2010 was a long year. So for those wanting to take a ride down memory lane, SC Magazine figured we’d take some of the work out of the trip for you by compiling lists of the top breaches, threats, acquisitions, law enforcement activity and bizarre incidents that dotted the IT security landscape this year.
We hope you enjoy!
Top 5 notable breaches (records exposed)
- AvMed Health Plans: 1.2 million
- Lincoln National Financial Securities: 1.2 million
- BlueCross BlueShield of Tennessee: 1 million
- South Shore Hospital: 800,000
- AT&T (iPad exposure): 114,000
Top 10 notable vulnerabilities
- Stuxnet vulnerabilities: Four Microsoft Windows zero-day flaws were used in the dangerous Stuxnet attack.
- “Operation Aurora” flaw: A vulnerability in Microsoft’s Internet Explorer allowed attackers to spread data-stealing espionage trojans to Google, Adobe, and dozens of other organizations.
- Cross-site scripting flaw on Twitter: In September allowed an infectious worm to spread through the social networking site, affecting an estimated 500,000 users.
- Windows Help and Support Center vulnerability: Was disclosed in a controversial fashion then widely exploited.
- Adobe PDF Reader “Launch” flaw: Was exploited to spread the data-stealing trojan Zeus.
- VxWorks flaws: Two critical vulnerabilities affecting this widespread embedded operating system are expected to live on indefinitely.
- AutoComplete flaw: Affected several popular web browsers, including Apple’s Safari and Microsoft’s Internet Explorer.
- Zero-day Firefox flaw: Used in late October to distribute malware on the Nobel Peace Prize website.
- iPhone, iPad “jailbreak” flaw: Came to light after a group called the Dev-Team released a hack on the website JailbreakMe.com that allowed users to jailbreak their iPhone, iPad and iPod Touch devices.
- ATM flaws: At the Black Hat conference in Las Vegas researcher Barnaby Jack used design and authentication flaws to force ATMs to spit out cash.
Top courtroom actions
- Albert Gonzalez: 20 years in prison for hacking into the payment card networks of retail chains to steal 130 million credit and debit card numbers.
- Three Gonzalez co-conspirators were also sentenced in March for providing Gonzalez with a zero-day exploit, laundering money and other charges.
- Katina Candrick: 15 years in prison for orchestrating a scheme to steal the personal information of patients while she was employed by Texas-based medical billing contractor MedAssets.
- “Iceman,” aka Max Ray Butler: 13 years in prison for his use of wireless hijacking tactics to break into the databases of financial institutions and credit card processing centers.
- Huping Zhou: four months in prison for illegally snooping into patient records while an employee at UCLA Health System. He is the first person to receive prison time for violating HIPAA.
- Terry Childs: four years in prison for disrupting computer service to San Francisco’s FiberWAN network system. The disgruntled network administrator refused to reveal his exclusive credentials.
- Kryogeniks Gang: various sentences for taking down Comcast’s home page for several hours in 2008.
- David Kernell: The 22-year-old former University of Tennessee-Knoxville student was found guilty of breaking into the Yahoo! email account of Sarah Palin as she campaigned for vice president in 2008. Sentencing is pending.
Top research discoveries
- Firesheep: A plug-in for the Firefox web browser, created by Eric Butler, that lets anyone scan open Wi-Fi networks and hijack Twitter and Facebook accounts.
- Shadow Network: A sophisticated cyberespionage network stole classified documents from a number of computer systems belonging to government agencies, businesses and other organizations.
- Russian botnet: Cybercrooks in Russia installed Zeus and Gozi trojans onto victims’ machines, enabling them to access check image archiving services and to crack into job websites to deliver messages to unsuspecting individuals, who were recruited as money mules.
- SCADA system vulnerabilities: Red Tiger Security researchers discovered 38,753 vulnerabilities at 120 critical infrastructure facilities, making them ripe for exploitation.
Top 6 weirdest news items
- Hack-izzle: Symantec teamed up with, believe it or not, rapper Snoop Dogg to launch the “Hack is Wack” contest challenging contestants to make a video raising cybercrime awareness. Fo’ shizzle.
- USB miracle: A Swedish professor figured his laptop was long gone after a thief stole it from his apartment stairwell. But a week later, he returned home to find that the culprit had left him a USB stick containing all of the computer’s content. Might’ve been easier just to return the laptop.
- Shaq, the hacker? NBA star Shaquille O’Neal was accused in a lawsuit of infiltrating the voicemail of a former employer. The suit also contends that the 7-foot-1-inch center tossed a PC into a lake to hide the evidence. No word if he dunked it.
