2011's Biggest Security Snafus
Russian cyberattack on Illinois water facility, or just a contractor who happened to be on a trip to Russia?
Was it a foreign cyberattack originating from an IP address in Russia that hit an internal SCADA system at the Curran-Gardner Townships Public Water District in central Illinois, causing a water pump, turned on and off remotely, to burn out in November? The Illinois Statewide Terrorism & Intelligence Center (STIC) issued a confidential report to this effect, which was leaked in November by energy industry analyst and author Joe Weiss who read its contents to a reporter at the Washington Post. But in the media uproar that followed, the FBI and Department of Homeland Security said it investigated the Illinois STIC claims and could find nothing to validate them. Sources say the network access from Russia is now linked to a contractor working for Curran-Gardner Townships Public Water District who happened to be in Russia when he remotely accessed Curran-Gardner's network. But DHS indicates "analysis of the incident is ongoing ..."
The data-breach hit parade of 2011
- The so-called "Sony hack" in April allowed hackers to get customer information for 77 million members of Sony's online PlayStation network, including credit-card numbers, an act that forced Sony to take down its service. In May, Sony said the attack cost it $170 million.
- The once-obscure marketing firm Epsilon in April disclosed a hacker had stolen an estimated 2% of the customer names and addresses of its client base, impacting Walgreens, Best Buy, Citibank, JPMorgan Chase, Kroger's supermarket chain and more.
- When a string of SSL digital certificate providers, including Comodo, DigiNotar and GlobalSign, were breached, some of them allegedly by a 21-year-old Iranian student calling himself "Comodohacker," the fallout included the creation of a fake Google certificate (since revoked) that allowed the attacker to capture login details of a person's Gmail account without a warning from the victim's browser the site might not really be Google. DigiNotar, owned by Dutch-based Vasco Security Systems, went bankrupt as a result of the hack, especially after the Dutch government banned use of DigiNotar certificates.
- U.S. government research labs, long a target for attack, were hit, with Oak Ridge National Laboratory in Tennessee forced to shut down its email and Internet access in April following a cyberattack in which phishing email was sent to some 573 lab employees. The Department of Energy's Pacific Northwest Laboratory also shut down email and Internet connectivity after a similar type of spear-phishing attack in the summer.
- In June, Citigroup acknowledged that hackers broke in and managed to steal credit-card numbers from about 360,000 affected clients. The fraud loss: $2.7 million.
- The Texas State Comptroller's Office fired its heads of information security and of innovation and technology after an inadvertent data leak that exposed Social Security numbers and other personal information on more than 3.2 million people in the state.
- In November, a flood of porn -- like photoshopped images of Justin Bieber in unmentionable acts -- hit Facebook in what's believed to be a "clickjacking exploit" against users. Facebook got to cleaning it up.
- Romanian authorities arrested a 26-year-old hacker accused of breaking into multiple NASA servers and causing $500,000 in damages to the U.S. space agency's systems. Robert Butyka, said to use the handle "Iceman," is expected to be tried in Romania.
Who's minding the app stores?
It was something of a shock when Google in March was forced to yank down about 50 Android apps from its Android Market after finding out they were actually malicious applications. Dubbed the DroidDream malware episode, it was far worse than anything that had hit Google Android Market before.
Big year for Anonymous
Last but hardly the least, 2011 was a banner year for the shadowy hactivist collective Anonymous, which generally targets business and government organizations around the world whose practices are despised for one reason or another, typically by hacking into networks to steal data and post it, or launching attacks to take sites offline. In addition to the high-profile attack last winter against security firm HBGary, which was trying to track the hacker group, Anonymous is believed to have led attacks on Koch Industries, Bank of America and NATO, plus what ended up being a weak DDoS attack on the New York Stock Exchange. Anonymous played a role in spurring on the Occupy Wall Street movement demonstrations around the world, not to mention San Francisco's "Operation Bart."
Other actions this years from Anonymous are believed to have been against online resources associated with Tunisia, Brazil, Zimbabwe, Turkey, Australia, the Malaysian government and the Florida Chamber of Commerce. More recent Anonymous hactivism this year has focused on child-porn sites and the Mexican drug cartel, which is accused of taking an Anonymous participant captive.
Duqu: Something we're not looking forward to
The virus known as Duqu hit the security stage in October when the Hungarian research laboratory CrySyS shared its analysis of the new threat with the world's top antivirus vendors.
Security vendor Kaspersky Lab then identified infections with the new Duqu malware in Sudan and, more important, in Iran, the main target of the Trojan's predecessor -- Stuxnet. Believed to be closely related to the Stuxnet industrial sabotage worm, from which it borrows code and functionality, Duqu is a flexible malware delivery framework used for data exfiltration.
The main Trojan module has three components: a kernel driver, which injects a rogue library (DLL) into system processes; the DLL itself, which handles communication with the command-and-control server and other system operations, like writing registry entries or executing files; and a configuration file.
CrySyS ultimately released a toolkit to detect and remove the virus from affected systems. Microsoft too released a Fix-it tool to allow Windows users to manually patch their systems to thwart the Duqu threat.
Duqu is believed to have been created for targeted attacks against organizations and it is likely the malware will be a big story in 2012.
10 Days of Rain
A multi-tiered botnet attacked South Korean computers for 10 days in March, proving to be a stubborn force that couldn't be taken down. Then suddenly it just stopped, with the malware delivering a coup de grace to the zombie machines that destroyed files and rendered the machines unbootable. Security experts at McAfee say the attack was launched from North Korea, and that its level of sophistication -- 40 command and control servers, code updates to thwart detection, multiple encryption schemes -- was far beyond what was needed to run an effective DDoS attack. McAfee's spin: 10 Days of Rain was a reconnaissance mission designed to gauge how and how quickly South Korea's government and military contractors would react -- valuable information for a later, truly damaging attack.
Read more about wide area network in Network World's Wide Area Network section.