2011: The Year of Epic Hacking

We are only into the first month of 2011 and the hacks, cracks and breaches reported have already been epic. Fortinet predicted 2011 would be a big year for cybercrooks for hire, but perhaps 2011 will instead be the year of the cracker, filled with all kinds of hacks and breaches?

Millions have been breached, and when information that is supposed to be private becomes public, it can open the way to identity theft. Enough chitchat; on to the hacks.

According to The Hacker News, The Mail and Guardian's website was shut down today after a hacking attack. The company posted:

Dear Mail & Guardian reader

The Mail & Guardian's website is under sustained attack by hackers. We are dealing with the problem, but to make absolutely sure that your security isn't compromised, we have decided to suspend the service temporarily. It's a drastic measure, but we really don't want to take any chances with security. We apologise for this interruption of service. We'll be back as soon as we have made certain that the problem has been effectively dealt with. We'll continue to update you as soon as we have news.

In India, Domino's Pizza's database of online ordering customers was hacked. It sent a letter to customers alerting them of the breach, yet the company sort of blew it off and treats the personal information collected by the hackers as non-confidential, calling the breached data -- customers' phone numbers, delivery addresses and email addresses -- "not classified." It has not commented on the number of customers affected. India has had Domino's Pizza for over a decade, noted Slippery Brick, but the online ordering system was only launched late last year. The last time Domino's Pizza of India updated its privacy policy was in 2005.

Perhaps it is only Domino's of India that makes light of privacy, so I contacted Domino's Pizza in the USA to find out. Domino's Pizza's privacy policy in the U.S. states, "If you have questions about our privacy policy, please use the form on our Contact Us page."

Yet when I asked:

  • Can you tell me how the USA customer verification process differs from India's?
  • When was your privacy policy last updated?
  • How can a user be your customer without submitting PII to you, as described in your privacy policy?

Domino's Pizza replied that this was "proprietary information." If Domino's won't even say when it last updated its privacy policy, it seems to echo Domino's of India's casual disregard for its customers' privacy.

Not a pizza fan, but into makeup? The handmade cosmetic group Lush admitted the UK version of its website was hacked in the weeks leading up to Christmas, although it only recently gave customers the heads-up warning that thousands of them were at risk of having their credit card information stolen. The UK Lush website posted a note to the hacker: "TO THE HACKER If you are reading this, our web team would like to say that your talents are formidable. We would like to offer you a job -- were it not for the fact that your morals are clearly not compatible with ours or our customers'."

Included in the information for its customers, Lush posted: "For complete ease of mind, we would like all customers that placed ONLINE orders with us between 4th Oct 2010 and today, 20th Jan 2011, to contact their banks for advice as their card details may have been compromised." On the Lush Facebook page, angry customers were reporting fraudulent transactions showing up in their banking activity and asking Lush why there was such a "ridiculous delay" before alerting them to the breach.

A bold hacker is setting up shop after bashing lax security. As Richi Jennings pointed out, a brazen hacker is making a fool of .mil and .gov security by selling access to compromised websites. Prices range from $33 to $499 depending upon the site's importance.

According to ThreatPost, PandaLabs says prices are dropping on the cybercrime black market where cybercrooks can buy "everything from stolen banking credentials to phony ATM machines, to fake credit cards - some of which can be had for as little as $2 a piece."

It's debatable whether or not this high-profile hack was an entry for Facebook's Hacker Cup competition. TechCrunch reported that "Let the hacking begin" appeared on Facebook CEO Mark Zuckerberg's fan page: "Let the hacking begin: If facebook needs money, instead of going to the banks, why doesn't Facebook let its users invest in Facebook in a social way? Why not transform Facebook into a 'social business' the way Nobel Prize winner Muhammad Yunus described it? http://bit.ly/fs6rT3 What do you think? #hackercup2011." The hacked fan page was taken down pretty fast.

In the never-ending battle of famous people getting hacked, the popstar P!nk had her Twitter account hacked. EarSucker reported, "Pink was the target of a nefarious Twitter hacker -- her husband, Carey Hart!"

After the Egyptian authorities blocked access to Twitter, Anonymous issued a press release today asking citizens to get busy with "Operation Egypt" and launch a DDoS attack on the Egyptian government.

Another day, another hack: 4chan members posted the administrative username ("admin") and password ("poopnugget") of a New Jersey school district on a message board, allowing access to the online student information system of the Plainfield Board of Education. Robert McMillan reported, "It's not clear how much damage was caused, but 4chan members soon started posting screenshots showing how they were able to mess with the school's system. One screenshot shows school lunch prices reset to $9,000 per meal. Another post claims that 'every class is now an elective, and requires only 1 credit to graduate.'"

A previous target of Anonymous, antipiracy lawyer Andrew Crossley from ACS:Law has stopped issuing demands for damages and abandoned all P2P cases against alleged copyright infringers, noted the Telegraph.

In the law-firm-thinks-it's-funny category, Torrent Freak reported, "Funimation announced a lawsuit against 1337 alleged BitTorrent downloaders."

The Department of Justice is seeking mandatory two-year data retention for U.S. ISPs [PDF]. As reported on ComputerWorld, the DOJ said "data retention was crucial to fighting Internet crimes, especially online child pornography." The emphasis is mine, since retaining data for that long could also create a handy little dragnet for law enforcement.

That's only skimming the surface of what has happened, and we are not even one complete month into 2011.
