Late last December ended with a hacker leaking data on 300,000 Verizon FIOS customers which was apparently stolen via a marketing partner of Verizon.
Late last December ended with a hacker leaking data on 300,000 Verizon FIOS customers which was apparently stolen via a third-party partner of Verizon. And now, the middle of 2013 ends with Edward Snowden, the former Booz Allen Hamilton contractor who worked for the National Security Agency (NSA), leaking secrets about NSA spying, including that Verizon, along with other U.S. telecom companies, gives customer phone records to the NSA. It's been a busy six months for security chills and spills, and here's our semi-annual update on the "biggest security snafus so far" this year.
- Hacker group NullCrew brazenly broke into the Department of Homeland Security website through a section advising foreigners about studying at American schools, and dumped internal DHS information onto a public Pastebin page.
- When it was noticed that the Apple iOS 6’s new ‘Do not Disturb’ feature stopped resetting according to schedule on New Year’s Day, Apple said scheduling wouldn’t work until Jan. 8, 2013.
- A 27-year-old Romanian man, Cezar Butu, was sentenced to 21 months in prison after admitting he was part of a group that stole payment card data from hundreds of computers belonging to merchants in the U.S.
- A Chinese man, Xiang Li, 36, pled guilty in U.S. court to selling pirated software used by the U.S. defense, space and other industries that would have retailed for $100 million. Li and a partner sold the pirated software for between $20 and $1,200 though some of it would have retailed for $1 million. Buyers of the pirated software included a NASA electronics engineer and a scientist at a government contractor selling microwave technology and other products used in military equipment. Li had been nabbed by U.S. undercover agents from the U.S. Immigration and Customs Enforcement on the island of Saipan.
- The exploit for a Java-based zero-day vulnerability was added into popular attack toolkits, but Oracle didn’t have immediate plans to patch the vulnerability. Security experts, as well as the U.S. Computer Emergency Readiness Team (US-CERT), advised disabling Java in browsers. Oracle then issued an emergency patch advising customers to update Java 7 immediately.
- The programming framework Ruby on Rails was found to have two critical security vulnerabilities. The worse one was a hole that allowed anyone to execute commands on the servers running affected web applications. Developers were advised to patch to the latest update immediately.
- The Utah Health Department admitted data on 6,000 Medicaid recipients was compromised due to the employee of an outside contractor, Goold Health Systems, losing a USB memory stick containing the data.
- Restaurant chain Zaxby’s Franchising said it found malware on the systems of many of its restaurants after it was notified of potential fraud activity at dozens of its restaurant locations. Zaxby’s said it thinks the attacks originated outside the restaurant chain and is in touch with law enforcement about it.
- The U.S. Department of Health & Human Services fined the Hospice of North Dakota $50,000 for a data breach affecting fewer than 500 people due to a theft of a laptop containing patient data, the first time such a settlement had been reached in so small a data breach.
- In the United Kingdom, two former members of the Anonymous hacktivist collective were sentenced to jail for their roles in a series of denial-of-service attacks launched against financial and music-industry organizations. Christopher Weatherhead, 22, and Ashley Rhodes, 28, received prison sentences of 18 and 7 months respectively for conspiracy to impair the operation of computers.
- Server problems interrupted the New York Stock Exchange’s delivery of trading data for two days, Jan. 28 and 29. The outages impacted the NYSE’s ability to send stock trade and quote data on hundreds of traded securities.
- After security company Rapid7 detailed a major flaw in the UPnP standard that left tens of millions of network-enabled devices from manufacturers such as Cisco-owned Linksys, Netgear, Belkin and D-Link open to attack, US-CERT, part of the Department of Homeland Security, advised consumers and businesses to disable UPnP. The protocol is used to permit many consumer electronics to discover each other on the network for data sharing, communications and media streaming.
- Hackers from China breached the network of the New York Times and stole passwords that allowed them to gain access to computers and e-mail accounts of 53 employees for about four months, the New York Times itself reported on Jan. 30. The Times, assisted by security firm Mandiant in the computer-breach investigation, believes the attacks were carried out mainly to target journalists reporting on subjects sensitive to the Chinese government. The Wall St. Journal and the Washington Post subsequently disclosed similar Chinese attacks on their networks had occurred for a number of years as well.
