Covering IT security is a little bit like being a police beat writer -- or a traffic reporter. On one hand, you get to see a lot of good days and great saves. On the other hand, you get to see some real bonehead plays, both by attackers and defenders.
Today, as Dark Reading celebrates its first anniversary on the Web, we couldn't help but look back at some of the goofs, gaffes, and blunders we've seen in the past 12 months. Many of them are laughable -- as long as you're not the CSO involved. Others are just plain sad, in that they needlessly exposed the personal information of hundreds -- even thousands -- of innocent bystanders.
All of them provide the kind of hard knocks required to school companies and other organizations on what to do with security -- and what not to. So here's a list of this year's "object lessons;" sadly, we're pretty sure we'll have a new batch for you next year as well.
1. Debacle at DuPont
For sheer temerity, it's tough to beat Gary Min, the Del. chemist who in February pleaded guilty to stealing some $400 million worth of DuPont trade secrets, which he had planned to offer to his new employer. (See Insider Tries to Steal $400 Million at DuPont.)
Between August 2005 and December 12, 2005, Min downloaded some 22,000 abstracts and about 16,700 documents from DuPont's research database, most of them unrelated to his job. When the FBI raided Min's house, they found several computers containing DuPont documents marked "confidential." A software erasure program had been launched on an external disk drive of one of the computers, which was in the process of erasing the entire drive.
Agents also found several garbage bags full of shredded DuPont documents and the remains of numerous confidential documents in ashes in Min's fireplace. Min also was storing documents in a storage unit and in a separate one-bedroom apartment.
Apparently, none of Min's co-workers noticed his late-night downloads or the reams of paper he took home with him. In fact, if DuPont hadn't done a routine check on his computer activity following his announced resignation, Min might have gotten away with the whole thing.
2. Maxx'd Out
Let's put it simply: It's the worst breach of customers' personal information in human history. At last count, the TJX Companies reported that the mammoth leak, first revealed in January, has exposed some 45 million credit and debit card numbers -- and maybe more. (See TJX Breach Skewers Customers, Banks and TJ Maxx Parent Company Data Theft Is the Worst Ever.)
That figure breaks the old record of 40 million set several years ago by Card Systems -- a breach that effectively put that company out of business.
TJX still isn't saying exactly how the leak occurred -- one rumor says criminals gained access through kiosks in TJX stores -- but it does admit that the credit card data dates back as far as 1993. Under guidelines set by Visa and other credit card companies, retailers are not supposed to store any customer transaction data for more than 30 days.
Ironically, the banks that issued the credit cards bore the brunt of the pain from the breach. Card customers were not held responsible for the charges made by identity thieves, so the banks had to eat those costs as well as the costs of issuing new cards to thousands of customers. TJX itself has fared fairly well, losing only two and a half points from its stock price since disclosing the leak.
3. AOL = DOH!
Most security breaches happen because somebody left a door unlocked. Last August, however, AOL proactively took some of its valuables out the door and -- however unintentionally -- laid them out in the open. (See Users Outraged by AOL Gaffe.)
It all started innocently enough. AOL, in a generous effort to help researchers understand its search engine, published a log file containing some 19 million actual queries from more than 650,000 subscribers conducted between March 1 and May 31 of last year. The online service provider replaced the names of the searchers with numbers to protect their privacy -- but it didn't do anything to sanitize the queries themselves.
Researchers quickly demonstrated AOL's folly, analyzing the search data and coming up with dozens of user names, addresses, Social Security numbers, and credit card numbers. Some of the researchers traced queries back to discover specific users' visits on porn sites or illicit chat rooms.
"This was a screwup, and we're angry and upset about it," said AOL spokesman Andrew Weinstein.
4. Dismay at the VA
Over the past 12 months, two phrases have become synonomous: "laptop theft" and "VA." Less than three weeks after Dark Reading opened its doors last May, we were covering the Department of Veterans Affairs's loss of personal information for some 26.5 million veterans, including active soldiers in Iraq. (See VA Reports Massive Data Theft and VA Data Loss Worse Than Expected.)
The data was stored on a single user's laptop, which was brought home and subsequently stolen in a weekend break-in. The data was not encrypted, and officials said the employee should not have brought it home in the first place. The incident led to several resignations at the agency.
More importantly, the theft led to a full-scale analysis of laptop security technology and processes -- not just in the federal government, but in businesses across the globe. Virtually every company had lost at least a few laptops, and all of a sudden, they realized how vulnerable they could be.
Ironically, the FBI recovered the VA's lost laptop just a few weeks after the disclosure of its theft, and there was no evidence that the personal information had been copied, or even accessed. But the damage was done: Veterans launched lawsuits, the VA initiated a full-scale encryption program, and government agencies (as well as many businesses) reviewed and re-tooled their laptop security plans.
Next Page: Page Two
5. Thumbing a Risky Ride
One of the most prominent breaches we reported in our first year resulted in no lost data, no identity theft, and no IT staff resignations. In fact, the "victim" was happy about the outcome. (See Social Engineering, the USB Way.)
The exploit in question was perpetrated by our own Steve Stasiukonis, a penetration tester who specializes in social engineering. His plan was simple: Infect 20 USB thumb drives with a harmless Trojan, then sprinkle them in parking lots, bathrooms, and other public locations at the offices of his client, a regional credit union.
The effect was swift, and it could have been devastating. Of the 20 thumb drives planted, employees found 15 -- and all 15 of them were subsequently plugged into computers around the company. If the Trojan had been malicious, the credit union's systems might have been brought down or burglarized.
