Top security incidents of 2011

Although vendor-written, this contributed piece does not advocate a position that is particular to the author's employer and has been edited and approved by Network World editors.

Everyone will agree that 2011 was a busy year in the field of data security, so as the year draws to a close it seems appropriate to begin the process of distilling our experiences into "lessons learned" that we can take into 2012.

Of course, there isn't room here to conduct a thorough examination of every significant event. Listing only the largest and most publicized events runs the risk of burying some of the more interesting items. So events are selected according to a combination of magnitude and ability to inform our thinking going forward.

ROUNDUP: 2011's biggest security snafus

To continue reading, register here to become an Insider. You'll get free access to premium content from CIO, Computerworld, CSO, InfoWorld, and Network World. See more Insider content or sign in.

Although vendor-written, this contributed piece does not advocate a position that is particular to the author's employer and has been edited and approved by Network World editors.

Everyone will agree that 2011 was a busy year in the field of data security, so as the year draws to a close it seems appropriate to begin the process of distilling our experiences into "lessons learned" that we can take into 2012.

Of course, there isn't room here to conduct a thorough examination of every significant event. Listing only the largest and most publicized events runs the risk of burying some of the more interesting items. So events are selected according to a combination of magnitude and ability to inform our thinking going forward.

ROUNDUP: 2011's biggest security snafus

"Tehran Bob"

In March we learned that the Comodo Certificate Authority had been compromised via one of its small regional resellers and tricked into issuing fraudulent certificates for a variety of high-profile websites such as Google. An independent Iranian hacker claimed responsibility.

In August, an alert user detected that fraudulent certificates were being used in a massive man-in-the-middle attack conducted against Gmail users in Iran. He found that Google's Chrome browser was giving warnings about the certificate appearing on Google's own websites. Word spread quickly that the Dutch CA DigiNotar had, in fact, been compromised for quite some time. In September DigiNotar earned the dubious distinction of being the first CA ever to be removed from browsers' list of trusted roots for weak security.

What we learned:


* The security of every browser user in the world really does depend on every little CA reseller and sub-CA that we've never heard of before.


* Current certificate revocation systems are simply not effective.


* CA "pinning" can provide improved security, but currently only browser vendors have access to it.


* One person can make a difference.

Sony

After retroactively banning Linux from their customers' previously purchased PlayStation 3 systems and filing a lawsuit against researchers GeoHot and fail0verflow whose work was poised to re-enable it, all of Sony's online systems (and then some) seemed to come under attack.

It started with DDoS attacks attributed to the Anonymous collective and went downhill from there. Other hackers found they could use a custom root CA to modify the messages exchanged between the PS3 and the PlayStation Network, reportedly enabling them to connect to internal developer systems.

In unrelated attacks, account information was breached from several of Sony's online systems, including 77 million customer records from the PSN. The scope of the breach was so great that Sony was forced to shut down the PSN entirely for several weeks until it could be brought back online in a secure manner.

Estimates for the total cost of the attacks range from $170 million into the billions.

What we learned:


* Systems may run just fine, vulnerable, for long periods of time.