Heartbleed. Shellshock. Backoff. These aren’t titles to the latest Halloween thriller, but for those who know, they’re scary enough to be. 2014 has been a terrifying year for security. With attacks on Retail, eCommerce, Healthcare, Finance and even non-profits, no one is safe, and it feels like we are falling into our own digital version of World War Z. Security breaches are coming, and they want blood.
Here Comes the Slasher
In January of this year, officials arrested a data thief who stole the names, numbers, addresses and other private data of over 20 million people from three major South Korean credit firms, sparking 27 top executives to submit their resignations. All of this damage was done by one contract employee and his trusty USB drive because KB Financial left the data unencrypted.
On April 1st (a notoriously terrible day to report real bad news), Neel Mehta of Google’s security team reported the bug in OpenSSL that is now known as Heartbleed. This bug in an extension of OpenSSL (known as the Heartbeat Extension) affected roughly half a million secure internet servers, including some big names such as Amazon Web Services, Akamai, GitHub, Pinterest, Reddit, Wikipedia and more. This flaw also affected internet-facing software from many companies including HP, LogMeIn, and Oracle. The bug allowed an attacker to gain access to the private SSL keys of these systems, potentially handing over the keys to the kingdom.
In May, hackers broke in to several EBay employee’s remote access accounts and compromised 145 million records. EBay required users to change their passwords in response to what is currently the second largest attack in history of a U.S. company by number of records accessed.
Attacks in September and October continued at a frenetic pace. Hackers posted over 5 million Gmail usernames and passwords, Home Depot lost the credit and debit card numbers of 56 million people, and JPMorgan Chase announced just this month that they lost the information of 76 million households in a direct web attack. Other financial institutions such as CitiGroup, E*Trade Financial, Fidelity Investments, Regions Financial, and ADP may have also been targeted as part of the same sweep against JPMorgan Chase. Also this month, Dairy Queen lost hundreds of thousands of customers’ credit card information through point of sale systems that were compromised by Backoff malware. The slashers are attacking us from all directions, so how can we survive this?
Stop the Bleeding
Do not run upstairs alone. In slasher films, leaving the group is the surest way to die a gory death. We’ll need to work together as a community to fight off these attackers and send Jason back to Hell for real this time (okay, I might have gotten a little carried away there). F5 Networks’ DevCentral provided a great example in the wake of the Heartbleed vulnerability. Any F5 customers running the security module were protected from Heartbleed, but what about those stragglers that were not using SSL offload? The community saved them. Within hours of the breaking news, F5 launched an iRule to DevCentral that mitigated the vulnerability.
The community also regularly posts new iRules to fix all kinds of problems. You can bet that they will have a fix for the next zero-day vulnerability, but the community is not limited to that. They also post other helpful information like this threat intelligence report on Shellshock.
Many of these attacks could have been prevented by securing these internet-facing applications in a stronger way. F5 Networks’s web application firewall sits atop their scalable hardware architecture that is robust enough to handle these attacks. But even beyond the hardware, the DevCentral community and iRules allow you to quickly mitigate zero-day attacks. After all, survival isn’t luck and hiding won’t work. Tools matter, but it’s community and proper training that will dramatically increase your survival rate in 2015.
