The worst security snafus of 2012 – so far

In the first half of this year, mayhem prevailed, from hacker exploits to bad corporate behavior

Page 2 of 2

• Automotive manufacturer Nissan admitted a data breach involving employee user account credentials, and said it had spent some time removing the malware apparently responsible from its network before disclosing the breach.

• The hacker who stole Facebook's source code, Glenn Mangham of York, England, offered an explanation of why he did it, saying, "I was working under the premise it is sometimes better to seek forgiveness than to ask permission." He said he did little to hide his actions and had assumed that even if he were caught, Facebook would let him off the hook. That didn't happen: Mangham was sentenced to eight months in prison in February, though an appeals court reduced the sentence to four months in April. He said he held the source code for only three weeks and never intended to sell it to anyone who might exploit it, for scams for example. Mangham even made the grandiose claim that his basically good intentions saved Facebook from "potential annihilation."

• Payments processor Global Payments acknowledged a data breach in which up to 1.5 million card numbers were stolen, and in June also said it was investigating whether a server holding merchant applicants' information had been breached as well. Global Payments said some of the card brands had revoked its PCI DSS compliance status because of the breach and that it was working to regain it.

• Hackers claimed to have breached the systems of the Belgian credit provider Elantis and threatened to publish confidential customer information unless the bank paid $197,000 in extortion. Elantis confirmed the data breach but said it would not give in to extortion threats.

• Meanwhile, Anonymous claimed to have hacked a U.S. Department of Justice web server tied to the Bureau of Justice Statistics and released 1.7GB of data it said was taken from it, with the statement, "We are releasing it to end the corruption that exists, and truly make those who are being oppressed free." The data was offered on The Pirate Bay.

• Yahoo accidentally leaked the private key used to digitally sign its new Axis extension for Google Chrome; Axis is a search and browsing tool from Yahoo. Security blogger Nik Cubrilovic discovered that the package shipped with the private key Yahoo used to sign the extension, noting it gave a malicious attacker the ability "to create a forged extension that Chrome will authenticate as being from Yahoo." Because a Chrome extension's ID is derived from its public key, a package signed with the leaked key carries the same ID as the genuine one, so Chrome treats it as Yahoo's extension rather than as a new one. Yahoo released a new version of the Axis extension without the key after the disclosure.
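What a pre-release check for this kind of mistake looks like, as an added example that is not Yahoo's or Google's code: the script below unpacks a Chrome extension package (a CRX2 or CRX3 header followed by a zip, or a plain zip) and flags any member that carries a PEM private-key block or a key-like filename. The package, manifest, CRX header fields and PEM body are constructed for the demonstration; the PEM body is made-up text, not a real key.

```python
import io
import re
import struct
import zipfile

# PEM armour headers that mean "private key material", whatever the algorithm.
PRIVATE_KEY_HEADER = re.compile(
    rb"-----BEGIN (?:RSA |EC |DSA |ENCRYPTED |OPENSSH )?PRIVATE KEY-----"
)
# Filenames that usually hold keys; flagged even when the body is DER/PKCS#12 rather than PEM.
SUSPICIOUS_NAMES = re.compile(r"\.(pem|key|p12|pfx)$", re.IGNORECASE)


def strip_crx_header(blob: bytes) -> bytes:
    """Return the zip payload of a Chrome extension package.

    CRX2: 'Cr24' | version=2 | pubkey_len | sig_len | pubkey | sig | zip
    CRX3: 'Cr24' | version=3 | header_len | header | zip
    (all lengths little-endian uint32). A plain zip is returned unchanged."""
    if blob[:4] != b"Cr24":
        return blob
    version = struct.unpack("<I", blob[4:8])[0]
    if version == 2:
        key_len, sig_len = struct.unpack("<II", blob[8:16])
        return blob[16 + key_len + sig_len:]
    if version == 3:
        header_len = struct.unpack("<I", blob[8:12])[0]
        return blob[12 + header_len:]
    raise ValueError(f"unsupported CRX version {version}")


def find_private_keys(package: bytes):
    """Scan every member of a package and return [(member_name, reason), ...]
    for anything that looks like private key material. An empty list means clean."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(strip_crx_header(package))) as zf:
        for info in zf.infolist():
            data = zf.read(info.filename)
            if PRIVATE_KEY_HEADER.search(data):
                findings.append((info.filename, "PEM private key block"))
            elif SUSPICIOUS_NAMES.search(info.filename):
                findings.append((info.filename, "key-like filename"))
    return findings


def build_sample_package(include_key: bool) -> bytes:
    """Constructed toy extension package. The PEM body is made-up text, not a
    real key; only the armour headers matter to the scan."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("manifest.json",
                    '{"name": "Demo", "version": "1.0", "manifest_version": 2}')
        zf.writestr("background.js", "console.log('hello');")
        if include_key:
            zf.writestr("key.pem",
                        "-----BEGIN RSA PRIVATE KEY-----\n"
                        "MIIEpAIBAAKCAQEAthisisnotarealkey\n"
                        "-----END RSA PRIVATE KEY-----\n")
    return buf.getvalue()


def wrap_as_crx2(zip_bytes: bytes, pubkey: bytes, signature: bytes) -> bytes:
    """Prepend a CRX2 header (constructed; the key and signature are dummies)."""
    return (b"Cr24" + struct.pack("<III", 2, len(pubkey), len(signature))
            + pubkey + signature + zip_bytes)


if __name__ == "__main__":
    samples = (("clean zip", build_sample_package(False)),
               ("leaky crx", wrap_as_crx2(build_sample_package(True), b"pubkey", b"sig")))
    for label, pkg in samples:
        hits = find_private_keys(pkg)
        print(f"{label}: {'FAIL ' + str(hits) if hits else 'ok'}")
```

Run it against the artifact you are about to publish, not the source tree: the Axis leak was a packaging error, so the only scan that would have caught it is one over the bytes that ship. A hit on the armour header is definitive; a hit on filename alone deserves a manual look.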

• The University of Nebraska in Lincoln acknowledged a data breach that exposed personal information in more than 654,000 records on students and employees, plus parents and university alumni. The information was taken from the Nebraska Student Information Systems database; a student is the suspected culprit.

Other June snafus:

• Hacker gang Swagger Security struck again, this time breaching the networks of Warner Bros. and China Telecom, releasing documents and publishing login credentials. The group said it notified China Telecom of the hack by planting a message in the company's network. "Fortunately for them, we did not destroy their infrastructure and rendered [sic] millions of customers without communications," Swagger Security, also known as SwaggSec, said in a note.

• About 6.5 million password hashes belonging to LinkedIn users were stolen and posted online. LinkedIn acknowledged the breach but did not confirm a number, and the count of affected accounts may be considerably lower because the dump contained duplicates. The hashes were unsalted SHA-1, so common passwords could be recovered with a straightforward dictionary attack. LinkedIn invalidated the passwords of affected users and said it would email them, while warning that its notices would not carry password-reset links, since such links are a standard phishing lure.

• Right after the LinkedIn fiasco, dating site eHarmony also confirmed a breach in which about 1.5 million hashed passwords were exposed.

• The Federal Trade Commission announced that data broker Spokeo will pay $800,000 to settle FTC charges that it sold personal information gathered from social media and other websites to employers and job recruiters without the consumer protections the Fair Credit Reporting Act requires.

• A New York Times article asserting that the Stuxnet cyber-weapon was created by the U.S. with Israel, and launched in a covert action authorized directly by President Barack Obama against an Iranian facility suspected of developing a nuclear weapon, stirred up a firestorm of controversy in Washington about leaked information. With a second cyber-weapon built for espionage, Flame, now discovered and linked directly to Stuxnet, concern has grown: the International Telecommunication Union, a U.N. agency, warned countries that Flame is dangerous, and some say the U.S. is losing the moral high ground as its secret cyberwar efforts become known.
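Why the LinkedIn and eHarmony dumps above were so easy to attack, as an added example that is not code from either company (the LinkedIn hashes were unsalted SHA-1, a detail from contemporary analysis of the dump rather than from the items above): the script runs one dictionary attack against a constructed unsalted SHA-1 table and the same attack against the same passwords stored with a per-user random salt and PBKDF2, counting hash operations in each case. The password list, wordlist and user records are constructed, not real data.

```python
import hashlib
import os


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


# Constructed sample dump: what an unsalted SHA-1 password table looks like
# (made-up passwords for made-up users; not real LinkedIn or eHarmony data).
SAMPLE_PASSWORDS = ["linkedin", "password1", "letmein", "password1", "Tr0ub4dor&3", "linkedin"]
UNSALTED_DUMP = [sha1_hex(p.encode()) for p in SAMPLE_PASSWORDS]

# Constructed attacker wordlist.
WORDLIST = ["123456", "password", "linkedin", "letmein", "qwerty", "password1"]

PBKDF2_ROUNDS = 10_000  # illustrative; production values are higher


def crack_unsalted(dump, wordlist):
    """Dictionary attack on unsalted hashes: hash each candidate ONCE and look
    it up against the whole dump. Returns ({hash: password}, hash_operations)."""
    targets = set(dump)          # duplicate rows collapse into one target
    recovered, ops = {}, 0
    for word in wordlist:
        ops += 1
        h = sha1_hex(word.encode())
        if h in targets:
            recovered[h] = word
    return recovered, ops


def affected_accounts(dump, recovered):
    """Rows in the dump whose hash was recovered: the accounts actually exposed."""
    return sum(1 for h in dump if h in recovered)


def salted_record(password: str, salt: bytes = None):
    """Store a password as (salt, PBKDF2-HMAC-SHA1(password, salt)) with a
    fresh random per-user salt, the form an unsalted table should have had."""
    if salt is None:
        salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha1", password.encode(), salt, PBKDF2_ROUNDS).hex()


def crack_salted(records, wordlist):
    """The same attack against salted records: every candidate must be
    re-derived for every record, so work is up to len(records) * len(wordlist)
    slow hashes instead of len(wordlist) fast ones."""
    recovered, ops = {}, 0
    for salt, h in records:
        for word in wordlist:
            ops += 1
            if hashlib.pbkdf2_hmac("sha1", word.encode(), salt, PBKDF2_ROUNDS).hex() == h:
                recovered[h] = word
                break
    return recovered, ops


if __name__ == "__main__":
    found, ops = crack_unsalted(UNSALTED_DUMP, WORDLIST)
    print(f"unsalted: {len(set(UNSALTED_DUMP))} unique hashes, {len(found)} cracked, "
          f"{affected_accounts(UNSALTED_DUMP, found)} accounts exposed, {ops} SHA-1 calls")
    records = [salted_record(p) for p in SAMPLE_PASSWORDS]
    found, ops = crack_salted(records, WORDLIST)
    print(f"salted+PBKDF2: {len(found)} cracked, {ops} PBKDF2 calls of {PBKDF2_ROUNDS} rounds each")
```

The numbers are the point: against the unsalted table the six-word list costs six hashes and cracks every duplicate of a common password at once, while salting forces the attacker to repeat the work per account and a slow KDF multiplies the cost of each attempt. Neither stops a weak password from being guessed; they change the cost of guessing at scale.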

Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security.


Copyright © 2012 IDG Communications, Inc.
