2011's biggest security snafus
- 02 December, 2011 06:27
Perhaps it was an omen of what was to come when the city of San Francisco on New Year's Eve 2010 couldn't get a backup system running in its Emergency Operations Center because no one knew the password.
But as 2011 begins to fade to black, we look back at the biggest security snafus that made headlines, from the numerous service outages to data hacks attributed to everything from the shadowy group Anonymous to China. Some might even want to label 2011 the year of the advanced persistent threat.
Beware the Ides of March
When RSA Executive Chairman Art Coviello in mid-March announced that RSA had been hacked and information stolen linked to its SecurID token authentication, that was just the start of trouble. In what can be considered the data breach of the year, it became clear later on that the attacker was going after RSA customers, including Lockheed Martin. Credit Coviello (who has since blamed a "nation-state" without using the name China, though at least one security vendor, SecureWorks, claims analyzed evidence points strongly in that direction) for popularizing the phrase 'advanced persistent threat" (APT).
APT is an expression first used by the Air Force to describe the unremitting attacks on its networks. The cost of the RSA breach for parent company EMC was reported at $55 million in the second quarter of last year.
APTS were bursting out all over in 2011. In just one example, Norway's National Security Agency in November disclosed that oil, gas and defense firms there had been targeted by sophisticated attacks in which industrial secrets and information about confidential contract negotiations were stolen. 10 companies in Norway were said to have been hit by customized email containing viruses that didn't trigger anti-malware detection systems. The Norwegian security agency didn't state any probable source for the APTs there.
Patch that hole!
The YGN Ethical Hacker Group, the Burmese group which claims to do only "ethical" hacking to expose software vulnerabilities, spotted vulnerabilities in McAfee's website and quietly contacted McAfee to tell the company about it. But when McAfee didn't fix the website, YGN went public in March, causing some embarrassment to the security vendor, which says its customers weren't in danger. YGN, whose practices doing unauthorized vulnerability testing of public-facing websites does defy U.S. law on the practice, also got Apple, which had also been a bit lax, to fix its developer website.
Open sesame! Open source hacked
These open-source bastions were scaled and taken last year: MySQL.com, the Linux Foundation with Linux.com and Linux.org, and Kernel.org; plus open source OS Commerce software was compromised with malware. A Russian hacker claimed to be selling root access to the My.SQL domain for $3,000.
Can you hear me now?
Verizon's 4G LTE network, which came online in December 2010, suffered a nationwide outage. They weren't the only one last year. The four-day global outage of the BlackBerry data services in October was not the kind of attention that RIM wanted, already struggling to keep the BlackBerry looking smart in the face of the Apple iPhone publicity barrage. But when RIM's "dual-redundant, dual-capacity core switch" failed and its backup failed to activate, causing BlackBerry users around the world to either receive weak or no service at all, RIM co-CEO Mike Lazaridis was compelled to issue a public apology to customers, acknowledging the outage as the worst in the company's history.
In November, Internet outages were briefly suffered across North America and Europe that were apparently related to bugs in Juniper routers receiving a Border gateway protocol update, impacting carriers such as Level3. A reminder about how easy it can be to lose what most of us take for granted every day.
Not exactly floating on a cloud either ...
Microsoft BPOS cloud-hosted communications and collaboration suite suffered an outage in June, while Amazon's EC2 service in April suffered availability issues and a shorter outage in August. VMware's Cloud Foundry service suffered an outage in beta. And don't forget Northrop Grumman. It agreed to pay almost $5 million to 26 Virginia state agencies after an outage related to data-center services it was providing to them.
Russian cyberattack on Illinois water facility, or just a contractor who happened to be on a trip to Russia?
Was it a foreign cyberattack originating from an IP address in Russia that hit an internal SCADA system at the Curran-Gardner Townships Public Water District in central Illinois, causing a water pump, turned on and off remotely, to burn out in November? The Illinois Statewide Terrorism & Intelligence Center (STIC) issued a confidential report to this effect, which was leaked in November by energy industry analyst and author Joe Weiss who read its contents to a reporter at the Washington Post. But in the media uproar that followed, the FBI and Department of Homeland Security said it investigated the Illinois STIC claims and could find nothing to validate them. Sources say the network access from Russia is now linked to a contractor working for Curran-Gardner Townships Public Water District who happened to be in Russia when he remotely accessed Curran-Gardner's network. But DHS indicates "analysis of the incident is ongoing ..."
The data-breach hit parade of 2011
- The so-called "Sony hack" in April allowed hackers to get customer information for 77 million members of Sony's online PlayStation network, including credit-card numbers, an act that forced Sony to take down its service. In May, Sony said the attack cost it $170 million.
