The worst security SNAFUs of 2013
- 17 December, 2013 19:16
This year's award for "Biggest Security SNAFU" can only go to the National Security Agency. Since June, NSA officials have winced as former NSA contractor Edward Snowden began dispensing secrets to the media about how NSA carries out massive surveillance around the world using advanced technology.
The NSA wasn't using enough security technology internally to even begin to stop Snowden from roaming through its super-secret networks to fish out what's now believed to be many thousands of sensitive documents related not only to NSA's massive data collection practices across the Internet but also traditional spy vs. spy operations, much of which has not yet gone public.
The Snowden revelations so far have generated a backlash against the intelligence agency from privacy advocates everywhere as well as the U.S. high-tech industry, which has to cooperate with the NSA under U.S. law. And foreign leaders of countries considered friends to the U.S are enraged their private calls and data were intercepted for years. There's no reason to think that there won't be more on this score.
There have been plenty of "security SNAFUs" to go around this year. The media, too, were on the receiving end as the New York Times, Wall Sreet Journal, CNN, Washington Post and others all reported that networks used by their employees had been hacked by attackers from China, likely for cyber-espionage, or the Syrian Electronic Army, out of political anger. Also, the stability and security of a key part of the financial system, the electronic stock exchanges, was sometimes shaky.
+ MORE ON NETWORK WORLD The biggest security SNAFUs of 2013...so far +
There are so many SNAFUs, in fact, we listed details about the ones occurring the first half of 2013 in our June story. From there, we now pick up the trail of data breaches, cyber-espionage, cyber-extortion and infrastructure collapse. And sometimes it was simply just plain cyber-stupidity.
The U.S. Department of Commerce's Economic Development Administration (EDA) destroyed about $170,000 worth of IT equipment including computers, printers, keyboards and computer mice last year on the mistaken belief that the systems were irreparably compromised by malware. According to the Commerce Department's Inspector General that looked into what happened, the bureau was poised to destroy an additional $3 million worth of IT equipment but was prevented from doing so by a lack of funding for the effort. EDA, whose computer network had been infected by viruses, thought it was under an intense cyber-attack, and employees there spent months without e-mail of access to Internet servers and databases as they sought to build a new network. The Inspector General, however, said the disruption was simply due to a common malware infection on six computers that could have been erased with anti-malware tools and other steps.
The Michigan Department of Community Health notified more than 49,000 individuals that a server was hacked, exposing their names, birth dates, Social Security numbers, cancer-screening test results and testing data.
New York State's Office of the Medicaid Inspector General announced that an employee there sent 17,743 records of Medicaid recipients to a personal e-mail account, an action wholly unauthorized by supervisors.
The University of Delaware said its investigation into a cyberattack determined that confidential information on more than 74,000 individuals was stolen by attacks exploiting a website vulnerability. The data breach is expected to cost the university millions of dollars.
St. Mary's Bank, a credit union in New Hampshire, disclosed that malware discovered on an employee computer may have spread to two dozen other computers there. The malware was designed to capture information. The credit union notified 115,775 customers their personal information may have been exposed.
The U.S. Internal Revenue Service mistakenly posted tens of thousands of names, addresses and Social Security numbers -- perhaps as many as 100,000 -- on a government website, a discovery made by a group called Public.Resource.org.
Game maker Ubisoft disclosed that an account database was breached, revealing user's personal information.
The U.S. military blocked access to the Guardian's website for troops in Afghanistan, the Middle East and South Asia because the Guardian was filled with new stories about the NSA disclosures from Snowden. By way of explanation why it was doing this, US Army Lt. Col. Steve Wollman told the Guardian, "U.S. Central Command is among the DoD organizations that routinely take preventative measures to safeguard the chance of spillage of classified information on to unclassified computer networks, even if the source of the information is itself unclassified. One of the purposes for preventing this spillage is to protect Centcom personnel from inadvertently amplifying disclosed but classified information. Classified information is prohibited from specific unclassified networks, even if the information has already been published in unclassified media that are available to the general public, such as online news organizations."
WellPoint agreed to pay the U.S. Department of Health and Human Services $1.7 million to settle potential violation of HIPAA data security rules related to a data breach involving personal information on more than 612,000 policyholders that occurred three years ago.
