2011: security's most spectacular stuff-ups

It has been a giant year in security, with numerous data breaches, a reassessment of whether certificate authorities are safe, accusations of hidden mobile spyware and companies given wake-up calls as to whether they're secure or not.

(IMG_3181 image by youngthousands, CC BY 2.0)

Sony's brands breached

Sony has not had a great year. After Anonymous threatened to target the company due to its controversial lawsuit against PlayStation 3 hacker George Hotz, the company's PlayStation Network (PSN) was hit with a breach that saw 70 million users' details put at risk.

The company received a taste of its own medicine, as that breach ignited a class-action lawsuit against it.

Although Sony claimed that the credit-card details were encrypted, hackers started trying to sell information that they claimed was stolen from Sony's systems.

From here on, Sony became the whipping boy for all hackers, with the breach spreading to its Sony Online Entertainment (SOE) brand.

Even once Sony was confident enough to bring the PSN back online, hackers found new exploits in the PSN, and continued to spread to Sony's other brands.

But despite the number and severity of the attacks, the Australian Privacy Commission found that Sony hadn't breached the Privacy Act.

Certificate Authorities found to be insecure

Companies that verify whether sites are who they say they are — Certificate Authorities (CAs) — have been in the spotlight after it was found that they are vulnerable to attack.

Comodo was the first to admit it had to revoke compromised certificates, getting the FBI involved. Two of Comodo's resellers were hit shortly after, but it wasn't until a fake certificate for Google surfaced in the wild that the wider community started to realise that the theoretical attacks that had been discussed were likely to be occurring in practice.

Dutch CA, DigiNotar, was badly hit, issuing 531 fraudulent certificates, and later being forced into bankruptcy.

The original "ComodoHacker" stepped forward, claiming responsibility for the attacks and saying that he had compromised GlobalSign, and, in his plans to expand globally, would attack more CAs.

GlobalSign quickly stopped signing certificates out of caution, but later found that its certificate-issuing infrastructure was safe.

Many CAs are trying to stay out of the limelight, however. The Electronic Frontier Foundation has already seen evidence that there are many more CAs that have been compromised, even though media reports have only picked up on a few.

Telstra exposes its customers

Telstra this year managed to accidentally expose its customers' details.

The privacy breach led Telstra to inform the privacy commissioner, and brought about criticism from security experts who claimed that the breach was worse than the Sony and Vodafone breaches. They highlighted the fact that Telstra's database system had no access control system in place, and, even worse, it had been indexed by Google Search, such that anyone could view it.

Telstra quickly pulled down the database and its email services over that weekend, and went into damage control, resetting over 60,000 customer passwords and forcing them to call Telstra to regain access.

Carrier IQ accused of spying on everyone

Analytics company Carrier IQ experienced the Streisand effect firsthand after it attempted to silence Android security-researcher Trevor Eckhart's claim that its software was being used to spy on users.

While Carrier IQ claimed that it did not and could not look at the contents of messages, photos and videos, Eckhart showed in a video how entire SMS messages were being recorded by the software. He claimed that the software provides participating carriers with information about how customers use their phones.

The software itself was also deeply embedded within the device, and was later found on iOS devices, albeit with the ability to turn it off.

Australian carriers have since been found not to use Carrier IQ's software, and further analysis of the Carrier IQ software in the US has found that there was no presence of a keylogger in the software, as previously thought.

The confusion over what its software is and isn't capable of has resulted in Carrier IQ coming clean and clarifying its services in a document (PDF), but not before Apple stated that it would remove Carrier IQ's software from future updates of iOS.

Shady RAT provides a wake-up call

System administrators for organisations around the world may have been double checking their security after McAfee security researcher Dmitri Alperovitch put out a report on "Operation Shady RAT", with the bold claim that "every company in every conceivable industry with significant size and valuable intellectual property and trade secrets has been compromised".

The report (PDF) attracted criticisms from rival security companies and researchers, which stated that the attacks had been blown out of proportion and weren't even that sophisticated. In addition, there was speculation over whether China was behind the attacks — a key issue that was skirted in the report and debated in the community.

It was not the only issue left without closure. Of the 72 organisations, virtually none of them wanted to be named, Alperovitch told ZDNet Australia. He said that these would have been government systems, banking systems and major companies that had been compromised.

Distribute.IT bailed out

If security researchers were worried that hackers might start hacking to vandalise, without concern for financial gain or even recognition, their fears were realised with the attack on Distribute.IT.

Unfortunately for Distribute.IT, it learned the necessity of offline back-ups the hard way. The attacker, who went by the hacker alias "Evil", and was later arrested over an attack on Platform Networks, erased not only Distribute.IT's production data, but also key back-ups, snapshots and other information necessary for post-attack recovery.

