2011: a year in headlines from SC Magazine, September to December

Opinion by Dan Raywood

Most of September's news was dominated by the hacking and issuing of rogue certificates from DigiNotar.

After it admitted to an initial compromise, it was given a vote of no confidence by Google, Microsoft and Mozilla, and later Apple.

The hacker said he had access to four other certificate authorities (CA), putting fellow CA GlobalSign on alert, although it later said nothing had been compromised. In an email to SC Magazine, the hacker said his intention was to embarrass DigiNotar.

DigiNotar was later declared bankrupt and this proved to be one of the main cases of a cyber attack leading to the closure of a business.

Elsewhere a CD was lost by a primary care trust that contained the personal details of 1.6 million individuals, the University Hospital of South Manchester NHS Foundation Trust lost the personal information of 87 patients following the loss of an unencrypted memory stick, while the Scottish Children's Reporter Administration breached the Data Protection Act twice.

The Information Commissioner Christopher Graham called for custodial sentences after former Barclays cashier Sarah Langridge pleaded guilty to illegally accessing the account details of a customer, against whom her husband had been jailed for a sex attack.

A major DNS hack led to the websites of Vodafone, Betfair, Acer, National Geographic, the Daily Telegraph and the Register being replaced with an image and a message that read: “h4ck1n9 is not a cr1m34. Sept. We TurkGuvenligi declare this day as World Hackers Day - Have fun ;) h4ck y0u.” Also, further arrests were made in connection with the LulzSec attacks, with two people arrested in the UK and Ireland and another in Arizona.

Research by Trend Micro uncovered a series of targeted attacks that compromised 1,465 computers in more than 60 countries, while the most notable acquisition of 2010, the purchase of McAfee by Intel, saw the DeepSafe technology launched.

In September I attended the Gartner security conference in London, and among the highlights were meeting the director of consumerisation from Trend Micro, proving how far the trend has come, and SABMiller CISO Mark Brown saying that CISOs "have to become business enablers and talk at board level if they want to retain their status".

At the end of September, SC Magazine exclusively revealed that businesses would face a 'mandatory data breach disclosure' law as part of the new Data Protection Directive, the legislation on which the Data Protection Act is based.

While the law will go through a process of consultation over the next 12 months, it is expected to become law in the UK by early 2013. Just how ready will businesses be? Probably about as prepared as they are for the cookies law; still, there is no fighting the regulator.

In another botnet takedown, Microsoft confirmed the end of the Kelihos botnet, which primarily sent out the MacDefender virus, while it faced a false positive nightmare as it flagged an update for Google Chrome as the Zeus Trojan.

In acquisition news, it was all about security incident and event management (SIEM) as McAfee grabbed NitroSecurity and IBM snapped up Q1 Labs. The news on 6 October was dominated by the passing of Apple founder Steve Jobs, with tributes paid from around the world by people involved in technology and government.

Also in early October, I attended the Symantec Vision conference in Barcelona. New announcements were led by its launch of a data loss prevention (DLP) solution for the Apple iPad and its declaration that "reputation-based protection is the future of anti-virus". I was also given my first demonstration at this show of the capability to Trojanise mobile applications, a trend that may grow in dark popularity.

The following week was dominated by the RSA Conference Europe, which opened with an apology and executive chairman Art Coviello quoting Nietzsche's epigram, "what does not kill you makes you stronger".

Coviello also said the attack on his organisation was done by two groups, with one definitely from a nation state, and he later said that security technology should be advanced so that it is risk-based, agile and has a contextual capability; he added: "While we may try, we will never keep up with individual attacks, but we can create a system to withstand certain attacks."

At the show I met with HB Gary CEO and co-founder Greg Hoglund, who detailed how the company was stronger following its attack, while Sony confirmed that it detected attempts on the Sony Entertainment Network (SEN), PlayStation Network (PSN) and Sony Online Entertainment (SOE) services to test a massive set of identities and passwords against its network database, possibly impacting 93,000 accounts.

The RSA Conference Europe was closed by internet godfather Tim Berners-Lee, who expressed his dismay at a lack of user control over data, calling it "dysfunctional". Also in October, the research paper 'BEAST', which detailed a method of defeating SSL, was praised for being "technically clever but over-sold" by SSL inventor Taher Elgamal.

Into November and the US stuck its neck out and dared to name China and Russia as key cyber threats in a report, while sportswear giant Adidas was forced to take down its websites after suffering a "sophisticated, criminal cyber attack".

Another incident at a certificate authority (CA) caused KPN Corporate Market to stop issuing SSL certificates after it discovered a security breach that allowed hackers to store tools for denial-of-service attacks on its servers. Microsoft also said it would revoke trust in Malaysian intermediate CA 'DigiCert Sdn. Bhd' after the CA had issued 22 certificates with weak 512-bit keys, and issued certificates without the appropriate usage extensions or revocation information.

In less of an acquisition, more of a save, Cryptocard acquired GrIDsure after the latter went into liquidation, while Southwark Council was told off by the ICO after it left a computer and papers containing the personal information of 7,200 people in a skip.

Also in this period, Prolexic reported the largest packet-per-second distributed denial-of-service (DDoS) attack of the year, while seven people were charged with using malware to manipulate online advertising and infect more than four million computers in more than 100 countries in 'Operation Ghost Click'.

It had been more than a year since the Stuxnet worm impacted SCADA systems, but attacks on water systems in Illinois and Texas hinted at fresh attacks. Sourcefire EMEA technical director Dominic Storey said these "would be just the beginning", while the attacker of the Texan system told SC Magazine that the SCADA-based system was controlled by a three-character password.

While North Somerset Council and Worcestershire County Council received ICO fines for "serious email errors", the Government announced its Cyber Security Strategy that will open a new national cyber security 'hub', a cyber crime unit within the National Crime Agency and a single reporting system to report financially motivated cyber crime.

Generally the strategy was welcomed by the security industry, but some called it too political or reliant on unlikely collaboration. Among those proposing changes was former Home Secretary John Reid, who said a lack of investment in innovation would harm industry.

There will be an impact on ISPs, as the strategy said government will work with them to create a voluntary code of conduct to help people identify if their computers have been compromised and advise them on what action to take.

Also in regulatory news, it was announced that new data protection laws will compel European businesses to appoint a data privacy officer, something that could have saved Powys County Council from the largest ICO fine to date, £130,000, after child protection case details were sent out incorrectly in two instances.

At the half-way point of the year's grace on 'cookie compliance', the ICO announced there had been little progress on the issue and encouraged collaboration to understand the road to regulation.

In the world of the CA, another was reportedly hacked, although this did not appear to have affected certificate issuance from Gemnet. At the same time, CA GlobalSign said it had found no evidence of any rogue certificates being issued or any compromise of its CA infrastructure, following rumours in September to the contrary.

Wrapping up the final headlines for December, rumours abounded that a European processor had been breached, but at the time of writing there was no further confirmation.

Microsoft confirmed it will offer 'silent' updates of Internet Explorer for those who want it, while Google pulled 14,000 malicious applications from its Android market.

What I hope these three 'year in review' articles have proved is what a busy 12 months it has been for all of us in security. Security hit the headlines of the national press around the world many times, with stories and angles that I could never have predicted. So here's to 2012, when I hope there will be some more good news!

