In 2014 we were witness to a massive rise in cyber crime and critical security bugs. This year unfortunately the problem continues to rise and is getting more and more out of control. One of the major preliminary issues to overcome is that many businesses don’t understand or even care about security, and this is the first major problem to overcome in the battle to create a safer internet. Over the last few years I have spoken with people about online security and to my amazement, and horror, I have come to realize that keeping visitors, client and staff data safe is not a priority for most businesses. The truth is that in this day and age if you don’t understand or care about security, then you should not be handling peoples data or providing online services. Some of the most common things that people think is that security doesn’t apply to them, no one would want to hack them, it is too much trouble to learn about modern vulnerabilities and protect against them, they don’t have time and it won’t happen to them.
None of the above are good ways to think if you want to run a business that is responsible for handling client and staff data or providing online services to the general public. Everyone is at risk and business owners that do not keep up to date with modern security implementation not only put themselves and their staff at risk, but also their clients. Even if you are not storing data on your website, you run the risk of infecting visitors to your website if you do not use modern encryption methods.
Here are a few of the main security issues and hacks that have happened over the last year:2014:
Heartbleed is a cyber vulnerability which is a global issue that affected millions, and probably billions of people. The bug was a vulnerability in a cryptographic software called OpenSSL one of the most commonly used forms of encryption used on the web, a lot of websites you visit that had https in the address were affected by this bug (By now all websites should use encryption, if a website doesn’t use https you should not use it, apart from anything websites that do not use encryption are now penalized by Google). Still today I am sad to say that I have tested sites that are still vulnerable to this bug.
ShellShock is a bug that could of been around for the last twenty years. ShellShock uses Bash scripts to communicate with vulnerable servers. Once they have accessed a server they can launch programs and basically do a lot of bad stuff. Although this bug targeted at only web admins and hosting companies, it is a lot more dangerous than The Heartbleed Bug.
The Poodlebleed bug is a bug that allows MITM (Man In The Middle) access to data sent around affected websites that use SSL 3.0. Poodle stands for Padding Oracle On Downgraded Legacy Encryption and allows naughty people to view encrypted data over what is supposed to be a secure connection.
2014: Microsoft Schannel vulnerability
The Schannel vulnerability was a bug that was found in the Windows Operating system that affected every single Windows computer in the world. The bug allowed remote code execution meaning that hackers could put what ever code they wanted on your computer and execute it.
2014: Sony hackedIn late 2014
Sony was hacked a number of times. The hackers retrieved addresses, email addresses and other personal information including Social Security numbers of over 3,803 Sony employees and leaked them online. Members of staff received emails threatening them and their families:“Please sign your name to object the false (sic) of the company at the email address below if you don’t want to suffer damage. If you don’t, not only you but your family will be in danger.”In addition to this a spreadsheet of salaries was leaked online, five Sony films including Still Alice and Annie, and thousands of passwords were stolen from a folder stupidly named passwords.
2014 / 2015
GaloreI believe that WordPress is a very dangerous system as it gives people the impression that anyone can build websites. Website development should be handled by professionals who are trained to make sure that systems are well built and secure. A recent example of hacks made through WordPress vulnerabilities are where compromised WordPress sites were exploited by the Nuclear exploit kit which injected them with an iframe that redirected unknowing customers to a Pirate Bay clone site. Another more recent and more worrying attack was announced by the FBI after a number of news organizations, commercial entities, U.S Federal/State and Local Government, and also Foreign Government WordPress sites were hacked by people that are said to support ISIS.
2015 White House hacked
Earlier this year Russian hackers broke into the White House system and stole details of President Obama’s schedule as well a emails. The hackers were able to infiltrate the White House system using a kind of phishing attack that broke into a State Department network giving them access through to the White House system.