Think Information. Think Security.

The year started off with the FBI raiding the cloud file-sharing and storage Megaupload site, based in Hong Kong and founded by 38-year-old New Zealand resident Kim Dotcom, on content piracy charges to the tune of $175 million. And that action, supported by the U.S industries which hailed it as bringing down a big fish that was devouring their intellectual property, has triggered a year's worth of lawsuits and retributions from all even remotely involved. It turned confrontational when outraged users of Megaupload were invited by hactivist group Anonymous to attack law enforcement and industry websites supporting the raid by downloading do-it-yourself denial-of-service software such as Slowloris.

But by March it was apparent some of this DoS advice came from hackers who were merely tricking users into downloading Trojan software, such as Zeus, from infected links. Another twist: A New Zealand judge in March ruled an order granted to law enforcement allowing them to seize luxury cars and other personal effects of Dotcom is invalid mainly because the local police commissioner applied for the wrong type of seizure order that was requested by the U.S. 

Other January Snafus:

" Online retailer Zappos disclosed hackers had likely broken into its network and stolen information on customers, including name, address, billing and shipping address, phone number and the last four digits of credit-card numbers and cryptographically scrambled passwords stored in hash form. Zappos informed customers all passwords were expired and customers should create a new one.

" Researchers from Seculert discovered what they say is a botnet command-and-control serverholding 45,000 login credentials Facebook users exploited by a pervasive worm, Ramnit, infectingWindows and designed to infect computers and steal social networking usernames and passwords.

Right in the midst of a conference call the FBI was having with its agents and law-enforcement officials overseas at Scotland Yard, cybercriminals hacked their way into the phone conversation, recorded it and posted it online. The conversation was about hackers facing charges in the U.K. The group Anonymous took credit for the intercepted call. The FBI said it appeared likely the cybercriminals may have hacked into a law-enforcement official's email to get the information for the conference call dial-in.

Other February Snafus:

" Taiwan-based Apple supplier Foxconn was hacked by a hacker group calling itself Swagg Security, apparently in protest related to media reports about poor working conditions at the electronics manufacturer's factories in China. The hackers posted usernames and passwords that they said would allow attackers to place fraudulent orders under other companies' names, including Microsoft, Apple, IBM, Intel and Dell.

" The FBI arrested a computer programmer Bryan Zhang, a contract employee at FRBNY in New York for stealing proprietary software code from the Federal Reserve Bank of New York (FRBNY). The software is known as the Government-Wide Accounting and Reporting Program (GWA), which handles all kinds of U.S. government financial transactions, and it cost over $9 million to develop. 

At least 228,000 Social Security numbers were exposed in a March 30 breach involving a Medicaid server at the Utah Department of Health, according to officials from the Utah Department of Technology Services and Utah Department of Health, which theorized that attacks from Eastern Europe bypassed security controls because of configuration errors. In May, Utah CIO Steven Fletcher resigned because of it.

Other March snafus:

" Hackers in the LulzSec group associated with the broader Anonymous movement found the tables turned when they were arrested by the FBI and European law-enforcement agencies -- and it was LulzSec leader Hector Xavier Monsegur, alias "Sabu," who turned in his friends as part of a deal to work as a stooge for the FBI after being arrested in New York City last year

" By the end of March, LulzSec claimed to be "reborn" and took credit for hacking a dating website for military personnel,, leaking more than 160,000 account details from its database

The Federal Communication Commission fined Google $25,000, asserting the search-engine giant impeded an investigation into how Google collected data while taking photos for its Street View mapping feature. The FCC maintained in a report that Google "deliberately impeded and delayed" the investigation for months by not responding to requests for information and documents. But the FCC also said it won't take action against Google over its data collection because it still has questions it wants answered. The FCC had subpoenaed an unnamed Google engineer -- now known to be Marius Milner -- but he had apparently declined to testify, invoking his Fifth Amendment rights against incriminating himself.

Other April snafus:

" Hactivist group Anonymous brought down the websites of trade groups U.S. Telecom Association and TechAmerica, apparently for their support of the cybersecurity bill proposed by Rep. Mike Rogers that would allow the private companies and the government to share any information "directly pertaining to a vulnerability of, or threat to" a computer network. Privacy advocates, including the ACLU and Center for Democracy and technology, contend the bills shreds privacy protections.

" Anonymous claimed it hacked a U.S. Department of Justice website server tied to the U.S. Bureau of Justice Statistics and claimed to release 1.7GB of stolen data from it, with the statement. The data was offered on The Pirate Bay.

" Yahoo accidentally leaked the private key that was used to digitally sign its new Axis extension for Google Chrome. Axis is a new search and browsing tool from Yahoo. Security blogger Nik Cubrilovic discovered the package included the private crypto key used by Yahoo to sign the extension, noting it offered a malicious attacker the ability "to create a forged extension that Chrome will authenticate as being from Yahoo." Yahoo was forced to release a new version of its Axis extension for Google Chrome after that.

The University of Nebraska in Lincoln acknowledged a data breach that exposed information of more than 654,000 files of personal information on students and employees, plus parents and university alumni. The information was stolen from the Nebraska Student Information Systems database; a student is the suspected culprit.

Other June snafus:

" About 6.5 million cryptographic hashes of LinkedIn user passwords were stolen and posted online, a breach LinkedIn acknowledged though it didn't discuss specific numbers, which may be much less due to duplicates. LinkedIn invalidated the passwords of impacted users and the company said emails will be sent to users whose passwords were compromised, though it warned about updating passwords via links sent in email.

" The New York Times article asserting that the cyber-weapon Stuxnet is a creation of the U.S. with Israel, and was launched in a covert action authorized directly by President Barack Obama against an Iranian facility suspected of developing a nuclear weapon, has stirred up a firestorm of controversy in Washington about leaked information. Now that another cyber-weapon for espionage, Flame, has been discovered and linked directly with Stuxnet, there's more concern, with the United Nations division International Telecommunication Union warning countries that Flame is dangerous, and some saying the U.S. is losing the moral high ground as its secret cyberwar efforts become known.

Cross-posted from: PC World

Leave a Reply.