Mega vulnerabilities of 2014 and even more mega predictions for 2015

Featured article by Debbie Fletcher, Independent Technology Author

As the New Year begins, we all have such grand plans don’t we? We’re going to get in shape, eat healthily, pay down our debts, be better partners, better friends, and better people. We’re going to set lofty goals and by hook or by crook we’re going to reach them. This is the year. Right?

The bad news is that approximately 99% of people are going to abandon their big New Year’s goals by the end of January without having incurred much success. The worse news is that the other 1% of people, the ones who are going to do everything they set out to do and exceed expectations at every turn, are hackers. That’s right – if there’s one group we can expect big things from in 2015, it’s hackers.

Here’s a look back at some of the biggest occurrences in 2014 internet security, as well as a few predictions for 2015 and how it’s possible to prepare, based on some insights from the security firm Incapsula.

Bleeding hearts, battle trauma and yappy dogs

In other words, the mega vulnerabilities of 2014. What classified each of these vulnerabilities as “mega” was that instead of affecting a particular operating system, application or browser, they affected the core internet infrastructure in the form of SSL and Linux devices and therefore had the potential to impact almost every internet user in the world.

The mega vulnerability onslaught began in April when the Heartbleed vulnerability was discovered. Heartbleed is a bug in the OpenSSL transport layer security that allows hackers to access information – namely encryption keys, usernames, passwords, and private content and data including intellectual property – from both client and server memory. At the time of the vulnerability’s disclosure, it was believed that 17% of the internet’s secure servers were at risk.

For six months, Heartbleed reigned supreme as the most potentially catastrophic vulnerability on the internet. Then came Shellshock. In September of 2014 a family of bugs in the Bash command shell were discovered. These bugs allowed attackers to completely and easily take over servers to delete or steal information, execute DDoS attacks and install malware. Since Bash is a command shell used in Linux, Unix and OS X systems, the damage was widespread and the threat is still potent. Incapsula has tracked Shellshock’s evolution from a high-profile attack to a vulnerability that is routinely probed by hackers.

Shellshock dominated internet security headlines for about one month. Then came the Poodle vulnerability of October 2014, which exploited security holes in SSL 3.0, a transport layer security protocol known for its flaws. For the sake of interoperability, SSL 3.0 was a fallback option for many internet and security software clients. This ultimately left those clients vulnerable to the security holes in SSL 3.0, allowing attackers to decrypt and extract sensitive information, including credit card and financial information, usernames, email addresses and passwords.

Source and Hi-res image: Incapsula

Squinting ahead

If 2014 was the year of the mega vulnerability, it’s looking as though 2015 will be the year of the mega-mega vulnerability. Only it will probably be given a better name.

The reasons Incapsula is predicting even more and even bigger vulnerabilities for 2015 are fairly straightforward. The first is that these attacks are effective and efficient. Attackers have realized the immense ROI that can accompany the exploitation of vulnerabilities that impact the majority of internet users. The second reason we’re going to see these kinds of attacks grow in size and impact is that the security researchers who discover – and disclose – these major vulnerabilities will be able to base their entire academic or professional careers on it. Once a vulnerability is disclosed, it’s open season for attackers.

Basically, these mega vulnerabilities are being hunted down by the good guys and the bad guys.

Why these attacks can be so hard to stop – and what we can do to reverse that trend

The best-case scenario when it comes to these vulnerabilities is that a patch already exists. Even so, it can take days or even weeks for an organization to roll out these patches completely, leaving servers, systems and applications open for exploitation in the meantime. And that’s the best-case scenario.

The worst-case scenario is what we see most often: the zero-day threat. These are vulnerabilities that are newly discovered and therefore have no patch or other response in place, giving internet security specialists ‘zero days’ to respond.

With Incapsula expecting even more mega vulnerabilities in 2015, they’re focusing in on fast responses to these zero-day threats, including new detection mechanisms and even sharper and more effective deployment solutions. By using a crowd-sourced security model which aggregates attack data from over 100,000 domains worldwide, and leveraging continuously updated IP reputation database in order to monitor traffic from botnets and other hubs of hacker activity, it will be easier to combat any attack on any vulnerability exploitation in the coming year.

 Debbie Fletcher is an enthusiastic, experienced writer who has written for a range of different magazines and news publications over the years.