2011 Year in Review: Seven Prime Hacks and Why They are Significant
There was never a dull moment in 2011. Security was front-page news in major mainstream publications. Commercial hackers were running rampant, compromising millions of Web sites while spam bots were taken offline. Cyber-espionage moved from a government-only term to a growing concern among corporations, and certain countries felt the outstretched hands of Big Brother reach the cyber-world. With all these hacks, is it even possible to choose the seven prime hacks of 2011? It’s not an easy task, but let’s take a crack at it.
Hack #1: Sony PlayStation Breach
In the spring of 2011, Sony announced a breach affecting more than 70 million PlayStation users. “Only” twelve million of the compromised credit cards were not encrypted. This breach highlighted the lack of attention to security, a fact underscored in the months that followed when Sony was hacked again and again. And again.
Why is this hack significant? This massive breach serves as an example of why security is a business problem and not just a set of controls. Note Sony’s steep drop in stock value the day following the breach announcement. To be fair, that drop was influenced by a number of factors such as the market, the earthquakes, and so on. However, the stock took a short-term hit due to this breach, showing us that data governance is just as important as financial reporting, or a 3x decline in brand value.
Hack #2: RSA SecurID compromise
In April 2011 EMC’s RSA security division released details of an attack against their systems. Malware installed on employee computers had compromised data relating to their SecurID tokens. RSA declared this particular attack an Advanced Persistent Threat (APT), which instigated the still-ongoing debate on the meaning of APT. Was this attack a relentless, targeted operation aimed at undermining the security foundation of thousands of companies? Or was it simply a symptom of human behavior and the result of a massive spear phishing campaign targeted across different companies? Regardless, APT became the new threat on everyone’s radar. In fact, a recent survey by ESG indicated that, due to fears of an APT attack, 32% of respondents are increasing security spending by 6%-10%.
Why is this hack significant? RSA was targeted by client-side malware, which was not detected by antivirus products. With the increasing volume of malware and the continuing evolution of evasion capabilities, traditional controls just don’t seem to work anymore. Organizations are realizing that alternative solutions tightly coupled at the data source are required to fight data-targeting malware.
Hack #3: LulzSec’s 50 day hacking spree
LulzSec, a group of hackers claiming to hack for fun, went on a hacking spree between May and June 2011. Their targets were diverse – from Fox.com to Sony to government institutions such as Arizona’s Department of Public Safety.
Why is this hack significant? It signified how hacktivism has gone corporate. As opposed to commercial hackers who are intent on stealing information and selling it on the e-market, we witnessed hackers targeting corporations in accordance with their political agenda. The data that they stole was not used for their own financial gains. It was to embarrass companies, hurt corporate reputation or simply, for the “lulz” of the hack.
Hack #4: News of the World phone hacking
In July 2011 headline reports featured phone hacking as a common practice at News of the World – an event which eventually led to the collapse of the paper. Reporters at the media outlet admitted to hacking into the voicemails of numerous people, including murder victims. This type of hack did not require any technical skills – the reporters simply dialed in to the voicemail of the victims. This is usually possible to carry out by calling the cell phone of interest and typing a combination that takes the caller into “voicemail mode.” Often these systems request the user to type a PIN, but these values typically remain the default. The hacking scandal may have even spread to government secrets.
Why is this hack significant? This hack showed just how tightly privacy and security go hand in hand. We live in a world where privacy boundaries are blurred. Our habit of checking publicly posted information, such as that placed on Facebook and Google, has extended to checking presumably private repositories in the course of doing business.
Hack #5: Government websites up for sale
At the beginning of 2011, a hacker website purported to sell control of different education, military and government websites world-wide. We tend to see a hacker as one with an avid lust for computers, a techie geek with various scripting skills and knowledge of computer systems. But as this case showed, a hacker can also be an individual who spends $499 to gain full administrative rights to CECOM.
Why is this hack significant? Brian Krebs summed it up nicely: “Amid all of the media and public fascination with threats like Stuxnet and weighty terms such as ‘cyberwar,’ it’s easy to overlook the more humdrum and persistent security threats, such as Web site vulnerabilities. But none of these distractions should excuse U.S. military leaders from making sure their Web sites aren’t trivially hackable by script kiddies.” In other words, with all the advanced threats it’s easy to overlook something as simple as Web site vulnerabilities. Yet there is no excuse for our government to ignore these issues and exempt them from its cyber-security strategy.
Hack #6: Yale University inadvertently exposes student details
In August 2011 Yale University announced that sensitive information belonging to Yale-affiliated individuals had leaked to the Web. Yale claimed that the information resided on an FTP server restricted from the outside world. However, Google updated its indexing capabilities to include FTP servers, and consequently the files were exposed.
Why is this breach significant? Google is a game changer in the field of security, and this incident is indicative of its power. To be certain, Google will pick up any Internet-facing information, including sensitive data appearing on an improperly configured server. Meanwhile, hackers are all too eager to leverage the capabilities of search engines to dig out sensitive data lurking on servers. Google is not in a position to notify its customers directly every time it performs an update and ask them to react accordingly. Rather than assuming default search engine behavior, companies need to proactively ensure that their sensitive data is kept internal.
Hack #7: Facebook “self-XSS” malware
Why is this breach significant? Once again, this incident proves that the human is the weakest link. A hacker does not necessarily need to use the most advanced techniques to hide malware and infect users. All that is needed is a convincing message and a viral platform. The rest is up to the victims.
Facebook claimed quite a few hacks and breaches in the past year, most recently the exposure of Zuckerberg’s private photos. Although Facebook was originally created as a consumer platform, we are increasingly seeing more and more organizations leveraging this platform to conduct business. In the next column I’ll discuss the security concerns of organizations entering this social scene.