I was on holiday when the first announcement was made about the Sony attack. My first reaction was that it would not be as big a deal as the RSA attack, but in fact this would be the more 'persistent' one, on the grounds that it went on and on.
Sony promised to improve its security by appointing a CISO after the initial hack, as board members publicly apologised for the incident. Sony went on to blame Anonymous for the hack after discovering a file on a server that was named 'Anonymous' with the words "we are Legion". Also suffering from a loss of data was the US version of the X Factor, with popstar hopefuls impacted.
The killing of Osama Bin Laden caused warnings on scams, while Baroness Pauline Neville-Jones stepped down as security minister to be appointed as a special representative to business on cyber security, later playing an important part in the government's cyber security strategy.
Just when you thought data-loss stories couldn't get more ridiculous, former data controller of ACS:Law Andrew Crossley was fined just £1,000 for failing to keep sensitive personal information relating to around 6,000 people secure. The Information Commissioner's Office (ICO) said the fine could have been £200,000 if the firm was still trading, but the unencrypted document which listed the personal details of more than 5,300 BSkyB Broadband subscribers belonged to a company that had closed down.
The ICO also announced that the details of 82,000 people were accidentally published online when a data file, which had been repaired by Co-operative Life Planning's software support contractor, was hacked.
Yet the ICO's big announcement of this period was in regard to cookies, when it gave companies a year to get consent from visitors to their websites in order to store cookies on their computers. The Chancellor announced at this time that the Treasury faces one email attack every day; just the one, Mr Osborne?
More realistic was the announcement that the Ministry of Defence faced more than 1,000 cyber attacks in 2010.
The rise of advanced malware for mobile and Apple products has been predicted for some time, and in 2011 we had some of the first real examples. Android phones were said to be vulnerable to a third-party snooping flaw, Apple users were warned about using an outdated, vulnerable version of Opera, and the detection of a rogue anti-virus product named 'MACDefender' made malware for Apple all the more real.
The RSA incident came back to life when US defence contractor Lockheed Martin announced that its network had come under a "significant and tenacious" attack and, according to reports, RSA's SecurID tokens were linked to the access. Later it was suggested that at least one prime defence contractor (not Lockheed Martin) made the decision to stop using RSA SecurIDs for its senior staff and found a completely different vendor to supply its security tokens following the incident.
RSA executive chairman Art Coviello later admitted that SecurID data was compromised during the attack, and that it had been "used as an element of an attempted broader attack on Lockheed Martin". Lockheed Martin said the attack was thwarted and no sensitive information was intercepted. Is this the last we have heard of this incident, I wonder?
Attacks against Sony continued; an attack on the Sony Pictures website revealed one million passwords that had been stored unencrypted, in plain text, as a hacking group named LulzSec (internet slang for laughing at security) emerged as the responsible party. The same group attacked the Sony BMG website and the computer entertainment developer network.
LulzSec later intercepted a Nintendo configuration file for one of its US servers, but said its focus was on Sony and it was not planning to do anything with the file. Games developer Codemasters was also attacked, but no claim was made by LulzSec; likewise Sega's Sega Pass portal was hacked with around 1.3 million user details compromised, but cardholder data was unaffected.
Proving that its attention was not wholly focused on gaming, LulzSec hit the US Senate and the website of the CIA, while long-term Anonymous target PayPal denied that login information had been accessed after LulzSec claimed to have released login information for Facebook, PayPal, dating sites, Xbox Live and Twitter accounts. LulzSec also denied responsibility for hacking UK census data, and the Office for National Statistics later said that no data had been compromised.
At the peak of its infamy, on 25 June, LulzSec announced it was ending its campaign, with its final act being to dump more than half a million user credentials. The end of its operations brought many comments on what it had achieved, and it has mostly stayed true to its retirement, although its members later merged with Anonymous to continue the latter's operations.
In more positive news, IPv6 Day demonstrated the capabilities of the modern protocol, and Google launched a new social networking site named 'Google+', although its first flaw was found a few days later.
The ICO said the NHS needed to do more to protect user details following a spate of data breaches, yet the private sector was named as being responsible for a third of data breaches. In this period the ICO handed another fine to Surrey County Council.
In malware, the most complex botnet of all time was discovered and named TDL-4, while LulzSec made a brief return to redirect visitors to the Sun newspaper's website to a page claiming that Rupert Murdoch had committed suicide. The Sun also admitted to a potential data loss because of the attack.
In fact, the shadow of LulzSec remained during July, as arrests were made and LulzSec responded by saying: "Arresting people won't stop us, FBI. We will only cease fire when you all wear shoes on your heads. That's the only way this is ending."
However, one of the arrests was of an 18-year-old from the Shetland Islands named Jake Davis, who was suspected of being the LulzSec member Topiary. He was later charged with computer offences by the Metropolitan Police.
The police also warned off wannabe hackers, but not before 'TeaMp0isoN' emerged, defacing the BlackBerry blog in response to RIM's announcement that it would co-operate with police following the London riots.
Facebook announced a bug bounty programme, but said flaws in third-party apps would not be rewarded. Microsoft offered $200,000 for the inventor of the 'next great security technology', although this offer was criticised by research and development firm Subreption, which said "entrants should not sell themselves so cheap".
Anonymous returned to the news once again in August with announced plans to 'kill Facebook' on 5 November, while it hit the San Francisco Bay Area Rapid Transit (BART) system following the latter's decision to shut down mobile phone services.
In a good bit of vendor tussling, McAfee launched its 'Shady RAT' report detailing multiple and lengthy intrusions; Eugene Kaspersky dismissed it, calling it "shoddy rat". McAfee responded to Eugene's claims, saying he had "missed the point".
In other news, Google passed an ICO audit after its Street View cars had collected data from unsecured WiFi transmissions; LinkedIn was forced to change a proposed policy on using members' photos in its 'social ads' following a user backlash; and, to bring things full circle, the email that brought down RSA was identified by F-Secure.
The month ended with members of Anonymous leaving the movement and criticising its direction, while Dutch certificate authority DigiNotar admitted to being hacked, with rogue certificates issued, in what became the next major trend of 2011.