenticated users or, in some cases, escape from a restricted shell, if authenticated. The scary thing is how many embedded devices (I suppose we call them the Internet of Things these days) are vulnerable and will be exposed for a very long time, since the devices won’t receive a firmware update or be updated by their users for whatever reason.
At the IBM InterConnect session “2014: The Year That the Internet Fell Apart” at 2 p.m. on Monday, February 23rd, I will dive into these two vulnerabilities and how attacks using them progressed. Additionally, I will share the highlights of the Unicorn bug, a vulnerability in Microsoft Windows I discovered and reported to Microsoft late last year. The goal is to discuss mechanisms and processes companies can use to gain better defenses in an interactive session. If you think you won’t be the next big breach story, let’s preview where the panel discussion is going to head.
In 2015, there have already been some highly noteworthy bugs, such as GHOST and JASBUG. It seems that bugs that are so old someone should have stumbled upon them sooner will continue to be discovered and disclosed throughout the year. Perhaps 2014 is not the year the Internet fell apart and 2015 will be.
Join me, our guest speaker, Alain-Désiré Kamenyero from Scotiabank and my esteemed IBM colleagues, John Kuhn and Jamie Licitra, at InterConnect 2015 to learn more about our thoughts and data on how the major vulnerabilities of 2014 affected organizations from around the world.