As 2009 draws to a close, some are saying good riddance. To say 2009 was an active year for security breaches would be quite an understatement. The number of personal records exposed skyrocketed to 220 million this year, compared with 35 million in 2008. 2009 saw historically high levels of security breaches, worms and malware attacks; let's hope the next decade isn't more of the same. Here is a list of my favorite security breaches of 2009.
1) Conficker - Conficker is the most widespread botnet ever recorded. Sure, it isn't a specific breach per se, but I just had to make it my number one. It still infects millions of PCs. In fact, according to a report recently released by shadowserver.org, China Telecom's ChinaNet still has over a million infected PCs, or about 1% of its total IP address space. Conficker's primary infection vector was the remote code execution vulnerability in the Windows Server service described in Microsoft Security Bulletin MS08-067, a flaw Microsoft had patched in October 2008, before the worm ever appeared; later variants also spread through network shares protected by weak passwords and through removable media via autorun, which is why patching alone did not stop it.
2) Phishing attacks on banking sites - A recent report by Trusteer shows that phishers are making a lot of money by impersonating banks. The report finds that only a tiny fraction of bank customers actually click through from a phishing email, just 0.000564%, but 45% of those who do click go on to hand their credentials to the fake site. Even though the click rate is minuscule, the sheer size of the online banking population makes this a significant loss for the banks: the report estimates they lose between $2.4 million and $9.4 million per million online banking users to phishing fraud annually!
3) Heartland Payment Systems - I'm sure you all know about this one already. Disclosed in January 2009, the breach let attackers steal more than 130,000,000 credit card records. Many of the techniques used were basic SQL injection exploits, the kind of flaw that parameterized queries have prevented for years. Just a few days ago Heartland agreed to pay AMEX $3.6 million to settle claims related to the breach, and it has set aside $12.6 million more to settle the claims it is anticipating from Visa, MasterCard, etc.
4) Terrorists intercept unencrypted US drone video feeds - Using $26 off-the-shelf software called SkyGrabber, a tool built to capture unencrypted satellite downlinks, terrorists were able to intercept live video feeds from U.S. Predator drones. I was floored when I learned that the military does not encrypt these feeds!! Of course our enemies are going to intercept them; anyone with the right receiver card can listen to a broadcast radio link. You just can't make this stuff up. It gets worse: the ROVER video-link system that delivers the drone video to troops on the ground is also used with our fighters, bombers and other drones, so the exposure is not limited to the Predator. Come on guys, even our satellite TV providers encrypt their video streams!
5) Ransomed! Virginia State Prescription Monitoring Program records - The attacker claimed to have copied 8.3 million patient records and 35 million drug prescriptions from the VPMP database, made an encrypted copy and deleted the originals. For a twist, the attacker defaced the VPMP website with a ransom note demanding $10 million! They never got it (probably would have been cheaper to pay it ☺), but here's the note they posted: "I have your shit! In *my* possession, right now, are 8,257,378 patient records and a total of 35,548,087 prescriptions. Also, I made an encrypted backup and deleted the original. Unfortunately for Virginia, their backups seem to have gone missing, too. Uhoh :( For $10 million, I will gladly send along the password."
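The SQL injection vector named in the Heartland item (#3) deserves a concrete illustration. The following is an added example, not code from the original post and not anything from Heartland's systems: a constructed in-memory SQLite database with invented merchants and standard test card numbers, a merchant lookup written with string concatenation next to the same lookup written with a parameterized query, and two classic payloads (a UNION that pulls card numbers out of a different table, and a tautology that dumps every merchant). The vulnerable version leaks; the parameterized version treats the same input as an ordinary merchant name and returns nothing. All table, column and merchant names are assumptions made up for this example.

```python
import sqlite3

# Constructed sample data for this example: a toy payment-processor schema with
# invented merchants and the well-known test PANs (not real card numbers).
MERCHANTS = [(1, "Acme Grocery", "key-acme"), (2, "Bob's Cafe", "key-bob")]
CARDS = [(1, "4111111111111111"), (2, "5500000000000004")]


def make_db():
    """Build an in-memory SQLite database holding the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE merchants (id INTEGER, name TEXT, api_key TEXT)")
    conn.execute("CREATE TABLE cards (merchant_id INTEGER, pan TEXT)")
    conn.executemany("INSERT INTO merchants VALUES (?, ?, ?)", MERCHANTS)
    conn.executemany("INSERT INTO cards VALUES (?, ?)", CARDS)
    return conn


def lookup_merchant_vulnerable(conn, name):
    """The classic mistake: user input is pasted into the SQL text itself."""
    sql = "SELECT id, name FROM merchants WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_merchant_safe(conn, name):
    """Parameterized query: the value travels separately from the statement, so
    quotes, comment markers and keywords in the input are data, never SQL."""
    sql = "SELECT id, name FROM merchants WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


# UNION payload: closes the string literal, appends a second SELECT against a
# different table with the same column count, and comments out the quote the
# application appends after the input.
UNION_PAYLOAD = "' UNION SELECT merchant_id, pan FROM cards --"

# Tautology payload: turns a lookup for one merchant into a dump of all of them.
TAUTOLOGY_PAYLOAD = "' OR '1'='1"


def vulnerable_handles_apostrophe(conn):
    """The concatenating version cannot even look up a legitimate name that
    contains a quote: the apostrophe breaks the SQL syntax."""
    try:
        lookup_merchant_vulnerable(conn, "Bob's Cafe")
        return True
    except sqlite3.OperationalError:
        return False


def demo():
    """Run the payloads through both lookups and return the rows each produced."""
    conn = make_db()
    return {
        "vulnerable_union": sorted(lookup_merchant_vulnerable(conn, UNION_PAYLOAD)),
        "vulnerable_tautology": sorted(lookup_merchant_vulnerable(conn, TAUTOLOGY_PAYLOAD)),
        "safe_union": lookup_merchant_safe(conn, UNION_PAYLOAD),
        "safe_tautology": lookup_merchant_safe(conn, TAUTOLOGY_PAYLOAD),
        "safe_normal": lookup_merchant_safe(conn, "Acme Grocery"),
        "safe_apostrophe": lookup_merchant_safe(conn, "Bob's Cafe"),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
    print("vulnerable lookup of Bob's Cafe works:", vulnerable_handles_apostrophe(make_db()))
```

Note that the concatenated query is not only exploitable but also broken for honest input: a merchant called "Bob's Cafe" cannot be looked up at all, while the parameterized query handles it without any escaping. Binding parameters fixes both problems at once, which is why it, and not input "sanitizing", is the control PCI assessors look for.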
There were tons of breaches I could have chosen for my list, so yes, I probably missed your favorites. Let me know what you consider the most high-profile, destructive or just plain weird breaches of 2009.
The opinions and information presented here are my PERSONAL views and not those of my employer. I am in no way an official spokesperson for my employer.
More from Jamey Heary:
* Credit Card Skimming: How thieves can steal your card info without you knowing it
* Why you should always shred your boarding pass
* Video rental records are afforded more privacy protections than your online data
* The truth about new SSL attacks
* 2009 Top Urban Legends in IT Security
Go to Jamey’s Blog for more articles on security.
Jamey Heary, CCIE #7680, sits on the PCI Security Standards Council Board of Advisors, where he provides strategic and technical guidance for future PCI standards. Jamey is the author of Cisco NAC Appliance: Enforcing Host Security with Clean Access. (Check out all of Jamey Heary's books from Cisco Press.) He also has a patent pending on a new DDoS mitigation technique.
Jamey sits on several security advisory boards for Cisco Systems and is a founding member of the Colorado Healthcare InfoSec Users Group. He is an experienced speaker who is recognized as an expert in network security architecture, regulatory compliance, and routing and switching. His other certifications include CISSP and CCSP, and he is a Certified HIPAA Security Professional. He has been working in the IT field for 15 years and in IT security for 10 years. Jamey is currently a Distinguished Systems Engineer at Cisco Systems.