Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

2011's biggest security snafus

Ellen Messmer | Dec. 2, 2011
Perhaps it was an omen of what was to come when the city of San Francisco on New Year's Eve 2010 couldn't get a backup system running in its Emergency Operations Center because no one knew the password.

Perhaps it was an omen of what was to come when the city of San Francisco on New Year's Eve 2010 couldn't get a backup system running in its Emergency Operations Center because no one knew the password.

But as 2011 begins to fade to black, we look back at the biggest security snafus that made headlines, from the numerous service outages to data hacks attributed to everything from the shadowy group Anonymous to China. Some might even want to label 2011 the year of the advanced persistent threat.

Beware the Ides of March

When RSA Executive Chairman Art Coviello in mid-March announced that RSA had been hacked and information stolen linked to its SecurID token authentication, that was just the start of trouble. In what can be considered the data breach of the year, it became clear later on that the attacker was going after RSA customers, including Lockheed Martin. Credit Coviello (who has since blamed a "nation-state" without using the name China, though at least one security vendor, SecureWorks, claims analyzed evidence points strongly in that direction) for popularizing the phrase 'advanced persistent threat" (APT).

APT is an expression first used by the Air Force to describe the unremitting attacks on its networks. The cost of the RSA breach for parent company EMC was reported at $55 million in the second quarter of last year.

APTS were bursting out all over in 2011. In just one example, Norway's National Security Agency in November disclosed that oil, gas and defense firms there had been targeted by sophisticated attacks in which industrial secrets and information about confidential contract negotiations were stolen. 10 companies in Norway were said to have been hit by customized email containing viruses that didn't trigger anti-malware detection systems. The Norwegian security agency didn't state any probable source for the APTs there.

Patch that hole!

The YGN Ethical Hacker Group, the Burmese group which claims to do only "ethical" hacking to expose software vulnerabilities, spotted vulnerabilities in McAfee's website and quietly contacted McAfee to tell the company about it. But when McAfee didn't fix the website, YGN went public in March, causing some embarrassment to the security vendor, which says its customers weren't in danger. YGN, whose practices doing unauthorized vulnerability testing of public-facing websites does defy U.S. law on the practice, also got Apple, which had also been a bit lax, to fix its developer website.

Open sesame! Open source hacked

These open-source bastions were scaled and taken last year: MySQL.com, the Linux Foundation with Linux.com and Linux.org, and Kernel.org; plus open source OS Commerce software was compromised with malware. A Russian hacker claimed to be selling root access to the My.SQL domain for $3,000.

 

1  2  3  4  Next Page 

Sign up for CIO Asia eNewsletters.