How bad was 2007 for breaches, vulnerabilities and similar mayhem? On the bright side, it was better than 2008 is forecast to be. With more of every sort of meltdown predicted — more criminalization of the hacker community, more Web-application attacks, more phishing, more spamming, more zero-day attacks and more virtualization-related threats — we’re happy to tell you that you are likely to look back on 2007 as the peaceful old days. What, that doesn’t cheer you up? Hmm. All right, then — wallow in previous misery with a quick look back at some of the notable security events of 2007. Just remember: It’s all in the past now … it’s all in the past now…
A brace of breaches: 2007’s five worst
In a league of its own: The TJX Companies Inc. The 2006 data breach news landscape was dominated by the compromise at the Department of Veterans Affairs, but this year commercial interests took the (booby) prize — in particular, Framingham, Mass.-based retailer TJX. The breach it disclosed in January (several months after the fact) was the biggest ever involving payment card data.
TJX itself claimed that over 45.6 million cards belonging to customers were compromised in an intrusion that went undetected for over 18 months; however, several banks suing the company claim the actual number is 94 million cards, a vast majority of them issued by Visa. The breach prompted numerous lawsuits and calls for stronger data protection laws — and, unfortunately, engendered a spate of fraudulent card use.
Despite its scope, some believed that analyst firm Forrester Research Inc. was overestimating when it predicted early in the saga that the breach could end up costing TJX $1 billion over the next few years. But nearly 11 months after the breach was disclosed, that number no longer seems so outlandish: By TJX’s own estimates, the company has already spent or set aside close to $250 million for costs stemming from the incident.
The U.K.’s VA: HMRC misplaces records on 25 million kids In November, the U.K.’s HM Revenue & Customs managed to achieve VA-level snafu status when it disclosed that it lost computer disks containing personal information on 25 million juvenile benefit claimants. The disks, which were not encrypted, disappeared in transit to the country’s National Audit Office and included bank details and national ID numbers. Analyst firm Gartner Inc. predicted the processes of closing accounts and establishing new ones to protect against potential fraud resulting from the breach could end up costing British banks in the region of $500 million.
The system was broken brokered: Fidelity National Information Services Personal information on over 8.5 million individuals was compromised when a senior database administrator working at Certegy Check Services Inc., a subsidiary of Fidelity National, illegally downloaded the data and sold it to brokers. Fidelity National, which is separate from the better known Fidelity Investments, initially said that only 2.5 million records had been compromised when it first disclosed the breach in July. A few weeks later, it quietly upped the number to 8.5 million in filings with the U.S. Securities and Exchange Commission. According to the company, the stolen data appears to have been resold primarily for direct marketing purposes and not for ID theft or other sorts of fraud.
Some honor among thieves: TD Ameritrade Holding Corp. Brokerage firm Ameritrade disclosed in September that someone had broken into one of its systems and stolen contact information such as names, addresses and phone numbers belonging to its more than 6.2 million retail and institutional customers. However, Social Security numbers and account numbers that were also stored in the same database appeared, according to the company, to have been left untouched. The stolen data was apparently used for the purposes of sending stock-related spam.
Creatures from the hack lagoon: Monster.com Names, e-mail addresses, mailing addresses, phone numbers and resume IDs belonging to an estimated 1.6 million job seekers were accessed from Monster.com’s resume database in August. Though widely described as a hack, what actually happened was that the information was accessed by attackers using legitimate user names and passwords, which were most likely stolen from professional recruiters and human resources personnel using Monster.com to look for job candidates. No Social Security numbers or financial data were compromised in the breach. Ummm … oops?
Do you copy?: DHS’s self-created DDoS attack Thousands of security professionals subscribing to a daily news roundup e-mailed by the Department of Homeland Security found their in-boxes clogged with mail from each other, thanks to an apparent technical oversight on the part of an e-mail administrator working for a DHS contractor. The early October cascade kicked off when one subscriber sent a reply to the list administrator with a change request. That e-mail was automatically resent to all of the list subscribers.
Within hours, dozens of subscribers replied to the original mail. Each response in turn was sent to all of the other subscribers on the list. By the end of the day, more than 2 million messages had been generated as recipients using Reply or Reply All first complained about the spam surge, then added to the flood by mailing offhand comments, humorous remarks and demands to be unsubscribed from the list — creating, in effect, a miniature distributed denial-of-service attack. The e-mail addresses, phone numbers and contact information of several people, including government and military officials, were exposed during the uproar.
Bag that: Supervalu gets phished Eden Prairie, Minn.-based grocery chain Supervalu Inc. in February was conned into sending $10 million to two fake bank accounts by phishers posing as employees working for two of the company’s approved suppliers. Supervalu received two e-mails, one purporting to be from American Greetings Corp. and the other from PepsiCo Inc.’s Frito-Lay unit, asking the company to send future payments for each supplier to new bank accounts based in Florida and Arkansas.
The e-mails were apparently convincing enough for Supervalu to deposit over $10 million into both accounts before realizing it had been had. Happily for the retailer (and, presumably, whoever approved the change on its end), the money was recovered by the Feds before it was withdrawn.
