{"id":3497,"date":"2015-01-21T18:59:28","date_gmt":"2015-01-21T18:59:28","guid":{"rendered":"http:\/\/kasperskydaily.com\/b2b\/?p=3497"},"modified":"2020-02-26T10:59:20","modified_gmt":"2020-02-26T15:59:20","slug":"an-outlandish-top-10-of-cybersecurity-events-in-2014","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/an-outlandish-top-10-of-cybersecurity-events-in-2014\/3497\/","title":{"rendered":"An outlandish Top 10 of cybersecurity events in 2014"},"content":{"rendered":"

\u201cThreat landscape\u201d is a common phrase used in cybersecurity. It governs whether companies choose to buy new hardware or to spend money protecting existing infrastructure. Dependence is direct: If your trains get derailed all the time, buying new locomotives isn\u2019t a solution.<\/p>\n

There are various ways to assess this landscape on a scale of \u201camiable\u201d to \u201cgloomy \u201c. Here are a few assessments from our experts: 2014 summary<\/a>, predictions for 2015<\/a> and, for the number lovers, the figures<\/a>. But what do companies think? We poll them regularly (see here for details<\/a>), but this year we decided to use a non-conventional method as well.\u00a0<\/p>

An outlandish Top 10 of #cybersecurity events in 2014<\/p>Tweet<\/a><\/blockquote>\n

Our Threatpost<\/a> site follows all the meaningful news regarding IT security. We decided to pick the top 10 events of the past year by a single criterion: the popularity of the corresponding articles. The results were interesting. There was no politics (no Snowden, no NSA) and few topics of strategic nature. The problems that stand out are those that have to be considered when assessing the threat landscape right now.<\/p>\n

\n<\/p>

10. TrueCrypt: the first (relatively) verified distribution after the epic fail in May<\/strong><\/p>\n

The Story<\/a>. Drama in detail<\/a>.<\/p>\n

\u201cGuys, here\u2019s the thing. TrueCrypt\u2019s insecure, but we\u2019re not gonna tell you why. Use the standard encryption in Windows. And we\u2019re off. See ya\u201d.<\/p>\n

That\u2019s the loosely interpreted meaning of the message from developers of a popular TrueCrypt encryption system (it\u2019s still available here<\/a>, by the way). When you choose your protection \u2013 paid or free, encryption or antivirus \u2013 you assess the convenience, functionality, and effectiveness of the approach to security. But first you must trust it since auditing the code \u2013 even if it is freely available \u2013 is a bit too costly.<\/p>\n

In the case of TrueCrypt, we had an efficient, easy and free encryption tool, developed by an anonymous group of authors. It\u2019s still unclear what the hell happened. Either there was a bug that couldn\u2019t be fixed, or authorities \u201crecommended\u201d to desist, or they just got tired of coding. More than half a year has passed, and we\u2019re not apparently going to learn the truth in full.<\/p>\n

The only hope here is a collective initiative Open Crypto Audit Project<\/a>, which aims to audit TrueCrypt\u2019s code \u2013 and not just that. By the end of June, a verified distribution of TrueCrypt v.7.1a appeared on Guthub<\/a>. Does it mean that all bugs have been discovered and everything\u2019s alright now? Nope, far from it. For now, they have only learnt that sources and builds of this version are indeed sources and builds of this particular version. The 7.1a code was analyzed in the first part of the audit (results were revealed<\/a> in April). Now we\u2019re waiting for the next part. Progress can be followed here<\/a>.<\/p>\n

9. DDoS against UltraDNS<\/strong><\/p>\n

The story<\/a><\/p>\n

April 100Gbps DDoS attack on UltraDNS using DNS amplification rendered quite a few clients inaccessible for hours. There was nothing particularly special in comparison to other DDoS attacks that reached up to 400Gbps<\/a> (these used NTP protocol flaws). The problem is that such attacks became commonplace. Unlike the most complex, usually narrowly targeted threats (check out our report on Regin campaign<\/a> that has only 27 victims), DDoS is a universal problem. At least 18% of companies worldwide have been hit with DDoS, according to our data. And if spam (which is the number one problem) harms only indirectly, website inaccessibility has a real impact: It means missed sales and reputation losses. The primary trend of this year is amplified DDoS attacks, using the flaws in fundamental network protocols, along with a combination of DDoS and targeted attacks in a manner like \u201cstun and steal the wallet\u201d. We\u2019ll get back to this topic a bit later.<\/p>\n

Here\u2019s a detailed description of a DDoS Trojan for Linux<\/a>.<\/p>\n

\"darkhotel\"<\/a><\/p>\n

Dark Hotel<\/em><\/a>\u00a0APT \u2013 a non-conventional way to steal data from traveling employees<\/em><\/p>\n

8. Passcode bypass in iOS 7.1.1<\/strong><\/p>\n

The Story<\/a><\/p>\n

The April iOS update to version 7.1.1 as well as a Mac OS X patch actually fixed a serious flaw in Apple\u2019s implementation of SSL protocol (not this one<\/a>, though). As it often happens, new bugs arrived, one of which made it possible to partially circumvent locks on Apple iPhone 5\/5s and get access to the address book.<\/p>\n

As we all know, any Apple-related news is a potent traffic generator, so the flaws in Apple\u2019s devices couldn\u2019t help making their way into our top list. As with UltraDNS it is not the flaw itself that\u2019s notable, but the industry\u2019s attention to mobile devices. Companies increasingly see them as a threat, although they understand that prohibiting smartphones in the workplace isn\u2019t going to work.<\/p>\n

According to our data, 22% of companies faced security issues related to loss or theft of mobile devices. Thus, any circumvention of security measures is indeed a problem \u2013 especially if the corporate smartphones weren\u2019t protected well enough, or if the protection systems were out of commission. Besides the passcode circumvention there was yet another problem in the same version of iOS: e-mail encryption did not cover the attachments. Access to the phone\u2019s file system provided access to the attachments, too.<\/p>\n

\"epicturla\"<\/a><\/p>\n

Epic Turla \u2014 a research<\/a> of complex connections between different APTs.<\/p>\n

7. The Internet is broken, act accordingly<\/strong><\/p>\n

The Story<\/a><\/p>\n

If someone asked me to use non-verbal means to express the situation with security on the Web, using two music videos, I\u2019d do it the following way (you\u2019re welcome to offer your variants in the comments, let\u2019s talk about music associations!).<\/p>\n

The ideal situation:<\/strong><\/p>\n