The 5 Most Dangerous Software Bugs of 2014


Dealing with the discovery of new software flaws, even those that leave users open to serious security exploits, has long been a part of everyday life online. But few years have seen quite so many bugs, or ones quite so massive. Throughout 2014, one Mothra-sized megabug after another sent systems administrators and users scrambling to remediate security crises that affected millions of machines.

Several of the bugs that shook the Internet this year blindsided the security community in part because they weren’t found in new software, the usual place to look for hackable flaws. Instead, they were often in code that’s years or even decades old. In several cases the phenomenon was a kind of perverse tragedy of the commons: major vulnerabilities sat in software used for so long by so many people that everyone assumed someone else had long ago audited it for flaws.


“The sentiment was that if something is so widely deployed by companies that have huge security budgets, it must have been checked a million times before,” says Karsten Nohl, a Berlin-based security researcher with SR Labs who has repeatedly found critical bugs in major software. “Everyone was relying on someone else to do the testing.”


Each of those major bug finds in commonly used tools, he says, inspired more hackers to start combing through legacy code for other long-dormant flaws. And in many cases, the results were chilling. Here’s a look at the biggest bugs, and the attacks built on them, that spread through the research community and the world’s networks in 2014.


Heartbleed


When encryption software fails, the worst that usually happens is that some communications are left readable. What makes Heartbleed (CVE-2014-0160) so dangerous is that it went further. When the bug was disclosed in April, it let an attacker send a malformed TLS heartbeat request to any server running an affected version of OpenSSL (versions 1.0.1 through 1.0.1f of a library that, by most estimates, sat behind about two-thirds of the Web’s servers) and read back up to 64 kilobytes of the server’s memory per request. The cause was a missing bounds check: the server copied as many bytes into its reply as the attacker’s heartbeat claimed to contain, regardless of how many had actually been sent. The attacker doesn’t choose which memory comes back, but repeated requests turn up whatever happens to sit nearby: passwords, session cookies, and in the worst case the server’s private key, which lets the attacker impersonate the server and, for connections made without forward secrecy, decrypt recorded traffic. Even after systems administrators applied the fix (the bug was found by Google engineer Neel Mehta and, independently, by engineers at the security firm Codenomicon), they couldn’t be sure that keys and passwords hadn’t already been stolen. Full remediation meant revoking and reissuing certificates and invalidating sessions, and Heartbleed drove one of the biggest mass password resets of all time.


Even today, many vulnerable OpenSSL devices still haven’t been patched: an analysis by John Matherly, the creator of the scanning tool Shodan, found that some 300,000 machines remained unpatched. Many of them are likely so-called “embedded devices” like webcams, printers, storage servers, routers and firewalls, which ship with a fixed firmware image and are rarely updated by their owners.
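The missing check described above, as an added illustration in C that is not OpenSSL’s code: a model of the heartbeat handler with the bug beside the same handler carrying the one comparison that OpenSSL 1.0.1g added. The memory arena, the planted secret, the handler names and the request that claims 1000 payload bytes while carrying 4 are all constructed for the example.

```c
/* Added illustration, not OpenSSL's code: a model of the TLS heartbeat
 * handler behind Heartbleed (CVE-2014-0160) beside the bounds-checked
 * version. The arena, the secret and the function names are invented.
 * Build: cc -std=c99 -Wall heartbleed_model.c */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ARENA_SIZE    4096
#define HB_REQUEST    1
#define HB_RESPONSE   2
#define PADDING       16      /* RFC 6520: at least 16 bytes of padding */
#define SECRET_OFFSET 300

/* Stand-in for the process heap: the inbound record sits at offset 0 and
 * an unrelated secret happens to sit 300 bytes further along. */
static unsigned char arena[ARENA_SIZE];
static const char secret[] = "SECRET-PRIVATE-KEY-MATERIAL";   /* constructed */

typedef size_t (*hb_handler)(const unsigned char *rec, size_t rec_len,
                             unsigned char **out);

/* Write a heartbeat request into the arena and return its length on the
 * wire: type(1) | payload_length(2, big-endian) | payload | padding.
 * claimed_len is what the header says; actual_len is what is really sent. */
static size_t build_record(uint16_t claimed_len, size_t actual_len)
{
    memset(arena, 0, ARENA_SIZE);
    memcpy(arena + SECRET_OFFSET, secret, sizeof secret);
    arena[0] = HB_REQUEST;
    arena[1] = (unsigned char)(claimed_len >> 8);
    arena[2] = (unsigned char)(claimed_len & 0xff);
    memset(arena + 3, 'A', actual_len);
    return 1 + 2 + actual_len + PADDING;
}

/* Build the reply: type | payload_length | payload copied from src | padding.
 * memcpy copies whatever follows src in memory, however far that goes. */
static size_t reply(uint16_t payload, const unsigned char *src, unsigned char **out)
{
    size_t n = (size_t)1 + 2 + payload + PADDING;
    unsigned char *q = malloc(n);
    if (!q) return 0;
    q[0] = HB_RESPONSE;
    q[1] = (unsigned char)(payload >> 8);
    q[2] = (unsigned char)(payload & 0xff);
    memcpy(q + 3, src, payload);
    memset(q + 3 + payload, 0, PADDING);
    *out = q;
    return n;
}

/* Vulnerable: trusts payload_length from the packet and never compares it
 * with rec_len, so a request claiming 1000 bytes that carries 4 makes the
 * memcpy read 996 bytes past the record. */
static size_t heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                                   unsigned char **out)
{
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    *out = NULL;
    (void)rec_len;                               /* the missing check */
    return reply(payload, rec + 3, out);
}

/* Fixed: the same handler with the length check added in OpenSSL 1.0.1g.
 * A record whose claimed payload does not fit is silently dropped. */
static size_t heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                              unsigned char **out)
{
    *out = NULL;
    if (rec_len < 1 + 2 + PADDING) return 0;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)1 + 2 + payload + PADDING > rec_len) return 0;
    return reply(payload, rec + 3, out);
}

static int contains(const unsigned char *hay, size_t hlen,
                    const void *needle, size_t nlen)
{
    for (size_t i = 0; nlen && i + nlen <= hlen; i++)
        if (memcmp(hay + i, needle, nlen) == 0) return 1;
    return 0;
}

/* Send a request that claims 1000 payload bytes while carrying 4 and report
 * whether the handler's reply contains the secret planted past the record. */
static int attack_leaks_secret(hb_handler h)
{
    size_t rec_len = build_record(1000, 4);
    unsigned char *resp = NULL;
    size_t n = h(arena, rec_len, &resp);
    int leaked = resp && contains(resp, n, secret, sizeof secret - 1);
    free(resp);
    return leaked;
}

/* Reply length for an honest 4-byte heartbeat (0 if the handler drops it). */
static size_t honest_response_len(hb_handler h)
{
    size_t rec_len = build_record(4, 4);
    unsigned char *resp = NULL;
    size_t n = h(arena, rec_len, &resp);
    free(resp);
    return n;
}

int main(void)
{
    printf("vulnerable handler leaks secret: %d\n", attack_leaks_secret(heartbeat_vulnerable));
    printf("fixed handler leaks secret:      %d\n", attack_leaks_secret(heartbeat_fixed));
    printf("fixed handler honest reply:      %zu bytes\n", honest_response_len(heartbeat_fixed));
    return 0;
}
```

The only difference between the two handlers is the comparison of the claimed payload length against the record length the TLS layer already knew; that single check is the substance of the fix. The attacker cannot steer which bytes beyond the record come back, which is why real exploitation was a matter of volume: many requests, each returning a different 64-kilobyte slice of whatever the server had recently touched.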


Shellshock


The flaw in OpenSSL that made Heartbleed possible had existed for a little over two years. But the bug in Bash, the default command shell on most Linux systems and on OS X, may win the prize for the oldest megabug to plague the world’s computers: it went undiscovered, at least in public, for 25 years. Bash let programs hand it shell functions through environment variables, recognizing them by a value that begins with the characters “() {”; when it imported such a variable it kept parsing past the end of the function definition and executed whatever commands followed. Any server that copied attacker-supplied input into an environment variable before starting a shell could therefore be made to run arbitrary commands, and the classic case was a CGI script, since Web servers store request headers such as the User-Agent in exactly such variables before running it. The result, within hours of the bug’s public disclosure in September (it was found by Stéphane Chazelas, tracked as CVE-2014-6271 and announced alongside an alert from the US Computer Emergency Readiness Team), was that thousands of machines were infected with malware that made them part of botnets used for denial-of-service attacks. And if that weren’t enough of a security debacle, the initial patch from Bash’s maintainers was quickly found to be incomplete, and a follow-up flaw (CVE-2014-7169) allowed it to be circumvented until a second fix shipped. Security researcher Robert David Graham, who first scanned the Internet to find vulnerable Shellshock devices, called it “slightly worse than Heartbleed.”


POODLE


Six months after Heartbleed hit encrypted servers around the world, another encryption bug, found by a team of Google researchers and named POODLE (CVE-2014-3566), struck at the other side of those protected connections: the PCs and phones that connect to those servers. The flaw lies in SSL version 3, a protocol from 1996 that browsers still fell back to whenever a newer TLS handshake failed, a failure an attacker sitting between the two ends can manufacture. SSL 3’s block-cipher mode leaves its padding bytes unauthenticated, so by tampering with encrypted records and watching whether the server accepts or rejects them, an attacker can recover an encrypted request one byte at a time, at a cost of about 256 attempts per byte, including the session cookie that then lets the attacker hijack the user’s session. Unlike Heartbleed, a hacker exploiting POODLE has to be able to intercept and modify the victim’s traffic and to make the victim’s browser send many crafted requests (typically through injected JavaScript); in practice that means sharing a network with the victim, so the vulnerability mostly threatened users of open Wi-Fi networks: Starbucks customers, not systems administrators. The fix is to switch SSL 3 off on either the server or the client, and to deploy the TLS_FALLBACK_SCSV signal so that a browser’s downgrade to an older protocol can no longer be triggered by an attacker.


Gotofail


Heartbleed and Shellshock shook the security community so deeply that it may have almost forgotten the first mega-bug of 2014, one that affected exclusively Apple users. In February, Apple revealed that users were vulnerable to having their encrypted Internet traffic intercepted by anyone positioned between them and the server, for instance on the same local network. The flaw, known as Gotofail (CVE-2014-1266), was caused by a single duplicated “goto fail” line in the code that governs how OS X and iOS implement SSL and TLS encryption: the stray jump skipped the step that checks the server’s signature on its key-exchange message, so the code reported a valid signature without ever verifying one, and a man-in-the-middle could pose as any HTTPS site whose connection used a forward-secret (DHE or ECDHE) cipher suite. Compounding the problem, Apple released a patch for iOS without having one ready for OS X, in essence publicizing the bug while leaving its desktop users vulnerable for several days. That dubious decision even prompted a profanity-laden blog post from one of Apple’s own former security engineers. “Did you seriously just use one of your platforms to drop an SSL [vulnerability] on your other platform? As I sit here on my Mac I’m vulnerable to this and there’s nothing I can do,” wrote Kristin Paget. “WHAT THE EVER LOVING F**K, APPLE??!?!!”
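The misplaced jump, as an added illustration in C that is not Apple’s code: it keeps the control-flow shape of the affected SecureTransport routine but replaces the hashing and signature-verification steps with stubs. The function names, hash_update, raw_verify, the errSSLParam placeholder and the “good-signature” token are invented for the example; errSSLCrypto’s value is SecureTransport’s real error code.

```c
/* Added illustration, not Apple's code: the control-flow shape of the
 * SecureTransport routine behind "goto fail" (CVE-2014-1266), with the
 * hashing and signature steps replaced by stubs invented for this example.
 * The bug is the duplicated "goto fail;": it jumps to the cleanup label
 * while err is still 0, so the signature is never examined and the caller
 * sees success. Build: cc -std=c99 -Wall gotofail_model.c
 * (clang with -Wunreachable-code reports the line the stray goto makes dead). */
#include <stdio.h>
#include <string.h>

#define errSSLOK      0
#define errSSLCrypto  (-9809)   /* SecureTransport's "signature failed" code */
#define errSSLParam   (-50)     /* stand-in error for a bad hash input (invented) */

/* Stub for the SSLHashSHA1.update steps: fails on a NULL buffer. */
static int hash_update(const char *buf)
{
    return buf ? errSSLOK : errSSLParam;
}

/* Stub for the raw signature check: accepts only the constructed token. */
static int raw_verify(const char *signature)
{
    return strcmp(signature, "good-signature") == 0 ? errSSLOK : errSSLCrypto;
}

/* Vulnerable shape (iOS before 7.0.6, OS X before 10.9.2): the second
 * "goto fail;" is unconditional. In the real code it also skipped the hash
 * finalisation; here only raw_verify() is left unreachable. */
static int verify_key_exchange_vulnerable(const char *server_random,
                                          const char *signed_params,
                                          const char *signature)
{
    int err;
    if ((err = hash_update(server_random)) != 0)
        goto fail;
    if ((err = hash_update(signed_params)) != 0)
        goto fail;
        goto fail;                      /* the bug: err == 0 at this point */
    err = raw_verify(signature);        /* never executed */
fail:
    /* the real function freed its hash buffers here before returning */
    return err;
}

/* Fixed shape: identical except the stray line is gone. */
static int verify_key_exchange_fixed(const char *server_random,
                                     const char *signed_params,
                                     const char *signature)
{
    int err;
    if ((err = hash_update(server_random)) != 0)
        goto fail;
    if ((err = hash_update(signed_params)) != 0)
        goto fail;
    err = raw_verify(signature);
fail:
    return err;
}

int main(void)
{
    /* A man-in-the-middle presents a forged signature on the key exchange. */
    printf("vulnerable accepts forged signature: %s\n",
           verify_key_exchange_vulnerable("rnd", "params", "forged") == errSSLOK ? "yes" : "no");
    printf("fixed accepts forged signature:      %s\n",
           verify_key_exchange_fixed("rnd", "params", "forged") == errSSLOK ? "yes" : "no");
    return 0;
}
```

The indentation of the second “goto fail;” makes it look conditional, but C has no block without braces, so it runs every time the first two steps succeed; the error paths still work, which is why ordinary tests with bad hash input did not catch it. Only a test that feeds a syntactically valid handshake with a wrong signature, or a compiler warning about unreachable code, exposes the difference.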


BadUSB


One of the most insidious hacks revealed in 2014 doesn’t exactly take advantage of any particular security flaw in a piece of software’s code, and that makes it practically impossible to patch. The attack, known as BadUSB, debuted by researchers Karsten Nohl and Jakob Lell of SR Labs at the Black Hat security conference in August, takes advantage of an inherent insecurity in USB devices. Because the firmware on many USB controller chips is rewritable and is never verified by the host, a hacker can create malware that invisibly infects the controller chip itself, rather than the flash memory that’s typically scanned for viruses. A thumb drive, for instance, could contain undetectable malware that corrupts the files on it, or could announce itself to the host as a keyboard as well as a storage device and secretly inject commands on the user’s machine, because a computer trusts whatever device class a USB device claims to be.


By SR Labs’ own count, only about half of the USB controller chips on the market are reprogrammable and thus vulnerable to BadUSB. But because USB device makers don’t reveal whose chips they use and often switch suppliers on a whim, it’s impossible for users to know which devices are susceptible to a BadUSB attack and which aren’t. The only real protection against the attack, according to Nohl, is to treat USB devices like “syringes,” never sharing them or plugging them into an untrusted machine.


Nohl considered his attack so serious that he declined to publish the proof-of-concept code that demonstrated it. But just a month later, another pair of researchers, Adam Caudill and Brandon Wilson, released their own reverse-engineered version of the attack for one widely used controller family at the DerbyCon conference in order to pressure chip makers to fix the problem. Though it’s tough to say whether anyone has made use of that code, its existence means millions of USB devices in pockets around the world can no longer be trusted.

