The month of January is often a time for reflection. We’ve wrapped up an entire year and look optimistically to the year ahead of us. What we also typically do is look to the past year to see what we can learn. Now that 2015 is upon us, it’s time for reflection. What can we learn when we look at the news from the website security landscape of 2014? Below are five events we think helped change the face of website security.
1. The Snapchat Hack
Snapchat is a popular photo-messaging app, known for letting its users send photos and videos that disappear from existence shortly after the recipient views them. In August 2013, Australian security firm, Gibson Security, contacted the Snapchat team to notify them of a vulnerability in their API that would allow hackers access to user data. Snapchat didn’t respond, and on December 31st 2013, Gibson Security released the source code for the API exploit publicly (a common Google practice)..
Snapchat was hacked immediately after the code was released, and over 4.6 million usernames and phone numbers were exposed as a result.
What did we learn from the Snapchat hack? First and foremost, never ignore web security threats or they will be exploited, resulting in data loss or data exposure. Secondly, it’s important to make sure that all of your APIs contain no loopholes or backdoors into your server. Employ an expert that specializes in API development if you have to.
Lastly, if your business does become victim to a cyber attack, respond appropriately in a transparent manner and take full responsibility – even if the hack wasn’t your intentional doing. Snapchat failed to respond appropriately, and it led to massive backlash from both its users and the press.
Heartbleed was perhaps the most infamous web security exploit of 2014. It alone put 17% (over 500,000) of the Internet’s certified web servers at risk causing mass panic and huge financial damages.
A member of Google’s Security Team, Neel Mehta, discovered the bug in April 2014. He learned that OpenSSL, a popular open-source cryptographic security software, could be exploited by allowing a hacker to easily retrieve private data on a web server, due to a programming bug. It was later named “Heartbleed” by an engineer at cyber security company, Codenomicon.
What did we learn from Heartbleed? Any software or business, including the well-established ones such as OpenSSL (around since before the dot-com era), is susceptible to a cyber attack. Regularly scanning your website for vulnerabilities, backing up private data, and archiving inactive data are all important things your business can do to help prevent and minimize cyber attacks.
3. The Fappening
During summer of 2014, The Fappening was one of the internet’s top trending stories – a massive leak of nearly 500 private (and mostly NSFW) celebrity photos originated on Imgur, Reddit and 4Chan. But, how did hackers get the photos?
According to several sources, the breach didn’t happen all at once – photos were slowly accumulated over a long period of time, using brute-force password cracking techniques to access celebrities’ iCloud (and other cloud computing) accounts. At the time, services such as iCloud were found to have a weak data access policy, giving hackers a backdoor into customers’ private data.
What did we learn from The Fappening? Ensuring that all of your business’s online access points are secure should be one of your top priorities, otherwise you risk exposure of customers’ private data. On the other hand, it’s worth educating your customers on the importance of secure passwords, lest they end up like these folks.
Shellshock became a popular security threat back in September of 2014, after being discovered by a few Unix/Linux technology specialists. Alternatively known as “Bashdoor”, Shellshock is a family of security bugs that allows hackers unauthorized access to someone’s computer through a backdoor in the Unix operating system. Once in, computers were used as part of a greater (and more dangerous) effort to create botnets and conduct DDOS attacks.
A patch for Shellshock was released within a matter of days but it was estimated that 1.5 million attacks and probes were executed per day during that time.
What did we learn from Shellshock? It’s important to have a Web Application Firewall (WAF) installed to block malicious traffic, such as “bad” bots and hackers, from attacking your website. Fortunately, SiteLock’s TrueShield WAF blocked Shellshock almost immediately after the threat was discovered.
2014 didn’t exactly go out with a bang – near the end of December, a new strain of malware called SoakSoak was discovered, compromising more than 100,000 WordPress websites. As a result, 10,000+ domains were also blacklisted by Google, making them inaccessible to the public.
How does SoakSoak work? The malware injects malicious code into local WordPress installation files using a vulnerability in the popular RevSlider plugin, to make the victim’s website redirect to an infected URL, soaksoak.ru. Since over 74 million websites are hosted with WordPress, the SoakSoak hack evolved to include multiple strains of malware.
What did we learn from SoakSoak? Keep all of your WordPress installations up to date, and more importantly, always make sure your plugins are updated as well. Thankfully, it’s a relatively easy since the WordPress community is quick to patch issues.
An eventful 2014 taught us…
- To stay educated about relevant security issues and respond to incidents appropriately
- That no software or system is invulnerable
- To secure data egress points as well as ingress
- A web application firewall is as important as a network firewall
- Update, update, update
Contact SiteLock today to start a free consultation with our website security specialists and learn how to protect your site.