The 10 Biggest Security Stories Of 2011
In 2011, no one was safe from cybercriminals -- even security vendors. Hackers also went after entertainment companies, social networks, banks and universities in their search for bounty. As a result, millions of people found their personal information compromised and at least one company declared bankruptcy as a result of failing to build adequate defenses. Besides the usual search for the numbers of credit cards and bank accounts, criminals made cyber-espionage a priority, targeting corporate and government networks.
So, as Sgt. Phil Esterhaus of the hit TV series "Hill Street Blues" use to tell cops heading out to the streets, "Hey, let's be careful out there." Those that don't could end up like one of the organizations featured in the 10 biggest security stories of 2011.
Whistleblower site WikiLeaks made news this year as perpetrator and victim. The site published in August another batch of U.S. diplomatic cables that came from a comprehensive cache of 250,000 State Department documents. The site released the first batch in November 2010.
Within days after the August release of 134,000 cables, WikiLeaks was struck by a denial-of-service attack, apparently in retaliation. About 170 cables named U.S. diplomats whose identities were protected, including a United Nations official in West Africa and a foreign human rights activist working in Cambodia. The release-attack scenario was similar to what happened in 2010, when a hacker calling himself The Jester took credit for shutting down the site. The perpetrators of this year's attack are not known.
Chinese hackers launched in July a massive attack against the Cyworld social network in South Korea and the Nate Web portal run by SK Communications. SK owned Cyworld, which was used by renowned Korean socialites and celebrities, as well as average Koreans. The attacker compromised the accounts of 35 million people, stealing phone numbers, email addresses, names and encrypted information. The Korean Communication Commission traced the attack back to computer IP addresses based in China. The huge hack followed a series of cyber-attacks against South Korea's government and financial institutions. Institutions targeted included a government-backed bank, Hyundai Capital, Korean government ministries, the National Assembly, the country's military headquarters and networks of U.S. Armed Forces based in Korea.
In August, Yale University sent letters to alumni, faculty and students, warning them that the names and social security numbers of 43,000 people associated with the school had been available on Google search for the last 10 months. A 1999 computer file containing the information was moved to an insecure section of a server, where it could be searched by Google. The file was later removed and Google purged it from its search engine. The university said there was no evidence that the publicly disclosed information was misused or that the information had been available to other major search engines, such as Yahoo and Microsoft Bing.
Security firm HBGary, which had publicly declared war on the hacker group Anonymous, reported in February that the infamous group had defaced HBGary's homepage and stole 60,000 corporate e-mails and posted them to Pirate Bay, a Swedish site that lets millions of people share multimedia, computer games and software via BitTorrent. Anonymous also hacked the Twitter account and LinkedIn profile of Aaron Barr, chief executive of HBGary Federal, the subsidiary of HBGary that had been working to uncover the identities of the actors behind Anonymous. The company had been boisterous in its campaign to unmask Anonymous. HBGary had reportedly been preparing to turn information over to the FBI, which was investigating attacks on PayPal and Amazon. The companies had become targets of Anonymous after they cut ties with whistleblower site WikiLeaks.
DigiNotar, the Dutch certificate authority owned by Illinois-based Vasco Data Security, was forced to declare bankruptcy three months after the company's computer systems were hacked and 500 fraudulent digital certificates were issued for major Internet companies, including Google, Mozilla and Skype. A hacker entered the corporate network in June, but the intrusion wasn't detected until a month later. By then, the intruder had the certificates. DigiNotar didn't disclose the breach until late August, about the time Google revoked DigiNotar certificates. Microsoft soon followed suit by blocking Windows computers from accepting DigiNotar's certificates.
Google took the action after receiving reports from Iranian users that someone had tried to get between them and encrypted Google services. An audit by security Fox-IT in the Netherlands showed that DigiNotar had failed to implement effective passwords, up-to-date software patches and anti-virus protection.
In May, hackers broke into CitiGroup online banking system and stole personal data from more than 200,000 credit-card customers, or roughly 1 percent of the bank's 21 million customers in North America, which is here the hack occurred. The thieves took customer names, account numbers and email addresses, but failed to abscond with social security numbers, card expiration dates and CVV codes, all of which would have made the stolen information even more useful. Nevertheless, security experts said what was stolen could give hackers enough fodder to trick people into revealing more info through phishing scams. The break-in sparked increased scrutiny from federal regulators concerned whether current requirements were enough to protect bank customers.
Duqu emphasized once again the cyber-threat against computer-run industrial control systems. Discovered in October, the malware was believed to be an electronic spy meant to gather information for a more serious attack later. Duqu is similar to the Stuxnet malware, but didn't have the destructive payload of the latter. Discovered in 2010, Stuxnet is believed to have damaged the control systems in Iran's nuclear facility. Duqu was found in the systems of industrial suppliers and factories. Its purpose was to steal electronic documents and send them to a command and control server operated by hackers, experts believed. At least six organizations in as many as a dozen countries had Duqu-infected computers. The malware took advantage of a zero-day vulnerability in Windows. Microsoft released a patch for the security hole shortly after the flaw was discovered.
In March, email marketing firm Epsilon Data Management disclosed that hackers had penetrated corporate databases and stole e-mail addresses of roughly 2 percent of its 2,500 customers. A division of Alliance Data Systems, Epsilon had many high-profile customers, including Best Buy, Citibank, J.P. Morgan Chase, TiVo and the Walt Disney Co. A total of 50 companies were affected by the breach, which occurred via a spear phishing campaign. While personal data was not stolen, Epsilon warned customers that the booty could be used to create fraudulent email in an attempt to get people to open malware-carrying attachments. CyberFactors, a risk and analytics firm, estimated the breach would cost Epsilon as much as $225 million in liabilities and $45 million in lost sales.
Also in March, customers of EMC's security unit RSA were scrambling to protect themselves against a security vulnerability in SecurID tokens, used for two-factor authentication for remote VPN access. EMC said cybercriminals had targeted the flaw in sophisticated attacks against defense contractors and government organizations. Weapons manufacturer Lockheed Martin acknowledged that it was targeted by hackers looking to exploit the vulnerability. EMC said it shelled out $66 million in the second quarter for reparations following the attacks. A Gartner research analyst said the security breach cost the banking industry from $50 million to $100 million to hand out to employees new SecurID devices used to access corporate networks.
Sony suffered two major security hacks this year that exposed millions of customers to cyber-criminals. The first occurred in April, compromising up to 70 million customer records connected to the Sony's PlayStation Network and Qriocity services, which had to be taken offline temporarily. Stolen information included user names, passwords, online IDs, customer addresses and email addresses. Sony said profile data may also have been taken, including purchase history, billing addresses and answers to security questions. While the company didn't believe that credit card data was stolen, it couldn't rule out the possibility.
The second attack occurred two months later when hackers broke into the computer networks of Sony Pictures and stole personally identifying information from 1 million customers. The hacker group LutzSec claimed responsibility for the breach.