The biggest security snafus of 2013 (so far)

From Verizon FIOS hack to the National Security Agency debacle, it's been one busy year in the security snafu arena

Page 2 of 3

- Microsoft said a botched firmware update led to the partial outage lasting about 16 hours. Some detail about it from Microsoft said a temperature spike impacting the servers played a role in it all in a data-center area where, and SkyDrive infrastructure is located, “so some people trying to access those services were impacted.”

- Computer networks of banks and some broadcasters in South Korea suffered a cyber-attack that disrupted business there. While at first pointing to North Korea as a possible source of the attacks, South Korean investigators later backed down from that stance, saying they had no proof.

- Several Xbox Live accounts for former and current Microsoft employees were compromised by attackers using social engineering techniques, Microsoft said. This may be related to another attack based on social engineering that targeted security reporter Brian Krebs, whose reporting on Russian crime sites likely gained him some enemies. One day Krebs' residence was surrounded by a police SWAT team after a caller falsely reported a break-in there.

- Google Drive, the cloud storage and applications suite used by millions at home and at work, suffered three outages in one week, apparently caused by a bug in the Google network’s control software.

- A former Defense Department contractor in Hawaii, 59-year-old Benjamin Pierce Bishop, was convicted of espionage in giving his 27-year-old Chinese lover classified information about nuclear weapons, missile defense and radar systems. In a separate case, Sixing Liu, a Chinese citizen who worked at L-3 Communications’ space and navigation division, was sentenced in federal court in Newark to over five years in jail for taking thousands of files about a disk resonator gyroscope, designed to support precision targeting without satellite guidance, and other defense systems to China in violation of a U.S. arms embargo. Liu had told his supervisor he was going on vacation to Chicago but instead went to China, where federal prosecutors believe he may have wanted to get a job at a Chinese aeronautical institute.

- A Wisconsin resident, 37-year-old Eric Rosol, was charged with participating in a distributed denial-of-service attack in Feb. 2011 against Koch Industries by hacker group Anonymous. If convicted, Rosol faces up to five years in federal prison and a total fine of $500,000.

- A large and prolonged distributed denial-of-service (DDoS) attack hit The Spamhaus Project, a European spam-fighting group. A month later, a Dutch man with the initials “SK” was arrested in Spain by Spanish authorities and charged with participating in the attack. Later in May, “SK” — identified by one official as Sven Kamphuis, a spokesman for the Stophaus movement — was extradited to the Netherlands as the investigation into the attack proceeds.

- Wells Fargo’s banking website suffered disruptions after a group calling itself the al-Qassam Cyber Fighters said it had stepped up efforts to prevent access to it by Wells Fargo customers. American Express also said its website had been hit by a DDoS attack.

APRIL 2013

- Security vendor Sophos said it updated the software for its Web gateway security appliance in order to address three serious vulnerabilities that would allow attackers to gain access to configuration files containing sensitive information like plaintext passwords for other internal network services, and other issues.

- Two of Japan’s major Web portals were hacked, with one warning that as many as 100,000 user accounts were compromised. Goo, the portal owned by network operator NTT, said it had no choice but to lock 100,000 accounts to prevent illicit logins. Separately, Yahoo Japan said it discovered a malicious program on company servers that had extracted user data for 1.27 million users, but was stopped before it leaked any of the information outside of the company.

- Online Bitcoin storage service Instawallet said it was accepting claims for stolen bitcoins after the company’s database was fraudulently accessed.

- The Department of Defense Inspector General issued a report critical of how the U.S. Army was handling security for mobile devices, including tablets and smartphones, calling the efforts so far a failure.

- North Korea’s official Flickr and Twitter pages were vandalized, with the hacker collective Anonymous taking credit. The group posted an image of North Korean leader Kim Jong-un with pig ears and a Mickey Mouse tattoo on his stomach. The images said Kim is “wanted” for “threatening world peace with ICMBs and nuclear weapons.”

- In Florida, food delivery service Gainesville2Go said a fired ex-employee was to blame for an obscene message sent one morning to all customers in the company’s e-mail list and subsequent Facebook and Twitter posts. The delivery service manager, apologizing to customers, said the former employee had been fired a few days earlier but had passwords to access the accounts and decided to try and ruin the business. Also in Gainesville, Fla., the University of Florida sent out letters to 14,339 patients of the UF&Shands Family Medicine at Main practice, telling them they might be the victims of identity theft. Two people have been arrested in connection with that, including an employee at the medical clinic.

- Digital library and document-sharing website Scribd said it was hacked, though it believes only a small number of users, less than 1%, were impacted. Scribd recommended users change their passwords and said it was conducting a comprehensive security review.

- Apple’s iMessage and Facetime messaging systems were hit by a glitch that took the services offline for several hours in early April.

- American Airlines grounded all its flights the afternoon of April 16 after experiencing numerous outages in its reservation system. The airline carrier said it resolved issues with its Sabre system later that day.

- Office supply store chain Staples had to lock down its corporate systems one day when it discovered a malware attack spreading on its systems, according to CRN, which reported on it based on a notification in e-mail to Staples employees.

- Store chain Schnuck Markets revealed that 2.4 million credit and debit cards used at its stores may have been compromised in a cyber theft in which criminals may have installed malware in the company’s “processing environment,” as payment cards were awaiting authorization. The company said 79 of its 100 stores were impacted.

