The worst security snafus of 2012 – so far

In the first half of this year, mayhem prevailed, from hacker exploits to bad corporate behavior

Could things really be this bad? From the embarrassing hack of a conversation between the FBI and Scotland Yard to a plethora of data breaches, security snafus have ruled the first half of 2012. Here's a look at some of the worst snafus month-by-month.

MORE: Worst Data Breaches of 2012 -- So Far

January

The year started off with the FBI raiding the cloud file-sharing and storage Megaupload site, based in Hong Kong and founded by 38-year-old New Zealand resident Kim Dotcom, on content piracy charges to the tune of $175 million. And that action, supported by the U.S industries which hailed it as bringing down a big fish that was devouring their intellectual property, has triggered a year's worth of lawsuits and retributions from all even remotely involved. It turned confrontational when outraged users of Megaupload were invited by hactivist group Anonymous to attack law enforcement and industry websites supporting the raid by downloading do-it-yourself denial-of-service software such as Slowloris.

But by March it was apparent some of this DoS advice came from hackers who were merely tricking users into downloading Trojan software, such as Zeus, from infected links. Another twist: A New Zealand judge in March ruled an order granted to law enforcement allowing them to seize luxury cars and other personal effects of Dotcom is invalid mainly because the local police commissioner applied for the wrong type of seizure order that was requested by the U.S. That ruling mean Dotcom has a chance to get back some of his enormous bling, like his Rolls-Royce and pink Cadillac, seized during his arrest at his mansion outside Auckland. But of course, attorneys for the U.S. are arguing otherwise,. Dotcom, free on bail but subject to electronic monitoring, is expected to undergo extradition proceedings in August.

Other January Snafus:

• Online retailer Zappos disclosed hackers had likely broken into its network and stolen information on Zappos.com customers, including name, address, billing and shipping address, phone number and the last four digits of credit-card numbers and cryptographically scrambled passwords stored in hash form. Zappos informed customers all passwords were expired and customers should create a new one.

• Researchers from Seculert discovered what they say is a botnet command-and-control server holding 45,000 login credentials Facebook users exploited by a pervasive worm, Ramnit, infecting Windows and designed to infect computers and steal social networking usernames and passwords.

• Source code used in older Symantec enterprise security products, Symantec Endpoint Protection 11.0 and Symantec AntiVirus 10.2, as well as older versions of pcAnywhere and Norton Internet Security, was exposed online by hackers calling themselves Lords of Dharmaraja with a leader named Yama Tough in Mumbai. The gang claimed to obtain the code from a third-party associated with the Indian military. Symantec, acknowledging the authenticity of the source code, also said the security firm had been subject to the hackers vainly trying to extract an extortion payment of about $50,000 in exchange for not posting the stolen code. Symantec engaged in a cat-and-mouse game to catch them, with help from law enforcement -- but so far without apparent success. Symantec said it isn't certain where the hackers obtained the stolen cache of source code, and the security incident did prompt Symantec to devise security patches it advised some customers using older software to apply, with additional outreach to customers around the incident related to the stolen source code.

February

Right in the midst of a conference call the FBI was having with its agents and law-enforcement officials overseas at Scotland Yard, cybercriminals hacked their way into the phone conversation, recorded it and posted it online. The conversation was about hackers facing charges in the U.K. The group Anonymous took credit for the intercepted call. The FBI said it appeared likely the cybercriminals may have hacked into a law-enforcement official's email to get the information for the conference call dial-in.

Other February Snafus:

• Brazilian banks were targets for distributed denial-of-service attacks, with massive assaults against HSBC Brazil, Banco da Brasil, Itau Unibanco Multiplo SA and Banco Bradesco SA. Hactivists took credit for the DDoS spree.

• Whistleblowing website Cryptome.org, dedicated to exposing confidential information, was compromised by an intruder that loaded an attack code that tried to launch drive-by exploits at visitors to the site.

• The University of Florida had to notify 719 individuals that their Social Security numbers were improperly stored on a state website operated by the Bureau of Unclaimed Property for more than six years.

• Verizon had to acknowledge the Verizon 4G LTE network was knocked offline again just two months after its last serous outage. The outage on Feb. 22 lasted from about 10 a.m. to 1:20 p.m.

Microsoft's Azure cloud infrastructure and development service experienced a serious worldwide outage on Feb. 29. Microsoft later blamed the outage on a "Leap Year Bug" that was triggered in a key server housing a certificate that had expired on midnight on Feb. 28, and a time-calculation control hadn't taken into account the extra day in the month of February this year.

• Taiwan-based Apple supplier Foxconn was hacked by a hacker group calling itself Swagg Security, apparently in protest related to media reports about poor working conditions at the electronics manufacturer's factories in China. The hackers posted usernames and passwords that they said would allow attackers to place fraudulent orders under other companies' names, including Microsoft, Apple, IBM, Intel and Dell.

• The FBI arrested a computer programmer in New York and charged him with stealing proprietary software code from the Federal Reserve Bank of New York (FRBNY). The software is known as the Government-Wide Accounting and Reporting Program (GWA), which handles all kinds of U.S. government financial transactions, and it cost over $9 million to develop. The accused thief, Bo Zhang, a contract employee at FRBNY, used the GWA code in a private business he ran to train individuals in computer programming. Zhang, a Chinese citizen in the U.S. on a work visa since 2000, is also known as "Bryan Zhang," and in a plea agreement in April he pled guilty to theft of government property, admitting he'd copied the code onto an external hard drive and then transferred the GWA program to a home computer, knowing that was wrong.