- Twitter said in a blog post that hackers hit Twitter and may have gained access to passwords and other information on as many as 250,000 user accounts. Twitter said the passwords were encrypted and it had already reset them as a “precautionary measure.” Twitter simply said, “This attack was not the work of amateurs, and we do not believe it was an isolated incident,” implying other organizations were likely also attacked.
- A program to jailbreak Apple devices running iOS 6 or higher was released Feb. 4, sparking over 100,000 downloads in the first 10 minutes of its availability. The program, said to have been devised by the iOS hackers known as the Evaders, continued the tradition of jailbreaking the security on Apple mobile devices in order to run apps not authorized by Apple.
- A faulty anti-virus update issued by Kaspersky Lab in early February disrupted many home and business customers, leaving them unable to access any websites via their computers. Kaspersky a week later also had to apologize for a subsequent patch that had been issued to correct the initial flawed update which also caused various computer problems.
- Hacker group Anonymous posted the personal information on about 4,000 people in the banking industry, from cashiers to C-level officers to bank presidents. The posted information contained logins and hashed passwords. Anonymous claimed it took the data from computers belonging to the Federal Reserve. A week earlier, Anonymous attacked the website of the U.S. Sentencing Commission in what it called its OpLastResort campaign, in retaliation for the suicide of computer programmer and Internet free-information advocate Aaron Swartz. Swartz, who faced a trial related to his arrest by MIT police on state breaking-and-entering charges for systematic downloading of academic articles, had hung himself in his apartment.
- Security firm Malwarebytes discovered malware in the wild that looked like a PDF invoice with a valid, signed digital certificate. The malware, a banking/password stealer that uses e-mail to spread, had a valid certificate issued to a real Brazilian software company by SSL certificate authority DigiCert, according to Jerome Segura, senior security researcher at Malwarebytes.
- The U.S. Department of Energy disclosed that personal information on several hundred employees and contractors was stolen in a hacking incident the month before. The DoE said it was leading “an aggressive effort” to prevent it from happening again.
- Authorities said they were investigating how a hacker got into the email accounts of former President George H.W. Bush and a half dozen of his relatives and close friends, posting them in the public domain, where they revealed gossiping about another former president, Bill Clinton. A spokesman for the president said the hacker obtained photos, addresses, phone numbers and various e-mail addresses.
- Security firm Bit9 had to admit that its failure to install its own protective software to block malicious applications on its own servers led them to be compromised, as hackers were adept in finding weaknesses that let the attackers make use of stolen Bit9 certificates for their own malicious software. That way, the attacker’s software looked as though it had been issued by Bit9.
- Through its technology, Google warned a number of journalists using Gmail that their accounts might be the target of state-sponsored hacking by the country of Myanmar, a charge hotly refuted by the Myanmar president’s spokesman.
- Burger King’s Twitter account was hacked, with the attacker changing the Twitter photo to a McDonald’s logo and saying Burger King had been sold to McDonald’s.
- The non-profit education community membership organization EDUCAUSE said its server that maintains the .edu domain information and member profile information was breached, which may have compromised other EDUCAUSE website profiles, including names, titles, e-mail addresses, usernames, and passwords.
- The Financial Industry Regulatory Authority fined five affiliates of the ING Groep NV $1.2 million after finding that the units of the Netherlands-based banking company had failed to retain or review millions of emails for various periods between 2004 and 2012.
- The administrators of a popular iOS developer Web forum called iPhoneDevSDK confirmed that it had been compromised by hackers who used it to launch attacks against its users. At about the same time, Facebook revealed its employees were also targeted and it apparently occurred “when a handful of employees visited a mobile developer website that had been compromised.” Apple also said a small number of the company’s systems had been compromised and infected with malware. Microsoft later said a small number of computers, including some on its Mac business unit, may have been infected the same way.
- Websites affiliated with broadcaster NBC were hacked for several hours on Feb. 21, serving up malicious software intended to steal bank account information.
