Worst security snafus of 2012
- 10 December, 2012 17:57
The first half of 2012 was pretty bad -- from the embarrassing hack of a conversation between the FBI and Scotland Yard to a plethora of data breaches -- and the second half wasn't much better, with events including Symantec's antivirus update mess and periodic attacks from hacktivists at Anonymous. For a complete look at security snafus from the first half of the year, see "Worst security snafus of 2012 - so far." Read on for a look at the rest of the year.
- Symantec inadvertently crippled a large number of Windows XP machines when it shipped customers a defective update to its antivirus software. The security firm acknowledged the problem that impacted users of its Endpoint Protection software.
- Dropbox disclosed that one of its employee's accounts was compromised, leading to a raft of spam that irritated users of the cloud-storage service. "We're sorry about this, and have put additional controls in place to help make sure it doesn't happen again," said Dropbox engineer Aditya Agarwal in a statement, adding that a hacker stole a password. The company also found that usernames and passwords had been stolen from other websites and were used to access a "small number of Dropbox accounts."
- A widespread spam attack linked to malware hit Twitter, with malicious tweets reading "It's you on photo?" and the like, and many of the links having a .ru domain, according to security firm Sophos. A Twitter spokesperson acknowledged the problem and said it was seeking to resolve it.
- Gamigo, the German gaming service, suffered a password breach in which more than 8 million online credentials of its users were dumped online.
- Engineering and math software firm Maplesoft reported its administrative database was breached, apparently due to the Zeus Trojan.
- Nvidia suspended its software developer forum after attackers compromised an unknown number of login passwords used by its 400,000-strong user community, though Nvidia insisted it was only a "small proportion."
- Yahoo confirmed that about 450,000 unencrypted passwords and user names were stolen from its Contributor Network, taken by a group calling itself D33Ds Company. This followed the 5.8 million encrypted passwords taken from LinkedIn the previous month, as well as 1.5 million password hashes from dating site eHarmony.
- Internet user Bryce Kingsley Quilley, 29, of Tailem Bend, Australia, pled guilty to hacking the servers of an ISP there and, on the same day, threatening to burn down its offices and threatening the owner with an ax.
- After there were complaints in Skype's users forum, Skype, a division of Microsoft, acknowledged a glitch in its software resulted in instant messages of users being shared with unintended parties.
- Knight Capital Group said electronic-trading glitches in its system caused wild price swings in dozens of stocks and would likely result in a $440 million loss to the brokerage firm, one of the biggest players in the U.S. stock market. The New York Stock Exchange canceled trades in six stocks that experienced the most pronounced price swings of more than 30% of their opening price one morning.
- The official social media accounts of several Major League Baseball teams were compromised, leading to some embarrassing messages appearing on their Facebook and Twitter accounts. A fraudulent post on the Facebook page for the New York Yankees, for instance, said the club's star Derek Jeter would miss the rest of the season due to "sexual reassignment surgery." The Twitter feeds of Chicago Cubs, White Sox, Miami Marlins, Washington Nationals, San Francisco Giants and San Diego Padres all posted similarly inappropriate messages.
- The news service Reuters was hacked and a phony interview with Riad al-Assad of the Free Syrian Army was posted, containing made-up information that his forces had pulled back from the northern provinces of Aleppo after battling the Syrian Army. Reuters confirmed the hack but did not indicate the source, though the Free Syrian Army blamed its adversary, the government of President Bashar al-Assad.
- A destructive computer virus intended to delete files struck internal network services at oil producer Saudi Aramco, affecting about 30,000 workstations, forcing a temporary system shutdown. A Qatari producer, Ras Laffan Liquefied Natural Gas Company, said a virus forced a shutdown of its computer system during the month as well.
- Hacktivist group Anonymous disrupted several British government sites in protest against the handling of WikiLeaks' founder Julian Assange, because Britain indicated Assange would be arrested and deported if he emerged from the Ecuadorean Embassy in London, which granted him asylum following Swedish efforts to extradite him for questioning over rape allegations. Also in August, the WikiLeaks site itself was flooded with a DDoS attack, making it temporarily unavailable for about a week, with a group called AntiLeaks taking credit for the attack.
