SecurityKnox New York Post

2014 was a year like no other for technology. Security was on the forefront of many people’s minds, all while Android truly came into its own in the public eye – not just for enthusiasts but for the typical consumer as well. Numerous verticals received the Android treatment, namely in the domain of wearables and the living room, with automobiles and the home not too far behind.

Google’s push to assist us in all aspects of our lives continued its march forward, with the release of the first Android Wear smartwatches, Android TV for the living room, Android Auto for the car and its purchase of Nest, bringing smarts to the home, if only to your thermostat and smoke detector for now. These efforts have been fairly worry-free for users, and Google is pushing to make them even more secure, with rumors of a future integration of Nest with services from the home security provider ADT.

Google and Android are not alone in expanding the offerings of technology around the globe. As more and more of our lives sync across the web, in our push for the internet of things, so too do the risks of a security breach increase.

Although 2014 was not a huge departure from years past in terms of the magnitude and severity of hacks and security breaches, there was an impressive shift in the approach to these attacks.

In previous years it was not uncommon to see security breaches resulting in the loss and exposure of millions of usernames, passwords, credit card numbers and other private user data. These attacks had an air of financial gain for the hackers.

A number of the larger events in 2014 did not seek to attack us as individual users. Instead, an idealism behind the hacks presented itself, with the apparent goal of freeing information held by governments and large corporations for the public.

Without further ado, here is our list of the top 11 hacks and security breaches of 2014:

11. Secret

The app that allows you to anonymously share your thoughts and confessions was hacked, revealing email addresses and phone numbers of users. Not so anonymous after all.

10. eBay

User information, including usernames, passwords, phone numbers and even home addresses, was compromised for over 145 million users. If you haven’t changed your eBay password since before March, you really should get on that.

9. Tinder

Preying on individuals looking to find their soul mate, seductive photos found their way onto Tinder, but instead of reading a profile and potentially hooking up, users who followed them were directed to malware-infected websites.

8. Target

The large retail chain is popular for its great prices on average everyday stuff; it is also now known for a major breach at the end of 2013 that bled well into 2014. About 110 million records were compromised, including customers’ personal and banking info, with an estimated total loss for the company coming in, coincidentally, at about $110 million. The scary part about this breach is that it was not a vulnerability in a server or database: hackers managed to install malware on the POS (Point of Sale) machines, directly collecting credit and debit card info as customers swiped to pay.

7. Sony and Microsoft

Christmas day is a great day of the year for many video game enthusiasts, who receive brand new video games to enjoy. However, Christmas day in 2014 saw an attack that brought down both the Sony PlayStation network and the Microsoft Xbox network. As a result, the services were taken offline for as long as three days, leaving all players of cloud-saved games out in the cold.

6. Celebrity iCloud

At least one of these celebrities, from the 2014 Oscars, lost private photos in the 2014 iCloud breach.

Hackers managed to breach Apple’s iCloud service in 2014. The culprits stole hundreds of private photos and videos, and I do mean private, from a long list of celebrities. These images were then released to the world. While the event itself was likely the most embarrassing thing ever to happen to the victims, the reach of this attack sparked a conversation about privacy and even one’s legal rights as they pertain to cloud storage.

5. Snapchat

In the same light as the celebrities in the iCloud attack, hackers managed to score almost one hundred thousand private images and videos from the Snapchat service. While many users shared in a moment of embarrassment all their own, this brought to light the unfortunate and disturbing reality that many of the underage users of the service have posted content that has been classified as child pornography.

If I may take a moment to speak to the underage users, and the parents of those users: please be aware of how you are using these services. I will not place any moral judgement or opinion here, but please be aware of what actions and content are against the law; there is no need to get into serious trouble that can haunt you for the rest of your life.

4. NSA

While we could debate the ethics of a certain Mr. Edward Snowden’s actions, that’s not what we are here to do, and we cannot overlook the impact he has had. The extent to which the NSA has stopped at nothing to grab every single bit of electronically communicated data, both in the US and abroad – regardless of whether it is encrypted or not – is simply staggering. No one can deny that these revelations shocked the world, with massive geopolitical and financial implications for the US and its incumbent tech industries.

3. Heartbleed

If you have ever received instruction on computer usage, I am hoping that your instructor explained the difference between HTTP and HTTPS. The ‘S’ is there to keep you and your data safe, but the Heartbleed bug, found this year, compromises the SSL implementation behind the ‘S’ on most websites. The vast reach of this bug did not necessarily mean that you or your data were ever compromised, but if you have not changed the passwords for most of your online accounts in the last 10 months, well, you should change them by this point regardless of the Heartbleed bug.

2. U.S. Dept. of Homeland Security

If you thought that all U.S. government agencies took care of their own business in-house, you’d be wrong. A private contractor for Homeland Security was hacked in 2014. The contractor was responsible for conducting high-level background checks of government officials, and the hackers walked away with the personal information of employees.

1. Sony

Yes, Sony is on the list once again. As the target of a major breach in December 2014, Sony lost a significant amount of crucial data to hackers. Private business affairs, salary info, employee Social Security Numbers, scripts for potential new films, private communications, a few full length movies and more all walked out the door. In all, nearly a full terabyte of information was compromised.

Sony’s breach itself may not have placed it as number one on a list like this if it were not for the circumstances surrounding the event. Sony had a new film scheduled to release on December 25th called The Interview. Due to the nature of this film, many believe that North Korea is responsible for the breach on Sony.

What is more important, and scary, is the follow up threat by the hackers for terrorist acts upon individual movie theaters, and innocent lives, should they air the film. If nothing else, because of these threats, the hack on Sony almost led to international conflict between nations.

Honorable mentions

With a list like that, it is scary to think that there were more attacks out there in 2014. Sadly, we only scratched the surface of it all. Our honorable mentions list includes a few big ones as well:

  • JPMorgan – The banking firm was hacked, exposing credit card info for more than 80 million Chase bank customers. The ‘attack’ survived for a couple of months, dodging all the security checks.
  • Shellshock – Proving that nothing is safe, a vulnerability was identified in Linux- and Unix-based operating systems, including Apple’s OS X. The Bash injection bug was quickly patched, but proved once again that no system is perfect.
  • LinkedIn – With a little bit of elbow grease, researchers found that faking one’s own address book could trick LinkedIn into revealing actual email addresses of users in their system. Nothing end-of-the-world here, but a patch was issued for our protection.
  • Forbes – Putting your published content behind a pay wall means collecting customer info, which was compromised by the Syrian Electronic Army (SEA), who then posted online all 1,071,963 user email addresses and passwords stolen.
  • Kickstarter – Unaware of any wrongdoing until law enforcement brought it to their attention, a whopping two accounts were maliciously accessed. Of course, Kickstarter‘s entire user base had their usernames, email addresses, mailing addresses, phone numbers and encrypted passwords accessed.
  • Network Time Protocol (NTP) – the service that nearly every computer and router uses to keep the clock in sync was found to allow a little code injection of its own. With carefully crafted packets, a hacker could run code with the same permissions as the NTP service. Patches have been issued.
  • European Central Bank – A rather minor breach occurred early in the year, resulting in the theft of customer email addresses, postal addresses and phone numbers.
  • Home routers – An estimated 300,000 home routers have been hacked, resulting in a change to the DNS settings. Look for DNS servers 5.45.75.11 and 5.45.75.36 on your router, as these servers are known to perform man-in-the-middle attacks, providing you fake web results and ads designed to steal your info.
  • Fingerprints – With fingerprint scanners included on a few high-end smartphones, biometrics appeared to take a giant leap forward for device security. Too bad hackers are now stealing your fingerprints from your photos and defeating the scanners with faux fingerprints, while U.S. courts have determined that law enforcement does not require a warrant to search a fingerprint-protected phone. Otherwise, great work, manufacturers.
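As an added defensive check (this is not code from the original post), the following Python script parses resolver settings in /etc/resolv.conf style and flags the two rogue DNS servers named in the home router item above; the sample configuration and the trusted-resolver set are constructed for illustration.

```python
"""Audit DNS resolver settings for the rogue servers named in the article.

Added example, not code from the original post. The resolver list is parsed
from /etc/resolv.conf-style text; the sample at the bottom is constructed.
"""
import ipaddress
import re

# The two rogue resolvers the article tells readers to look for.
ROGUE_RESOLVERS = {"5.45.75.11", "5.45.75.36"}

NAMESERVER_RE = re.compile(r"^\s*nameserver\s+(\S+)", re.MULTILINE)


def parse_nameservers(resolv_conf_text):
    """Return the resolver addresses listed in resolv.conf-style text."""
    return NAMESERVER_RE.findall(resolv_conf_text)


def audit_resolvers(resolvers, trusted=()):
    """Classify each resolver: 'rogue' if it is on the known-bad list,
    'ok' if it is a LAN/loopback address or explicitly trusted, and
    'unexpected' for any other public address worth a second look."""
    report = {}
    for addr in resolvers:
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            report[addr] = "invalid"
            continue
        if addr in ROGUE_RESOLVERS:
            report[addr] = "rogue"
        elif ip.is_private or ip.is_loopback or addr in trusted:
            report[addr] = "ok"
        else:
            report[addr] = "unexpected"
    return report


def audit_resolv_conf(text, trusted=()):
    """Parse and classify in one step; returns {address: status}."""
    return audit_resolvers(parse_nameservers(text), trusted)


# Constructed sample: a router whose DHCP-pushed resolvers include a rogue one.
SAMPLE_RESOLV_CONF = """# resolv.conf pushed by the router's DHCP server
nameserver 192.168.1.1
nameserver 5.45.75.11
nameserver 8.8.8.8
"""

if __name__ == "__main__":
    for addr, status in audit_resolv_conf(SAMPLE_RESOLV_CONF, {"8.8.8.8"}).items():
        print(f"{addr:15} {status}")
```

On a real machine, feed the function the contents of /etc/resolv.conf or the DNS entries from your router's admin page, and treat any "rogue" or "unexpected" result as a reason to reset the router's DNS settings and change its admin password.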

Near miss:

BadUSB – With no known hacks yet found in the wild, a vulnerability was found this year in many USB devices. Called BadUSB, the potential hack allows malicious code to be saved onto a USB device, such as a USB flash drive, in such a way that it survives even a full formatting of the drive. Scary stuff.

Of course, if you are not scared off, why not check out this how-to article showing how to connect a USB flash drive to your Android device.

Conclusions (how you can be more secure in 2015)

If you are reading this, you obviously have not been scared away from the internet. And you shouldn’t be. There are always lessons to be learned about online security and the rights and obligations of both the users and the companies behind the services, but it still remains true that some common sense will keep you and your data safe and happy.

The topic of security is a dear one for us. We’ve looked at many tools, tips and tricks to keep your devices and your data safe. We even regularly feature deals on security tools in our AA Store, like Sticky Password Premium from a couple of weeks back.

I could ramble on about our other stuff, but I best just link you over to our long list of security related posts from throughout the year, 17 apps to secure your Android device and this great video:

Google, like other smartphone OS developers, has taken action to help you stay secure, in this case within Android. The option has been available for some time now, but Android 5.0 Lollipop is the first Android release to ship with full device encryption enabled by default. This means that without your password, not even Google can crack into your phone to view your stored data.

While device encryption is a powerful tool, it is not a means of securing your communications over the internet. With this in mind, one might follow my simple rule: if it goes online, there is a chance it can go public. This goes for communications through SMS, chat, email and social media, all the way through to the files you store on your private cloud storage.

Protecting yourself from hacking also follows the same formula as in years past: change your passwords frequently, and be certain that they are well structured and not easily guessed. Where possible, employ two-factor authentication, such as Google offers through the Authenticator app for Android.

Another great tool that users around the globe have been using, not only for security but for anonymity and as a way to get around regional restrictions, is a VPN. A VPN routes your internet traffic through another computer, so the websites you visit believe you are located wherever the VPN server is, rather than at your actual location. This really isn’t supposed to be a sales pitch, but we’ve got VPN solutions in our AA store as well.

If all else fails, you might consider looking at the Boeing Black phone, it is designed for government grade privacy, and will be coming soon infused with a little BlackBerry enterprise encryption technology.

What do you think, is online security a personal matter, or should companies, or the government, be doing more to protect us?