Sorry I am a week late in posting this, but 2009 snuck up on me. So here, without further ado, is my list of Top Ten Infosec Oops! of 2008. They are my personal choices, not necessarily the ones that got the most headlines or hype--so if you don’t like them, make your own and post it to this list. Enjoy.
- 11,348,196 Private Records Compromised--In 687 separate incidents over the year, per Privacy Rights Clearinghouse (www.privacyrights.org). Whether it was an outside hacker, an inside job, or just plain “Oops!” (an accidental release), it still amounts to huge whopping mistakes on the part of government and private industry, and ones we will all pay for, either directly in the cost of an identity theft or indirectly through higher fees and prices for goods and services to cover the cleanup. And remember, these are just the incidents that were discovered and reported; most likely they are the tip of the iceberg. When are these entities going to learn that it is always cheaper to spend the money up front to prevent these incidents than to deal with them afterwards? Is it wishful thinking to hope it will be better in 2009?
- DNS Hack Discovered by Dan Kaminsky--http://www.wired.com/techbiz/people/magazine/16-12/ff_kaminsky. This huge gaping hole was found in one of the most basic Internet services, DNS: a cache-poisoning attack that lets anyone who can guess a resolver's 16-bit transaction ID inject bogus records for an entire domain, with no need to wait for a cached record to expire first. The coordinated fix that DNS vendors shipped in July 2008 was to randomize the resolver's source port as well, so an attacker has to guess both the ID and the port. I have long posited that DNS is the biggest area of vulnerability on the net (DNS in general, not this specific vulnerability; I’m not that brilliant). Kaminsky proved it, and it was a big one. As he said when he first discovered it, “Oops, I broke the Internet.”
- Dan’s Flubbing of the Release of the DNS Exploit--Dan had good intentions. He wanted to let all the affected vendors know before he went public so they could develop and release patches, which is considered the ethical thing to do. Unfortunately, he also scheduled a talk to announce it publicly at Black Hat, one of the biggest Infosec conferences in the world, and the word got out. Some very smart people worked it out from his vague press release, a security firm's blog post then confirmed the details (it was pulled within hours, but not before it had been copied), and by the time he gave his talk the cat was already out of the bag and unpatched systems were being exploited. While he may have had good intentions to begin with, it ended up looking like a publicity stunt. Nice try, Dan, but next time either go public or keep it totally quiet until you are ready. And next time, don’t trust hackers.
- The Hacking of Sarah Palin's Email--As if dear Sarah needed anything else to make her look more like a boob (no pun intended). Having her Yahoo email hacked, an account she was using for official State of Alaska business, was the cherry on the sundae for us Infosec types. No exploit was needed, either: the attacker walked through Yahoo's password-reset questions (birth date, ZIP code, where she met her husband), all of which could be answered from public information. The silver lining is that it's been a highly visible cautionary tale to use in my security awareness trainings. Now maybe company employees will stop using their free webmail accounts for sensitive business. Naww....
- Microsoft’s Crashing the Zune at New Year's--Just imagine, it's the holidays, you just got a brand new Zune player (because your parents hate you), and you are all ready to start jamming. What does good ole grinchy MS do? On December 31, 2008, every 30GB Zune froze on boot. The cause was a leap year bug in the device's clock driver: the code that converts a running day count into a year could not handle the 366th day of a leap year and looped forever. Didn’t we fix all these things before Y2K? Not the best way to build a rep and catch up with the market leader, the iPod. Time to throw another has-been piece of wannabe tech on the trash heap.
- Spore's Oppressive DRM--What a great game concept! Evolve from a single cell to a galactic civilization. Unfortunately, the SecuROM copy protection EA shipped with it allowed only three activations, after which the game would no longer install on a new PC (EA later raised the limit to five). There was a huge outcry and even a class-action lawsuit. Do you really own that software? Or do you just own three installs of it?
- Microsoft’s Non-Scheduled Patch Releases--First they got us used to regular Patch Tuesday releases, and then proceeded to release patches out of cycle, twice in the last quarter of 2008 alone (MS08-067 for the Windows Server service and MS08-078 for Internet Explorer). I understand that some fixes can't wait for the next release date, but if you are having that many out of cycle, why bother with the planned release schedule?
- Apple Exploits--2008 was the year Apple finally lost its halo as the system that never gets hacked. Maybe its success is finally catching up with it: more users make a bigger target. Or maybe now that it is built on Intel hardware and a BSD-like OS, it's just easier for people who already know those platforms to find the holes. Either way, this year saw a number of high-profile Apple hacks, including the MacBook Air being the first machine to fall at the Pwn2Own contest, through a Safari bug. So you can no longer ignore security if you own a Mac.
- RIAA Lawyers Withdraw from the Field--Years ago, when the music recording industry could have turned the tide, instead of pursuing a technical or artistic solution, they opted for a legal one. I bet they spent more on high-dollar legal beagles than they ever recovered from suing grandmas and 13-year-olds. Nice way to ingratiate yourself with a whole generation of kids who have grown up with “free” music and ubiquitous broadband. At the end of 2008, they finally admitted it was a failed approach and called off the dogs (not in so many words). Next brilliant plan: marketing CDs as drink coasters.
- MD5 Hash Being Hacked--On December 30, researchers demonstrated the attack for real: using a chosen-prefix MD5 collision, they had a commercial CA that still signed with MD5 issue them an ordinary certificate whose signature was equally valid on a rogue intermediate CA certificate they had built, one that every major browser would trust. Time will tell whether this is a major break in the underlying Internet infrastructure or a sophisticated, limited-application exploit; either way it strikes at the underpinning of the Internet. MD5 collisions have been known since 2004, yet in 2008 several public CAs were still using MD5 to sign certificates used for ecommerce. The fix is on the CA side: stop signing with MD5 and move to SHA-1 or, better, SHA-256. Let’s hope it stays esoteric and academic (though these things rarely do).
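The DNS item above describes the Kaminsky attack in prose. What follows is an added simulation of it, written for this post and not code from the original or from Kaminsky's own tools, that shows why source port randomization was the fix. It models a resolver that accepts a reply only if the transaction ID and port match an outstanding query, and an attacker who asks for a fresh random subdomain each round (so no cached record has to expire first) and floods forged replies carrying a bogus glue record for the whole domain. The domain, the attacker's address, the burst size, the trial count and the seeds are all constructed for the example.

```python
import random

# Constructed data for the simulation: the attacker wants the resolver to cache
# this glue record so every later lookup under example.com goes to 10.0.0.66.
FORGED_GLUE = {"ns.example.com": "10.0.0.66"}


class Resolver:
    """Toy recursive resolver: a reply is accepted only if its transaction ID
    and destination port match an outstanding query for that name."""

    def __init__(self, randomize_port: bool, rng: random.Random):
        self.randomize_port = randomize_port
        self.rng = rng
        self.pending = {}   # name -> (txid, source_port)
        self.cache = {}

    def query(self, name: str):
        txid = self.rng.randrange(1 << 16)             # 16-bit transaction ID
        port = self.rng.randrange(1024, 65536) if self.randomize_port else 53
        self.pending[name] = (txid, port)
        return txid, port

    def receive(self, name: str, txid: int, port: int, records: dict) -> bool:
        if self.pending.get(name) != (txid, port):
            return False                                # not for a query we sent
        del self.pending[name]
        self.cache.update(records)                      # glue goes into the cache
        return True


def run_attack(randomize_port: bool, burst: int = 256,
               max_trials: int = 3000, seed: int = 7):
    """Kaminsky-style race. Each trial asks for a never-seen random subdomain,
    then floods `burst` forged replies with guessed (txid, port) before the
    genuine reply lands. Returns (trial number or None, resolver cache)."""
    resolver = Resolver(randomize_port, random.Random(seed))
    attacker = random.Random(seed + 1)
    for trial in range(1, max_trials + 1):
        name = f"x{attacker.randrange(1 << 32)}.example.com"
        resolver.query(name)
        for _ in range(burst):
            guess_txid = attacker.randrange(1 << 16)
            guess_port = attacker.randrange(1024, 65536) if randomize_port else 53
            if resolver.receive(name, guess_txid, guess_port, FORGED_GLUE):
                return trial, dict(resolver.cache)
        resolver.pending.pop(name, None)   # genuine reply arrives; this race is over
    return None, dict(resolver.cache)


if __name__ == "__main__":
    print("fixed source port 53 :", run_attack(False)[0])
    print("random source port   :", run_attack(True)[0])
```

With a fixed port the attacker only has to win a 1-in-65536 lottery per forged packet, and because every round uses a new name there is no TTL to wait out, so a few hundred rounds of a couple of hundred packets each is enough. With the port randomized the same budget has to cover roughly 65536 times 64512 combinations, and the run comes up empty.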
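The Zune item above blames a leap year bug in the clock driver. The following is an added illustration of that failure shape, not Zune or Freescale source: a loop that turns a day count since 1980 into a year, which can make no progress on day 366 of a leap year, beside a version whose exit test is tied to the length of the current year. The 1980 origin, the 1-based day numbering and the iteration guard are assumptions for the example.

```python
ORIGINYEAR = 1980   # assumed epoch for the day counter
MAX_ITER = 200      # guard so the buggy version returns instead of spinning forever


def is_leap_year(year: int) -> bool:
    return (year % 4 == 0 and year % 100 != 0) or year % 400 == 0


def days_to_year_buggy(days: int):
    """Returns (year, day_of_year), or None where the original would hang."""
    year = ORIGINYEAR
    iterations = 0
    while days > 365:
        iterations += 1
        if iterations > MAX_ITER:
            return None           # the real driver had no such guard
        if is_leap_year(year):
            if days > 366:
                days -= 366
                year += 1
            # days == 366 in a leap year: neither branch runs, nothing changes,
            # and the while condition stays true forever.
        else:
            days -= 365
            year += 1
    return year, days


def days_to_year_fixed(days: int):
    """Same conversion with the exit test tied to the current year's length."""
    year = ORIGINYEAR
    while True:
        length = 366 if is_leap_year(year) else 365
        if days <= length:
            return year, days
        days -= length
        year += 1


def days_since_origin(year: int, day_of_year: int) -> int:
    """Inverse helper for building inputs: 1 Jan 1980 is day 1."""
    return sum(366 if is_leap_year(y) else 365
               for y in range(ORIGINYEAR, year)) + day_of_year


if __name__ == "__main__":
    for y, doy in [(2008, 365), (2008, 366), (2009, 1)]:
        d = days_since_origin(y, doy)
        print(y, doy, d, days_to_year_buggy(d), days_to_year_fixed(d))
```

Day 365 of 2008 and day 1 of 2009 both convert fine in the buggy version; only 31 December 2008, day 366 of a leap year, never returns. Any boundary test for a date routine should include the last day of a leap year for exactly this reason.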
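The MD5 item above turns on one property: a CA's signature covers only the hash of the certificate body, so two bodies with the same hash share one valid signature. The block below is an added toy demonstration, not the researchers' code, that scales the idea down so it runs in about a second: the digest is truncated to 24 bits so a chosen-prefix collision can be found by a birthday search, and an HMAC stands in for the CA's RSA signature. The certificate fields, the CA key and the search parameters are constructed for the example.

```python
import hashlib
import hmac
import os

# Toy digest: the first 24 bits of MD5, so a collision is cheap to find here.
# Real MD5 is 128 bits; the 2008 team used a chosen-prefix collision
# construction, not brute force. Everything below is constructed for the example.
DIGEST_BYTES = 3


def weak_digest(data: bytes) -> bytes:
    return hashlib.md5(data).digest()[:DIGEST_BYTES]


# Stand-ins for two tbsCertificate bodies. The first is what the attacker asks
# the CA to sign; the second is the rogue CA certificate they actually want.
LEGIT_PREFIX = b"CN=www.example-shop.test; CA:FALSE; "
ROGUE_PREFIX = b"CN=Rogue Intermediate; CA:TRUE; "


def chosen_prefix_collision(prefix_a: bytes, prefix_b: bytes):
    """Birthday search for suffixes with weak_digest(a+s1) == weak_digest(b+s2).
    In the real attack the colliding bits sat in fields the CA copies verbatim
    (the RSA modulus on the legitimate request, an ignored extension on the rogue)."""
    table = {}
    for i in range(1 << 13):                         # 8192 candidates for side A
        s1 = b"serial=%d" % i
        table[weak_digest(prefix_a + s1)] = s1
    i = 0
    while True:                                      # expect about 2^24 / 8192 tries
        s2 = b"pad=%d" % i
        s1 = table.get(weak_digest(prefix_b + s2))
        if s1 is not None:
            return prefix_a + s1, prefix_b + s2
        i += 1


CA_KEY = os.urandom(32)   # constructed stand-in for the CA's private signing key


def ca_sign(tbs: bytes) -> bytes:
    """A real CA computes RSA(digest(tbs)); HMAC over the weak digest keeps the
    same structure: the signature binds the digest, never the bytes themselves."""
    return hmac.new(CA_KEY, weak_digest(tbs), "sha256").digest()


def verify(tbs: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(ca_sign(tbs), sig)


def demo() -> dict:
    legit, rogue = chosen_prefix_collision(LEGIT_PREFIX, ROGUE_PREFIX)
    sig = ca_sign(legit)                       # the CA only ever sees the legit body
    return {
        "same_digest": weak_digest(legit) == weak_digest(rogue),
        "bodies_differ": legit != rogue,
        "rogue_is_ca": b"CA:TRUE" in rogue,
        "signature_transfers": verify(rogue, sig),
    }


if __name__ == "__main__":
    print(demo())
```

The CA signs a harmless end-entity body and the signature verifies unchanged on a body that says CA:TRUE. Nothing about the signing key or the signature algorithm is broken; only the hash is, which is why the remedy is to stop signing with a hash that has a practical collision attack rather than to rotate keys.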
That’s it till next year. Let’s hope there are fewer “Oops” moments in 2009. Coming up next, the positive side, things to look forward to in Infosec in 2009.