Looking back over the last 12 months, it could be said that nothing really changed within infosec: people still lost data, malware was successful and threats continued. So will 2012 be remembered as the year that things stagnated in security?
Over the next few blogs I am going to look back over the information security headlines of 2012, as reported by SC Magazine, to see if that was the case.
Going right back to the start of the year, over the Christmas period hacktivist group Anonymous hit the US security think tank Stratfor, posting 200GB of data online. This included the addresses and passwords of every customer that has ever paid Stratfor for services, and the personal information of 860,000 people who registered with the company.
It later emerged that British military and political user passwords were among those leaked, while CEO George Friedman said that credit card files had not been encrypted and admitted that this was "a failure on our part".
In other Anonymous activity, its 2011 offensives against Sony got a further push, as the hacktivists announced plans to 'dox' (release the personal information of) executives from the electrical giant, while the takedown of Megaupload also saw Anonymous target the FBI and US Department of Justice websites.
Also in January, hackers Team Poison published the names and passwords of T-Mobile staff; while Symantec began looking into reports about source code for its consumer Norton brand being leaked, and it later admitted to the theft of code and instructed users to avoid using its pcAnywhere software.
It was mid-March when Symantec confirmed that source code for Norton anti-virus was leaked, admitting it got into a blackmail battle of words with a hacker.
To the best of my memory, this is where major attacks on Sony ended, as after a year of huge campaigns the hacktivists went a bit quiet. More on that later.
One of the most referenced stories for me in 2012 was the announcement by Viviane Reding of proposed changes to the Data Protection Directive for the European Union, some of which were exclusively revealed in 2011 by SC, including the 24-hour notification law, the appointment of data protection officers and rulings on the 'right to be forgotten'.
The changes were not met with complete acclaim; while there is some benefit to consumers if these changes are approved, it will hit businesses hard. One of the critics of the changes was the Information Commissioner's Office (ICO), which called for a rethink, saying that there were "challenges for its practical application and risks developing a 'tick-box' approach to data protection compliance".
Also in February, research by Context Information Security found that web applications developed for the government, financial services, and law and insurance sectors had the greatest increase in vulnerabilities. To combat any problems, regional cyber crime units were created in Yorkshire and the Humber, the north west and East Midlands.
Also, a division of VeriSign reported facing "several successful attacks against its corporate network in which access was gained to information on a small portion of our computers and servers" in 2010. It later said that its domain name system function was unaffected.
In other threat news, ticketing giant Ticketmaster admitted that its direct mailing system had been compromised, with spam emails sent from its official accounts; while, on a much more secure note, Barclays announced the launch of the 'Ping' payment application and Twitter detailed its plans to set all users to HTTPS by default.
Just when you thought data loss couldn't get any worse, details of a stress test from Hartlepool's nuclear power station were lost on a USB, and ahead of London's Olympics it was predicted that more than 3,000 smartphones could be lost in the capital.
In mid-February, there were serious red faces at Microsoft as it flagged a Google update as malicious, with Internet Explorer claiming that Google.com was serving up a severe threat and that Google's home page was infected with the Blackhole exploit kit.
At the end of February, the annual RSA Conference arrived and the theme this year was very much about collaboration, with RSA executive chairman Art Coviello calling for this and the launch of the Trustworthy Internet Movement to achieve just that.
The month of March saw the back catalogue of late pop superstar Michael Jackson stolen from Sony; while research into every security-conscious person's least favourite operating system, Android, revealed that personal data was being sent from devices to advertising companies without user knowledge.
In acquisition news, M86 Security was bought by Trustwave, Cryptocard became part of SafeNet's offering, Sophos acquired German mobile device management vendor Dialogs and Dell announced plans to purchase SonicWall.
Rounding off news from 2011, when hacktivist group LulzSec scared the life out of anyone willing to cross its path, it was revealed that leader 'Sabu' had worked for the FBI as an informant. He was named as Hector Xavier Monsegur from New York and, upon naming his former colleagues, some of whom had been arrested already and some of whom faced that fate later in 2012, was given FBI protection.
The hacktivists naturally were outraged, and since then Sabu's once noisy Twitter feed has fallen silent. However, LulzSec did not stay quiet for long, as it hit a number of UK government sites over the Easter weekend, including the Home Office and Ministry of Justice.
After successes in taking down botnets in 2011, Microsoft continued the trend with a takedown of command and control (C&C) servers to disrupt the Zeus banking Trojan. In another botnet story that we will pick up in the next blog, Apple users were affected by the biggest confirmed malware outbreak with the Flashback botnet.
The ICO was in its usual regulatory swing with numerous fines issued, leading me to ask whether it had anything against local councils. Some time later, I got to put this directly to Information Commissioner Christopher Graham, who said there were issues with awareness, training and mainly a realisation of what staff were dealing with. In short then, no real dilemma, but there is an underlying problem within this sector.
The proposed surveillance bill hit the headlines and was criticised by privacy campaigners and internet founder Sir Tim Berners-Lee, while Christopher Graham told SC that the Queen's Speech would flesh out the details of the bill.
Ending this period with some good news: Jonathan Millican, a 19-year-old student of computer science at Jesus College, Cambridge, was announced as the second winner of the Cyber Security Challenge, and SC began its countdown to the London Olympics with 100 days until the opening ceremony with advice on how to prepare.
Last and by no means least, SC announced the winners of its 2012 awards. A year when nothing happened? This was only the first four months!