- Zendesk said a hacker gained access to support information for some customers of its online helpdesk software. The company has more than 20,000 customers, including Sears, Xerox and Groupon.
- Microsoft’s Azure cloud suffered a worldwide outage in storage services on Feb. 22 because of an expired SSL certificate. The company took steps to update the SSL certificate and apologized for the “inconvenience this causes our customers.”
- Bank of America (BoA) said a data breach of internal e-mails related to monitoring of the hacktivist group Anonymous was basically the fault of a third-party contractor which was compromised but wasn’t named. Some of the e-mail correspondence showed that TEKsystems had been working with BoA to monitor public activity by hacker groups targeting the bank. The hacker group that claimed to have posted more than 500 emails went by the name Par:AnoIA.
- Evernote, which makes business and consumer productivity software, forced all its 50 million users to change their passwords after detecting a hacker intrusion on its systems. The attacker is said to have gained access to Evernote accounts’ usernames, email addresses and passwords, though the passwords were encrypted. The company said there’s no evidence the hackers got hold of user content or customers’ payment information.
- CloudFlare, the company whose service speeds up delivery of web pages, briefly dropped off the Internet for about an hour after its Juniper routers choked on a slight programming change that had been designed to deflect a distributed denial-of-service attack that had been underway against one of its customers.
- The European Union Commission fined Microsoft the Euro equivalent of about $733 million for breaking the terms of an earlier agreement made in 2009 to offer users a choice of Internet browser.
- Prison inmate Nicholas Webber, said to be a convicted cybercriminal, hacked into his prison’s mainframe after being allowed to take an IT course in 2011, it was learned during a tribunal in Great Britain related to an unfair dismissal claim in which the IT teacher at the time, Michael Fox, said it wasn’t his fault though he believes the incident contributed to his being laid off.
- A website called Annualcreditreport.com that provides U.S. consumers with a free annual credit report was apparently the source used by hackers to download credit reports of celebrities such as Beyonce and government officials, including FBI director Robert Mueller.
- Google agreed to pay a $7 million fine to settle a multi-state investigation into Google’s interception of personal e-mails, passwords and other sensitive information transmitted several years ago over unprotected wireless networks in neighborhoods. Google didn’t acknowledge any wrongdoing in the settlement that covers 38 states and the District of Columbia.
- The U.S. National Vulnerability Database was temporarily taken down by its managers at the National Institute of Standards and Technology after malware was discovered on the site and traced to a software vulnerability.
- Microsoft said a botched firmware update led to the Outlook.com partial outage lasting about 16 hours. Some detail about it from Microsoft said a temperature spike impacting the servers played a role in it all in a data-center area where Hotmail.com, Outlook.com and SkyDrive infrastructure is located, “so some people trying to access those services were impacted.”
- Computer networks of banks and some broadcasters in South Korea suffered a cyber-attack that disrupted business there. While at first pointing to North Korea as a possible source of the attacks, South Korean investigators later backed down from that stance, saying they had no proof.
- Several Xbox Live accounts for former and current Microsoft employees were compromised by attackers using social engineering techniques, Microsoft said. This may be related to another attack based on social engineering that targeted security reporter Brian Krebs, whose reporting on Russian crime sites likely gained him some enemies. One day Krebs' residence was surrounded by a police SWAT team after a caller falsely reported a break-in there.
- Google Drive, the cloud storage and applications suite used by millions at home and at work, suffered three outages in one week, apparently caused by a bug in the Google network’s control software.
- A former Defense Department contractor in Hawaii, 59-year-old Benjamin Pierce Bishop, was convicted of espionage in giving his 27-year-old Chinese lover classified information about nuclear weapons, missile defense and radar systems. In a separate case, Sixing Lui, a Chinese citizen who worked at L-3 Communications’ space and navigation division, was sentenced in federal court in Newark to over five years in jail for taking thousands of files about a disk resonator gyroscope, designed to support precision targeting without satellite guidance, and other defense systems to China in violation of a U.S. arms embargo. Lui had told his supervisor he was going on vacation to Chicago but instead went to China, where federal prosecutors believe he may have wanted to get a job at a Chinese aeronautical institute.
