From Stuxnet to Snoop: The infosec year in lists

SC Magazine US has compiled lists of the top US breaches, threats, acquisitions, law enforcement activity and bizarre incidents that dotted the IT security landscape this year.

Top five notable breaches (records exposed)

1. AvMed Health Plans: 1.2 million
2. Lincoln National Financial Securities: 1.2 million
3. BlueCross BlueShield of Tennessee: 1 million
4. South Shore Hospital: 800,000
5. AT&T (iPad exposure): 114,000

Top 10 notable vulnerabilities

• Stuxnet vulnerabilities Four Microsoft Windows zero-day flaws were used in the dangerous Stuxnet attack.
• "Operation Aurora" flaw A vulnerability in Microsoft's Internet Explorer allowed attackers to spread data-stealing espionage trojans to Google, Adobe, and dozens of other organisations.
• Cross-site scripting flaw on Twitter Allowed an infectious worm to spread through the social networking site, affecting an estimated 500,000 users.
• Windows Help and Support Center vulnerability Was disclosed in a controversial fashion, then widely exploited.
• Adobe PDF Reader "Launch" flaw Was exploited to spread the data-stealing trojan Zeus.
• VxWorks flaws Two critical vulnerabilities affecting this widespread embedded operating system are expected to live on indefinitely.
• AutoComplete flaw Affected several popular web browsers, including Apple's Safari and Microsoft's Internet Explorer.
• Zero-day Firefox flaw Used in late October to distribute malware on the Nobel Peace Prize website.
• iPhone, iPad "jailbreak" flaw Came to light after a group called the Dev-Team released a hack on the website JailbreakMe.com that allowed users to jailbreak their iPhone, iPad and iPod Touch devices
• ATM flaws At the Black Hat conference in Las Vegas researcher Barnaby Jack used design and authentication flaws to force ATMs to spit out cash.

Top court battles

• Albert Gonzalez received 20 years in prison for hacking into the payment card networks of retail chains to steal 130 million credit and debit card numbers. Three Gonzalez co-conspirators were also sentenced in March for providing Gonzalez with a zero-day exploit, laundering money and other charges.
• Katina Candrick was sentenced to 15 years in prison for orchestrating a scheme to steal the personal information of patients while she was employed by Texas-based medical billing contractor MedAssets.
• "Iceman" aka Max Ray Butler received 13 years in prison for his use of wireless hijacking tactics to break into the databases of financial institutions and credit card processing centers.
• Huping Zhou spent four months in prison for illegally snooping into patient records at UCLA Health System while employed by the company.
• Terry Childs was sentenced to four years in prison for disrupting computer service to the San Francisco's FiberWAN network system. The disgruntled network administrator refused to reveal his exclusive credentials.
• Kryogeniks Gang Various sentences for taking down Comcast's home page for several hours in 2008.
• David Kernell The 22-year-old former University of Tennessee-Knoxville student was found guilty of breaking into the Yahoo! email account of Sarah Palin as she campaigned for vice president in 2008. Sentencing is pending.

Top research discoveries

• Firesheep A plug-in for the Firefox web browser, created by Eric Butler, that lets anyone scan open Wi-Fi networks and hijack Twitter and Facebook accounts
• Shadow Network A sophisticated cyberespionage network stole classified documents from a number of computer systems belonging to government agencies, businesses and other organisations.
• Russian botnet Cybercrooks in Russia installed Zeus and Gozi trojans onto victims' machines, enabling them to access check image archiving services and to crack into job websites to deliver messages to unsuspecting individuals, who were recruited as money mules.
• SCADA system vulnerabilities Red Tiger Security researchers discovered 38,753 vulnerabilities at 120 critical infrastructure facilities, making them ripe for exploitation.

