Book of Lists: 2011's strongest trends, weirdest news
Taste of one's own medicine: A hacker in October who received a scam email had the last laugh when he took control of the phishing page and turned it into a public service announcement around phishing awareness.
Happy ending: Ivan Kaspersky, who was kidnapped for a ransom of $4.3 million, was rescued following a police operation. He is the son of IT security mogul and Kaspersky Lab founder Eugene, one of the wealthiest businessmen in Russia.
Mean streets: The YouTube channel for Sesame Street was briefly hijacked by hackers who swapped out educational videos with X-rated pornography. Not long after, Microsoft's YouTube channel was also compromised, but not to display erotic video.
Top 3 breaches of 2011 (by impact)
On Sept. 20, the Dutch-based certificate authority (CA) was “declared bankrupt” after it emerged that the company issued hundreds of counterfeit SSL credentials after hackers breached its systems. At least one phony certificate, for Google.com, appeared in the wild, presumably so Iranian users could be spied on the government. Authentication solutions provider Vasco, the parent of DigiNotar, expects the bankruptcy to cost it between $3.3 and $4.8 million.
In March, another CA revealed that hackers gained access to its system and fabricated nine certs for some top-tier sites. Experts believe the Iranian government carried out the Comodo, and more recent DigiNotar, attacks to spy on private communications.
In March, the security company revealed that sophisticated hackers launched a spear-phishing attack that exploited an Adobe Flash zero-day vulnerability to successfully infiltrate its systems and steal information related to its SecurID products. Such products include hardware token authenticators, software authenticators, authentication agents and appliances. Millions of customers worldwide use SecurID to protect access to sensitive assets, such as web servers, email clients and VPNs. Subsequently, hackers leveraged stolen information about SecurID in an attack on U.S. defense contractor Lockheed Martin. RSA President Art Coviello issued a warning for customers to be more vigilant and issued a list of recommended actions.
Top 8 legal actions
1 In what was termed the largest identity theft takedown in U.S. history, 111 individuals were charged for their involvement in a New York-based organized crime operation responsible for more than $13 million in losses.
2 Six men believed to be behind a massive click-fraud scheme, all of whom are Estonian nationals, were arrested last month following a two-year, international police investigation, dubbed Operation Ghost Click. The racket led to the infection of more than four million computers in 100 countries with malware.
3 Running an online business that sold counterfeit credit cards embedded with stolen account information led to a 14-year prison sentence for Tony Perez III, 21, of Indiana.
4 The U.S. point person for one of the largest phishing rings ever to be brought down, Kenneth Lucas II, 27, of Los Angeles, was sentenced to 11 years in prison for his part in stealing more than $1 million from victims.
5 Scammer Tien Truong Nguyen, 34, of Long Beach, Calif., was sentenced nearly 13 years in prison for orchestrating a phishing operation that duped at least 38,500 people.
6 Using stolen credit card numbers to conduct fraudulent transactions totaling more than $36 million resulted in a 10-year prison sentence for Rogelio Hackett Jr., 25, of Lithonia, Ga.
7 Former IT employee Jason Cornish, 37, of Smyrna, Ga., faces 10 years in prison for crippling his ex-employer's network and causing hundreds of thousands of dollars in damages.
8 A nine-year sentence was handed down to former Dallas hospital guard Jesse William McGraw, 26, after he broke into hospital computers, planted malicious software, and planned a DDoS attack.
Top 3 hacktivist attacks
The victim: HBGary Federal (now defunct)
The motive: CEO Aaron Barr threatened to out members of Anonymous.
The hack: The Anonymous group published tens of thousands of emails, including a plan to smear whistleblower site WikiLeaks and its supporters, apparently at the behest of the U.S. Chamber of Commerce and Bank of America.
The victim: Sony Pictures
The motive: The company has pursued legal action against alleged copyrighters.
The result: The now-disbanded LulzSec group exploited a SQL injection vulnerability to gain access to internal Sony networks and websites. The hack yielded the passwords, email addresses, home addresses, birth dates and other account information belonging to more than one million users.
The victim: PBS
The motive: LulzSec sought revenge against the network for airing what they considered an unfair documentary about WikiLeaks.
The hack: The intruders compromised the website of PBS NewsHour to post a fake story that rapper Tupac Shakur was still alive. In addition, they published the usernames and passwords to staff at the public TV station, as well as those working at other networks affiliated with PBS.
Top 5 threats
Duqu: An information-stealing trojan that shares much of its code with the notorious Stuxnet worm, and has impacted roughly five Europe-based manufacturers of industrial control systems.
Zeus: The insidious banking trojan, which continues to be used to siphon millions of dollars from U.S. bank accounts, became even more prolific this year when its source code was leaked on at least two underground forums.
DroidDream: The malware, which is capable of harvesting data, was discovered this year in more than 50 apps offered in Google's official Android Market, and illustrates that cybercriminals are focusing more of their efforts on mobile platforms.
Operation Shady RAT: A five-year-long advanced persistent threat and cyberespionage offensive that plundered intellectual property from some 72 organizations across 14 nations, including the U.S. government.
Mac OS X scareware: While still much-less prevalent than those seen in the Windows world, rogue anti-virus malware scams targeting the Mac platform grew increasingly nefarious this year, leading to a significant uptick in infections.
Top 5 research revelations
BIOS fuel Researchers discovered the first in-the-wild rootkit that targets BIOS, the built-in software responsible for booting up a computer. The discovery of Mebromi, the root kit, should not induce panic, though, as the complexity of a successful attack on the motherboard is high.
CA, MIA Moxie Marlinspike released Convergence, an add-on for Firefox, which essentially inverts the existing (and much maligned) certificate authority (CA) system, giving more power to users. They take their pick of so-called “trust notaries,” which authorize their web communications by default.
Pumped up Jay Radcliffe demonstrated at Black Hat how he is able to send commands to and wirelessly disable the insulin pump he has been wearing since he was 22, when he was diagnosed with the autoimmune disease after dealing with extreme weight loss and an unquenchable thirst.
In control In an effort to prove that SCADA hacks don't require deep pockets, Dillon Beresford took the stage at Black Hat to describe how to infiltrate Siemens industrial control systems. He uncovered replay attack bugs in programmable logic controllers, or PLCs.
Baby ginger Xuxian Jiang, assistant professor at North Carolina State University in Raleigh, found the first malware that uses a root exploit, known as GingerMaster, against Android version 2. The discovery is a sign that cybercriminals are keeping pace with the evolution of mobile devices.