Worst security snafus of 2012, part 2

2012 opened with hacks and data breaches, and the second half of the year saw Symantec's antivirus update mess and attacks from Anonymous

The first half of 2012 was pretty bad -- from the embarrassing hack of a conversation between the FBI and Scotland Yard to a plethora of data breaches -- and the second half wasn't much better, with events including Symantec's antivirus update mess and periodic attacks from hacktivists at Anonymous. For a complete look at security snafus from the first half of the year, go here. Read on for a look at the rest of the year.


• Symantec inadvertently crippled a large number of Windows XP machines when it shipped customers a defective update to its antivirus software. The security firm acknowledged the problem that impacted users of its Endpoint Protection software.

• Dropbox disclosed that one of its employees' accounts was compromised, leading to a raft of spam that irritated users of the cloud-storage service. "We're sorry about this, and have put additional controls in place to help make sure it doesn't happen again," Dropbox engineer Aditya Agarwal said in a statement, adding that a hacker stole a password. The company also found that usernames and passwords had been stolen from other websites and were used to access a "small number of Dropbox accounts."

• A widespread spam attack linked to malware hit Twitter, with malicious tweets reading "It's you on photo?" and the like, and many of the links having a .ru domain, according to security firm Sophos. A Twitter spokesperson acknowledged the problem and said it was seeking to resolve it.

• Gamigo, the German gaming service, suffered a password breach in which more than 8 million online credentials of its users were dumped online.

• Engineering and math software firm Maplesoft reported its administrative database was breached, apparently due to the Zeus Trojan.

• Nvidia suspended its software developer forum after attackers compromised an unknown number of login passwords used by its 400,000-strong user community, though Nvidia insisted it was only a "small proportion."

• Yahoo confirmed that about 450,000 unencrypted passwords and user names were stolen from its Contributor Network, taken by a group calling itself D33Ds Company. This followed the 5.8 million encrypted passwords taken from LinkedIn the previous month, as well as 1.5 million password hashes from dating site eHarmony.

• Internet user Bryce Kingsley Quilley, 29, of Tailem Bend, Australia, pled guilty to hacking the servers of an ISP there and, on the same day, threatening to burn down its offices and threatening the owner with an ax.

• After there were complaints in Skype's users forum, Skype, a division of Microsoft, acknowledged a glitch in its software resulted in instant messages of users being shared with unintended parties.

• Knight Capital Group said electronic-trading glitches in its system caused wild price swings in dozens of stocks and would likely result in a $440 million loss to the brokerage firm, one of the biggest players in the U.S. stock market. The New York Stock Exchange canceled trades in six stocks that experienced the most pronounced price swings of more than 30 percent of their opening price one morning.

• The official social media accounts of several Major League Baseball teams were compromised, leading to some embarrassing messages appearing on their Facebook and Twitter accounts. A fraudulent post on the Facebook page for the New York Yankees, for instance, said the club's star Derek Jeter would miss the rest of the season due to "sexual reassignment surgery." The Twitter feeds of Chicago Cubs, White Sox, Miami Marlins, Washington Nationals, San Francisco Giants and San Diego Padres all posted similarly inappropriate messages.

• The news service Reuters was hacked and a phony interview with Riad al-Assad of the Free Syrian Army was posted, containing made-up information that his forces had pulled back from the northern provinces of Aleppo after battling the Syrian Army. Reuters confirmed the hack but did not indicate the source, though the Free Syrian Army blamed its adversary, the government of President Bashar al-Assad.

• A destructive computer virus intended to delete files struck internal network services at oil producer Saudi Aramco, affecting about 30,000 workstations, forcing a temporary system shutdown. A Qatari producer, Ras Laffan Liquefied Natural Gas Company, said a virus forced a shutdown of its computer system during the month as well.

• Hacktivist group Anonymous disrupted several British government sites in protest against the handling of WikiLeaks' founder Julian Assange, because Britain indicated Assange would be arrested and deported if he emerged from the Ecuadorean Embassy in London, which granted him asylum following Swedish efforts to extradite him for questioning over rape allegations. Also in August, the WikiLeaks site itself was flooded with a DDoS attack, making it temporarily unavailable for about a week, with a group called AntiLeaks taking credit for the attack.

• Some AT&T customers were affected by a failure in the carrier's Domain Name System (DNS) servers, and AT&T later ascribed the problem to a distributed denial-of-service attack that required mitigation.

• Microsoft decided to temporarily stop publishing new apps for Windows Phone on Marketplace due to an issue associated with digital certificates used to sign apps that prevented some phones from installing some apps for a few days.

• A 60-year-old civilian employee for NATO at the Ramstein Air Force Base in Germany, whose name was only given as "Manfred K.," was arrested on suspicion of espionage after he downloaded classified data to his personal computer and copied it. Prosecutors in Germany said they believed he stole "state secrets" intended to be passed to Russia's Federal Security Service for $10 million.

• Blizzard Entertainment, maker of the popular multiplayer online games such as World of Warcraft, Diablo and Starcraft, warned that its internal network had been breached, revealing scrambled passwords and email addresses. Blizzard apologized for the data breach.

• Google agreed to pay a $22.5 million fine to settle U.S. government charges that it violated privacy laws when it tracked users of Apple's Safari browser through cookies. In its legal complaint, the Federal Trade Commission (FTC) said Google falsely told Safari users that it wouldn't place tracking cookies on their devices or serve them targeted ads. But instead, Google actively circumvented Safari's cookie-blocking settings in order to track the users, the FTC said.

