2011's Biggest Security Snafus
Perhaps it was an omen of what was to come when the city of San Francisco on New Year's Eve 2010 couldn't get a backup system running in its Emergency Operations Center because no one knew the password.
But as 2011 begins to fade to black, we look back at the biggest security snafus that made headlines, from the numerous service outages to data hacks attributed to everything from the shadowy group Anonymous to China. Some might even want to label 2011 the year of the advanced persistent threat.
Beware the Ides of March
When RSA Executive Chairman Art Coviello in mid-March announced that RSA had been hacked and information stolen linked to its SecurID token authentication, that was just the start of trouble. In what can be considered the data breach of the year, it became clear later on that the attacker was going after RSA customers, including Lockheed Martin. Credit Coviello (who has since blamed a "nation-state" without using the name China, though at least one security vendor, SecureWorks, claims analyzed evidence points strongly in that direction) for popularizing the phrase 'advanced persistent threat" (APT).
APT is an expression first used by the Air Force to describe the unremitting attacks on its networks. The cost of the RSA breach for parent company EMC was reported at $55 million in the second quarter of last year.
APTS were bursting out all over in 2011. In just one example, Norway's National Security Agency in November disclosed that oil, gas and defense firms there had been targeted by sophisticated attacks in which industrial secrets and information about confidential contract negotiations were stolen. 10 companies in Norway were said to have been hit by customized email containing viruses that didn't trigger anti-malware detection systems. The Norwegian security agency didn't state any probable source for the APTs there.
Patch that hole!
The YGN Ethical Hacker Group, the Burmese group which claims to do only "ethical" hacking to expose software vulnerabilities, spotted vulnerabilities in McAfee's website and quietly contacted McAfee to tell the company about it. But when McAfee didn't fix the website, YGN went public in March, causing some embarrassment to the security vendor, which says its customers weren't in danger. YGN, whose practices doing unauthorized vulnerability testing of public-facing websites does defy U.S. law on the practice, also got Apple, which had also been a bit lax, to fix its developer website.
Open sesame! Open source hacked
These open-source bastions were scaled and taken last year: MySQL.com, the Linux Foundation with Linux.com and Linux.org, and Kernel.org; plus open source OS Commerce software was compromised with malware. A Russian hacker claimed to be selling root access to the My.SQL domain for $3,000.
Can you hear me now?
Verizon's 4G LTE network, which came online in December 2010, suffered a nationwide outage. They weren't the only one last year. The four-day global outage of the BlackBerry data services in October was not the kind of attention that RIM wanted, already struggling to keep the BlackBerry looking smart in the face of the Apple iPhone publicity barrage. But when RIM's "dual-redundant, dual-capacity core switch" failed and its backup failed to activate, causing BlackBerry users around the world to either receive weak or no service at all, RIM co-CEO Mike Lazaridis was compelled to issue a public apology to customers, acknowledging the outage as the worst in the company's history.
In November, Internet outages were briefly suffered across North America and Europe that were apparently related to bugs in Juniper routers receiving a Border gateway protocol update, impacting carriers such as Level3. A reminder about how easy it can be to lose what most of us take for granted every day.
Not exactly floating on a cloud either ...
Microsoft BPOS cloud-hosted communications and collaboration suite suffered an outage in June, while Amazon's EC2 service in April suffered availability issues and a shorter outage in August. VMware's Cloud Foundry service suffered an outage in beta. And don't forget Northrop Grumman. It agreed to pay almost $5 million to 26 Virginia state agencies after an outage related to data-center services it was providing to them.