- The 21-year-old hacker found guilty of a long string of crimes, including distributing a keylogger Trojan disguised as a Call of Duty software patch, has pleaded guilty to launching DDoS attacks on the websites of Oxford and Cambridge universities, which indicated they spent two weeks dealing with the attacks. Separately, Lewys Martin was also accused by police of harvesting 300 credit cards during his keylogging campaign.

- A fake press release went across the Internet, claiming that Chinese search giant Baidu had made an offer to acquire social-gaming company Zynga. The fake release said Baidu was offering to buy Zynga for $10 a share and contained made-up quotes from executives to that effect. The hoax, refuted by the firms, didn’t get much attention, and the website, PR Urgent, that was hosting the bogus information took down the fake press release.

- After someone hacked an Associated Press (AP) Twitter account and posted a bogus tweet saying the White House had been attacked, the Dow, which had been up about 130 points, fell into the red for two minutes, erasing $200 billion of stock value, but bounced back quickly when it became clear the “news” was a hoax. A group called the Syrian Electronic Army took credit for the fake AP message. Other news organizations whose Twitter accounts were hacked that month include CBS and NPR. And oh, the fake news site The Onion was hacked, too.

- Sears, which owns Kmart, said a robbery the month before at a Little Rock, Ark., store resulted in a thief taking from a safe not just $6,000 in cash but the day’s backup disk that was unencrypted and apparently not password-protected. It included the full names, addresses, dates of birth, prescription numbers, prescribers, insurance cardholder IDs and drug names for some 788 customers, according to Sears, and some customer Social Security numbers.

- LivingSocial, the daily deals site owned in part by Amazon, acknowledged it suffered a cyberattack which it said “resulted in unauthorized access to some customer data from our servers.” That information included names, e-mail addresses, date of birth for some users, and encrypted passwords. The company, which admitted 50 million customers were impacted, did say no credit-card and other financial information was affected or accessed.

- An unknown perpetrator launched wide-scale brute-force attacks against WordPress installations at hosting providers in order to build a large botnet. “Tens of thousands to hundreds of thousands of these shared servers have been cracked by these techniques,” said the Anti-Phishing Working Group in its report. “Access and use of these boxes is then metered out in the criminal underground for all sorts of activities, including DDoS, malware distribution, and of course, phishing.”

- The U.S. Department of Labor website was hacked and malware loaded onto the Department of Labor’s server, attempting to compromise visitors through an IE vulnerability. The problem was later fixed.

- Personal information on 1,350 patients at Sonoma Valley Hospital in California was exposed after a hospital employee accidentally uploaded the data to the hospital’s public website on Feb. 14 but became aware of the breach on April 17.

MAY 2013

- The Chicago Board Options Exchange (CBOE) suffered system problems on May 2 that affected trading, and the glitch followed an outage the previous week that forced CBOE to delay trading for more than three hours.

- The Financial Times website and Twitter feed were hacked, with responsibility for that claimed by a group called the Syrian Electronic Army, which supports Syrian President Bashar al-Assad, apparently angered by the publication’s coverage of the Syrian civil war conflict.

- A 41-year-old man, Michael Meneses, was arrested for allegedly disrupting his former employer’s network after he was passed over for promotions and quit his job, causing an alleged $90,000 in damages by breaking into it with captured passwords and corrupting data, according to FBI information. Meneses, whose job at Spellman High Voltage Electronics Corp. entailed developing and customizing software, denied the allegations and was released on $50,000 bond.

- Eonline, the online entertainment news site, acknowledged its breaking-news Twitter and SMS accounts were compromised, and on May 4 said, “We apologize for any confusion that the enormous news alerts may have caused.” Other media websites, including those of Federal News Radio and WTOP and the Dvorak blog site, were also compromised and were pushing fake anti-virus malware.

- The defense contractor QinetiQ was compromised and information and intellectual property vital to national security was stolen by hackers associated with the Chinese People’s Liberation Army, over a three-year period, according to Bloomberg.

- A bi-annual report from the Pentagon to Congress said the Chinese government has targeted U.S. government computer systems for intrusion, a more direct accusation than had been made previously.

- A hacker named “Guccifer” hacked into the online accounts of the Council on Foreign Relations and also broke into e-mail and Twitter accounts of “Sex and the City” author Candace Bushnell, later posting images of a Word document containing the first 37,000 words of Bushnell’s next novel.

- Domain registrar forced its customers to re-set their account passwords following a security breach on the company’s servers that might have resulted in customer information being compromised, including usernames, email addresses, encrypted passwords, and encrypted credit-card information.

- Federal prosecutors in New York charged eight suspects in what was described as a cyber theft ring with stealing $45 million from banks around the world by hacking into them and committing crimes such as drastically increasing amounts available through credit cards. Their crimes are said to include withdrawing $400,000 in 750 separate ATM transactions at more than 140 locations in New York City in less than three hours and later withdrawing $2.4 million in 3,000 ATM withdrawals in just over 10 hours.

- After Goldman Sachs Group complained that the Bloomberg news division had access to Bloomberg customer log-in and usage data, Bloomberg decided to “disable journalistic access to this customer relationship information for all clients.”

- U.S. officials froze an account tied to the largest bitcoin exchange after regulators warned that organizations of this type should follow traditional rules on money laundering.

- It was learned that the U.S. Justice Department secretly examined two months of phone records of more than 20 lines belonging to the Associated Press and its reporters in what the Justice Department indicates is an investigation into whether any government officials gave the AP classified information about the CIA’s infiltration of an al Qaeda cell in Yemen. It triggered widespread condemnation that the Obama Administration was infringing upon free-press protections.