- Some AT&T customers were affected by a failure in the carrier's Domain Name System (DNS) servers, and AT&T later ascribed the problem to a distributed denial-of-service attack that required mitigation.
- Microsoft decided to temporarily stop publishing new apps for Windows Phone on Marketplace due to an issue associated with digital certificates used to sign apps that prevented some phones from installing some apps for a few days.
- A 60-year-old civilian employee for NATO at the Ramstein Air Force Base in Germany, whose name was only given as "Manfred K.," was arrested on suspicion of espionage after he downloaded classified data to his personal computer and copied it. Prosecutors in Germany said they believed he stole "state secrets" intended to be passed to Russia's Federal Security Service for $10 million.
- Blizzard Entertainment, maker of the popular multiplayer online games such as World of Warcraft, Diablo and Starcraft, warned that its internal network had been breached, revealing scrambled passwords and email addresses. Blizzard apologized for the data breach.
- Google agreed to pay a $22.5 million fine to settle U.S. government charges that it violated privacy laws when it tracked users of Apple's Safari browser through cookies. In its legal complaint, the Federal Trade Commission (FTC) said Google falsely told Safari users that it wouldn't place tracking cookies on their devices or serve them targeted ads. But instead, Google actively circumvented Safari's cookie-blocking settings in order to track the users, the FTC said.
- Wired journalist Mat Honan suffered a round of torment by hackers after they compromised and took over his iCloud account at Apple. The hackers had simply called Apple and bluffed their way into getting Honan's iCloud account, and Apple admitted "internal policies were not followed completely," promising changes to prevent this from happening again.
- A former head of fraud and security for digital banking at Lloyds bank, Jessica Harper, admitted to committing what amounts to millions of dollars in fraud by filing false invoices to claim payments for more than three years.
- Chinese search engine Baidu fired four employees, three of whom were under arrest, for allegedly accepting bribes to delete content on its popular online forum. The content deletion occurred on the company's online forum, Baidu Tieba, and it has become a common practice in China to pay individuals to delete controversial or negative posts.
- Websites of broadcaster Al Jazeera were knocked offline as its Domain Name Servers were attacked. A group called Al-Rashedon claimed responsibility, displaying a Syrian flag and large red stamp reading "Hack."
- After police in Cambodia arrested one of the founders of The Pirate Bay file-sharing website, Gottfrid Svartholm Warg, a group calling itself NullCrew began hacking into Cambodian government and commercial websites there.
- Anti-malware firm Sophos was forced to apologize to customers after a faulty antivirus software update caused false positives for certain malware, resulting in disruptions that lasted for more than a week for some customers. Sophos CEO Kris Hagerman apologized.
- A Romanian researcher discovered a data breach in an FTP server owned by the Institute of Electrical Engineers that exposed the user names and passwords of almost 100,000 members. The IEEE organization apologized, and said it fixed the problem.
- Hackers with the Antisec group leaked a million ID numbers from Apple Inc. devices, numbers they claimed to have taken from the computer of an agent with the FBI. The leaked data included the ID numbers, the device name, and a code that allows developers to push information to the devices.
- The Federal Trade Commission brought down its punitive regulatory hammer on seven rent-to-own companies on charges they used spyware on computers they rented to customers. The FTC singled out software vendor DesignerWare LLC because software it supplied for rented computers secretly monitored renters' online activities, including user names and passwords for social-networking sites and financial institutions, medical records and photos of family members, sending the information to an email account designated by each store. The proposed FTC settlement with DesignerWare and the computer rental companies bars use of the monitoring software and prohibits use of geolocation tracking without consumer notice and consent. However, DesignerWare owner Timothy Kelly said the FTC has "grossly misunderstood" the purpose of the software, PC Rental Agent, which he said is intended to track down stolen computers.
