The biggest security snafus of 2013 (so far)

From Verizon FIOS hack to the National Security Agency debacle, it's been one busy year in the security snafu arena

Late last December ended with a hacker leaking data on 300,000 Verizon FIOS customers which was apparently stolen via a marketing partner of Verizon.


Late last December ended with a hacker leaking data on 300,000 Verizon FIOS customers, which was apparently stolen via a third-party partner of Verizon. And now, the middle of 2013 ends with Edward Snowden, the former Booz Allen Hamilton contractor who worked for the National Security Agency (NSA), leaking secrets about NSA spying, including that Verizon, along with other U.S. telecom companies, gives customer phone records to the NSA. It's been a busy six months for security chills and spills, and here's our semi-annual update on the "biggest security snafus so far" this year.


JANUARY 2013

- Hacker group NullCrew brazenly broke into the Department of Homeland Security website through a section advising foreigners about studying at American schools, and dumped internal DHS information onto a public Pastebin page.

- When it was noticed that the Apple iOS 6’s new ‘Do not Disturb’ feature stopped resetting according to schedule on New Year’s Day, Apple said scheduling wouldn’t work until Jan. 8, 2013.

- A 27-year-old Romanian man, Cezar Butu, was sentenced to 21 months in prison after admitting he was part of a group that stole payment card data from hundreds of computers belonging to merchants in the U.S.

- A Chinese man, Xiang Li, 36, pled guilty in U.S. court to selling pirated software used by the U.S. defense, space and other industries that would have retailed for $100 million. Li and a partner sold the pirated software for between $20 and $1,200 though some of it would have retailed for $1 million. Buyers of the pirated software included a NASA electronics engineer and a scientist at a government contractor selling microwave technology and other products used in military equipment. Li had been nabbed by U.S. undercover agents from the U.S. Immigration and Customs Enforcement on the island of Saipan.

- The exploit for a Java-based zero-day vulnerability was added into popular attack toolkits, but Oracle didn’t have immediate plans to patch the vulnerability. Security experts, as well as the U.S. Computer Emergency Readiness Team (US-CERT), advised disabling Java in browsers. Oracle then issued an emergency patch advising customers to update Java 7 immediately.

- The programming framework Ruby on Rails was found to have two critical security vulnerabilities. The worse one was a hole that allowed anyone to execute commands on the servers running affected web applications. Developers were advised to patch to the latest update immediately.

- The Utah Health Department admitted data on 6,000 Medicaid recipients was compromised due to the employee of an outside contractor, Goold Health Systems, losing a USB memory stick containing the data.

- Restaurant chain Zaxby’s Franchising said it found malware on the systems of many of its restaurants after it was notified of potential fraud activity at dozens of its restaurant locations. Zaxby’s said it thinks the attacks originated outside the restaurant chain and is in touch with law enforcement about it.

- The U.S. Department of Health & Human Services fined the Hospice of North Dakota $50,000 for a data breach affecting fewer than 500 people due to a theft of a laptop containing patient data, the first time such a settlement had been reached in so small a data breach.

- In the United Kingdom, two former members of the Anonymous hacktivist collective were sentenced to jail for their roles in a series of denial-of-service attacks launched against financial and music-industry organizations. Christopher Weatherhead, 22, and Ashley Rhodes, 28, received prison sentences of 18 and 7 months respectively for conspiracy to impair the operation of computers.

- Server problems interrupted the New York Stock Exchange’s delivery of trading data for two days, Jan. 28 and 29. The outages impacted the NYSE’s ability to send stock trade and quote data on hundreds of traded securities.

- After security company Rapid7 detailed a major flaw in the UPnP standard that left tens of millions of network-enabled devices from manufacturers such as Cisco-owned Linksys, Netgear, Belkin and D-Link open to attack, US-CERT, part of the Department of Homeland Security, advised consumers and businesses to disable UPnP. The protocol is used to permit many consumer electronics to discover each other on the network for data sharing, communications and media streaming.

- Hackers from China breached the network of the New York Times and stole passwords that allowed them to gain access to computers and e-mail accounts of 53 employees for about four months, the New York Times itself reported on Jan. 30. The Times, assisted by security firm Mandiant in the computer-breach investigation, believes the attacks were carried out mainly to target journalists reporting on subjects sensitive to the Chinese government. The Wall St. Journal and the Washington Post subsequently disclosed similar Chinese attacks on their networks had occurred for a number of years as well.

FEBRUARY 2013

- Twitter said in a blog post that hackers hit Twitter and may have gained access to passwords and other information on as many as 250,000 user accounts. Twitter said the passwords were encrypted and it had already reset them as a “precautionary measure.” Twitter simply said, “This attack was not the work of amateurs, and we do not believe it was an isolated incident,” implying other organizations were likely also attacked.

- A program to jailbreak Apple devices running iOS 6 or higher was released Feb. 4, sparking over 100,000 downloads in the first 10 minutes of its availability. The program, said to have been devised by the iOS hackers known as the Evaders, continued the tradition of jailbreaking the security on Apple mobile devices in order to run apps not authorized by Apple.

- A faulty anti-virus update issued by Kaspersky Lab in early February disrupted many home and business customers, leaving them unable to access any websites via their computers. Kaspersky a week later also had to apologize for a subsequent patch that had been issued to correct the initial flawed update which also caused various computer problems.