- Wisconsin resident, 37-year-old Eric Rosol, was charged with participating in a distributed denial-of-service attack in Feb. 2011 against Koch Industries by hacker group Anonymous. If convicted, Rosol faces up to five years in federal prison and a total fine of $500,000.
- A large and prolonged distributed denial-of-service (DDoS) attack hit The Spamhaus Project, a European spam-fighting group. A month later, a Dutch man with the initials “SK” was arrested in Spain by Spanish authorities and charged with participating in the attack. Later in May, “SK” — identified by one official as Sven Kamphuis, a spokesman for the Stophaus movement — was extradited to the Netherlands as the investigation into the attack proceeds.
- Wells Fargo’s banking website suffered disruptions after a group calling itself the al-Qassam Cyber Fighters said it had stepped up efforts to prevent access to it by Wells Fargo customers. American Express also said its website had been hit by a DDoS attack.
- Security vendor Sophos said it updated the software for its Web gateway security appliance in order to address three serious vulnerabilities that would allow attackers to gain access to configuration files containing sensitive information like plaintext passwords for other internal network services, and other issues.
- Two of Japan’s major Web portals were hacked, with one warning that as many as 100,000 user accounts were compromised. Goo, the portal owned by network operator NTT, said it had no choice but to lock 100,000 accounts to prevent illicit logins. Separately, Yahoo Japan said it discovered a malicious program on company servers that had extracted user data for 1.27 million users, but was stopped before it leaked any of the information outside of the company.
- Online Bitcoin storage service, Instawallet, said it was accepting claims for stolen bitcoins after the company’s database was fraudulently accessed.
- The Department of Defense Inspector General issued a report critical of how the U.S. Army was handling security for mobile devices, including tablets and smartphones, calling the efforts so far a failure.
- North Korea’s official Flickr and Twitter pages were vandalized, with the hacker collective Anonymous taking credit. The group posted an image of North Korean leader Kim Jong-un with pig ears and a Mickey Mouse tattoo on his stomach. The images said Kim is “wanted” for “threatening world peace with ICBMs and nuclear weapons.”
- In Florida, food delivery service Gainesville2Go said a fired ex-employee was to blame for an obscene message sent one morning to all customers in the company’s e-mail list and subsequent Facebook and Twitter posts. The delivery service manager, apologizing to customers, said the former employee had been fired a few days earlier but had passwords to access the accounts and decided to try and ruin the business. Also in Gainesville, Fla., the University of Florida sent out letters to 14,339 patients of the UF&Shands Family Medicine at Main practice, telling them they might be the victims of identity theft. Two people have been arrested in connection with that, including an employee at the medical clinic.
- Digital library and document-sharing website Scribd said it was hacked, though it believes only a small number of users, less than 1%, were impacted. Scribd recommended users change their passwords and said it was conducting a comprehensive security review.
- Apple’s iMessage and Facetime messaging systems were hit by a glitch that took the services offline for several hours in early April.
- American Airlines grounded all its flights the afternoon of April 16 after experiencing numerous outages in its reservation system. The airline carrier said it resolved issues with its Sabre system later that day.
- Office supply store chain Staples had to lock down its corporate systems one day when it discovered a malware attack spreading on its systems, according to CRN, which reported on it based on a notification in e-mail to Staples employees.
- Store chain Schnuck Markets revealed that 2.4 million credit and debit cards used at its stores may have been compromised in a cyber theft in which criminals may have installed malware in the company’s “processing environment,” as payment cards were awaiting authorization. The company said 79 of its 100 stores were impacted.
- The 21-year-old hacker found guilty of a long string of crimes, including distributing a keylogger Trojan disguised as a Call of Duty software patch, has pleaded guilty to launching DDoS attacks on the websites of Oxford and Cambridge universities, which indicated they spent two weeks dealing with the attacks. Separately, Lewys Martin was also accused by police of harvesting 300 credit cards during his keylogging campaign.