Canonical, which maintains the online Ubuntu Forums for the Ubuntu operating system, acknowledged a data breach in which about 1.82 million logins and e-mail addresses were stolen.
Apple announced an intruder broke into its developer website and downloaded the personal information of users registered at Developer Center, prompting a shutdown of the site for a week while Apple made security changes. An independent security researcher, Ibrahim Balic, claimed responsibility for the security breach incident in which it appears he gained access to about 100,000 Apple Developer center accounts but said "this is definitely not a hack attack; I have reported all the bugs. I am not a hacker, I do security research."
The U.S. Marshalls Service, a federal government agency, lost track of at least 2,000 encrypted two-way radios and other communications devices valued at millions of dollars, according to an investigative report by the Wall Street Journal.
French web hosting firm OVH disclosed that a hacker compromised the company's European customer database and gained access to an installation server in Canada. OVH said the attacker gained access to a system administrator's e-mail account, and from there used that account to gain access to another employee's VPN credentials, and kept moving through the internal network.
Microsoft apologized after a three-day outage of Outlook.com, saying the issues stemmed from a failure in caching service of Exchange ActiveSync. Microsoft had other troubles this month, too, having to withdraw an Exchange Server security patch because it was buggy, admitting it had failed to adequately test the patch.
Facebook founder Mark Zuckerberg had his Facebook page hacked by an irate security researcher who was frustrated in trying to report a security flaw to Facebook and got mad and used the flaw to hack Zuckerberg's Facebook wall instead.
Missouri Attorney General Chris Koster warned consumers in that state to be on the alert for fraud because computer problems that were identified at the Missouri Credit Union exposed personal information online. The credit union itself notified 39,000 members and former members about the data breach.
Ferris State University in Michigan disclosed that names and addresses for about 39,000 individuals -- mainly current, former and prospective students and employees alike -- were inadvertently accessible "after an authorized person evaded network security."
An unencrypted laptop was stolen from a Republic Services' employee's home which had personal information on about 82,160 current and former employees at the Phoenix-based waste management company.
Healthcare provider Cogent Healthcare disclosed in August that information related to about 32,000 patients seen by its doctor groups had been compromised after a security lapse by vendor M2ComSy related to its firewall allowed this patient data to be exposed to the Internet and even indexed by Google.
Aircraft manufacturer Northrop Grumman disclosed an unauthorized access to a database containing personal information occurred between November of last year to May of this year. Separately, the company's retiree health plan reported 4,305 enrollees were impacted in a paper-records data breach involving CVS Caremark.
Virginia Polytechnic Institute and State University had a server in the human resources department illegally accessed, which held information on 114,963 individuals who had applied for jobs there. Associate vice president for university relations, Larry Hinckler, said, "The issue is someone on our staff goofed."
The U.S. Department of Energy told its employees that hackers had gained personal information, including Social Security numbers on about 14,000 current and former employees. The DoE earlier in the year said computer systems were hacked to steal information on contractors.
In late August, China was hit by what was described as the "biggest cyberattack in its history," according to the China Internet Network Information Center, the state agency managing the country's .cn domain. The large-scale distributed denial-of-service attacks were said to be so substantial they slowed down Internet response time noticeably for the country's Internet users accessing some targeted websites with the .cn domain.
Texas television station KXAN investigated and reported how Texas-based homebuilder D.R. Horton had dumped a large amount of documents related to loans, copies of checks, purchase orders and site plans into large dumpsters on school campuses. After the TV station's report, D.R. Horton said it simply wanted to help the school's re-cycling program which gets paid for each ton of paper it collects. The company eventually went back to retrieve the outdated D.R. Horton files.
The Los Angeles school system was providing Apple iPads to students at Westchester and Roosevelt high schools but decided to take them back after students there managed to skirt security measures that were intended to block free browsing of the Internet. Students explained they simply wanted to get to social networks and music streaming sites.
Bitcoin, the crypto-based electronic currency that surged in value this year, saw a growing number of thieves managing to make off with stolen BitCoin, which exists digitally and generally only password-protected. A popular Bitcoin forum, Bitcointalk.org was hit by a cyberattack in which attackers calling themselves "The Hole Seekers" left a video followed by the message, "Hello friend, Bitcoin has been seized by the FBI for being illegal. Thanks, bye." The hack occurred just after the FBI seized $3.6 million worth of the digital currency as part of its shutdown and arrest of the alleged operator of the Silk Road, an online market of mostly illicit goods.