March

At least 228,000 Social Security numbers were exposed in a March 30 breach involving a Medicaid server at the Utah Department of Health, according to officials from the Utah Department of Technology Services and Utah Department of Health, which theorized that attacks from Eastern Europe bypassed security controls because of configuration errors. In May, Utah CIO Steven Fletcher resigned because of it.

Other March snafus:

• The Vatican found its websites and internal email servers subject to a weeklong attack after the Anonymous collective said it was felt justified in this by the fact that the Vatican Radio System has powerful transmitters in the countryside outside Rome that allegedly constituted a health risk, including supposedly "leukemia and cancer," to people living in the vicinity. Another justification given were claims the Vatican allegedly helped the Nazis, destroyed books of historic value and that the clergy sexually molested children.

• Hackers in the LulzSec group associated with the broader Anonymous movement found the tables turned when they were arrested by the FBI and European law-enforcement agencies -- and it was LulzSec leader Hector Xavier Monsegur, alias "Sabu," who turned in his friends as part of a deal to work as a stooge for the FBI after being arrested in New York City last year.

• By the end of March, LulzSec claimed to be "reborn" and took credit for hacking a dating website for military personnel, MilitarySingles.com, leaking more than 160,000 account details from its database.

• Dutch police arrested a 17-year-old suspected of compromising the account data on hundreds of servers belonging to telecommunications operator KPN. The teenager, arrested in the Dutch town of Barendrecht, "made a confession," according to Dutch authorities. In the wake of the hacking spree, KPN said it would appoint a chief security officer and set up a permanent control center to monitor its systems.

• A flaw was discovered in Barclays contactless bank cards that could allow customers' data to be stolen and used fraudulently with them knowing about it, according to an investigation by ViaForensics in conjunction with Channel 4 News. But Barclays dismissed the claims as inaccurate.

• Security firms knew there was trouble when Kaspersky Lab identified code-signed Trojan malware dubbed Mediyes that had been signed with a digital certificate owned by Swiss firm Compavi AG and issued by Symantec. Symantec said it found out that the digital certificate's private key held by Compavi had indeed been stolen; whether by an insider or an outside attacker wasn't known.

• A security firm based in Slovakia, ESET, asserted a website operated by the country of Georgia has been used as part of a botnet to conduct cyber-espionage against that country's residents. But ESET researchers admitted they aren't sure whether the Win32/Georbot they have been monitoring is being directly operated by the Georgian government or by cyber-spies through a compromised Georgian agency.

April

The Federal Communication Commission fined Google $25,000, asserting the search-engine giant impeded an investigation into how Google collected data while taking photos for its Street View mapping feature. The FCC maintained in a report that Google "deliberately impeded and delayed" the investigation for months by not responding to requests for information and documents. But the FCC also said it won't take action against Google over its data collection because it still has questions it wants answered. The FCC had subpoenaed an unnamed Google engineer -- now known to be Marius Milner -- but he had apparently declined to testify, invoking his Fifth Amendment rights against incriminating himself.

Other April snafus:

• Hactivist group Anonymous brought down the websites of trade groups U.S. Telecom Association and TechAmerica, apparently for their support of the cybersecurity bill proposed by Rep. Mike Rogers that would allow the private companies and the government to share any information "directly pertaining to a vulnerability of, or threat to" a computer network. Privacy advocates, including the ACLU and Center for Democracy and technology, contend the bills shreds privacy protections.

• A U.S. grand jury charged two residents of China with 46 criminal counts, including infringing software copyrights and illegally exporting technology to China, for allegedly operating a website that sold pirated software used in engineering, manufacturing, space exploration, aerospace simulation and design, and other fields, with a commercial value of other $100 million. Xiang Li, 35, was earlier arrested by agents from the U.S. Immigration and Customs Enforcement's Homeland Security Investigations in Saipan, Northern Mariana Islands. Chun Yan Li remains at large. Both face charges in the U.S. District Court for the District of Delaware.

• A 31-year-old Russian national living in New York, Petr Murmylyuk, was charged with hacking into accounts at Fidelity, Scottrade, E*Trade and Schwab in a complex scheme that involved making unauthorized trades that profited the gang he recruited to open bank accounts to receive the illegal proceeds. The brokerage firms said they lost $1 million because of Murmylyuk's fraud.

• VMware's ESX source code was stolen and posted online, but VMware said the code, amounting to a single file from sometime around 2003 or 2004, doesn't mean any increased risk to VMware customers. Security firm Kaspersky said it believes the code was stolen from a Chinese company called China Electronics Import & Export Corporation during a March breach.

• A terminal at New Jersey's Newark Liberty International Airport was shut down for more than an hour on April 27 after officials discovered that a baby hadn't been properly screened. The baby in question had been handed back and forth between the parents after a metal detector went off sounding an alarm with the mother holding the baby. The father had already gone through the screening, and the parents and baby left the checkpoint to head to the gate. But Transportation Security Administration officials decided to "err on the side of caution" to shut down the terminal and go locate the baby to make sure it went through screening. Some passengers that had already boarded flights said they had to evacuate it and go through security screening again. Speaking of the TSA, one of the agency's critics, security expert Bruce Schneier, who is involved in a lawsuit with the agency to get them to stop the TSA's full-body scanner program, had been invited to testify before Congress about the TSA but the House Committee on Oversight and Government Report then "uninvited" Schneier last March after the TSA formally complained about him, obviously preferring not to be challenged directly by him right in front of Congress.

1 2 Page
Join the discussion
Be the first to comment on this article. Our Commenting Policies