Looking back in despair
It is often customary at this time to look back with a fond eye at the year as it wanes, as we face once more into the holiday season that culminates in the mid-winter festival, or Christmas, or whatever you like to call it.
This practice is often good for the soul, and allows us to see our accomplishments through the year and face into a new one with a little warmth in our hearts and a glow to our cheeks, to meet challenges anew.
Or, as is just as enjoyable, you can look back and see what unmitigated disasters have occurred through the year to bring a bout of schadenfreude, as we think that, for some reason, we ourselves are immune to the stupidity, carelessness and hubris that were so clearly the causes of others’ misfortunes.
Looking back at all of these incidents, accidents, vulnerabilities, outages and revelations tells us one thing very clearly. 2014 has not been a good year for information security.
2014 was quite a year when it comes to outages, vulnerabilities and hacking, with a whole new cadre of terms to add to the list that will see security admins shudder and reach for the can of resurrection strength energy drink as they prowl their own log analysers looking for the tell-tale signs of intrusion, breach or exfiltration.
A very useful tool for this produces a guiding, though by no means exhaustive, list. Simply go to our web site, TechCentral.ie and click on the TechPro channel and then in the search box type in ‘vulnerability’, ‘outage’ or ‘breach’ and hit the button for a roll of less than stellar performance.
I carried out this exercise and below is a summary of the results at time of writing. Let us start with outages.
January saw a Dropbox outage that led to the company having to deny rumours it had been hacked.
March saw a report that said a fifth of large companies across the US, Canada and the UK fire IT staff after a major outage, with an average financial loss of just over €100,000.
April saw a major outage for Instagram, due to what was termed a ‘feed’ issue.
May came with a ‘fat finger’ incident at cloud service provider Joyent that resulted in an entire data centre’s VMs being rebooted due to operator error.
June saw a brief Facebook outage, while Office 365 suffered a 9-hour outage blamed on network infrastructure.
July arrived with problems for BBC’s iPlayer, which suffered a major outage just as a new CTO was about to take up the cudgels.
August again loomed dark for Microsoft with a Windows Azure outage affecting Cloud Services, VMs and web sites. Azure suffered again in November as a performance update resulted in service interruptions.
2014 started poorly on the vulnerability side of things, with a report from High-Tech Bridge which found that while critical flaws were being patched quicker, there was still much to be done on the discovery side.
In February, Snapchat revealed a vulnerability that could be exploited to crash iPhones.
The same month saw Synology admit that its DiskStation Manager had a vulnerability that could compromise file access authority. Later that month OSX 10.9.2 arrived with fixes to SSL and mail problems.
April saw the arrival of the Heartbleed SSL vulnerability, which led to a flurry of activity that would last for months. The same month saw a report from Coverity that found open source software was well ahead of proprietary software, with fewer bugs in projects of all sizes. April also saw a new Internet Explorer bug that affected versions 6-8.
June saw another OpenSSL vulnerability that could allow encrypted traffic to be monitored, discovered by a Japanese researcher for the company Lepidum.