• Wired journalist Mat Honan suffered a round of torment by hackers after they compromised and took over his iCloud account at Apple. The hackers had simply called Apple and bluffed their way into getting Honan's iCloud account, and Apple admitted "internal policies were not followed completely," promising changes to prevent this from happening again.

• A former head of fraud and security for digital banking at Lloyds bank, Jessica Harper, admitted to committing what amounts to millions of dollars in fraud by filing false invoices to claim payments for more than three years.

• Chinese search engine Baidu fired four employees, three of whom were under arrest, for allegedly accepting bribes to delete content on its popular online forum. The content deletion occurred on the company's online forum, Baidu Tieba, and it has become a common practice in China to pay individuals to delete controversial or negative posts.

• Websites of broadcaster Al Jazeera were knocked offline as its Domain Name Servers were attacked. A group called Al-Rashedon claimed responsibility, displaying a Syrian flag and large red stamp reading "Hack."

• After police in Cambodia arrested one of the founders of The Pirate Bay file-sharing website, Gottfrid Svartholm Warg, a group calling itself NullCrew began hacking into Cambodian government and commercial websites there.

• Antimalware firm Sophos was forced to apologize to customers after a faulty antivirus software update caused false positives for certain malware, resulting in disruptions that lasted for more than a week for some customers. Sophos CEO Kris Hagerman apologized.

• A Romanian researcher discovered a data breach in an FTP server owned by the Institute of Electrical Engineers that exposed the user names and passwords of almost 100,000 members. The IEEE organization apologized, and said it fixed the problem.

• Hackers with the Antisec group leaked a million ID numbers from Apple Inc. devices, numbers they claimed to have taken from the computer of an agent with the FBI. The leaked data included the ID numbers, the device name, and a code that allows developers to push information to the devices.

• The Federal Trade Commission brought down its punitive regulatory hammer on seven rent-to-own companies on charges they used spyware on computers they rented to customers. The FTC singled out software vendor DesignerWare LLC because software it supplied for rented computers secretly monitored renters' online activities, including user names and passwords for social-networking sites and financial institutions, medical records and photos of family members, sending the information to an email account designated by each store. The proposed FTC settlement with DesignerWare and the computer rental companies bars use of the monitoring software and prohibits use of geolocation tracking without consumer notice and consent. However, DesignerWare owner Timothy Kelly said the FTC has "grossly misunderstood" the purpose of the software, PC Rental Agent, which he said is intended to track down stolen computers.

• GoDaddy, which suffered a service outage that made many customers' websites inaccessible, said the outage was not the result of an external hacker, negating claims by a supposed Anonymous affiliate who had claimed responsibility.

• Dallas law enforcement authorities arrested self-professed Anonymous spokesman Barrett Brown in what appeared to have been a dramatic raid of his apartment while Brown was in the midst of a live online video chat session. The Dallas County Sheriff's Office confirmed the arrest and Brown was transferred to an FBI facility.

• A small New York-based company named Bitfloor, which specializes in exchanging Bitcoins, was forced offline after hackers stole about $250,000 worth of the virtual currency. Though it later returned online, Bitfloor's founder Roman Shtylman called the hack "devastating," saying the cost well exceeded revenues he made since launching Bitfloor in October 2011. He laid blame on himself, saying he had left the private keys needed to unlock and transfer Bitcoins on an unencrypted disk.

• Unknown attackers compromised a download mirror server for the SourceForge software repository, rigging the installer package for phpMyAdmin, a popular admin tool, with a backdoor. SourceForge is a Web-based collaborative software development and repository system that hosts more than 324,000 software development projects and serves 46 million users. The affected SourceForge mirror server was based in Korea and was compromised around Sept. 22, said the SourceForge team, which advised users to check for the phpMyAdmin software and upload a fresh copy.

• Facebook agreed to delete all facial recognition data it had collected from European users and switch off the feature by Oct. 15 after hearing complaints about it raised by privacy regulators in Ireland and Germany, who contend that storing facial data violates European data-privacy laws.

• The Federal Trade Commission said in a report chastising Facebook that for close to a year, Facebook operated a for-profit application security testing service that was little more than a sham, taking money from application developers with false promises to vet their creations for security holes. Instead, the FTC concluded that Facebook banked the money and put a "Facebook Verified App" logo next to the application, without bothering to do any additional auditing of the submitted application. Facebook said it wouldn't comment on the FTC report.

• Hackers grabbed 300,000 records from Northwest Florida State College computer systems, including names, Social Security numbers and bank routing numbers of students, teachers, staff and retirees, the school disclosed, saying the data breach apparently occurred between May and September, resulting in the identity theft of at least 50 employees.

• In a dubious stunt to promote his anti-DDoS kit, 28-year-old Tse Man-lai, owner of Pacswitch Globe Telecom, had launched cyberattacks against Hong Kong Exchanges and Clearing news sites, but in October a Chinese court sentenced him to nine months in jail.

• Adobe said it was investigating how user names, email addresses and encrypted passwords were stolen from a company database after an Egyptian hacker called "Virus_HimA" posted 230 of them on Pastebin.

• South Carolina disclosed a massive data breach in which about 3.6 million Social Security numbers and 387,000 credit and debit card numbers belonging to taxpayers were exposed after a server at the state's Department of Revenue was breached by what was thought to be an international hacker, according to state officials.