- McAfee flawed update: Typically, administrators are encouraged to deploy new anti-virus updates. But in one case this spring, McAfee delivered an update that caused uncontrollable restarts on millions of machines. Did someone say coffee break?
- Airline malware: A trojan didn’t actually cause the 2008 crash of a Spanair flight, but it may have prevented the plane’s pilots from detecting what ultimately did before it was too late. Don’t worry, though, flying is still safer than driving.
- CISO dumped: In an industry that relies on transparency and information to keep organizations safe, Pennsylvania fired its CISO for discussing a breach at the RSA conference. Bob Maley now gets paid to talk – he runs a consultancy.
Top 5 social networking news
- Simplified privacy: Bowing to the continued outcry from its massive member base, Facebook streamlined the settings available to users to control the data they share.
- Worm attack: A 17-year-old from Australia exploited a vulnerability to launch a massive Twitter worm that affected hundreds of thousands of accounts.
- Agency agreement: Twitter settled with the FTC over charges that lax security allowed users’ accounts to be compromised to deliver bogus tweets.
- Zeus meets LinkedIn: A massive spam campaign targeted users of LinkedIn by trying to trick them into installing the bank credential-stealing Zeus trojan.
- Buzzed: Google paid $8.5 million into an education fund to settle charges that its Buzz service violated users’ privacy.
Top 5 threats
- Stuxnet: Numerous SCADA systems reported being hit by the AutoRun-spreading worm, but only two sites – both in Iran – reported damage.
- Aurora: Google, in a much-heralded act of transparency, disclosed that its corporate systems were infiltrated by savvy cyberspies, believed to be operating out of China. Some 30 other high-profile companies also were targets.
- Zeus: The repulsive malware extended its masterful ambush on mostly small and midsize businesses to steal banking credentials and dump out hundreds of thousands of dollars from legitimate accounts into those belonging to so-called money mules.
- Here you have: In a year dominated by threat sophistication, a rapidly spreading email worm, traced back to a cyber-jihad group, did little damage but clog inboxes, though it impacted corporations across the country.
- Iranian Cyber Army: The hacker group responsible for defacement attacks against Twitter and Baidu appears to be adjusting its modus operandi to amass a mighty botnet. Researchers have traced exploits discovered on legitimate websites back to the gang.
Top 5 cybercrime busts
- A federal judge in Illinois shut down a fraudulent debit and credit card operation that went undetected for years. The unidentified defendants, who usually made charges between 20 cents and $10 and targeted each card only once, racked up more than $10 million in fake charges.
- Law enforcement officials in three countries cracked down on organized cybercrime operations that used the Zeus trojan to steal millions of dollars from U.S. and U.K. bank accounts. Within one week, police in the U.S., U.K. and Ukraine arrested 94 money mules and orchestrators of a cybercrime ring responsible for stealing $70 million with the data-stealing malware.
- Romanian police, in partnership with U.S. law enforcement, arrested 70 people from three different organized cybercrime groups charged with hijacking eBay accounts and setting up fake auctions. Since 2006, the groups stole more than $1 million from more than 800 victims across Europe, New Zealand, the U.S. and Canada.
- Police in 12 countries arrested 178 members of an international credit card fraud ring that used stolen bank card numbers to create counterfeit cards and make ATM withdrawals and retail purchases. The bust was the result of a two-year investigation and 84 raids across Europe, Australia and the U.S.
- Federal authorities broke up a computer-savvy gang that stole the identities of deceased people to obtain refunds from their income tax returns. The group, led by self-professed hacker Daniel David Rigmaiden, 29, of Santa Clara, Calif., filed 1,900 fraudulent tax returns totaling $4 million.
Top acquisitions
- Apax Partners purchased a majority interest of Sophos for $830 million.
- ASSA ABLOY, parent of HID Global, acquired ActivIdentity.
- CA Technologies acquired Arcot for $200 million.
- EMC acquired Archer Technologies.
- GFI Software acquired Sunbelt Software.
- Hewlett-Packard acquired Fortify Software and ArcSight.
- IBM acquired BigFix, reportedly for $400 million.
- Intel acquired McAfee for $7.68 billion, one of the largest information security purchases of all time.
- Juniper Networks acquired SMobile for $70 million.
- St. Bernard Software acquired Red Condor.
- Symantec acquired PGP (for $300 million), GuardianEdge (for $70 million), and the identity and authentication business of VeriSign (for $1.28 billion).