2010: security bungles, breaches & blitzes
With 2010 all but behind us, we take a look at the year that was from the eye of best (or worst) data breaches, blitz attacks and plain stupid security.
(Doh image by Hobvias Sudoneighm, CC2.0)
Swiss banks busted
What: Breach
When: February
Headlines broke around the world that the German Government had bribed a Swiss bank employee to obtain a list of its citizens that had embezzled euros in the notoriously secret banks to avoid paying tax. The news left the government red-faced but the names were kept according to a report by the Swiss Review, a whopping CHF 1.7 trillion was able to be made taxable and pulled out of the country.
ATM jack hits paydirt
What: Blitz
When: July
Barnaby Jack enjoyed victory as his proof-of-concept attack caused an automatic teller machine to pump-out cash onto a stage, in front of a rapt Blackhat audience. He spent a year poring over codes from four ATMs and found vulnerabilities in each that allows cash to be dumped.
Social security
What: Blitz
When: July
An Australian penetration- tester managed to smooth talk his way past perhaps a million dollars worth of security training and hardware designed to prevent espionage and obtain enough information to pop a beverage giant's network open.
It was all for fun, though, being part of the Defcon Capture the Flag event in the United States this year.
Filet-O-Phish: details stolen in Maccas hack
What: Breach
When: December
McDonalds lost thousands of customer details to a hacker, including names, phone numbers and street and email addresses after a hacker broke into the fast-food restaurant's US marketing partner and stole customer details. The fast-food chain issued warnings of pending phishing scams.
Bad signals
What: Breach/Bungle
When: During 2010
It seems shocking that telcos can get their wires crossed so often. Telstra managed to reveal customer data via electronic and snail-mail errors, while internet provider TPG revealed a list of its business customer emails.
Apple loses intellectual property in a pub
What: Bungle
When: April
Perhaps Apple is just too laid back, too cool, too hip. Why else would you let a staffer take a prototype iPhone 4 into a pub? Gizmodo reportedly purchased the phone for US$5000 from a student who found it at a Redwood City pub.
McGaffe
What: Bungle
When: April
If you think pressing send on a vindictive email is gut-wrenching, spare a thought for McAfee. It sent out a dodgy antivirus signature that crashed millions of machines, sending many into continuous reboot cycles. Coles supermarkets were in turmoil, Commonwealth Bank staff couldn't use computers and many other organisations had issues too. Then came the compensation claims.
Elementary error
What: Breach
When: March
The names and addresses of some 3.3 million United States students were taken from the headquarters of a Minnesota loan guarantor via portal media. Educational Credit Management Corp lost the names, addresses, date of birth and Social Security numbers of borrowers in what is said to be the largest-known data breach of the year.
Corker Gawker hack
What: Bungle
When: November
Media publication Gawker made faceless online collective Anonymous angry one time too many and was hacked, with its source code and 1.3 million reader accounts stolen, including usernames and passwords. The information was released on infamous Bittorrent website The Pirate Bay.
The company weathered the breach well, but its users are now potentially at risk of fraud and identity theft if they've been using the same log-in information to access external accounts. Some users linked to the hackers responsible had allegedly planned to hold onto government user information for future attacks.
Wikileaks
What: Breach
When: If you don't know that, you must live under a rock...
Whether you consider the leaking of United States diplomatic cables a catalyst for a quantum shift in government transparency or a dull cheap read, the shake-up within global politics is undeniable. The fall-out saw calls by radical US Republicans for whistleblower Julian Assange to be executed and internet users decide to hack and attack organisations that blacklist Wikileaks.
Stuxnet
Why: Blitz
When: July
Stuxnet is arguably the latest, greatest case-in-point for cyberwar-believers. IT security analysts discussed who could have the resources to make the Stuxnet malware, whether it is seen as an act of war, and whether it was targeted specifically at Iranian nuclear plants, and what the mysterious 'i' embedded into the code could mean. Iran admitted Stuxnet had infected machines but denied claims it had taken down more than 100 frequency converters that control motors in Iran's uranium enrichment production facilities.
It is widely acknowledged to be the most technically advanced and potentially devastating piece of malware ever seen.