Like the VA's laptop theft, the hack illuminated a vulnerability that existed at almost every company in our readership. The credit union immediately instituted new policies and training programs to prevent the exploit from happening for real. Since then, many vendors have stepped forward to offer portable security solutions, both for thumb drives and for other removable storage devices.
6. Redfaced in the Rising Sun
American organizations weren't the only ones losing their stuff in the past year. In March, Dai Nippon Printing reported that around 8.64 million pieces of customer information related to 43 client companies -- including Toyota and Aeon -- were stolen last summer by a former employee of a subcontractor, who absconded with a magnetic optical drive containing the data. (See Huge Leak Revealed at Japanese Firm.)
The data includes names, addresses, telephone numbers and, in some cases, credit card numbers on 1,504,857 customers of American Home Assurance, 581,293 customers of Aeon, and 439,222 customers of NTT Finance.
The data was allegedly stolen by Hirofumi Yokoyama, 45, a former employee of a subcontractor that processed the information for the printing company. After smuggling the data out on a portable hard drive, Yokoyama sold the data of some 150,000 customers of a major consumer credit firm to a fraud ring targeting online shoppers, prosecutors said.
Ironically, Japan's flawed data breach laws allowed police only to hold Yokoyama on the theft of the drive itself, which is worth about 250 yen. If he had used his own drive, instead of borrowing one from Dai Nippon, he might have gotten away.
7. Disgruntled Disaster
Roger Duronio was pissed off. He didn't get as big an annual bonus as he expected, so he quit his job as a systems administrator at UBS PaineWebber and he went home. Then, Roger got an idea.
Using access codes he retained from his old job, an angry Duronio planted a logic bomb in UBS PaineWebber's systems. The bomb hit at 9:30 in the morning, just as the stock market opened for the day. Files were deleted from up to 2,000 servers in both the central data center in Weehawken, N.J., and in branch offices around the country. Company representatives never reported the cost of lost business, but they did say it cost the company more than $3.1 million to get the system back up and running.
In July, Duronio was convicted of the felony -- which occurred in 2002 -- after a six-week trial. He now will serve up to eight years in federal prison. UBS PaineWebber says it is just happy the case is over, but experts say the incident was a major blow to the company.
The incident illustrates the danger posed by insiders, especially those skilled in IT with axes to grind. With cases such as UBS PaineWebber's in mind, many experts now say the internal threat has outstripped external threats as the most serious issue faced by IT security departments. (See Ex-UBS Sys Admin Found Guilty.)
8. Lies, Damn Lies, and Pretexting
When Hewlett-Packard executives discovered a media leak in their ranks last year, they decided to do something about it. That's where they got into trouble.
According to court documents, HP Chairwoman Patricia Dunn hired private investigators who used "pretexting" -- sometimes called lying -- to fraudulently gain access to records of personal calls made to and from board members' homes and personal cellphones. (See HP Under Inquiry in Media-Leak Scandal and California Judge Dismisses All Charges Against HP's Dunn; Three Others Cut Deals.) The Federal Trade Commission says pretexting is illegal.
The investigators' methods -- which included both social engineering and spyware -- led to an ugly court case for HP, as well as a lawsuit and, eventually, a new U.S. law against pretexting. Dunn and three other HP executives pleaded guilty to a misdemeanor count of fraudulent wire communications.
The case has made many companies rethink their approaches to internal investigations of potential security breaches. Companies should leave such investigations to professionals -- or even the authorities -- to ensure they are on solid legal ground, experts say.
9. Spy Where?
The U.S. Department of Energy would like you to know that it's doing all it can to protect the PCs and laptops containing sensitive information about nuclear technology. Um, it just needs to find all of them first. (See Dude, Where's Your PC?)
The DOE's Counterintelligence Directorate -- which is tasked with protecting sensitive data and operations against espionage by foreign entities -- is missing 20 computers that may contain classified data, according to an inspection report issued in March by the DOE's Office of the Inspector General.
At least 14 of the computers were known to have processed classified information, the report says. "Based on these findings, we concluded that Counterintelligence was unable to assure that the computers for which it is accountable, and the often highly-sensitive and/or classified information they processed, were appropriately controlled or were adequately guarded from loss and theft," the Inspector General concluded.
The report cast a new light on the many "lost laptop" breaches of the previous months, most of which involved only a single machine. While such disclosures reveal the loss of devices that are known to be missing, most organizations are quietly unable to locate a large chunk of their PC inventory at any given time, experts said.
Gartner estimates that most enterprises can tell you the location and the user of only about 65 percent of their machines. While many of the "lost" PCs probably are still inside the enterprise, analysts estimate that as many as 3.5 to 5 percent of the missing machines are stolen, usually by employees.
10. Vacuuming VOIP
Everybody's excited about the potential for voice over IP (VOIP) services. Unfortunately, "everybody" includes hackers.
A Miami businessman, helped by a professional hacker, last summer penetrated the networks of Internet phone providers to connect hundreds of thousands of free calls, federal prosecutors said. (See Security Honeymoon Over for VOIP.) After obtaining free access to the networks, Edwin Andres Pena charged customers more than $1 million to route calls for them, according to the FBI.
Pena paid $20,000 to hacker Robert Moore of Spokane, Wash. for a VOIP exploit, according to court documents. He went on to sell more than 10 million minutes of calls that rode illegally on the VOIP providers' networks, then pocketed the cash.
The exploit demonstrated the ease with which VOIP technologies -- and even public services -- could be penetrated. Subsequently, many VOIP vendors leapt into the fray with new VOIP security measures and products.
Tim Wilson, Dark Reading