Bad moon rising
Barely halfway through 2014, the year's already poised to become the scariest yet for digital security—topping even 2013's massive Target breach. We’ve seen hacks against big-name retailers like eBay, Michael’s, and Neiman Marcus—plus hotels, online forums, and numerous other websites. The current tally of compromised credit cards from major breaches is closing in on 5 million, and online accounts?—half a billion.
Beyond active attacks, go-to encryption tool TrueCrypt was lost, and we've suffered through the single biggest web security lapse ever. As we close in on the halfway point for 2014, here are the 10 biggest security stories so far.
Heartbleed bleeds the web
Thousands of major websites worldwide scrambled in April after a nasty little flaw turned up in OpenSSL—a widespread tool for securing online communications, including HTTPS websites. Dubbed Heartbleed, this devastating bug threatened to expose usernames and passwords, user data, and even the SSL keys sites use to securely identify themselves. The problem was widespread: affected sites included Instagram, Netflix, and Tumblr.
Although it was a serious flaw, Heartbleed also inspired several major tech companies to fund poorly-supported open source projects. The first group to receive assistance—surprise!—was the OpenSSL Software Foundation.
TrueCrypt shuts up shop
In May, customers were shocked to be suddenly rerouted from the TrueCrypt encryption software's website to the project’s SourceForge page. There, they found this message: “WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues.”
At first, it looked like a hoax or a hack, because TrueCrypt's advice to switch to Microsoft’s closed-source BitLocker encryption tool was diametrically opposed to the project's ideals. Several weeks later, however, TrueCrypt’s demise appears to be real. There are attempts to resurrect the project under new management, even as rumors about hidden Latin messages from TrueCrypt's developers swirl.
Breaches, breaches, and more breaches
A security review wouldn’t be complete without a roundup of major data breaches. EBay is the most notable victim: In May, the site announced a devastating data breach that included names, email and home addresses, phone numbers, dates of birth, and encrypted passwords. Reports put the number of affected users around 145 million.
Hobby retailer Michael’s joined eBay in the data breach Hall of Shame, along with AOL, Avast's online forums, Holiday Inn and Marriott Hotels, and Neiman Marcus. Restaurant chain P.F. Chang’s recently announced it was also investigating a data breach. And oh yeah, another 360 million usernames and passwords surfaced on hacker forums in February. Ugh.
But sometimes, a breach deserves individual recognition—like the hack that Seagate-owned LaCie announced in April. The hard drive and peripheral storage maker said its online storefront had endured a whopping year-long data heist from March 27, 2013 to March 10, 2014. LaCie said it wasn’t sure what kind of data had been pilfered, but it may have included customer names, email addresses, credit card numbers, and card expiration dates. Crazy.
Ransom goes rampant
If 2013 was the year of the personal data breach, then 2014 is shaping up to be the year of digital hostages and ransomware. Malicious software that threatens to ruin your PC if you don’t pay a certain amount of money is an old game, but hackers upped the stakes in the early part of 2014. In late May, iOS users around the world woke up to find their iDevices locked via Apple's Find My iPhone service, with hackers demanding money to restore them. Then in June, security firm ESET found the first example of file-encrypting ransomware on Android. Sites like project-management web app Basecamp were also held ransom unless they paid up to stop distributed denial of service (DDoS) attacks.
Heartbleed wasn’t the only significant SSL/TLS bug in 2014. In February and March, both Apple and the Linux community were scrambling to fix flaws in their implementations of online security protocols. In Apple’s case, someone had mistakenly included an extra 'goto fail' programming statement that left encrypted data sent via SSL/TLS open to capture by hackers.
In the Linux case, the GnuTLS library had a programming flaw exposing user data to potential breaches, similar to Apple’s 'goto fail' problem. In the case of GnuTLS, however, it’s suspected the programming flaw existed for as long as 10 years—prompting Linux community leaders to say, “Huh, Gnu knew?” ( Groan —Ed.)
Bitcoin security hit a road bump in February: A flaw dubbed “transaction malleability” led to attacks against several Bitcoin exchanges, according to Bitcoin news site Coindesk. The flaw could theoretically allow an attacker to substitute a phony transaction for the original one, thus redirecting Bitcoins from the intended recipient to the attacker.
Transaction malleability was serious enough that it was an early theory as to why embattled Bitcoin exchange Mt. Gox closed its doors. Mt. Gox’s problems were later revealed to go deeper than a software bug, however, and a fix addressing transaction malleability was issued in March.
The case highlights how American digital due-process is woefully inadequate. After all, private emails sitting on third-party servers should be considered just as private as those love letters stashed in the back of your closet.
Gameover for Gameover botnet
Two positive stories offer some hope.
In June, a global law-enforcement coalition temporarily disrupted a nasty botnet called Gameover ZeuS. Infected Windows PCs were harvested for personal data and also used to distribute Cryptolocker ransomware.
Gameover includes a peer-to-peer component, as well as online proxy servers and strong encryption, according to Krebs on Security. Gameover affects an estimated 500,000 to one million PCs worldwide, and the disruption—dubbed ‘Operation Tovar’—only served as a chance to clean up infected PCs. U.S authorities indicted Evgeniy Mikhailovich Bogachev, 30, of Anapa, Russia, on several criminal charges related to operating the botnet.
Google's end-to-end revenge
Revenge is a dish best served cold, and Google made sure its vengeance pie was well and truly cooled before serving it up to the National Security Agency. As the fallout over Edward Snowden's NSA revelations continues, Google announced it wanted to make end-to-end encryption for webmail easier to use with a new Chrome extension. Called End-to-End, the extension is currently in a public alpha phase and not yet ready for wide release. When it goes live, however, it will be one of several new projects promising to keep your most private emails secure from prying eyes and snooping government agencies.