- Hacker group Anonymous posted the personal information on about 4,000 people in the banking industry, from cashiers to C-level officers to bank presidents. The posted information contained logins and hashed passwords. Anonymous claimed it took the data from computers belonging to the Federal Reserve. A week earlier, Anonymous attacked the website of the U.S. Sentencing Commission in what it called its OpLastResort campaign, in retaliation for the suicide of computer programmer and Internet free-information advocate Aaron Swartz. Swartz, who faced a trial related to his arrest by MIT police on state breaking-and-entering charges for systematic downloading of academic articles, had hung himself in his apartment.

- Security firm Malwarebytes discovered malware in the wild that looked like a PDF invoice with a valid, signed digital certificate. The malware, a banking/password stealer that uses e-mail to spread, had a valid certificate issued to a real Brazilian software company by SSL certificate authority DigiCert, according to Jerome Segura, senior security researcher at Malwarebytes.

- The U.S. Department of Energy disclosed that personal information on several hundred employees and contractors was stolen in a hacking incident the month before. The DoE said it was leading “an aggressive effort” to prevent it from happening again.

- Authorities said they were investigating how a hacker got into the email accounts of former President George H.W. Bush and a half dozen of his relatives and close friends, posting them in the public domain, where they revealed gossiping about another former president, Bill Clinton. A spokesman for the president said the hacker obtained photos, addresses, phone numbers and various e-mail addresses.

- Security firm Bit9 had to admit that its failure to install its own protective software to block malicious applications on its own servers led them to be compromised, as hackers were adept in finding weaknesses that let the attackers make use of stolen Bit9 certificates for their own malicious software. That way, the attacker’s software looked as though it had been issued by Bit9.

- Through its technology, Google warned a number of journalists using Gmail that their accounts might be the target of state-sponsored hacking by the country of Myanmar, a charge hotly refuted by the Myanmar president’s spokesman.

- Burger King’s Twitter account was hacked, with the attacker changing the Twitter photo to a McDonald’s logo and saying Burger King had been sold to McDonald’s.

- The non-profit education community membership organization EDUCAUSE said its server that maintains the .edu domain information and member profile information was breached, which may have compromised other EDUCAUSE website profiles, including names, titles, e-mail addresses, usernames, and passwords.

- The Financial Industry Regulatory Authority fined five affiliates of the ING Groep NV $1.2 million after finding that the units of the Netherlands-based banking company had failed to retain or review millions of emails for various periods between 2004 and 2012.

- The administrators of a popular iOS developer Web forum called iPhoneDevSDK confirmed that it had been compromised by hackers who used it to launch attacks against its users. At about the same time, Facebook revealed its employees were also targeted and it apparently occurred “when a handful of employees visited a mobile developer website that had been compromised.” Apple also said a small number of the company’s systems had been compromised and infected with malware. Microsoft later said a small number of computers, including some on its Mac business unit, may have been infected the same way.

- Websites affiliated with broadcaster NBC were hacked for several hours on Feb. 21, serving up malicious software intended to steal bank account information.

- Zendesk said a hacker gained access to support information for some customers of its online helpdesk software. The company has more than 20,000 customers, including Sears, Xerox and Groupon.

- Microsoft’s Azure cloud suffered a worldwide outage in storage services on Feb. 22 because of an expired SSL certificate. The company took steps to update the SSL certificate and apologized for the “inconvenience this causes our customers.”

- Bank of America (BoA) said a data breach of internal e-mails related to monitoring of the hacktivist group Anonymous was basically the fault of a third-party contractor which was compromised but wasn’t named. Some of the e-mail correspondence showed that TEKsystems had been working with BoA to monitor public activity by hacker groups targeting the bank. The hacker group that claimed to have posted more than 500 emails went by the name Par:AnoIA.

MARCH 2013

- Evernote, which makes business and consumer productivity software, forced all its 50 million users to change their passwords after detecting a hacker intrusion on its systems. The attacker is said to have gained access to Evernote accounts’ usernames, email addresses and passwords, though the passwords were encrypted. The company said there’s no evidence the hackers got hold of user content or customers’ payment information.

- CloudFlare, the company whose service speeds up delivery of web pages, briefly dropped off the Internet for about an hour after its Juniper routers choked on a slight programming change that had been designed to deflect a distributed denial-of-service attack that had been underway against one of its customers.

- The European Union Commission fined Microsoft the Euro equivalent of about $733 million for breaking the terms of an earlier agreement made in 2009 to offer users a choice of Internet browser.

- Prison inmate Nicholas Webber, said to be a convicted cybercriminal, hacked into his prison’s mainframe after being allowed to take an IT course in 2011. This was learned during a tribunal in Great Britain related to an unfair dismissal claim, in which the IT teacher at the time, Michael Fox, said it wasn’t his fault, though he believes the incident contributed to his being laid off.

- A website called Annualcreditreport.com that provides U.S. consumers with a free annual credit report was apparently the source used by hackers to download credit reports of celebrities including Beyonce and government officials, including FBI director Robert Mueller.

- Google agreed to pay a $7 million fine to settle a multi-state investigation into Google’s interception of personal e-mails, passwords and other sensitive information transmitted several years ago over unprotected wireless networks in neighborhoods. Google didn’t acknowledge any wrongdoing in the settlement that covers 38 states and the District of Columbia.

- The U.S. National Vulnerability Database was temporarily taken down by its managers at the National Institute of Standards and Technology after malware was discovered on the site and traced to a software vulnerability.
