Cyber Security Issues – 4 Major Vulnerabilities Discovered During 2014
The eight months prior to the start of 2015 saw no less than four major system-level vulnerabilities discovered – the latest being the incredible Kerberos Checksum Vulnerability. The scope of these four vulnerabilities is so great, and the potential for cyber attack damage on a nearly biblical scale (by digital standards, of course) so real, that we’ve taken to referring to them internally as the Four Horsemen of the Apocalypse. And even though the Four may not actually be heralding Judgment Day, the cyber security community must consider them to be a wake-up call.
Just to remind you, the four vulnerabilities, in the order of their disclosure, were:
- Heartbleed (CVE-2014-0160)
- Shellshock (CVE-2014-6271 and CVE-2014-7169)
- Winshock (CVE-2014-6332) (aka “Windows OLE Automation Array Remote Code Execution Vulnerability”)
- Kerberos Checksum Vulnerability (CVE-2014-6324)
Herd of Unicorns: The Cyber Security Connection
As each of the vulnerabilities was disclosed, many cyber security experts rushed to categorize them as “black swan events,” or “unicorns.” The implication was that these were extremely rare and unpredictable phenomena – things one simply almost never encounters in the real world.
While these metaphors are undoubtedly reassuring, the fact that four such rare birds were spotted in just eight months would make a “flock of black swans” or a “herd of unicorns” more accurate nomenclature.
And this leads us to a disturbing question for 2015: What if these four potentially devastating flaws, just like the actual Four Horsemen, are merely the advance guard of something far, far worse?
The Four – Serious, Deep Cyber Security Issues
So, why are the Four considered so significant from a cyber security point of view? Let’s review what makes them unique:
Anything with a CPU and an internet connection was most likely directly affected by one of these vulnerabilities. Just to clarify – yes, we did write “anything with a CPU and an internet connection.”
- Heartbleed – affects over 66% of web servers
- Shellshock – affects any UNIX/Linux server
- Winshock – affects any Windows workstation
- Kerberos Checksum – affects any Windows-based network
What this means is that anyone that knew about these vulnerabilities could have simply:
- Accessed any vulnerable web server’s private key, which would allow eavesdropping on encrypted web traffic or man-in-the-middle (MITM) attacks
- Remotely executed code on any internet-facing UNIX/Linux server, which would let them do essentially whatever they want
- Run code with the highest privileges on any Windows workstation as soon as it visited a specially-crafted web page (known as a “drive-by attack”)
- Taken Domain Admin privileges over managed corporate networks
Malware and other recent and complex cyber attacks are downright fetal compared to our Four. Some of the four vulnerabilities were in existence when many of today’s high-powered cybercrime experts were literally still sleeping in cribs.
- Shellshock – 25 years old
- Winshock – 19 years old
- Kerberos Checksum Vulnerability – 14 years old
- Heartbleed – the “baby” of the group, only 2 years old
Incredibly, simple math tells us that these vulnerabilities, which could (and may) have completely compromised the digital economy, have been hiding in plain sight for an average of 15 years. Legions of cyber security experts performing code reviews and seeking weaknesses over the past decades did not find the Four, which were all the while providing “god mode” access to over 90% of the Internet.
Open Source and Proprietary
The Four were equal-opportunity flaws, covering all types of closed and open-source systems:
- Heartbleed – open source
- Shellshock – open source
- Winshock – closed source
- Kerberos Checksum – closed source
The Optimistic Conclusion
If we’ve made ourselves clear, anyone reading this who takes cyber crimes or cyber security threats seriously is likely very, very worried. And well we should be. Because the fact is that the battle is already lost (this is not the optimistic part, bear with us). Cyber security professionals agree that our networks have more than likely already been breached, either through yet-unknown vulnerabilities or other malicious means.
So, here’s the optimistic part: the battle may be lost, but the war is far from over. And today’s security professionals have a whole new arsenal of tools to continuously and actively pursue attackers once they’ve breached the ramparts.
This new breed of active breach detection technology is already on the market (for example, LightCyber Magna). These new tools actively seek out and identify the subtle changes in user behavior that can indicate malicious activity, and produce high-quality alerts that help security teams address actual threats. And while we can’t claim to help stave off the actual apocalypse, tools like Magna can undoubtedly keep modern computer networks safer, even when the systems we rely on fail.
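As an added illustration of the “subtle changes in user behavior” approach described above, the following Python builds a per-user baseline from a learning window of logon events and then flags later events that fall outside it. This is example code written for this page, not LightCyber’s Magna or any other product’s logic; the event format, the user and host names, and the privilege-group field (standing in for the group claims a domain ticket carries, since the post’s fourth horseman ends in Domain Admin privileges) are all assumptions constructed for the example.

```python
from collections import defaultdict

# Constructed sample of logon events (not real data), one per line:
# "<date> <user> <host> <privilege group presented at logon>"
# The learning window: what each account normally does.
BASELINE_EVENTS = """\
2014-11-01 alice WS-ALICE   Users
2014-11-02 alice WS-ALICE   Users
2014-11-03 alice WS-ALICE   Users
2014-11-01 bob   WS-BOB     Users
2014-11-02 bob   FILE-01    Users
2014-11-03 bob   WS-BOB     Users
2014-11-01 itadm ADMIN-JUMP DomainAdmins
2014-11-02 itadm DC-01      DomainAdmins
"""

# Later events to score against the baseline. 'bob' suddenly logging on
# to a domain controller with a Domain Admins claim is the kind of change
# a behavioural detector should surface, even if nothing is known about
# the vulnerability that produced it.
NEW_EVENTS = """\
2014-11-20 alice WS-ALICE   Users
2014-11-20 bob   WS-BOB     Users
2014-11-21 bob   DC-01      DomainAdmins
2014-11-21 itadm DC-01      DomainAdmins
"""


def parse_events(text):
    """Turn the whitespace-separated constructed log format into dicts."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines rather than crash
        date, user, host, group = parts
        events.append({"date": date, "user": user, "host": host, "group": group})
    return events


def build_baseline(events):
    """Per-user profile: the hosts and privilege groups seen in the learning window."""
    baseline = defaultdict(lambda: {"hosts": set(), "groups": set()})
    for ev in events:
        baseline[ev["user"]]["hosts"].add(ev["host"])
        baseline[ev["user"]]["groups"].add(ev["group"])
    return dict(baseline)


def detect_anomalies(baseline, events):
    """Return one alert per event that deviates from the user's baseline.

    A never-before-seen privilege group is rated 'high' because it is the
    signature of an account whose rights changed, not just its habits;
    a new host alone (or an unknown account) is rated 'medium'.
    """
    alerts = []
    for ev in events:
        profile = baseline.get(ev["user"])
        reasons = []
        if profile is None:
            reasons.append("unknown user")
        else:
            if ev["host"] not in profile["hosts"]:
                reasons.append(f"new host {ev['host']}")
            if ev["group"] not in profile["groups"]:
                reasons.append(f"new privilege group {ev['group']}")
        if reasons:
            severity = "high" if any(r.startswith("new privilege group") for r in reasons) else "medium"
            alerts.append({"date": ev["date"], "user": ev["user"],
                           "severity": severity, "reasons": reasons})
    return alerts


def run_demo():
    """Score the constructed NEW_EVENTS against the constructed baseline."""
    baseline = build_baseline(parse_events(BASELINE_EVENTS))
    return detect_anomalies(baseline, parse_events(NEW_EVENTS))


if __name__ == "__main__":
    for alert in run_demo():
        print(f"[{alert['severity']}] {alert['date']} {alert['user']}: {'; '.join(alert['reasons'])}")
```

The point of the two-stage design is that the baseline carries no knowledge of Heartbleed, Shellshock, Winshock or the Kerberos flaw: it only records what each account normally does, so an account that acquires new privileges or reaches new hosts is surfaced regardless of which (possibly still unknown) vulnerability got the attacker there. In practice the learning window would be much longer than three days and the profile would include more dimensions (time of day, volume, protocol), but the shape of the check is the same.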