- GoDaddy, which suffered a service outage that made many customers' websites inaccessible, said the outage was not the result of an external hacker, negating claims by a supposed Anonymous affiliate who had claimed responsibility.
- Dallas law enforcement authorities arrested self-professed Anonymous spokesman Barrett Brown in what appeared to have been a dramatic raid of his apartment while Brown was in the midst of a live online video chat session. The Dallas County Sheriff's Office confirmed the arrest and Brown was transferred to an FBI facility.
- A small New York-based company named Bitfloor, which specializes in exchanging Bitcoins, was forced offline after hackers stole about $250,000 worth of the virtual currency. Though later returned online, Bitfloor's founder Roman Shtylman called the hack "devastating," saying the cost well exceeded revenues he made since launching Bitfloor in October 2011. He laid blame on himself, saying he had left the private keys needed to unlock and transfer Bitcoins on an unencrypted disk.
- Unknown attackers compromised a download mirror server for the SourceForge software repository, rigging the installer package for phpMyAdmin, a popular admin tool, with a backdoor. SourceForge is a Web-based collaborative software development and repository system that hosts more than 324,000 software development projects and serves 46 million users. The affected SourceForge mirror server was based in Korea and was compromised around Sept. 22, said the SourceForge team, which advised users to check for the phpMyAdmin software and upload a fresh copy.
- Facebook agreed to delete all facial recognition data it had collected from European users and switch off the feature by Oct. 15 after hearing complaints about it raised by privacy regulators in Ireland and Germany that contend storing facial data violates European data-privacy laws.
- The Federal Trade Commission said in a report chastising Facebook that for close to a year, Facebook operated a for-profit application security testing service that was little more than a sham, taking money from application developers with false promises to vet their creations for security holes. Instead, the FTC concluded that Facebook banked the money and put a "Facebook Verified App" logo next to the application, without bothering to do any additional auditing of the submitted application. Facebook said it wouldn't comment on the FTC report.
- Hackers grabbed 300,000 records from Northwest Florida State College computer systems, including names, Social Security numbers and bank routing numbers of students, teachers, staff and retirees, the school disclosed, saying the data breach apparently occurred between May and September, resulting in the identity theft of at least 50 employees.
- In a dubious stunt to promote his anti-DDoS kit, 28-year-old Tse Man-lai, owner of Pacswitch Globe Telecom, had launched cyberattacks against Hong Kong Exchanges and Clearing news sites, but in October a Chinese court sentenced him to nine months in jail.
- Adobe said it was investigating how user names, email addresses and encrypted passwords were stolen from a company database after an Egyptian hacker called "Virus_HimA" posted 230 of them on Pastebin.
- South Carolina disclosed a massive data breach in which about 3.6 million Social Security numbers and 387,000 credit and debit card numbers belonging to taxpayers were exposed after a server at the state's Department of Revenue was breached by what was thought to be an international hacker, according to state officials.
- A crippling series of distributed denial-of-service attacks over the course of the month struck the websites of about a dozen U.S.-based banks, including Bank of America, Wells Fargo and JP Morgan Chase, effectively cutting online bank customers off from their services for extended periods. Some U.S. authorities, including Defense Secretary Leon Panetta, openly accused Iran of being behind the cyberattacks, though no specific evidence has yet been made public and Iran rejected the charges.
- Barnes & Noble, emphasizing that it was working with the FBI on the case, disclosed that a data breach associated with compromised PIN pad devices used in some stores located in California, Florida, Illinois, Massachusetts, New Jersey, Pennsylvania and Rhode Island may have resulted in an unspecified amount of fraud against shoppers there.
- Amazon Web Services storage service, known as Elastic Block Storage, experienced performance degradation that resulted in some downtime for certain sites, including social-media site Reddit and photo-sharing site Imgur, among others.
