2012 in review: September to December
So to summarise so far, I started my look back at 2012 thinking ‘that was a quiet year’. Almost 2,500 words and numerous hyperlinks later, perhaps I was wrong.
In this final part, I look at the latter part of 2012 starting from September. The big news event for this time was of course the London Olympics and Paralympics and aside from our 100-day countdown, the only coverage we were able to achieve was on the SEO poisoning, while BT later said that attacks had been thwarted.
This period saw some government intervention into cyber security, with the White House preparing an executive order for cyber attack readiness – although surely that is what the US Cert is for. It may have been a worrying time when it was announced that Chinese hackers had been able to access the White House Military Office, but the White House eventually cleared Huawei to sell into the US after it was suspected of being a spy threat.
Here in the UK it was announced that the private sector would work with GCHQ to learn how to thwart cyber attacks and how to create a more security-conscious culture.
The UK government also announced plans for a £3.8 million cyber research institute, while Foreign Secretary William Hague revealed plans to open a European cyber crime centre in acknowledgment of the on-going challenges that the internet faces.
December marked the one-year anniversary of the Cyber Security Strategy, with the focus on work already completed and that which is yet to be done, particularly within GCHQ. One aim was to introduce a cyber reserve army of volunteers, a concept slammed by a former military and security man.
In attack news we looked at how the Mexican government had prepared in the event of a DDoS attack, something European governments could be better prepared for according to an Enisa-backed stress test that was carried out in October. Enisa later called for greater cooperation in such tests.
Following on from the Home Office being hit by a cyber attack over the Easter weekend, a man was arrested in connection with the incident. In December, a student was charged with attacks on PayPal, while the co-founder of the Pirate Bay, Gottfrid Svartholm Warg, was also arrested.
Data breaches continued in relentless fashion but some of the details appeared a little sketchy. Firstly, Go Daddy suffered a four-hour outage that Anonymous claimed responsibility for, although the company later said that it was down to "a series of internal network events that corrupted its router data tables".
In the other incident, a million Apple unique device identifiers were leaked after hackers claimed to have obtained them from an FBI breach, but a Florida publishing company named Blue Toad said that the database was stolen from its servers. It's unclear who is telling the truth in these instances. Is it a case of hackers jumping on a problem and claiming it before the analysis in the hope of press coverage?
One company telling the truth was HSBC, who admitted to being hit by a denial-of-service attack that did affect the availability of online services but not customer data.
A zero-day bug in Internet Explorer caused the German government's Federal Office for Information Security to instruct citizens not to use the browser.
After the problems that VeriSign and Symantec had at the start of the year, it was the turn of software giant Adobe to admit that it suffered a targeted attack on its digital certificate code signing infrastructure; however, its Flash, Reader, Shockwave and Air products were not impacted. It later revoked all code signed since 10th July.
Following the loss of a laptop with unencrypted data on it, Nasa was forced into an ultra secure mode where it locked down all devices.
To prove that hacktivism did live on, a hacker named ‘NullCrew’ hit Sony and planned to sell his haul. Yet he told SC Magazine that he was no longer selling the data.
Anonymous continued action, this time against the controversial Westboro Baptist Church after it planned a protest at the site of a school shooting in Connecticut.
After accusing Russian programmer Andrey Sabelnikov of being behind the Kelihos botnet, Microsoft ‘reached a confidential settlement’ with Sabelnikov to close the case. And to prove that major threat tools never die, Kaspersky Lab revealed a smaller but still effective ‘mini’ version of Flame.
Picking up a previous thread, research by IBM X-Force found the Flashback botnet was the most widespread and sophisticated Mac malware to date.
In other news, Sophos' James Lyne got on his bike to reveal the lack of security around London's WiFi networks.
Throughout the latter part of 2012, I attended a number of conferences, and the first was the Gartner security summit in London. Among the presentations, a claim that there are too many industry guidelines was interesting, as was the Information Commissioner's Office saying that it was "pressing for custodial sentences".
At the annual European leg of the RSA Conference, a lot of the talk was on attack and defence, with executive chairman Art Coviello talking about shrinking budgets, guest speaker Alec Empire highlighting the threat of hacktivists, and Wikipedia founder Jimmy Wales calling for HTTPS to be "used everywhere".
On to another show, and at the ISSE conference in Brussels the talk was of major trends and some instruction on how to create the ideal solution for ‘bring your own device’ (BYOD), while a BlackBerry spokesperson was forced to take steps back after saying that BYOD was a ‘nightmare’.
Next I visited the Irish conference Irisscon, hosted by the Irish Cert, which detailed the level of threat faced by the Emerald Isle, and presentations included work on preventing child abuse and the problem of annual penetration tests.
The theme of SC's final conference of the year was governance, risk and compliance, and views there detailed how to achieve this and the correct road to take with management. Finally, I attended Dell World, where a company that acquired three security vendors in a year talked up security and software. Giving the opening keynote was former US president Bill Clinton, who talked philanthropy and made some interesting references to technology and collaboration.
On to those acquisitions once again then: Dell acquired both Quest Software and Credant; Google bought inspection service VirusTotal; Veracode acquired mobile scanning technology vendor Marvin Mobile Security; SecureData purchased Quadrant Networks; Axway bought API provider Vordel; and rubber-stamping the mobile market, Citrix completed its acquisition of Zenprise.
Finally, to once again finish on some good news – Facebook followed Jimmy Wales' advice and announced that it was rolling out HTTPS for all users, and after learning that he would not face extradition, Gary McKinnon learned that the Crown Prosecution Service would not be bringing charges against him.
So that was 2012 in around 3,500 words and a lot of work for me and hopefully happy reading for you.