Today we released the first edition of the 2015 IBM X-Force Threat Intelligence Quarterly, where we focus on a year-end review of all the attack and breach activity that occurred in the previous year, along with some interesting new twists to the methodology of how vulnerabilities are disclosed.
2014 Saw a Surge in the Disclosure of ‘Designer Vulns’ and Security Incidents Targeting More Than Financial Gains
If the year 2014 felt to you like a never-ending roller coaster ride of thrills and excitement within the world of Internet security, you wouldn’t be the only one. We witnessed over a billion records of personally identifiable information (PII) leaked this past year, with attackers applying creative new approaches to fundamental attack types such as SQLi, malware and DDoS.
The below graphic provides some perspective on what a billion or more records might look like when compared with population sizes. While each breached record doesn’t necessarily denote an individual user, it is still likely that a significant percentage of the Internet-connected population experienced some form of loss as a result of security incidents in 2014.
Key Themes of 2014 Security Incidents
While condensing and correlating the year’s many diverse security incidents, we found three distinctive, overarching themes:
Privacy in a Digital World
- Sensitive photos stored on a cloud service — which in itself is not fundamentally flawed — resulted in stolen data due to weak passwords, easy-to-guess security questions and service providers’ lax policies on brute-force authentication.
- Private email communications at a major Hollywood studio were released.
Cracks in the Foundation
- Critical vulnerabilities disclosed across several foundational systems (operating systems, open-source libraries and content management software) resulted in many exploited websites.
- Underlying libraries that handle cryptographic functionality on nearly every common Web platform — including Microsoft Windows, Mac OS X and Linux — were vulnerable to fairly trivial remote exploitations capable of stealing critical data.
Lack of Security Fundamentals
- End-user password reuse
- Leaving default passwords on admin systems
- Poor challenge questions for password reset procedures
While general attack types remain consistent year to year, creative applications of these fundamental building blocks can vary greatly. Focusing on security fundamentals, such as password diligence, can provide a base level of protection that is invaluable.
‘Designer Vulns’ Changed How We Talk About Vulnerability Disclosures
We’ve long been accustomed to the naming of popular worms and exploits; even exploit kits are well-known, marketed and discussed with clever names such as “Blackhole,” “Sweet Orange,” “Nuclear” and “Neutrino,” to name just a few.
However, in 2014 we were introduced to our first taste of the “designer vuln,” a critical vulnerability that not only proved lethal for targeted attacks, but also had a cleverly branded logo, website and call name (or handle) that would forever identify the disclosure.
These designer vulns appeared within long-held foundational frameworks used by the majority of websites, and they continued throughout 2014, garnering catchy name after catchy name: Heartbleed, Shellshock, POODLE and, into 2015, Ghost and FREAK. We began to discuss vulnerability disclosures with the ease of a branded name and logo rather than boring old CVE identifiers like CVE-2014-1060.
Dynamic Testing Is Shaking the Foundation of Vulnerability Reporting and Recording the Largest Count in History
Another surprising twist in 2014 came in September, when a disclosure by a CERT/CC researcher announced an automated tool to test the security of Android applications, known as Tapioca. Using this tool, he discovered security issues in thousands of Android applications. These vulnerabilities can allow an attacker to perform man-in-the-middle (MitM) attacks against affected mobile applications.
This effort has (so far) produced literally thousands of disclosures of individual applications vulnerable to MitM attacks. In other words, these reports represent the same fundamental vulnerability affecting a wide variety of individual applications. They do not represent thousands of unique methods of attacking different applications; they represent one way of attacking thousands of applications.
X-Force cataloged more than 9,200 new security vulnerabilities affecting over 2,600 unique vendors in 2014. This number includes the roughly 1,400 Android SSL issues that have CVE IDs and does not contain the potential 20,000+ that are still being tracked in the CERT/CC vulnerability disclosure. This tabulation represents a 9.8 percent increase over 2013 and is the highest single year total in the 18-year history of X-Force.
This announcement not only changed the 2014 year-end count, but also the discussion on how disclosures should be recorded and will likely be a matter of debate by the CVE editorial board until new choices are determined.
Continuing the discussion surrounding Android application development, within the report we also review the unusual apathy mobile app developers seem to be displaying, leaving important banking applications vulnerable to critical disclosures made at the midyear for the Android version of Cordova. Despite warnings, 10 of the 17 banking applications we tracked (59 percent) were still vulnerable four months later.
Finally, to round out the year-end review, we take a historical look back at how crowd-sourced malware is creating Citadel variants and pursuing industries beyond the original financial targets.
New X-Force Interactive Security Incident Website Announced!
In response to the high capacity, volume and nature of attacks that have continually increased over time, X-Force is launching the IBM X-Force Interactive Security Incident (ISI) website to help users gain an in-depth understanding of security events in the current year, as well as a historical perspective of how things have evolved year to year.
We encourage you to visit this site often to stay up-to-date on the latest breaches and security incidents as they are confirmed by public sources.
Stay tuned for an upcoming Security Intelligence article where we’ll give some behind-the-scenes insights into this interactive data visualization.