- A 20-year-old Arizona man, Raynaldo Rivera of Tempe, arrested in August by FBI agents, pled guilty in a California court to intentionally causing damage to the website of Sony Pictures Entertainment in an attack carried out in May 2011. A former member of the hacker group Lulzsec, Rivera also admitted to launching a SQL injection attack against sonypictures.com that allowed him to extract confidential and personal information from the website's database, which was published online. The plea agreement noted this had resulted in losses of about $605,000 to Sony to cope with the attack, including computer forensics and staff call centers and credit monitoring for individuals whose personal information was compromised. In exchange for his guilty plea, Rivera, though facing 15 years in prison, could get a reduced sentence, with that decision expected to be determined at a hearing scheduled for March 14, 2013.
- Twitter sent notices of an attempted hijacking to China-based foreign journalists and analysts just hours before apologizing for resetting the passwords of more users than necessary in a recent break-in of accounts. Twitter provided no details on the hacking but some, including Voice of America, speculated it may have been a censorship crackdown associated with China's Communist Party.
- Until it made changes that were needed to fix the problem, Skype temporarily disabled the account password reset option on its website after reports surfaced that this feature could be abused to hijack Skype accounts if the attackers know the email addresses associated with them.
- NASA disclosed how a stolen laptop taken Oct. 31 from a locked car contained "personally identifiable information" on a large number of NASA employees. Although password-protected, the laptop didn't have whole-disk encryption, according to the email to NASA employees from Associate Deputy Administrator Richard Keegan, who gave orders to ramp up disk encryption at once.
- The hacktivist collective Anonymous inserted its own online firepower into the raging battle between Hamas in Gaza and Israel, which traded rocket bombardments for several days prior to a cease fire. Coming out on the side of what it said were the "innocent people of Gaza," Anonymous started its so-called "Operation Israel" campaign by organizing attacks on Israel Defense Forces, the Prime Minister's Office, Israeli banks, airlines, media outlets and security companies.
- Hackers compromised two servers used by the FreeBSD Project to build third-party software packages, and the project's team warned that anyone who has installed such packages since Sept. 19 should completely reinstall their machines.
- E-commerce giant eBay fixed two vulnerabilities in its U.S. website, a critical SQL injection hole that gave potential attackers unauthorized read and write access to one of the company's databases, and a cross-site scripting vulnerability that could have been exploited to steal other eBay users' access credentials.
- Criminals managed to hack the DNS records of an unknown number of GoDaddy-hosted websites and insert ransomware. GoDaddy said its own DNS management systems were not compromised and said the attacks were likely caused by phishing attacks on the victims or other exploits and recommended U.S. and Canada-based customers "enable 2-Step Authentication to help protect their accounts."
- Printers manufactured by Samsung have a backdoor administrator account hardcoded in their firmware that could enable attackers to change their configuration, read their network information or stored credentials and access sensitive information passed to them by users, the U.S. Computer Emergency Readiness Team (US-CERT) said in a security advisory. "Samsung has also indicated that they will be releasing a patch tool later this year to address vulnerable devices," US-CERT stated.
- Secret information on counter-terrorism shared among foreign governments may have been compromised in a massive data theft by a senior IT technician for Switzerland's intelligence service, known as the NDB. According to news reports, Swiss authorities said the IT technician, arrested last summer for alleged data theft, apparently downloaded terabytes of classified intelligence material onto portable hard drives, and carried them out in a backpack. Authorities aren't sure if he tried to sell this classified information or pass it on, but they describe the suspect, whose name hasn't been released yet, as a "very talented" technician who had "administrator rights" that granted him access to vast government resources. They think he may have been "disgruntled" because his advice on operating the network "wasn't being taken seriously."
- Retired Adm. Mike Mullen, who keeps an office at the Naval Institute, is cooperating in an investigation undertaken by the FBI that involves suspected foreign cyber-espionage on his computer, according to The Wall Street Journal.
- The International Telecommunication Union's meeting in Dubai to discuss its role in the Internet was disrupted by hacktivist group Anonymous, which attacked an ITU server and cut off access to information the group made available for the meeting. Anonymous said it instructed its adherents to attack the website because it opposes the ITU, the United Nations standards-setting body for global telecom, taking any control over Internet regulation.
Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security. Twitter: @MessmerE. Email: firstname.lastname@example.org.