2011: a year in headlines from SC Magazine, January to April

Opinion by Dan Raywood

With 2011 proving to be the year that information security hit the national headlines over and over again with some of the biggest stories in years, rather than looking back in one article, I have decided to take an extended view of the past 12 months.

With 2011 proving to be the year that information security hit the national headlines over and over again with some of the biggest stories in years, rather than looking back in one article, I have decided to take an extended view of the past 12 months.

The year began without a major flurry and, following 2010's Aurora attacks, information security news had a lot to live up to a year on. Following a flurry of acquisitions in 2010, this continued at the start of 2011 with Dell's acquisition of SecureWorks and Sourcefire's acquisition of Immunet.

The first of many data losses in 2011 that were reported to the Information Commissioner's Office (ICO) concerned the Scottish Court Service disposing of documents at a local recycling bank. Another major 2010 story, WikiLeaks, was addressed with US government agencies encouraged to create 'insider threat' programmes to find disgruntled workers who could leak state secrets.

One of the major and consistent themes of 2011 was consumerisation, and my first blog of the year focused on this theme and asked if the smartphone was to blame. If your concern was the security of open source software, then Trend Micro chairman Steve Chang agreed with you.

On a wet Friday afternoon in January I was one of a select bunch of journalists invited to meet finalists from the Cyber Security Challenge; it later confirmed the winners, and this experience gave me an insight into what was going on with the next generation of security folk.

Those who thought they were untouchable were arrested on a charge of stealing iPad user data from AT&T's servers; however up to ten million smartphone users may have been impacted after a breach in Trapster's username and password database was revealed.

The end of January also brought an end to Lush's website, after it revealed a four-month-long compromise that caused it to jokingly offer a job to the hacker. Less amusing was the revelation by Imperva that major European and US government websites had been hacked, with access to the sites put on public sale.

As January came to an end, the Arab Spring began with Egyptian ISPs ordered to cut connectivity, and Anonymous sent a warning to the UK government after the arrest of five men.

Into February and the ICO issued its third and fourth fines to Ealing and Hounslow Councils over the loss of unencrypted laptops, Google announced new CEO Larry Page, while Qualys called for the open source development of the web application firewall. The status of this project is now unknown.

McAfee launched the ‘Night Dragon' report that talked of targeted attacks on oil and gas field bids and operations, although comments from Sophos later suggested this did not have enough depth for it to be taken seriously.

Over at the RSA conference in San Francisco, Art Coviello talked about trust in the cloud, demos were given on drive-by downloads and mobile malware, but the organiser's biggest news was to follow later.

Robust attacks hit the headlines again, with controversial Westboro Baptist Church taken down; initially it was suspected that it was the work of Anonymous, but responsibility was later claimed by pro-US hacktivist ‘the Jester'.

If malware is your bag, we saw OddJob in February, Android pulled 21 suspicious apps from its marketplace, while my first encounter with Zeus came courtesy of IronKey at its lab in California.

March saw the release of the iPad 2 from Apple and blog platform WordPress was hit by a huge distributed denial-of-service attack that was ‘multiple Gigabits per second and tens of millions of packets per second'.

In fact, March saw a number of attacks, with the French budget minister, 29 government and other agency websites in South Korea and Broadcast Music (courtesy of Anonymous) all taken down.

On the same day as Wolverhampton City Council was reported to have dumped "confidential personal information in a skip", Twitter introduced a full HTTPS session as an option; it later made this mandatory for all users.

Now you could remember 18 March as the day Microsoft announced the takedown of the Rustock botnet, which otherwise would have been a major headline-grabber, but that news was superseded by RSA's announcement that it was hit by an advanced persistent threat (APT).

Looking back at that story, there is nothing much in it that gives any clue to the impact of the incident, but at the time it was earth-shattering: executive chairman Art Coviello said that a "an extremely sophisticated cyber attack" was detected while in progress, and its investigation revealed that the attack resulted in certain information, specifically related to RSA's SecurID two-factor authentication products, being extracted.

The story would run for days, weeks and months, and remains one of the most referenced of the year. In the following days, Play.com revealed that it had breached data laws, while Trip Advisor also admitted to a breach of user data rules.

The European Commission announced that it was hit by an APT, while a BP employee lost a laptop containing the personal details of 13,000 Louisiana residents who had filed compensation claims after the Gulf of Mexico oil spill. Another bad day for the oil giant.

In possibly one of the most distressing stories of the year – a data leak at an HIV clinic revealed test results for adult actors, while marketing company Epsilon suffered a breach that caused it to inform its customers of the potential breach; in other words, a nightmare for everyone involved. However, it did lead to Twitter users ‘counting' how many notifications they had received: just the one for me.

Further light was shone on the RSA ‘incident' as it was found to be caused by a spear phishing message that took advantage of a vulnerability in Adobe Flash for access to be granted. RSA also acquired the company whose technology helped it detect the attack – NetWitness.

In slightly more positive news, the Jericho Forum introduced one of the first thought leadership pieces of the year, with its guidance on identity management launched in London. We also saw another botnet, Coreflood, taken down as the FTP server turned 40.

April ended with the InfoSecurity Europe show, where a demonstration of how easy it is to run a rogue WiFi point snared 300 visitors, the Information Commissioner denied, and got rather confused about, some Freedom of Information Act findings, and, most importantly, the SC Magazine Europe Award winners were announced.

A very busy four months then, and as the world enjoyed the Easter and Passover holidays and waited for the wedding of Prince William and Kate Middleton, the headlines were not about to relent.


Find this article useful?

Get more great articles like this in your inbox every lunchtime

Upcoming Events