The future looked bleak for the company, which had to admit that it didn't have the resources to transfer its customers' domains and accounts to other parts of its platform and would have to find some way to let them go.

Netregistry eventually came to Distribute.IT's aid, acquiring the crippled company and offering its customers the option of moving their services to the Sydney Global Switch datacentre. However, the events had caused many to reconsider what company they engaged for their hosting.

Lulzsec laughs at everyone

Earlier this year, no one felt safe, as a group identifying themselves as Lulz Security, or Lulzsec for short, went on a rampage across the internet. It leaked information from governments and businesses, not for money, but simply for a giggle, and to demonstrate that no one was really as safe as they thought they were.

It also "="" class="c-regularLink" target="_blank" rel="noopener nofollow">called it quits after 50 days of hacks, leaving the security industry to ponder what would happen next.

Law-enforcement agencies, including the FBI and Scotland Yard, had other ideas, however. They began a spate of arrests, catching group members such as T-Flow and Topiary.

To further make an example of the group, law-enforcement crews also went after anyone that had supported Lulzsec, including Cody Kretsinger, who was suspected of assisting in Lulzsec's attack on Sony, and Ryan Cleary, who ran the one of the group's chat channels that they used to communicate.

Microsoft attacks botnets

Microsoft has had a successful year in an entirely different field for the software company — botnet removal.

In March, it conducted a co-ordinated raid on the Russian Rustock spam botnet by working in concert with US marshals. It involved raiding seven hosting facilities and seizing the command-and-control machines that ran them.

While it didn't pick up the operators at the time, it put out a US$250,000 reward to anyone that came forth with information leading to the arrest and criminal conviction of whoever was responsible for the botnet. It put out advertisements in two Russian newspapers, advertising an intended civil lawsuit against the botnet operators, and later handed the case over to the FBI.

It wasn't the only dealing that the company had with the FBI. It helped the three-letter agency in cracking down against the Coreflood botnet, and made efforts to re-jig its anti-malware tools to remove Coreflood infections on Windows machines.

It again went the way of the courts with the Kelihos botnet, filing restraining orders to get court permission to sever the connection between infected computers and the command and control server. It accused a Czech resident of hosting part of the botnet, and was later able to settle the case with him and gain an inside look at how the Kelihos botnet operated.

Vodafone continues unlucky strike

Even without the continuing fallout surrounding network issues, Vodafone has had a bad year, starting with the exposure of its customers' details after it was discovered that they were stored in an online database, available via a staff log-in.

Each Vodafone store was given a username and a password to access it, but since the log-ins were shared, there was the potential for password misuse which could possibly lead to customer information being accessed. Indeed, an investigation by the privacy commissioner into the matter found that a small number of Vodafone staff may have breached Vodafone's internal policies relating to the appropriate use of log-in IDs and passwords.

Vodafone took action, starting its own investigation and sacking several employees that were involved in the privacy leak. However, it was not the only party to conduct an investigation. The privacy commissioner found that the telco had breached the Privacy Act.

If that were not harsh enough, the telco also topped the TIO's complaints list, due in part to its poor network performance, and lost 375,000 customers in the first half of the year alone.

RSA used as hacking springboard

RSA raised its already large profile in the security industry this year, but not necessarily in a good way.

In March, the company, a subsidiary of EMC, suffered what it called an Advanced Persistent Threat, specifically related to its two-factor authentication product, SecurID.

The tokens are widely used by companies, including defence contractors, to provide an additional layer of security over usernames and passwords, but RSA initially remained quiet on the details of the attack, attracting criticism from security experts. RSA said that the reason for remaining silent on what appeared to be critical issues was that full disclosure could compromise its customers.

Other security vendors saw the opportunity to take advantage of RSA's possibly shot reputation, with CA Technologies offering existing RSA customers a one-for-one swap for the SecurID hardware tokens with its own ArcotID software tokens.

It wasn't long, however, before an attack was attempted on a company using information gained from RSA. Lockheed Martin confirmed that it had been able to fend off an attack. While it didn't state at the time that the tokens were responsible, it began to replace all of its tokens shortly after.

Australian financial institutions began to follow suit, with the Commonwealth Bank considering a replacement of tokens and ANZ replacing 50,000 tokens, as well as Westpac, the Australian Taxation Office (ATO) and AMP.

Despite the Defence Signals Directorate (DSD) advising government agencies to replace their tokens, not all financial institutions have felt that they needed to follow the advice. NAB is one company that has kept its tokens.

Months after the attack, RSA warned that it wasn't the final target of the attack, which it confirmed was state sponsored. Speaking with ZDNet Australia, the company revealed that it had only been used as a springboard for a larger attack, and that companies should assume they are next in the firing line.