Attacks/Breaches
12/21/2012
12:39 PM
Connect Directly
RSS
E-Mail
50%
50%

10 Biggest Information Security Stories Of 2012

From John McAfee's escape from Belize to the privacy debacle that compromised CIA director Petraeus' career, 2012 had no shortage of security shockers.

6. Privacy Bill Of Rights Lacks Force Of Law.

Earlier this year, the White House unveiled a pioneering Consumer Privacy Bill of Rights, building on FTC recommendations for increasing the transparency of how businesses use people's personal information. Unfortunately, because the bill of rights hasn't been passed by Congress and become law, the White House has to encourage businesses to say they'll voluntarily abide by the recommendations.

Also this year, California's attorney general began requiring that all mobile apps distributed to its residents -- and thus, really, any U.S. resident -- would need to contain clear privacy policies, or be in breach of California law. Later in the year, California carried through by warning and then suing Delta Airlines for failing to offer a privacy policy for its mobile apps.

Beyond the White House and California, however, the body that's most notably been absent from advancing consumer privacy protections has been Congress, which has so far failed to pass any laws aimed at protecting people's online privacy.

7. How Girlfriends Stop Hackers.

What stops hackers from hacking? Simple: Jobs, relationships, children and other adult responsibilities. Some readers, perhaps not making it past the related story headline --"One Secret That Stops Hackers: Girlfriends" -- took offense at the suggestion that more hackers need girlfriends. Others suggested that the actual cost of procuring girlfriends for hackers might prove exorbitant, while other respondents reported that yes, in fact they'd dropped hacking because they'd gotten a girlfriend.

Based on research conducted by online psychology expert Grainne Kirwan, who lectures at Ireland's Dun Laoghaire Institute of Art, Design and Technology, as do other criminals most law-breaking hackers simply "age out" of their life of crime after getting more responsibilities. But even with that knowledge, the next step toward preventing more teenagers from breaking the law by hacking remains an open question.

8. Revealed: Outsourced Brokerage Firm IT Meltdown.

Although the downfall of brokerage firm GunnAllen occurred in 2010, its demise arguably began a decade before, when one broker began running Ponzi schemes, followed by another concocting a "trade allocation scheme" that routed profits from profitable picks to his wife. But the firm's demise could also be glimpsed by the manner in which the firm's executives outsourced all IT responsibilities for at least several years to the Revere Group, and never looked back.

But former Revere employees revealed this year that numerous IT errors had remained unreported to regulators, and perhaps even GunnAllen management. Among other incidents, network traffic-handling trades were routed through a home network; unencrypted lost laptops remained unreported to regulators; and a rogue engineer apparently was sabotaging equipment and playing hero by fixing it. Also notable was the fact that the missteps remained undetected by regulators.

9. Designerware PC Rental Surveillance Tool Revealed.

Consumers who buy rent-to-own PCs, beware: A judge has ruled that it's okay to spy on you and your children. That fact emerged during a court case against software developer Designerware, as well as multiple rent-to-own businesses that used the company's software for "loss prevention" purposes. Although many of the businesses claimed they only used the software to recover laptops from people who missed payments, former employees told a court that rent-to-own managers and employees regularly used the software to remotely activate webcams and spy on people's "intimate activities."

Those revelations led to FTC charges, which in September both DesignerWare and seven rent-to-own businesses agreed to settle, although Florida's attorney general launched her own investigation. Meanwhile, Designerware's two principals declared bankruptcy after seeing their court costs mount -- so some related privacy justice, while delayed, does seem to finally have been served.

10. FBI Investigation Snares CIA Director Petraeus.

Consumer advocates have long maintained that the privacy protections afforded to Americans, and their personal data, remain sorely lacking. Perhaps the best illustration to date of people's poor privacy rights arrived in November via an FBI agent outing an affair between the director of the CIA, David Petraeus, and his biographer, Paula Broadwell.

Petraeus' career was undone by Broadwell sending anonymous emails of an allegedly threatening nature to Jill Kelly, a friend of Petraeus whom Broadwell viewed as a rival. Kelly showed the emails to an FBI agent, who alerted the bureau's cybercrime investigators, who traced them back to the sender, in part via a Gmail account Broadwell shared with Petraeus to coordinate their affair.

After the bureau found no evidence of wrongdoing that it wished to prosecute, the FBI agent friend of Kelly suspected that the White House was covering up the incident, and so leaked details to Rep. Dave Reichert (R-Wash.), who took it to Rep. Eric Cantor, the GOP majority leader, who -- not knowing that the FBI had dropped the investigation -- took the information to Petraeus' boss, James Clapper, the director of national intelligence. Clapper told Petraeus to resign. One upside from the case is that the ease with which Petraeus' affair was discovered and his career apparently wrecked has finally driven more members of Congress to weigh better consumer privacy protections for all.

Recent breaches have tarnished digital certificates, the Web security technology. The new, all-digital Digital Certificates issue of Dark Reading gives five reasons to keep it going. (Free registration required.)

Previous
2 of 2
Next
Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-2413
Published: 2014-10-20
Cross-site scripting (XSS) vulnerability in the ja_purity template for Joomla! 1.5.26 and earlier allows remote attackers to inject arbitrary web script or HTML via the Mod* cookie parameter to html/modules.php.

CVE-2012-5244
Published: 2014-10-20
Multiple SQL injection vulnerabilities in Banana Dance B.2.6 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) return, (2) display, (3) table, or (4) search parameter to functions/suggest.php; (5) the id parameter to functions/widgets.php, (6) the category parameter to...

CVE-2012-5694
Published: 2014-10-20
Multiple SQL injection vulnerabilities in Bulb Security Smartphone Pentest Framework (SPF) before 0.1.3 allow remote attackers to execute arbitrary SQL commands via the (1) agentPhNo, (2) controlPhNo, (3) agentURLPath, (4) agentControlKey, or (5) platformDD1 parameter to frameworkgui/attach2Agents.p...

CVE-2012-5695
Published: 2014-10-20
Multiple cross-site request forgery (CSRF) vulnerabilities in Bulb Security Smartphone Pentest Framework (SPF) 0.1.2 through 0.1.4 allow remote attackers to hijack the authentication of administrators for requests that conduct (1) shell metacharacter or (2) SQL injection attacks or (3) send an SMS m...

CVE-2012-5696
Published: 2014-10-20
Bulb Security Smartphone Pentest Framework (SPF) before 0.1.3 does not properly restrict access to frameworkgui/config, which allows remote attackers to obtain the plaintext database password via a direct request.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.