- A fake press release went across the Internet, claiming that Chinese search giant Baidu had made an offer to acquire social-gaming company Zynga. The fake release said Baidu was offering to buy Zynga for $10 a share and contained made-up quotes from executives to that effect. The hoax, refuted by the firms, didn’t get much attention, and the website, PR Urgent, that was hosting the bogus information took down the fake press release.
- After someone hacked an Associated Press (AP) Twitter account and posted a bogus tweet saying the White House had been attacked, the Dow, which had been up about 130 points, fell into the red for two minutes, erasing $200 billion of stock value, but bounced back quickly when it became clear the “news” was a hoax. A group called the Syrian Electronic Army took credit for the fake AP message. Other news organizations whose Twitter accounts were hacked that month include CBS and NPR. And oh, the fake news site The Onion was hacked, too.
- Sears, which owns Kmart, said a robbery the month before at a Little Rock, Ark., store resulted in a thief taking from a safe not just $6,000 in cash but the day’s backup disk that was unencrypted and apparently not password-protected. It included the full names, addresses, dates of birth, prescription numbers, prescribers, insurance cardholder IDs and drug names for some 788 customers, according to Sears, and some customer Social Security numbers.
- LivingSocial, the daily deals site owned in part by Amazon, acknowledged it suffered a cyberattack which “resulted in unauthorized access to some customer data from our servers.” That information included names, e-mail addresses, date of birth for some users, and encrypted passwords. The company, which admitted 50 million customers were impacted, did say no credit-card and other financial information was affected or accessed.
- An unknown perpetrator launched wide-scale brute-force attacks against WordPress installations at hosting providers in order to build a large botnet. “Tens of thousands to hundreds of thousands of these shared servers have been cracked by these techniques,” said the Anti-Phishing Working Group in its report. “Access and use of these boxes is then metered out in the criminal underground for all sorts of activities, including DDoS, malware distribution, and of course, phishing.”
- The U.S. Department of Labor website was hacked and malware loaded onto the Department of Labor’s server, attempting to compromise visitors through an IE vulnerability. The problem was later fixed.
- Personal information on 1,350 patients at Sonoma Valley Hospital in California was exposed after a hospital employee accidentally uploaded the data to the hospital’s public website on Feb. 14 but became aware of the breach on April 17.
- The Chicago Board Options Exchange (CBOE) for trading suffered system problems on May 2 that affected trading, and the glitch followed an outage the previous week that forced CBOE to delay trading for more than three hours.
- The Financial Times website and Twitter feed were hacked, with responsibility for that claimed by a group called the Syrian Electronic Army, which supports Syrian President Bashar al-Assad, apparently angered by the publication’s coverage of the Syrian civil war conflict.
- A 41-year-old man, Michael Meneses, was arrested for allegedly disrupting his former employer’s network after he was passed over for promotions and quit his job, causing an alleged $90,000 in damages by breaking into it with captured passwords and corrupting data, according to FBI information. Meneses, whose job at Spellman High Voltage Electronics Corp. entailed developing and customizing software, denied the allegations and was released on $50,000 bond.
- Eonline, the online entertainment news site, acknowledged its breaking-news Twitter and SMS accounts were compromised, and on May 4 said, “We apologize for any confusion that the enormous news alerts may have caused.” Other media websites, some for Federal News Radio and WTOP and the Dvorak blog site, were also compromised and pushing fake anti-virus malware.
- The defense contractor QinetiQ was compromised and information and intellectual property vital to national security was stolen by hackers associated with the Chinese People’s Liberation Army, over a three-year period, according to Bloomberg.
- A bi-annual report from the Pentagon to Congress said the Chinese government has targeted U.S. government computer systems for intrusion, a more direct accusation than had been made previously.
- A hacker named “Guccifer” hacked into the online accounts of the Council on Foreign Relations and also broke into e-mail and Twitter accounts of “Sex in the City” author Candace Bushnell, later posting images of a Word document containing the first 37,000 words of Bushnell’s next novel.
- Domain registrar Name.com forced its customers to re-set their account passwords following a security breach on the company’s servers that might have resulted in customer information being compromised, including usernames, email addresses, encrypted passwords, and encrypted credit-card information.
