Top 5 influential IT security thinkers
Book of Lists

Top 3 weirdest news items

Taste of one's own medicine: A hacker in October who received a scam email had the last laugh when he took control of the phishing page and turned it into a public service announcement around phishing awareness.

Happy ending: Ivan Kaspersky, who was kidnapped for a ransom of $4.3 million, was rescued following a police operation. He is the son of IT security mogul and Kaspersky Lab founder Eugene, one of the wealthiest businessmen in Russia.

Mean streets: The YouTube channel for Sesame Street was briefly hijacked by hackers who swapped out educational videos with X-rated pornography. Not long after, Microsoft's YouTube channel was also compromised, but not to display erotic video.


Top 3 breaches of 2011 (by impact)

DigiNotar
On Sept. 20, the Dutch-based certificate authority (CA) was “declared bankrupt” after it emerged that the company had issued hundreds of counterfeit SSL certificates after hackers breached its systems. At least one phony certificate, for Google.com, appeared in the wild, presumably so Iranian users could be spied on by the government. Authentication solutions provider Vasco, the parent of DigiNotar, expects the bankruptcy to cost it between $3.3 and $4.8 million.

Comodo
In March, another CA revealed that hackers had gained access to its systems and fabricated nine certificates for some top-tier sites. Experts believe the Iranian government carried out the Comodo attack, and the more recent DigiNotar attack, to spy on private communications.

RSA SecurID
In March, the security company revealed that sophisticated hackers launched a spear-phishing attack that exploited an Adobe Flash zero-day vulnerability to successfully infiltrate its systems and steal information related to its SecurID products. Such products include hardware token authenticators, software authenticators, authentication agents and appliances. Millions of customers worldwide use SecurID to protect access to sensitive assets, such as web servers, email clients and VPNs. Subsequently, hackers leveraged stolen information about SecurID in an attack on U.S. defense contractor Lockheed Martin. RSA President Art Coviello issued a warning for customers to be more vigilant and issued a list of recommended actions.


Top 8 legal actions
1 In what was termed the largest identity theft takedown in U.S. history, 111 individuals were charged for their involvement in a New York-based organized crime operation responsible for more than $13 million in losses.

2 Six men believed to be behind a massive click-fraud scheme, all of whom are Estonian nationals, were arrested last month following a two-year, international police investigation, dubbed Operation Ghost Click. The racket led to the infection of more than four million computers in 100 countries with malware.

3 Running an online business that sold counterfeit credit cards embedded with stolen account information led to a 14-year prison sentence for Tony Perez III, 21, of Indiana.

4 The U.S. point person for one of the largest phishing rings ever to be brought down, Kenneth Lucas II, 27, of Los Angeles, was sentenced to 11 years in prison for his part in stealing more than $1 million from victims.

5 Scammer Tien Truong Nguyen, 34, of Long Beach, Calif., was sentenced to nearly 13 years in prison for orchestrating a phishing operation that duped at least 38,500 people.

6 Using stolen credit card numbers to conduct fraudulent transactions totaling more than $36 million resulted in a 10-year prison sentence for Rogelio Hackett Jr., 25, of Lithonia, Ga.

7 Former IT employee Jason Cornish, 37, of Smyrna, Ga., faces 10 years in prison for crippling his ex-employer's network and causing hundreds of thousands of dollars in damages.

8 A nine-year sentence was handed down to former Dallas hospital guard Jesse William McGraw, 26, after he broke into hospital computers, planted malicious software, and planned a DDoS attack.


Top 3 hacktivist attacks

The victim: HBGary Federal (now defunct)
The motive: CEO Aaron Barr threatened to out members of Anonymous.
The hack: The Anonymous group published tens of thousands of emails, including a plan to smear whistleblower site WikiLeaks and its supporters, apparently at the behest of the U.S. Chamber of Commerce and Bank of America.

