Top 10 Security SNAFUs of 2010
That old phrase SNAFU ("Situation Normal, All F---ked Up!") certainly describes our choices for 2010's top 10 security screw-ups.
Not surprisingly, some of the biggest names in technology - Google, Cisco, McAfee, AT&T - are prominent on the list, either because they're obvious hacker targets or because whenever they make a security mistake, it's big news. Without further ado, the list:
Aurora attacks on Google. In what's come to be called the "Aurora attacks," Google in January acknowledges valuable intellectual property was stolen via a network break-in during that past December, intimating China to be the origin of the cyberattack. About a dozen other high-tech and industrial companies appear to have been struck in similar fashion. The Chinese government says it doesn't know what they're talking about. Outraged over the cyber-intrusion, Google, which had been adhering to Chinese dictates regarding search-engine censorship, says it will defy them, putting its search-engine license in China in jeopardy. But by year-end, under Chinese pressure, Google abandons its tactic of re-directing Chinese user traffic to its more liberal Hong Kong site and its renewed China license requires censorship.
China ISP takes Internet for a ride. A small Chinese ISP called IDC China Telecommunication briefly hijacked the Internet by sending out wrong routing data, which was re-transmitted by state-owned China Telecommunications, affecting service providers around the world. The event was noted in the "2010 U.S.-China Economic and Security Review" commission report presented this November to Congress, which pointed out that for 18 minutes on April 8, China Telecom rerouted 15% of the Internet's traffic through Chinese servers, affecting U.S. government and military Web sites. The incident was widely reported, and media attention raised the question of whether China was somehow testing a cyberattack capability, but China Telecom rejected those claims, calling the April traffic re-direction an accident.
McAfee's oopsie. McAfee goofs up by issuing a faulty anti-virus update - the now-infamous McAfee DAT file 5958 - which wreaked havoc on PCs of countless McAfee customers by causing malfunctions like the Microsoft 'Blue Screen of Death' and creating the effect of a denial-of-service. With CEO and President Dave DeWalt apologizing profusely, McAfee worked to rush out various fixes for the SNAFU it had caused by mistake, but some irate McAfee customers felt it all could have been done better.
Showtime for Cisco. Not the biggest data breach to be sure, but embarrassing for Cisco, a networking company that wants the world to consider it a leader in security and has the sales to show for it. Someone hacked into the list of attendees for the Cisco Live 2010 users' conference, a security breach that led Cisco to notify the customers as well as a broader group with dealings with the company. Though Cisco prefers to keep mum on some details, it appears a vendor told Cisco that someone had made "an unexpected attempt to access attendee information through ciscolive2010.com," the event site. Cisco said the breach was closed quickly, "but not before some conference listings were accessed." The compromised information consisted of Cisco Live badge numbers, names, titles, company addresses and e-mail addresses. Cisco apologized by e-mail to both attendees and those who were invited but didn't attend.
Google sniffing. Google apologizes for wirelessly sniffing and collecting data from individuals on unencrypted Wi-Fi networks during its Street View car projects around the world to collect information for its map service. Amid outrage from privacy advocates and regulatory authorities in Europe and the U.S., Google says it was all done "mistakenly," vowing to destroy the data it collected, as explained in a blog post from Google's senior vice president of research and engineering, Alan Eustace. In a related case, Google acknowledged trespassing when it photographed a Pittsburgh-area house for its StreetView service and wound up paying a single dollar in damages to a couple who sued.
An iPad surprise. A group calling itself "Goatse Security" exploits a security flaw in an AT&T Web application to expose the e-mail addresses of over 100,000 iPad customer records. The FBI arrests one of the Goatse iPad hackers on felony drug charges after a home raid.
Unhealthy security. Massachusetts-based South Shore Hospital announces it's lost about 800,000 files related to 15 years' worth of health and financial information on patients, business associates and staff, but after initially saying it would contact those affected individually, changes its mind and chooses not to reach out to notify the individuals affected by the data breach. The Massachusetts Attorney General objects and says that has to be done.
Spy drama. Anna Chapman, who was rounded up by the FBI with about a dozen other Russian spies in the United States and returned to Moscow in a spy swap, poses provocatively in black lingerie in a Moscow magazine, and lands a job as an information technology innovator for a Russian bank, despite the glaring gaps in her technical knowledge that helped the FBI nab her. Not only did the FBI during surveillance routinely sniff her wireless network, but Chapman also turned her laptop over to a U.S. undercover agent for repairs. Nevertheless, Russian bank FondServisbank hired Chapman upon her return to her country "to bring innovation to its information technologies."
Stuck with Stuxnet. First noticed in June, though it likely existed way before that, the Stuxnet worm surfaces as a highly sophisticated piece of malware aimed at industrial Supervisory Control and Data Acquisition (SCADA) systems, primarily targeting Iranian nuclear facilities - possibly as a cyberwar weapon intended to stop suspected Iranian attempts to build a nuclear bomb. In October, Iran confirmed the worm had affected up to 30,000 systems in the country, and in November Iranian President Mahmoud Ahmadinejad went further, saying that enemies of Iran had "succeeded in creating problems for a limited number of our centrifuges with the software they had installed in electronic parts," adding, "They did a bad thing."
Return of WikiLeaks. A massive theft of U.S. State Department cables - more than 250,000 messages of various diplomatic correspondence related to relations with foreign nations and the shared confidences of world leaders -- is published on WikiLeaks. Secretary of State Hillary Rodham Clinton calls it "an attack," and rushes to apologize for the data breach to her counterparts around the world. Among the nuggets found in the quarter million State Department messages is one that cites an unnamed Chinese contact telling the State Department that the Chinese Politburo ordered the cyber-intrusion into Google. China says it doesn't know what they're talking about. China also blocks access to WikiLeaks, the Web site posting the leaked State Department cables.