- Federal prosecutors in New York charged eight suspects in what was described as a cyber theft ring with stealing $45 million from banks around the world by hacking into them and committing crimes such as drastically increasing amounts available through credit cards. Their crimes are said to include withdrawing $400,000 in 750 separate ATM transactions at more than 140 locations in New York City in less than three hours and later withdrawing $2.4 million in 3,000 ATM withdrawals in just over 10 hours.
- After Goldman Sachs Group complained that the Bloomberg news division had access to Bloomberg customer log-in and usage data, Bloomberg decided to “disable journalistic access to this customer relationship information for all clients.”
- U.S. officials froze an account tied to the largest bitcoin exchange after regulators warned that organizations of this type should follow traditional rules on money laundering.
- It was learned that the U.S. Justice Department secretly examined two months of phone records of more than 20 lines belonging to the Associated Press and its reporters in what the Justice Department indicates is an investigation into whether any government officials gave the AP classified information about the CIA’s infiltration of an al Qaeda cell in Yemen. It triggered widespread condemnation that the Obama Administration was infringing upon free-press protections.
- In London, four British men associated with the LulzSec hacker group received prison sentences of up to 32 months for their roles in cyberattacks launched by the group against government and corporate websites in 2011. Ryan Cleary, Jake Davis, Ryan Ackroyd and Mustafa Al-Bassam had pled guilty to charges of carrying out unauthorized acts with the intention of impairing the operation of computers. Some of LulzSec’s targets included Sony, Nintendo, News Corp., Bethesda Game Studios, the CIA, the FBI, the Arizona state Police and the U.K.’s Serious Organized Crime Agency. Another LulzSec member, Cody Andrew Kretsinger from Decatur, Ill., had been sentenced in April to one year in federal prison for his role in LulzSec’s attack against Sony Pictures.
- The New York Times website came under a denial-of-service attack that made it unavailable for some users.
- Neither admitting nor denying wrongdoing, LPL Financial Holdings, Inc. agreed to pay a fine associated with failure to keep track of what brokers told clients by email and also agreed to create a $1.5 million compensation fund for clients, in order to end allegations by the Financial Industry Regulatory Authority, Wall Street’s self-regulator, that LPL had “systematic email failures” it did not adequately fix.
- The Department of Homeland Security warned employees and others that a database hole present since 2009 in software used by an unnamed contractor for background investigations for security clearances had put their personally identifiable information at risk.
- The CEO of pizza-delivery company Papa John’s apologized to a Sanford, Fla., customer after a delivery man accidentally dialed the customer and left a racist rant on the man’s voicemail as he complained about tips. In a video that later went viral, the customer played a recording of the voicemail and showed a receipt that he had given a $5 tip on a $15.26 delivery. The driver was fired from his job.
- A New York Police Department detective, who thought his girlfriend was involved with another officer, was charged with illegally using a restricted federal database and using an email hacking service to pry into others’ lives. Edwin Vargas, 42, is accused of buying more than $4,000 worth of illegal services between 2011 and 2012 in order to obtain email login credentials and cell phone numbers belonging to at least 30 individuals, including 19 current NYPD officers, to try and spy on them. He faces a two-year sentence on computer hacking if convicted.
- A former Anonymous member, Jeremy Hammond, 28, of Chicago, pled guilty to participating in more than a half dozen attacks carried out in 2010 and 2011 by Anonymous and affiliated groups. According to the U.S. Attorney for the Southern District of New York, Hammond pled guilty to one count of conspiracy to engage in computer hacking and has agreed to pay a $2.5 million fine in restitution. Hammond admitted to participating in the attack on Stratfor in which information on 860,000 subscribers, plus emails, credit-card numbers and encrypted passwords, were released. The card data was used to make $700,000 in purchases, according to prosecutors. Hammond is due to be sentenced Sept. 6.
- The University of Florida sent letters to 5,682 pediatric patients or their parents telling them they may be victims of identity theft after learning a former employee at a pediatric care facility in Gainesville compromised patient information.