U.S. officials said Iran hacked unclassified Navy computers as part of an escalating cyber-espionage operation, according to a Wall Street Journal article based on unnamed sources.
Some NSA workers abused their surveillance privileges by electronically spying on spouses, girlfriends and boyfriends at least 12 times over the last decade, according to the NSA's own Inspector General.
A 19-year-old man, Jared James Abrahams, of Temecula, Calif., was charged with hacking webcams at the home of Miss Teen USA, Cassidy Wolf, and other women to extort nude photos and videos from them. According to the FBI affidavit, Abrahams used malicious code to remotely operate webcams of at least seven women as they changed clothes. Some he knew personally and others he found by hacking Facebook pages. Abrahams, a college freshman majoring in computer science, allegedly threatened to post the photos on hacked social media accounts unless they sent him nude photos or logged into Skype video and followed his orders for five minutes. Some under-age girls complied. The Abrahams case follows similar recent cases, including that of Karen "Gary" Kazaryan who pled guilty in July to hacking into hundreds of social media and e-mail accounts to get women to pose naked for him.
A seven-month investigation by security reporter Brian Krebs revealed that an organization calling itself SSNDOB compromised networks associated with Dun & Bradstreet, LexisNexis and Kroll Background America which all aggregate personally-identifiable information on people for purposes that include credit reporting.
In its announcement about shutting down, Nirvanix, the now-defunct cloud storage company, gave its customers two weeks to get their data out of the cloud.
A glitch in Google Talk routed instant messages incorrectly one day, exposing private text chats to unintended recipients, a problem that Google did manage to fix within a few hours. The problem followed a Gmail bug that took about 10 hours to fix and hit close to 50% of the webmail users. Amazon Web Services also suffered an outage on Friday the 13th.
Personal information on more than 2 million Vodafone Germany customers was stolen by a hacker, the company acknowledged, saying the attacker got names, addresses, bank account numbers and birth dates.
The press release distribution outlet PR Newswire used by tens of thousands of companies confirmed that hackers stole a database containing customer credentials and contact information. The database was discovered on the same hacker server where stolen source code for Adobe was found.
The Malaysia Network Information Center announced that a compromised re-seller account resulted in www.google.my and www.google.com.my being re-directed for a few hours to a page controlled by a group of hackers calling themselves Team Madleets. MYNIC did not identify the impacted re-seller. A week earlier, a pro-Palestinian group got entry to Network Solutions' network and modified its DNS records for the websites of the security firms AVG and Avira, the messaging platform WhatsApp, RedTube (a porn site) and Alexa, a Web metrics company. In August, hackers claiming to be the Syrian Electronic Army compromised an Australian IT services company, Melbourne IT, and modified DNS records that affected Twitter, the New York Times, the Huffington Post and ShareThis.
A 28-year-old British man, Lauri Love, was charged with hacking thousands of computer systems in the U.S. and elsewhere, allegedly inserting backdoors into compromised systems so he could return at a later date to steal confidential data. He was released on bail until Feb. 14, 2014, according to reports.
Adobe disclosed that about 38 million usernames and encrypted passwords of customers were stolen in a cyberattack and that the attacker had decrypted some accounts' credit-card systems using Adobe's own internal systems.
A glitch in Walmart systems in Louisiana temporarily removed the spending limits on food stamps recipients' cards, which led to a food shopping frenzy in Walmart stores in Springhill and Mansfield there. The Louisiana Department of Children and Family Services says Walmart has to foot the bill because it's their responsibility to take action when glitches happen, such as calling a number to verify customers' card limits.
CryptoLocker malware encrypts the victim's files so they can't be opened before paying a ransom, usually several hundred dollars in electronic BitCoin money, for the encryption key. CryptoLocker started spreading via e-mail attachments in the September timeframe, and many were shocked when even the Swansea Police Department in Massachusetts paid extortion money to in Bitcoin the CryptoLocker attackers to decrypt its police files.