Weirdest news items

• Hack-izzle Symantec teamed up with, believe it or not, rapper Snoop Dogg to launch the "Hack is Wack" contest, challenging contestants to make a video raising cybercrime awareness. Fo' shizzle.
• USB miracle A Swedish professor figured his laptop was long gone after a thief stole it from his apartment stairwell. But a week later, he returned home to find that the culprit had left him a USB stick containing all of the computer's content. Might've been easier just to return the laptop.
• Shaq, the hacker? NBA star Shaquille O'Neal was accused in a lawsuit of infiltrating the voicemail of a former employer. The suit also contends that the 7-foot-1-inch center tossed a PC into a lake to hide the evidence. No word if he dunked it.
• McAfee flawed update Typically, administrators are encouraged to deploy new anti-virus updates. But in one case this year, McAfee delivered an update that caused uncontrollable restarts on millions of machines. Did someone say coffee break?
• Airline malware A trojan didn't actually cause the 2008 crash of a Spainair flight, but it may have prevented the plane's pilots from detecting what ultimately did before it was too late. Don't worry, though, flying is still safer than driving.
• CISO dumped In an industry that relies on transparency and information to keep organisations safe, the state of Pennsylvania fired its CISO for discussing a breach at the RSA conference. Bob Maley now gets paid to talk - he runs a consultancy.

Top five in social networks

• Simplified privacy Bowing to the continued outcry from its massive member base, Facebook streamlined the settings available to users to control the data they share.
• Worm attack A 17-year-old from Australia exploited a vulnerability to launch a massive Twitter worm that affected hundreds of thousands of accounts.
• Agency agreement Twitter settled with the FTC over charges that lax security allowed users' accounts to be compromised to deliver bogus tweets.
• Zeus meets LinkedIn A massive spam campaign targeted users of LinkedIn by trying to trick them into installing the bank credential-stealing Zeus trojan.
• Buzzed Google paid $US8.5 million into an education fund to settle charges that its Buzz service violated users' privacy.

Biggest threats

• Stuxnet SCADA systems reported being hit by the AutoRun-spreading worm, but only two sites - both in Iran - reported damage.
• Aurora Google, in a much-heralded act of transparency, disclosed that its corporate systems were infiltrated by savvy cyberspies believed to be operating out of China. Some 30 other high-profile companies were also targets.
• Zeus The repulsive malware extended its masterful ambush on mostly small and midsize businesses to steal banking credentials and dump out hundreds of thousands of dollars from legitimate accounts into those belonging to so-called money mules.
• Here you have In a year dominated by threat sophistication, a rapidly spreading email worm, traced back to a cyber-jihad group, did little damage, but clogged inboxes at corporations across the country.
• Iranian Cyber Army The hacker group responsible for defacement attacks against Twitter and Baidu appears to be adjusting its modus operandi to amass a mighty botnet. Researchers have traced exploits discovered on legitimate websites back to the gang.

Top five cybercrime busts

• A federal judge in Illinois shut down a fraudulent debit and credit card operation that went undetected for years. The unidentified defendants, who usually made charges between 20 cents and $US10 and targeted each card only once, racked up more than $US10 million in fake charges.
• Law enforcement officials in three countries cracked down on organised cybercrime operations that used the Zeus trojan to steal millions of dollars from US and British bank accounts. Within a week, police in the US, Britain and Ukraine arrested 94 money mules and orchestrators of a cybercrime ring responsible for stealing $US70 million with the data-stealing malware.
• Romanian police, in partnership with the US, arrested 70 people from three different organised cybercrime groups charged with hijacking eBay accounts and setting up fake auctions. Since 2006, the groups stole more than $US1 million from more than 800 victims across Europe, New Zealand, the US and Canada.
• Police in 12 countries including Australia arrested 178 members of an international credit card fraud ring that used stolen bank card numbers to create counterfeit cards and make ATM withdrawals and retail purchases. The bust was the result of a two-year investigation and 84 raids across Europe, Australia and the US.
• Federal authorities broke up a computer-savvy gang that stole the identities of the deceased to obtain refunds from their income tax returns. The group, led by hacker Daniel David Ringmaiden, filed 1900 fraudulent tax returns of $US4 million.

Top acquisitions

• Apax Partners bought a majority interest of Sophos for $US830 million.
• ASSA ABLOY, parent of HID Global, bought ActivIdentity.
• CA Technologies bought Arcot for $US200 million.
• EMC bought Archer Technologies.
• GFI Software bought Sun Belt Software.
• Hewlett-Packard bought Fortify Software and ArcSight.
• IBM bought BigFix, reportedly for $US400 million.
• Intel acquired McAfee for $US7.68 billion, one of the largest information security purchases of all time.
• Juniper Networks bought SMobile for $US70 million.
• St. Bernard Software bought Red Condor.
• Symantec acquired PGP (for $US300 million), GuardianEdge (for $US70 million), and the identity and authentication business of VeriSign (for $US1.28 billion).