- A medical facility run by Idaho State University was fined $400,000 by the U.S. Department of Health and Human Services after thousands of patient records were left unsecured when firewall monitoring was disabled for several months.
- Back in May, CBS newswoman Sharyl Attkisson revealed that her computer had been compromised, and in June, a cyber security expert hired by CBS News determined her computer had been accessed by “an unauthorized, external, unknown party on multiple occasions late in 2012,” and that the “intruder had executed commands that appeared to involve search and exfiltration of data.” The intruder also sought to remove traces of unauthorized activity and altered system times to cause further confusion, CBS said.
- Pirate Bay co-founder Gottfrid Svartholm Warg was sentenced to two years in prison by a district court in Sweden for multiple data intrusions, attempted aggravated fraud and aggravated fraud. The data-intrusion charge is related to the hacking of a mainframe belonging to Logica, now CGI, an IT firm that provided tax services to the Swedish government, and a mainframe of Nordea banks. The fraud charges stem from a number of attempted money transfers from accounts at Nordea, of which one was successful. Warg and his co-defendant in the case never disputed the intrusions were carried out from their computers but denied involvement, saying the computers were either remotely controlled or other people used them.
- A bug on Facebook leaked email addresses and phone numbers provided by some 6 million people on the site to certain other users, Facebook revealed, adding it had no information that this flaw had been exploited maliciously. The bug had been live for a year before it was discovered by Facebook’s security team, which fixed the problem.
- Southwest Airlines had a major glitch in its computer systems that forced the grounding of more than 60 flights for almost two days but did say it had straightened out its computer systems.
- The French government’s accounts payable system, based on SAP, finally was brought back online after a four-day outage, the French State Financial Computing Agency said on June 24. The difficulty was blamed on an error at a data center operated by services company Bull where a sub-contractor accidentally triggered the server room’s fire-extinguishing system. It wasn’t possible to recover all the data, the agency said.
- State regulators are warning virtual-currency exchanges and companies that deal with bitcoin that they could be closed down if their activities run afoul of state money-transmission laws, according to a Wall St. Journal article.
- Opera Software acknowledged that hackers stole from its internal systems at least one code-signing certificate that was used to sign malicious software. The Oslo-based company, which makes a mobile and desktop web browser, said it believes a few thousand Windows users may have automatically installed malicious software on June 19, the day the attack was detected and halted.
- South Korea suffered a volume of DDoS cyberattacks that coincided with the 63rd anniversary of the start of the Korean War. South Korean government websites were hit, which some security firms, including Symantec, traced to the DarkSeoul gang.
- In what we can easily call the biggest SNAFU for the first half of 2013, the super-secretive National Security Agency (NSA) found its spying methods on display as Edward Snowden, the former Booz Allen Hamilton contractor who worked at the NSA for three months, blabbed about its surveillance methods to the media. The world learned that not only does the NSA collect phone records from the U.S. telecom firms, it can get user data from Microsoft, Google, Yahoo, Facebook, PalTalk, YouTube, Skype, AOL and Apple, including e-mail, chat, video, photos, stored data, VoIP, file transfer and other material under what’s called its PRISM program. The NSA’s massive global surveillance effort is done with help from Great Britain’s Menwith Hill facility, as The Guardian’s journalist Glenn Greenwald, a main contact for Snowden, described.
NSA director Gen. Keith Alexander had to go before Congress to defend the NSA’s operations. The U.S. government is now in pursuit of the 29-year-old Snowden as a traitor. Snowden had earlier shown up in Hong Kong, saying he wanted to defend his actions in a court of law. But he has now been on the run, as WikiLeaks supporters helped him fly to Moscow, where he’s holed up in an airport (his passport has been revoked) while negotiating asylum somewhere, perhaps Ecuador or Cuba. President Obama said he wouldn’t engage in “wheeling, dealing and trading,” or scrambling jets, to get Snowden extradited to the U.S., but he’s concerned over what other classified information Snowden may still try to disseminate. Obama said the fact that Snowden had these documents revealed significant vulnerabilities at the NSA. Clearly, this story, worthy of a Cold War spy novel, is spilling over into the second half of 2013!
Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security. Twitter: MessmerE.