2011 bullshit awards

And the 2011 bullshit award goes to Facebook

  • “Our users want to interact with brands.”
  • “We value your privacy.”
  • “We’re not tracking you when you’re logged out.”


For fun... but not only!

Top 10 Data Breaches from 2011: #1

#1:  Cyber espionage attacks

Summary:  The major effort to attack the US and other countries in order to steal data and IP has catapulted cyber espionage to the top of many companies’ priority lists.

Details:  Several countries, notably China, are using cyber espionage to catch up with Western competitors as well as establish military parity.  In a rare interview, SkyNews UK captured on film a Chinese businessman who described how he works with the government to hack his Western competitors:

The conference also highlighted the murky connections between hackers and the Chinese government.

One man who identified himself as a policeman said: “We’re here to see if they have anything we can use. If there is, then we’ll get in touch with them, and take the next step.”

The cost has been tremendous.  In fact, this will likely go down as quote of the year:

Exploitation of sensitive data has generated “the greatest transfer of wealth that’s gone on in history,” said Gen. Keith Alexander, chief of U.S. Cyber Command.


[Image: book cover, Unconditional warfare.jpg]

  • Governments, especially China, are living up to their objectives which were outlined in “Unrestricted Warfare” (cover above).  One of the key components of the book was “network warfare.”
  • The cost has been tremendous.  The office of Counter Intelligence released a report saying that between $2 and $400 billion in losses occurred due to cyber espionage.  (We detailed this report previously).

Top 10 Data Breaches from 2011: #2

#2:  Military and Government Websites Up For Sale


Summary:  Hacker builds a business on SQL injection vulnerabilities alone.

Details:  Tons of websites were constantly scanned for SQL injection vulnerabilities.  Dozens of sites were exploited and the admin credentials were sold to other hackers.  For example, for the price of an iPad, $499, you could have access to a military website.

Why Significant?  SQL injection has proved to be the costliest, most prevalent vulnerability in history.  This case best illustrates just how widespread SQL injection has become: a hacker developed a way to monetize the vulnerability.
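The vulnerability behind this business is the oldest one in the book: user input spliced straight into a SQL statement, so that the database parses the input as code. The block below is an added illustration (not code from the original post or from any site mentioned in it): a login lookup against a constructed in-memory SQLite table, once in the vulnerable string-concatenation form and once with a parameterized query. The table, the `admins` schema and the credential values are all constructed for the example, and the stored "password_hash" is a placeholder string standing in for a real salted hash.

```python
import sqlite3


def make_db():
    # Constructed sample store: one admin row in an in-memory database.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admins (username TEXT, password_hash TEXT)")
    conn.execute("INSERT INTO admins VALUES ('admin', 'hash-of-a-strong-secret')")
    return conn


def login_vulnerable(conn, username, password_hash):
    # The defect: the caller's strings become part of the SQL text, so a quote
    # character in the input changes the structure of the statement itself.
    query = (
        f"SELECT username FROM admins WHERE username = '{username}' "
        f"AND password_hash = '{password_hash}'"
    )
    return conn.execute(query).fetchone() is not None


def login_safe(conn, username, password_hash):
    # The fix: placeholders bind the input as data. Whatever the strings contain,
    # the statement's structure is fixed before the values are supplied, so the
    # input can only ever be compared against the column, never executed.
    query = "SELECT username FROM admins WHERE username = ? AND password_hash = ?"
    return conn.execute(query, (username, password_hash)).fetchone() is not None


if __name__ == "__main__":
    db = make_db()
    # A quote-and-comment username collapses the vulnerable WHERE clause to a
    # tautology; the parameterized version simply finds no such user.
    hostile = "' OR 1=1 --"
    print("vulnerable, hostile input:", login_vulnerable(db, hostile, "x"))  # True
    print("parameterized, hostile input:", login_safe(db, hostile, "x"))  # False
    print("parameterized, real creds:", login_safe(db, "admin", "hash-of-a-strong-secret"))
```

The point of running both side by side is that no amount of input filtering is needed in the safe version; the binding API, not a blacklist, is what removes the class of bug. In a real application the hash comparison would also be a salted password hash checked with a constant-time routine, which the placeholder string above deliberately does not model.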

Top 10 Data Breaches from 2011: #3

#3:  Sony


Sony stock performance:  Nov 2010-Nov 2011.

Summary:  Hacktivists broke into Sony worldwide, stealing about 100M data records (about 12M unencrypted).

Details:  Sony’s video game online network was breached which led to the theft of names, addresses and credit card data.

Why Significant? 

  • By volume, the largest data breach of the year.
  • Has kept a permanent drag on Sony’s stock.
  • SQL injection made it onto the agenda of board rooms worldwide.
  • This breach forever shifted the purpose of hacktivism from defacement to data theft.  The hacker’s intent wasn’t to embarrass a company, but rather to bring it down.

Top 10 Data Breaches from 2011: #4

#4:  Phone Hacking in the UK

Summary:  Reporters from the UK’s News of The World hacked into the voicemail of several people, including a murder victim, to gather information.

Details:  http://en.wikipedia.org/wiki/News_International_phone_hacking_scandal

Why Significant?  Insiders became hackers and brought down a newspaper and seriously damaged the News Corporation.  More importantly, this episode showed how hacking becomes part of our everyday lives, reminding us that hacking doesn’t require strong knowledge of computer systems.

Top 10 Data Breaches from 2011: #5

#5: PBS


Summary: Hacktivists broke into the PBS website, exposed thousands of usernames and passwords, and defaced the news site, resurrecting dead rapper Tupac Shakur.

Details: Imperva dissected this breach when it happened.

Why Significant: Brought hacktivism to the media; hacking wasn’t just a “corporate” issue anymore. Anyone could be a target. After this event, hacktivism was no longer a temporary blip on the radar, it became something with staying power.  Anonymous was anything but.

Top 10 Data Breaches from 2011: #6

#6:  Army of social bots steals gigabytes of Facebook data

Summary:  A small array of scripts programmed to pass themselves off as real people stole 250 gigabytes worth of personal information from Facebook users in just eight weeks.

Details:  The 102 “socialbots” included a name and picture of a fictitious Facebook user and used programming interfaces to automatically embed pseudo-random quotes into status updates. They also used Facebook interfaces to send connection requests to about 5,000 randomly selected profiles. They then sent connection requests to the friends of those who accepted the initial invitation, and with each acceptance, they scraped whatever information was available.

At the end of the eight-week experiment, the researchers recovered 250 gigabytes of personal data, much of it configured to be available only to people on the user’s list of friends.

Why Significant:

  • Another example of automated Facebook hacking.
  • Highlights the weaknesses in Facebook defenses.  In this case, “the defense known as the Facebook Immune System, which is designed to automatically flag fake profiles, did little to thin the army of socialbots used in the study. While about 20 percent of them were blocked, the closures were the result of feedback from other users who reported spam.”

Top 10 Data Breaches from 2011: #7

#7:  Facebook Pwn

Summary:  Social engineering may now be entering the next phase:  automation.  Recently, a new tool emerged which automates social engineering on Facebook.  Unlike hacking software, this tool doesn’t demonstrate any new theoretical security vulnerability.  However, the automation of the social engineering process may have significant practical security implications as it can be launched by every script kiddie.  The attack package is hosted on code.google.com: http://code.google.com/p/fbpwn/

Details:  It sends friend requests to a list of Facebook profiles, and polls for the acceptance notification. Once the victim accepts the invitation, it dumps all their information, photos and friend list to a local folder.  In other words, it automates the process of friending, sees who accepted and then collects all personal information in your profile as well as photos.  The software has seen thousands of downloads.

Why Significant:  This automated software package highlights how social networking is becoming the next big target for hacking.
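Items #6 and #7 describe the same behavioural pattern from the defender's side: an account fires off friend requests in bulk to strangers, most of which go unanswered, and then fans out to the friends of whoever accepted. The post notes that the platform's automated defence blocked only about a fifth of the socialbots, and mostly on the strength of user spam reports. The block below is an added example, not Facebook's Immune System and not the researchers' or fbpwn's code: a small behavioural detector over a constructed friend-request event log that scores each account on request burst rate and acceptance ratio, two signals that need no user reports at all. The event format, the account names and the thresholds (10 requests in any one-hour window, acceptance rate at or below 30%) are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed event log. Each entry is (timestamp, actor, action, target).
# "friend_request": actor asked target to connect.
# "friend_accept":  actor accepted the pending request from target.
BASE = datetime(2011, 11, 1, 9, 0)


def _build_sample_events():
    ev = []
    # Automated account: 12 requests to random strangers within 12 minutes.
    for i in range(12):
        ev.append((BASE + timedelta(minutes=i), "bot_17", "friend_request", f"user_{i}"))
    # Two strangers accept about half an hour later.
    ev.append((BASE + timedelta(minutes=30), "user_3", "friend_accept", "bot_17"))
    ev.append((BASE + timedelta(minutes=31), "user_7", "friend_accept", "bot_17"))
    # Second hop: the account then targets friends of an accepter.
    for j in range(3):
        ev.append((BASE + timedelta(minutes=40 + j), "bot_17", "friend_request",
                   f"friend_of_user_3_{j}"))
    # Ordinary user: two requests hours apart, both accepted.
    ev.append((BASE, "alice", "friend_request", "bob"))
    ev.append((BASE + timedelta(minutes=20), "bob", "friend_accept", "alice"))
    ev.append((BASE + timedelta(hours=5), "alice", "friend_request", "carol"))
    ev.append((BASE + timedelta(hours=6), "carol", "friend_accept", "alice"))
    return ev


SAMPLE_EVENTS = _build_sample_events()


def account_stats(events):
    # Per requester: the timestamps of requests sent and how many were accepted.
    stats = defaultdict(lambda: {"requests": [], "accepted": 0})
    for ts, actor, action, target in events:
        if action == "friend_request":
            stats[actor]["requests"].append(ts)
        elif action == "friend_accept":
            stats[target]["accepted"] += 1  # target is the original requester
    return stats


def max_requests_in_window(timestamps, window=timedelta(hours=1)):
    # Largest number of requests falling inside any sliding window of the given length.
    ts = sorted(timestamps)
    best = start = 0
    for end in range(len(ts)):
        while ts[end] - ts[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def flag_automation(events, burst_threshold=10, max_accept_rate=0.3):
    # Flag accounts that both burst requests and are mostly ignored by their targets.
    # Thresholds are assumed values for this example, not platform policy.
    flagged = {}
    for account, s in account_stats(events).items():
        n = len(s["requests"])
        if n == 0:
            continue
        burst = max_requests_in_window(s["requests"])
        rate = s["accepted"] / n
        if burst >= burst_threshold and rate <= max_accept_rate:
            flagged[account] = {"requests": n, "burst_1h": burst,
                                "accept_rate": round(rate, 2)}
    return flagged


if __name__ == "__main__":
    for account, info in flag_automation(SAMPLE_EVENTS).items():
        print(f"{account}: {info}")
```

The acceptance-ratio signal is what separates a busy but genuine user from a script working a random target list: real people mostly ask people they know, so their requests are accepted. Fan-out to friends of accepters, the second hop the study describes, shows up here simply as more requests inside the same burst window; a production system would add graph features (mutual friends between requester and target) to the same per-account score.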

Top 10 Data Breaches from 2011: #8

#8:  Cyworld

Summary:  About 35M records were taken from South Korea’s largest social networking site.

Details: The records taken included phone numbers, email addresses, names and encrypted information about the site’s members.  It is believed a foreign government took the data.

Why Significant:  This breach highlights what a significant data repository social networking has become.  In this case, it is presumed that a foreign government found the data useful enough to take it all. What does this say about Facebook’s value to government and private hackers?

Top 10 Data Breaches from 2011: #9

#9:  300,000 Medical Records Put Online

Summary:  About 300,000 detailed medical records sat on the Internet unsecured for several months.

Details:  The exposed files included insurance forms, Social Security numbers and doctors’ notes. Among them were summaries that spelled out, in painstaking detail, a trucker’s crushed fingers, a maintenance worker’s broken ribs and one man’s bout with sexual dysfunction.

Why Significant: This is significant for several reasons:

  • Highlights the persistent interest in taking medical records.  According to Privacy Clearinghouse, medical records are a consistent “favorite” every year for hackers and insiders.
  • This breach illustrates how to use medical records:
    • Criminals:  Blackmail and public humiliation.
    • Noncriminals:  “The information can also be used by insurance companies to inflate rates, or by employers to deny job applicants.”
  • Foreshadows issues with broader digitization of electronic health records.  Obamacare requires digital health records by 2014, but are we ready from a security standpoint?