BreachExchange mailing list archives

5 Worst Security Fails of 2014


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 24 Dec 2014 20:10:48 -0700

http://www.tomsguide.com/us/security-fails-2014,news-20049.html

From start to finish, 2014 was chock-full of embarrassing security
failures. Executives' emails, starlets' nude photos and your credit-card
numbers all got into the hands of bad people who seemed to run rampant over
the Internet without restraint.

The sad fact is that many of these failures could have been avoided. Each
of our top five flubs was made possible by a lapse in judgment or oversight.

Snapchat should have listened to the white-hat hackers who alerted the
company to problems with its apps. Sony Pictures should have noticed
terabytes of information escaping from its servers. Apple should have
studied how Google and Facebook protected their users' online data. Home
Depot should have studied the Target data breach to learn what not to do.
And the maintainers of open-source software should have reviewed the code in
OpenSSL and Bash whose flaws came to be known as Heartbleed and Shellshock.

Here's hoping that 2014's hard-learned lessons lead to a less eventful
2015. In the meantime, here are our top five security fails of the past
year.

Snapchat

The ephemeral-messaging service Snapchat celebrated New Year's Day 2014
with a massive data breach it could have avoided. More than 4 million
username-and-phone-number combinations were uploaded to the Internet, a
small slice of Snapchat's tens of millions of users. The credentials were
gathered using methods Snapchat had been alerted to back in August 2013,
but didn't fully address. Just before the breach, Snapchat executives had
dismissed the threat as "theoretical."

Snapchat went on to suffer more security woes in 2014, such as the October
"Snappening," in which supposedly deleted photos and videos taken by Snapchat
users were posted online; the images had been collected by a third-party app
that saved users' snaps, not taken from Snapchat's own servers. The company
even had its business secrets revealed in December, when emails written by
Sony Pictures CEO Michael Lynton, who sits on Snapchat's board, were leaked
as part of the Sony Pictures hack (see below).

Heartbleed, Shellshock and POODLE

Much of the Web's security is handled by free, open-source software
maintained by a handful of unpaid volunteers. Nevertheless, people were
shocked in April when a devastating flaw, quickly dubbed "Heartbleed," was
discovered in the OpenSSL code library, which encrypts communications
between Web servers and Web browsers. The bug, a missing bounds check in
the TLS heartbeat extension, let anyone read chunks of a server's memory,
including private keys, passwords and session cookies. It had been
accidentally introduced by a German coder on New Year's Eve of 2011. The
discovery of Heartbleed prompted a closer look at other widely used
open-source code, leading to the uncovering of the Shellshock flaw in the
Bash command-line interpreter in September and, in October, the POODLE
vulnerability, a design weakness in the SSL 3.0 protocol itself rather than
in any single implementation of it.

Apple iCloud Celebrity Nude Breach

Labor Day weekend was disastrous for Jennifer Lawrence, Kate Upton and a
hundred other young starlets as nude photos they'd privately taken of
themselves started appearing online. The data dump offered a peek at a
thriving underground trade in nude selfies, many of which were obtained by
breaking into other people's accounts to pull the automatically created
iCloud backups of their iPhone photos. Apple said the accounts had been
compromised through targeted attacks on user names, passwords and security
questions rather than a breach of iCloud itself, but it nonetheless
tightened iCloud security two weeks later, adding login alerts and
extending two-factor authentication to iCloud.

Home Depot Data Breach

Rumors that payment-card data had been stolen from Home Depot stores first
appeared Sept. 2, yet the company took nearly a week to admit that anything
had gone wrong. In the end, it turned out that 56 million credit and debit
cards, and 53 million customer email addresses, had been compromised due to
malware that infected company-wide payment systems in both the United
States and Canada. Surprisingly, there was no corresponding media panic
like that around Target's similar data breach nine months earlier; experts
ascribed the public apathy to "breach fatigue."

Sony Pictures Entertainment Database Theft

On Nov. 24, staffers at Sony Pictures Entertainment, the television- and
movie-producing division of Sony, had their computer screens hijacked by a
grinning skull. Within days, gigabytes of internal Sony Pictures data began
to appear online, including actors' and executives' Social Security
numbers, corporate emails, unpublished scripts, financial and legal
information, and even four entire unreleased Sony movies.

The data breach placed 47,000 staffers, freelancers and former employees at
risk of identity theft, and rival Hollywood studios got details of Sony
Pictures' finances and future plans. As of this writing, new data was being
leaked daily, along with vague threats that caused five national cinema
chains to pull bookings for a Sony movie.

U.S. officials blamed North Korea for the data theft, while security
experts suspected disgruntled insiders. Whatever the cause, the incident
threatens Sony Pictures Entertainment as a company and may be the most
damaging corporate data breach ever.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 

