The best (or worst) security breaches of 2010
This obviously raises security concerns. If I can transfer money out of my bank account with just a name and password, so can you. That isn't to say that online security is worse than offline, however. SSL-encrypted communications are infinitely more secure than banking over the phone, or speaking in hushed tones in a brick-and-mortar bank. Passwords are a lot more secure than merely providing a 4-digit PIN or a mother's maiden name, too.
The actual problem is databases, or centralized repositories of information. It's no good having a password to your account if a nefarious type hacks a bank and takes all of the accounts. Likewise, putting your bag in a locker doesn't help if someone lifts the entire block of lockers into a truck and drives off.
2010 was a bad year for digital security breaches, and it won't get better until every organization and institution hires a security specialist and puts proper safeguards in place. This post, then, is dedicated to the organizations and institutions that left the barn door open in 2010 -- shame on you!
Gawker Media
How it was done: Most likely via spear phishing, but outdated Linux kernels and weak password ciphers actually made the attack possible.
While not the largest security breach of 2010, the Gawker hack was certainly the highest profile (amongst the tech industry, anyway!). Over 1.5 million user names, email addresses and passwords were leaked, and anyone with a BitTorrent client could download them.
Gawker Media's database was compromised by a group of hackers called Gnosis. As is always the case, they claimed it was an easy hack, and that if they hadn't done it, someone else would've. It's also noteworthy that Gnosis simply put the list of names and passwords into the public domain -- they could have done a whole lot worse! Keeping the hack quiet and passing the list off to a Spam King would've had devastating results.
One less-reported feature of the breach was that Gawker Media's content management system (CMS) was also zipped up and published for all to see. Gawker will now have to rewrite its entire system if it wants to be secure from further attacks from opportunist hackers.
Kaspersky
How it was done: A vulnerability in a third-party website admin tool was exploited.
In terms of pure, unadulterated, good ol' fashioned irony, nothing comes close to the Kaspersky hack. Kaspersky, if you weren't aware, is a computer security company that sells antivirus, Internet security and mobile security suites. In this case, hackers worked their way into the Kaspersky USA website -- once there, they changed some Web pages so that visitors downloaded fake, malicious antivirus software, rather than the real thing.
The worst thing is, this was the third successful attack in just two years! The first two hacks, fortunately, were just flat-out defacement of websites -- but one has to wonder, can you really trust a security firm that can't lock up a few simple Web servers?
No one knows just how many people were infected, and there are scant details of what the fake antivirus software actually did to those that installed it. Kaspersky didn't even offer a free copy of the real antivirus software to the unfortunate victims; sheesh!
The Pirate Bay
How it was done: A few simple SQL injections in The Pirate Bay blog software.
Back in July, a trio of Argentinian 'researchers' hacked into The Pirate Bay's database and stole the details of more than four million users. No reason was given for the hack, except for one rather odd phrase from ringleader Ch Russo: "The community caused problems to huge companies and corporations." The chances of a clandestine group in Argentina supporting the RIAA and MPAA are tiny.
The good news is, The Pirate Bay took suitable precautions and encrypted the email addresses and passwords of its members, so the list is virtually worthless.
iTunes and the App Store
Impact: Medium
How it was done: A clever developer somehow managed to exploit iTunes user accounts and make e-book and app purchases using their saved credit card details.
This security breach kind of never happened. While The Next Web were certain that this was a hack of epic proportions, Apple assured us that only 400 user accounts were compromised. The truth is, only Apple really knows what happened, and beyond assuring us that its servers were never breached, it has remained mute.
The hack, if it can be called that, was first performed by rogue developer Thuat Nguyen. He used hundreds of compromised accounts to purchase his own apps, thus propelling them into the Top 50. It's not known how Nguyen compromised the accounts, though; it might simply have been a matter of brute forcing simple passwords, but who knows. A bunch of 'app farms' using the same process soon sprang up, and Apple just as quickly shut them down.
Because of the hack, iTunes and the App Store now make use of the CVV digits on the back of your credit card, making it all but impossible for rogue developers to purchase apps in your name.
Google and other Silicon Valley companies
How it was done: An incredibly complex attack that used spear phishing and Advanced Persistent Threats. Internet Explorer 6, believe it or not, may have been the initial entry point.
2010 started off with a devastating, humbling bang: the golden boy of technology, Google, had been hacked! A ton of other Silicon Valley companies were also hacked, including Yahoo, Adobe and Symantec, but who cares about them? Google got hacked!
What's interesting is that while over 30 companies were breached, Google was the only company that actually made a public statement about it. In the report, Google said that the primary target had been the Gmail accounts of Chinese human rights activists, but it quickly became apparent that there was a whole lot more to it.
More importantly, Google implicated China in the attacks -- and not just a Chinese citizen, but the government. The U.S. government even leaped in to support Google, and for a few weeks it looked like something serious might kick off. Fortunately, neither Obama nor Jintao pushed their big red button.
At the time, the Chinese government denied any involvement in the hack, but it turned out it was lying: a cable released as part of the WikiLeaks 'Cablegate' showed clear signs that the hack was spearheaded by the Chinese government.
Every security breach has repercussions, but this one teaches companies and security agencies all around the world an important lesson: it isn't just lone bands of hackers stealing data, but entire countries are at it too. It's worth noting that the hack on Google and other Silicon Valley companies was definitely not the first attack of its kind, either; it was simply the first to be discovered, and the first to be publicly reported. If the first great cyber war hasn't already begun, it certainly will soon.