Six alleged participants in a $45 million global Automated Teller Machine (ATM) fraud operation were arrested by federal prosecutors in New York, including one man caught on video who was supposedly stuffing $800,000 into a suitcase. The defendants allegedly used bogus payment cards and had managed to raise the withdrawal limits on the cards after breaking into prepaid Visa and MasterCard credit-card processors in the U.S. and India, which handled transactions for the Bank of Muscat, based in Oman, and the National Bank of Ras Al Khimah PSC, also known as RAKBANK, in the United Arab Emirates. The defendants, who include Anthony Diaz, 24; Saul Franjul, 23; Saul Genao, 24; Jaindhi Polanco, 29; and Jose Angeley Valerio, 25, all pled not guilty to charges of conspiracy to commit access device fraud.
The web software site PHP.net acknowledged some servers were compromised and used to attack visitors. The incident began to come to light after Google flagged PHP.net for suspected malware.
Futures-exchange operator CME Group acknowledged it had been the victim of a "cyberintrusion" in July which compromised some customer information, and was working with the FBI. Other stock exchanges had their own kinds of data-stability troubles this year. The Nasdaq on Nov. 1 had to halt trading on its Nasdaq Options Market due to technical problems following a problem a week earlier with the Nasdaq Composite indexes. In August, the Nasdaq Stock Market froze trading for three hours, with a shorter outage following a week later. Also that month, CBOE Holdings, operator of the U.S. options exchange by trading volume, said it was also hit by a data glitch that upset some trading. In December, the group called the World Federation of Stock Exchanges, which has 62 members across the globe, set up a new cybercrime unit to combat what it says are rising cyber attacks on the financial market infrastructure.
A French government agency was suspected of deliberately spoofing Google certificates but the Agence Nationale de la Securite des Systemes d'Information (ANSSI) says the bad certs were all a mistake. After Google noticed the unauthorized certificates, it immediately updated Chrome's certification revocation list to block the certs and notified ANSSI and other major browser vendors. A Google security engineer said ANSSI found at least one cert had played a role in inspecting encrypted traffic without the knowledge of the users on the network. An ANSSI spokesperson reportedly said "no incident of this kind will ever happen again."
A botnet dubbed "Pony" collected about 2 million login credentials for Facebook, LinkedIn, Twitter, and other online services directly stolen by dropping malware on users' computers across the world, according to Trusteer, which discovered the stolen credentials on a server in the Netherlands. Payroll processor ADP said it reset the passwords of 2,400 clients related to the information provided by Trusteer, but doesn't believe its internal network was compromised.
JP Morgan warned that about 465,000 pre-paid cardholders were affected in a data breach, but since there was no evidence of fraudulent activity related to these cards and accounts, the bank will not be issuing replacement cards.
Over the course of the year, the Syrian Electronic Army (SEA), a hacking group thought to back Syrian President Assad in the bloody civil war there, made several successful strikes, mainly against the media, often with the goal of inserting false information into the news stream. SEA broke into the Twitter accounts of the Associated Press, Reuters, the Onion, and ITV News, plus President Obama's Organizing for Action Twitter account. SEA also broke into servers belonging to Trucaller, Viber, and also executed a phishing attack against Outbrain. SEA also managed to disrupt the DNS server for the New York Times, causing it to go offline, and Twitter itself, where SEA registered itself as admin and tech control. At various times, the NY Times, Huffington Post and Twitter were knocked down online by SEA. The hacking group also broke into the web server of the U.S. Marines.
A Pennsylvania man, Andrew Miller, pled guilty to hacking into multiple corporate, university and government computer networks and trying to sell the access for a profit. As part of the so-called Underground Intelligence Agency hacking group, Miller was nabbed after he tried to sell access to Lawrence Livermore National Laboratory's network to an undercover FBI agent for $50,000. The FBI didn't "buy" this but did have proof Miller had accessed two supercomputers there used by the Department of Energy. The BFI did "buy" access to computer servers from RNKtel.com, a Massachusetts telecom provider, plus servers from the Colorado ad agency Crispin Porter and Bogusky. In all, the FBI bought from Miller what court documents describe as a "massive database of thousands of log-in credentials into hundreds of computer networks," said to have been obtained by Miller while hacking into servers from Texas Internet service provider Layered Tech. For his crimes, Miller got 18 months in prison.
Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security. Twitter: MessmerE. E-mail: firstname.lastname@example.org
Read more about wide area network in Network World's Wide Area Network section.