It's that time again (actually a day late, but who's counting), so without further ado, here is my top ten security "Oops" list for 2010:
Top Ten Security “Oops” of 2010
1. Wikileaks
No security story for 2010 would be complete without discussing Wikileaks, possibly the biggest hack of the decade. The Wikileaks organization is publishing some of the over 200,000 sensitive diplomatic documents that were stolen from the US State Department. Like many major hacks, it was carried out by an insider using physical means: the records were smuggled out on a fake Lady Gaga CD. While many laud Adrian Assange as a hero of the people, I tend to see him as a common data thief, releasing tidbits at his leisure and for his own benefit. If he were really such a champion of freedom of information, he'd put the whole database online for any reporter to search for a story. Don't hold your breath on that one.
2. WikiLeaks retribution attacks
You can't talk about the Wikileaks story without talking about the subsequent retribution attacks. Hackers went after any and all perceived antagonists of Wikileaks, including Amazon, Citibank and even the lawyers representing the women whom he allegedly molested. Come on, guys, aren't people allowed to have lawyers anymore?
3. Iranian nuclear site virus infection
Talk about a holy Sh%$# attack. A virus allegedly infects key computers at an Iranian nuclear facility and causes them to shut down their centrifuges. A specialized version of the Stuxnet worm infected control systems at the plant, and experts say it caused major damage to the plant's operations. Whether or not you believe that the Israelis planted the worm, it is worrying that such an attack is possible on such sensitive and supposedly secure infrastructure. How soon until extremist hackers target the West with this tech?
4. China Google Hacks
News that Chinese hackers were able to penetrate deep within Google's corporate offices, both in China and at home, was not terribly surprising. But that it was directed from the highest levels of Chinese leadership (if we are to believe the aforementioned Wikileaks dispatches) represents a new, more active involvement by the Chinese government. Google was not the only victim, and this only reinforces that hacking is now just another tool that governments willingly use to achieve their ends, somewhere in between military force and diplomatic negotiations.
5. Facebook App information sharing
What a surprise! Facebook's policy for third-party apps was not being enforced, and many developers were sharing far more information than they were supposed to. Facebook isn't exactly known as a stalwart defender of our privacy rights, but they had better get on it soon if they don't want to be forced to by regulatory action.
6. Apple iPhone “Jailbreaking” now OK
This was not so much an oops as a “finally”, but it took a court case to make Apple admit it. They had been holding out the threat of criminal prosecution under the DMA for folks who removed restrictions on their iPhones, even though most of those people just wanted to run non-standard apps and possibly use a different carrier. Apple needs to lighten up on their customers before they become the new Microsoft.
7. Apple removes DRM from iTunes
Another Apple oops, again more of a “finally”, when they removed their FairPlay DRM from most of the music tracks they sell. However, they did not entirely right this wrong, as they still shackle users to their hardware and make it difficult to move tracks around. They also used the DRM removal as an excuse to start charging us 30% more for songs, as the DRM-free iTunes Plus tracks now cost $1.29 instead of 99 cents. Nice PR move that generates more revenue, Apple.
8. Geo-tagging
2010 was the year of geo-tagging. This is the act of attaching location-specific information to your pictures, Facebook posts, movements and anything else that mobile vendors can get their hands on. Read those license agreements carefully and opt out when you can, unless you want your every move tracked.
9. Popular website password breach
This popular website ended the year with a bang: 1.3 million users' passwords published online. It seems that a hacker group, Gnosis, got access to internal systems and was able to brute force many of the passwords, which were painfully simple. Try a tougher password policy next time.
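The "tougher password policy" the post asks for is easy to enforce at account creation or password change. The following is an added example, not code from the original post or from the breached site: a small policy checker that rejects short passwords, passwords drawn from too few character classes, runs of repeated characters, and entries on a common-password list, plus an optimistic keyspace estimate that shows why "painfully simple" passwords fall to brute force in no time. The thresholds and the common-password list are constructed assumptions for illustration.

```python
import math
import re
import string

# Constructed sample of the kind of "painfully simple" passwords the post
# describes. This is an illustrative list, not data from the actual breach.
COMMON_PASSWORDS = {
    "123456", "password", "12345678", "qwerty", "abc123", "letmein",
    "monkey", "111111", "iloveyou", "welcome", "trustno1",
}

# Policy thresholds are assumptions chosen for this example.
MIN_LENGTH = 12
MIN_CLASSES = 3


def character_classes(password: str) -> int:
    """Count how many of the four classes (lower, upper, digit, symbol) appear."""
    checks = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    )
    return sum(checks)


def check_password(password: str) -> list[str]:
    """Return the list of policy violations; an empty list means accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if character_classes(password) < MIN_CLASSES:
        problems.append(f"uses fewer than {MIN_CLASSES} character classes")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears on the common-password list")
    if re.search(r"(.)\1{2,}", password):
        problems.append("contains a run of three or more repeated characters")
    return problems


def estimated_bits(password: str) -> float:
    """Optimistic guessing-entropy estimate: log2 of the keyspace implied by
    the character classes present. A cracker that tries dictionary words and
    common patterns first does far better than this bound suggests, so a low
    number here is a hard ceiling on strength, not a guarantee of it."""
    alphabet = 0
    if any(c.islower() for c in password):
        alphabet += 26
    if any(c.isupper() for c in password):
        alphabet += 26
    if any(c.isdigit() for c in password):
        alphabet += 10
    if any(c in string.punctuation for c in password):
        alphabet += len(string.punctuation)
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def audit(passwords: list[str]) -> dict[str, int]:
    """Summarise how many passwords in a set would fail the policy."""
    failing = sum(1 for p in passwords if check_password(p))
    return {"total": len(passwords), "failing": failing,
            "passing": len(passwords) - failing}


if __name__ == "__main__":
    # Constructed sample set for demonstration.
    sample = ["password", "qwerty", "Summer2010!", "correct-Horse-battery-9"]
    for p in sample:
        print(f"{p!r}: ~{estimated_bits(p):.0f} bits, "
              f"violations={check_password(p)}")
    print(audit(sample))
```

Running the block shows the gap: an all-lowercase eight-character word sits around 38 bits of keyspace at best, and being on a common-password list makes even that figure meaningless, while a long passphrase mixing classes clears the policy. In a real deployment the common-password list would be far larger, and the check belongs next to proper salted, slow password hashing, since a policy only limits the damage once the hash database leaks.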
10. Internet Neutrality
This annual political football finally got settled this year. Or did it? The FCC's ruling on Internet providers' ability to charge more for different types of traffic, known as Net Neutrality, seemed to be a case of a glass half full for everyone. While they ruled that ISPs could not charge more for certain kinds of content, they left it open for them to charge more for “paid prioritization”, which some critics claim is just that. This kind of half-baked policy will only lead to more confusion and less innovation, and it makes nobody happy. An outcome that seems to be common in Washington these days.
This list was just some of the biggest and most newsworthy leaks, breaches and bloopers. For a more complete list, check out www.privacyrights.org, which has a full database of reported IT security events going back to 2005. There are a total of 590 incidents listed for 2010, accounting for over 511 million records affected. And that's just the ones that were reported. No doubt 2011 will top that number, and on that note, Happy New Year!