More than 1 billion records of personally identifiable information were leaked in 2014, compared to 800,000 in 2013.
That is the worrisome finding of a threat intelligence report from IBM’s security research group X-Force, which examined 2014 year-end data and ongoing research into security trends.
Personally identifiable information (PII) is information that can be used to identify or locate a person. The finding lends credence to many people’s belief that we already live in a Big Brother state.
The report catalogues more than 9,200 new security vulnerabilities affecting more than 2,600 unique vendors – a 9.8% increase over 2013 and the highest single-year total in the report’s 18-year history.
Researchers attribute much of this growth to increasing security apathy among developers, who have been slow to patch applications despite warnings and growing awareness of vulnerabilities.
In fact, ten of the 17 (59%) banking applications using Apache Cordova that were initially tracked in October 2014 were still vulnerable in January of this year.
The report also shows the rise of ‘designer’ vulnerabilities that are increasingly lethal, highly recognisable and tagged with catchy names and logos, such as Heartbleed and Shellshock. These vulnerabilities revealed easily exploitable cracks in the foundational systems and underlying libraries that support nearly every common web platform and content management system.
At 74.5%, the share of incidents in the United States is far higher than in any other country, with the UK second at 3.4%. Meanwhile, the attack type was undisclosed in 40% of incidents, with malware and DDoS tied for second at 17.2% each.
Surprisingly, by mid-year 2014, IBM X-Force was prepared to declare a drop in the total number of reported vulnerability disclosures. However, in September, a researcher from a CERT coordination centre announced an automated tool he had created to test the security of Android applications.
Using this tool, he discovered vulnerabilities in thousands of Android applications that allow an attacker to perform man-in-the-middle (MitM) attacks, a finding that is likely to prompt debate over how such disclosures should be recorded.
‘If the year 2014 felt to you like a never-ending roller coaster ride of thrills and excitement within the world of Internet security, you wouldn’t be the only one,’ said Leslie Horacek, threat response manager at IBM X-Force. ‘We witnessed over a billion records of personally identifiable information leaked this past year, with attackers applying creative new approaches to fundamental attack types such as SQLi, malware and DDoS.’
Speaking of the Android vulnerabilities, she added, ‘This effort has so far produced literally thousands of disclosures of individual applications vulnerable to MitM attacks. In other words, these reports represent the same fundamental vulnerability affecting a wide variety of individual applications. They do not represent thousands of unique methods of attacking different applications; they represent one way of attacking thousands of applications.’