- The once-obscure marketing firm Epsilon in April disclosed a hacker had stolen an estimated 2% of the customer names and addresses of its client base, impacting Walgreens, Best Buy, Citibank, JPMorgan Chase, Kroger's supermarket chain and more.
- When a string of SSL digital certificate providers, including Comodo, DigiNotar and GlobalSign, were breached, some of them allegedly by a 21-year-old Iranian student calling himself "Comodohacker," the fallout included the creation of a fake Google certificate (since revoked) that allowed the attacker to capture login details of a person's Gmail account without a warning from the victim's browser the site might not really be Google. DigiNotar, owned by Dutch-based Vasco Security Systems, went bankrupt as a result of the hack, especially after the Dutch government banned use of DigiNotar certificates.
- U.S. government research labs, long a target for attack, were hit, with Oak Ridge National Laboratory in Tennessee forced to shut down its email and Internet access in April following a cyberattack in which phishing email was sent to some 573 lab employees. The Department of Energy's Pacific Northwest Laboratory also shut down email and Internet connectivity after a similar type of spear-phishing attack in the summer.
- In June, Citigroup acknowledged that hackers broke in and managed to steal credit-card numbers from about 360,000 affected clients. The fraud loss: $2.7 million.
- The Texas State Comptroller's Office fired its heads of information security and of innovation and technology after an inadvertent data leak that exposed Social Security numbers and other personal information on more than 3.2 million people in the state.
- In November, a flood of porn - like photoshopped images of Justin Bieber in unmentionable acts - hit Facebook in what's believed to be a "clickjacking exploit" against users. Facebook got to cleaning it up.
- Romanian authorities arrested a 26-year-old hacker accused of breaking into multiple NASA servers and causing $500,000 in damages to the U.S. space agency's systems. Robert Butyka, said to use the handle "Iceman," is expected to be tried in Romania.
Who's minding the app stores?
It was something of a shock when Google in March was forced to yank down about 50 Android apps from its Android Market after finding out they were actually malicious applications. Dubbed the DroidDream malware episode, it was far worse than anything that had hit Google Android Market before.
Big year for Anonymous
Last but hardly the least, 2011 was a banner year for the shadowy hactivist collective Anonymous, which generally targets business and government organizations around the world whose practices are despised for one reason or another, typically by hacking into networks to steal data and post it, or launching attacks to take sites offline. In addition to the high-profile attack last winter against security firm HBGary, which was trying to track the hacker group, Anonymous is believed to have led attacks on Koch Industries, Bank of America and NATO, plus what ended up being a weak DDoS attack on the New York Stock Exchange. Anonymous played a role in spurring on the Occupy Wall Street movement demonstrations around the world, not to mention San Francisco's "Operation Bart."
Other actions this years from Anonymous are believed to have been against online resources associated with Tunisia, Brazil, Zimbabwe, Turkey, Australia, the Malaysian government and the Florida Chamber of Commerce. More recent Anonymous hactivism this year has focused on child-porn sites and the Mexican drug cartel, which is accused of taking an Anonymous participant captive.
Duqu: Something we're not looking forward to
The virus known as Duqu hit the security stage in October when the Hungarian research laboratory CrySyS shared its analysis of the new threat with the world's top antivirus vendors.
Security vendor Kaspersky Lab then identified infections with the new Duqu malware in Sudan and, more important, in Iran, the main target of the Trojan's predecessor -- Stuxnet. Believed to be closely related to the Stuxnet industrial sabotage worm, from which it borrows code and functionality, Duqu is a flexible malware delivery framework used for data exfiltration.
The main Trojan module has three components: a kernel driver, which injects a rogue library (DLL) into system processes; the DLL itself, which handles communication with the command-and-control server and other system operations, like writing registry entries or executing files; and a configuration file.
CrySyS ultimately released a toolkit to detect and remove the virus from affected systems. Microsoft too released a Fix-it tool to allow Windows users to manually patch their systems to thwart the Duqu threat.
Duqu is believed to have been created for targeted attacks against organizations and it is likely the malware will be a big story in 2012.
10 Days of Rain
A multi-tiered botnet attacked South Korean computers for 10 days in March, proving to be a stubborn force that couldn't be taken down. Then suddenly it just stopped, with the malware delivering a coup de grace to the zombie machines that destroyed files and rendered the machines unbootable. Security experts at McAfee say the attack was launched from North Korea, and that its level of sophistication -- 40 command and control servers, code updates to thwart detection, multiple encryption schemes -- was far beyond what was needed to run an effective DDoS attack. McAfee's spin: 10 Days of Rain was a reconnaissance mission designed to gauge how and how quickly South Korea's government and military contractors would react -- valuable information for a later, truly damaging attack.
Read more about wide area network in Network World's Wide Area Network section.