The victim: Sony Pictures
The motive: The company has pursued legal action against alleged copyright infringers.
The hack: The now-disbanded LulzSec group exploited a SQL injection vulnerability to gain access to internal Sony networks and websites. The hack yielded the passwords, email addresses, home addresses, birth dates and other account information belonging to more than one million users.

The victim: PBS
The motive: LulzSec sought revenge against the network for airing what they considered an unfair documentary about WikiLeaks.
The hack: The intruders compromised the website of PBS NewsHour to post a fake story that rapper Tupac Shakur was still alive. In addition, they published the usernames and passwords to staff at the public TV station, as well as those working at other networks affiliated with PBS.


Top 5 threats

Duqu: An information-stealing trojan that shares much of its code with the notorious Stuxnet worm, and has impacted roughly five Europe-based manufacturers of industrial control systems.

Zeus: The insidious banking trojan, which continues to be used to siphon millions of dollars from U.S. bank accounts, became even more prolific this year when its source code was leaked on at least two underground forums.

DroidDream: The malware, which is capable of harvesting data, was discovered this year in more than 50 apps offered in Google's official Android Market, and illustrates that cybercriminals are focusing more of their efforts on mobile platforms.

Operation Shady RAT: A five-year-long advanced persistent threat and cyberespionage offensive that plundered intellectual property from some 72 organizations across 14 nations, including the U.S. government.

Mac OS X scareware: While still much-less prevalent than those seen in the Windows world, rogue anti-virus malware scams targeting the Mac platform grew increasingly nefarious this year, leading to a significant uptick in infections.


Top 5 research revelations

BIOS fuel: Researchers discovered the first in-the-wild rootkit that targets the BIOS, the built-in software responsible for booting up a computer. The discovery of Mebromi, the rootkit, should not induce panic, though, as the complexity of a successful attack on the motherboard is high.

CA, MIA: Moxie Marlinspike released Convergence, an add-on for Firefox, which essentially inverts the existing (and much maligned) certificate authority (CA) system, giving more power to users. They take their pick of so-called “trust notaries,” which vouch for their web communications by default.

Pumped up: Jay Radcliffe demonstrated at Black Hat how he is able to send commands to, and wirelessly disable, the insulin pump he has been wearing since he was 22, when he was diagnosed with the autoimmune disease after dealing with extreme weight loss and an unquenchable thirst.

In control: In an effort to prove that SCADA hacks don't require deep pockets, Dillon Beresford took the stage at Black Hat to describe how to infiltrate Siemens industrial control systems. He uncovered replay attack bugs in programmable logic controllers, or PLCs.

Baby ginger: Xuxian Jiang, assistant professor at North Carolina State University in Raleigh, found the first malware that uses a root exploit, known as GingerMaster, against Android version 2. The discovery is a sign that cybercriminals are keeping pace with the evolution of mobile devices.


4 ways to prevent breaches

Companies spend a lot of time and money to protect their data from hackers, thieves, and other malfeasants—and for good reason. But when it comes to the causes of data breaches, don't forget human goof-ups. The irony about these true stories is that organizations try to do the right thing and they still experience data breaches.

Garage sale bargains: Patient data files. Garage sales are great places for a deal. You might discover a treasure, as did one customer who purchased a filing cabinet chock-full of personal data, including Social Security numbers and home addresses. Thankfully, this bargain shopper left the contents safely with the owner to destroy.

Leaving personally identifiable information (PII) in a car. One organization held an annual drill to assess its preparedness in the face of a data breach. Instead of using “test” data, an employee transported actual data tapes offsite that contained client accounts payable information and left them overnight in his car. A thief got details on every payout ever made to people who had sued the company.

Lost keychain with a flash drive. Flash drives are great portable devices, but they don't belong on key rings. The data on that drive is probably more valuable than your Honda.

Private patient records spill from a shredding truck. A shredding truck containing an organization's patients' records overturned while driving on a street. Paper records spilled out and flew all over town. – Christine Arevalo, director of healthcare identity management, ID Experts