Undiplomatic relations: Symantec in China A signature update to Symantec Corp.’s antivirus software in May crippled thousands of PCs in China. The software identified two critical system files of the Chinese edition of Windows XP Service Pack 2 as a Trojan and quarantined them, causing widespread crashing. Making matters worse, those specific files were required to start affected systems in Safe Mode, ensuring all-but-total shutdown and drawing howls of protest from the blogosphere.
Five weeks later, a red-faced Symantec decided to mollify affected users by giving them free backup software … and extending their subscriptions to the same antivirus software that knocked out their computers.
Hear me, see me: House outs whistle-blowers The House Judiciary Committee in October had to apologize to dozens of whistle-blowers for accidentally exposing their e-mail addresses to other individuals who, like them, had used a committee Web site to secretly submit tips about alleged abuses at the Department of Justice. The snafu came about when a clerical employee at the committee accidentally included the e-mail addresses of all the whistle-blowers in the To field of a message sent out to each tipster, ironically to inform them of certain changes in access conditions. A substantial number of the more than 150 e-mail addresses in the distribution list included portions of individuals’ real names. Included in the list were the public e-mail addresses of Vice President Dick Cheney and some apparently fictitious individuals.
Arrrrr! WGA sees pirate people In August, an unspecified server error at Microsoft Corp. resulted in many paying users of the company’s Vista and XP systems being mistakenly identified as pirates by Microsoft’s Windows Genuine Advantage (WGA) software validation system. The problem lasted for 19 hours, during which time frustrated users lost some features on their system that they could get back only after revalidating themselves all over again. The glitch occurred over a summer weekend, leading to further frustration when help from the company was slow in coming.
… and your 2007 poster boys
Consultant turns bot herder: John Schiefer This former security consultant at 3G Communications Corp. of Los Angeles admitted in November to running a huge botnet of a quarter million PCs that infected other machines with adware programs, and to using spyware to steal bank and PayPal account information. He faces 60 years in prison on four felony charges, including wire and bank fraud and illegally accessing protected computers. Court documents say his cohorts, including several minors, infected over 135,000 PCs with a password-stealing Trojan program and then used the stolen data to access PayPal and other financial accounts.
Exit strategy: Gary Min In the five months before he left DuPont for a scientist position at a rival company, Gary Min quietly accessed and downloaded confidential company documents valued at an estimated $400 million. During that time, he downloaded and accessed more than 15 times as many documents as the next most active user of the DuPont database system, but he wasn’t caught until after he left the company for the rival firm. He admitted in November 2006 to stealing DuPont trade secrets; the case became public in January after details were unsealed by a federal prosecutor. A U.S. District Court judge in Wilmington, Del., in November sentenced Min to 18 months in prison and ordered him to pay a $30,000 fine and $14,500 in restitution to DuPont. The sentence is substantially less than the maximum of 10 years in prison and a $250,000 fine that Min might have received.
Don’t drop the soap: Ivory Dickerson This North Carolina native and former civil engineer was sentenced in December to 110 years in prison after admitting that he and a co-conspirator hacked into computers used by young girls and used the illicitly gained data to terrorize them into sending lurid photos of themselves.
Dickerson trolled MySpace to find underage girls in the Broward County, Fla., area. When he made contact with a potential victim (via IM or e-mail), he’d entice them into opening a file containing a Trojan program that gave him and a co-conspirator control over her computer. He would then try to use hacked information to coerce the girls into sending photos — threatening to harm them or their families if they refused. The investigation revealed not only photos of various teenagers, but a number of bestiality photos as well, ensuring that disgust about Dickerson is shared around the food chain.
Unbirthday boy: Yung-Hsun Lin Lin, a former Unix system administrator at Medco Health Solutions Inc.’s Fair Lawn, N.J., office, pled guilty in September to planting a logic bomb that would have destroyed critical data — including prescription drug data for individuals — on more than 70 servers. He planted the bomb in the belief he would lose his job after Medco was spun off from drug maker Merck & Co. in 2003. The bomb was first set to go off on Lin’s birthday in 2004, but when it failed to work he reset the clock for it to go off on the same date the following year. The bomb was discovered in early January 2005, months before it was scheduled to be triggered. Lin pleaded guilty to one count of transmitting computer code with the intent of causing damage in excess of $5,000. He is scheduled to be sentenced on Jan. 8. He faces a maximum 10-year sentence and $250,000 fine.
Pick a hat already: Maxwell Butler Also known as Max Vision, this former security consultant was indicted in September by a federal jury on three counts of wire fraud and two counts of transferring stolen identity information. Butler, who used various online aliases, including Iceman, Digits and Aphex, hacked multiple computer networks of financial institutions and card processing firms, selling the account and identity information he stole from those systems. He even took a cut of the profits his accomplices made by selling merchandise that was purchased using the stolen payment card information.
But here’s the thing: Butler was once well known in the security community as a researcher. In 2000, he pleaded guilty to one felony count for breaking into protected military and government computers and served jail time for that. He was also accused of hacking into the networks of the developers of the PC games Doom and Quake, and of stealing several hundred access passwords to a California Internet service provider. During that trial, it was revealed that he had been an FBI informant for at least two years.