2012's worst security exploits, fails and blunders

A fool and his feeble p@$$w0rd are soon rooted, but if 2012 has proven anything, it's that even the most cautious, security-minded souls need to double down on their defensive practices and think hard about the best ways to mitigate damage if the worst happens in our increasingly cloud-connected world.

A solid security toolbox should form the heart of your defense, of course, but you'll also need to consider your basic behavior. For example, a leaked LinkedIn password does little harm if that particular alphanumeric combination only opens the door to that one account, rather than every social media account you use. Two-factor authentication can stop a breach before it happens. And do your passwords suck?

I'm not trying to scare you. Rather, I'm interested in opening your eyes to the types of precautions that are necessary in the digital age, as evidenced by the biggest security exploits, blunders, and fails of 2012. 'Twas a banner year for the bad guys.

Honan hack attack

Honan's catastrophe was magnified by his lack of physical backups.

The highest-visibility hack of 2012 didn't involve millions of users or an avalanche of pilfered payment information. No, the security highlight (or is that lowlight?) of 2012 was the epic hacking of a single man: Wired writer Mat Honan.

Over the course of a single hour, hackers gained access to Honan's Amazon account, deleted his Google account, and remotely wiped his trio of Apple devices, culminating in the hackers ultimately achieving their end goal: seizing control of Honan's Twitter handle. Why all the destruction? Because the @mat Twitter handle's three-letter status apparently makes it a highly coveted prize. (The malcontents posted several racist and homophobic tweets before the account was temporarily suspended.)

The devastation was all made possible by security snafus on Honan's end (daisy-chaining critical accounts, not turning on two-factor authentication, using the same basic naming scheme across several email accounts) and by conflicting account security protocols at Amazon and Apple, which the hackers took advantage of with the assistance of some good ol' fashioned social engineering.

The scariest part? Most people probably engage in the same basic (read: lax) security practices Honan did. Fortunately, PCWorld has already explained how to plug the biggest digital security holes.

The Flame virus

The Flame computer virus takes its name from its code.

Traced as far back as 2010 but only discovered in May of 2012, the Flame virus bears a striking similarity to the government-sponsored Stuxnet virus, with a complex code base and a primary use as an espionage tool in Middle Eastern countries like Egypt, Syria, Lebanon, Sudan, and (most often) Iran.

Once Flame sunk its hooks into a system, it installed modules that could, amongst other things, record Skype conversations or audio of anything happening near the computer, snag screenshots, snoop on network connections, and keep logs of all keypresses and any data entered into input boxes. It's nasty, in other words, and Flame uploaded all the information it collected to command and control servers. Shortly after Kaspersky researchers sussed out Flame's existence, the virus' creators activated a kill command to wipe the software from infected computers.

Onity hotel lock hack

At the Black Hat security conference in July, researcher Cody Brocious disclosed a device that could semi-reliably open electronic door locks made by Onity. Onity locks are found on 4 million doors in thousands of hotels across the world, including high-visibility chains like Hyatt, Marriott, and IHG (which owns both Holiday Inn and Crowne Plaza). Based around an Arduino microcontroller and assembled for less than $50, the tool can be built by any crook with pocket change and some coding skills, and there's at least one report of a similar tool being used to break into hotel rooms in Texas.

Arduino: The open-source heart of the hack.

Scary stuff, to be sure. Perhaps more worrying was Onity's response to the situation, which was basically "Put a plug over the port and change the screws."

The company eventually developed an actual solution for the vulnerability, but it involves swapping out the circuit boards of affected locks, and Onity refuses to foot the bill for doing so. A December ArsTechnica report suggests the company may be more willing to subsidize replacement boards in the wake of the Texas crime spree, though as of November 30th, Onity had only supplied a total of 1.4 million "solutions for locks" (including those plastic plugs) to hotels globally. In other words, the vulnerability is still very widespread. Epic fail.

Death by a thousand cuts

The year didn't see a massive database breach in the vein of 2011's PlayStation Network takedown, but a series of smaller penetrations came fast and furious throughout the spring and summer. While the release of 6.5 million hashed LinkedIn passwords may have been the most notable hack, it was buoyed by the posting of more than 1.5 million hashed eHarmony passwords, 450,000 Yahoo Voice login credentials, an unspecified number of Last.fm passwords, and the full login and profile information of hundreds of Nvidia forum users. I could go on, but you get the point.

What's the takeaway? You can't trust a website to keep your password safe, so you should use different passwords for different sites to minimize the possible damage if hackers do manage to crack your login credentials for a given account. Check out our guide to building a better password if you need some pointers.

Dropbox drops its guard

Dropbox's "open box" logo proved all too true for people who reused passwords in 2012.

Back in July, some Dropbox users began noticing that they were receiving a large amount of spam in their inboxes. After some initial denials followed by some deeper digging, Dropbox found that hackers had compromised an employee's account and gained access to a document containing user email addresses. Oops! The damage was minor, but the egg on the face was major.

At the same time, a very small number of users had their Dropbox accounts actively broken into by outside sources. Investigations revealed that the hackers gained access to the accounts because the victims were reusing the same username/password combination across several websites. When the login credentials were leaked in a breach at another service, the hackers had all they needed to unlock the Dropbox accounts.

Dropbox's woes highlight, again, the need to use separate passwords for different services, as well as the fact that you can't trust the cloud completely yet. You can take cloud security into your own hands with the help of a third-party encryption tool.
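Both the breach roundup and the Dropbox break-ins turn on the same two facts: a site that stores unsalted, fast hashes leaks more than it thinks, and a reused password at one such site is a key to every other one. The example below is added here and is not code from PCWorld, LinkedIn or Dropbox; the two "dumps" are constructed sample data (fictional users, fictional passwords), they assume unsalted SHA-1 storage purely for illustration, and all function names are this example's own. It shows what a defender can read straight off such dumps without cracking a single hash, and then the per-user salt plus slow key derivation (PBKDF2 from Python's standard library) that removes those properties.

```python
import hashlib
import hmac
import os
from collections import defaultdict


def _sha1_hex(password: str) -> str:
    """Unsalted SHA-1, the weak storage scheme the sample dumps assume."""
    return hashlib.sha1(password.encode()).hexdigest()


# Constructed sample data: two fictional sites, each leaked as user -> hash.
SITE_A_DUMP = {
    "alice": _sha1_hex("correcthorse"),
    "bob":   _sha1_hex("hunter2"),
    "carol": _sha1_hex("hunter2"),
    "dave":  _sha1_hex("S3curePa55"),
}
SITE_B_DUMP = {
    "alice": _sha1_hex("correcthorse"),   # alice reused her Site A password
    "bob":   _sha1_hex("a-different-one"),
    "carol": _sha1_hex("hunter2"),        # so did carol
    "erin":  _sha1_hex("only-here"),
}


def shared_password_groups(dump: dict) -> list:
    """With no salt, equal passwords give equal hashes, so a single dump
    already reveals which users share a password with each other."""
    by_hash = defaultdict(list)
    for user, digest in dump.items():
        by_hash[digest].append(user)
    return sorted(sorted(users) for users in by_hash.values() if len(users) > 1)


def reused_accounts(dump_a: dict, dump_b: dict) -> list:
    """Users present in both dumps with identical hashes reused the same
    password; a site that owns dump_b should force-reset exactly these."""
    common = dump_a.keys() & dump_b.keys()
    return sorted(u for u in common if dump_a[u] == dump_b[u])


def hash_password(password: str, salt: bytes = b"", iterations: int = 200_000) -> str:
    """Salted, slow storage: a fresh 16-byte salt per user and PBKDF2-HMAC-SHA256.
    Two users with the same password now get unrelated stored values."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    _algo, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    print("same password inside Site A:", shared_password_groups(SITE_A_DUMP))
    print("reused across A and B:      ", reused_accounts(SITE_A_DUMP, SITE_B_DUMP))
    h1, h2 = hash_password("hunter2"), hash_password("hunter2")
    print("salted hashes differ:", h1 != h2, "| verify:", verify_password("hunter2", h1))
```

The salted, iterated scheme stops the cross-dump matching and the precomputed lookup tables that made the 2012 LinkedIn hashes so cheap to reverse, but it protects the site's own database only; a user who reuses a password at another site that stored it badly is still exposed, which is exactly the Dropbox case and why unique passwords per service remain the user-side fix.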

Millions of SC SSNs pilfered

Speaking of encryption, it would be nice if the government followed basic security principles.

After a big October data breach resulted in a hacker obtaining the social security numbers of a whopping 3.6 million South Carolina citizens (in a state with just 4.6 million residents!), state officials tried placing the blame at the feet of the Internal Revenue Service. The IRS doesn't specifically require states to encrypt the SSNs in tax filings, you see. So South Carolina didn't, though it plans to start now, hindsight being 20/20 and all.

On the kinda positive side, debit and credit card details of 387,000 South Carolina citizens were also swiped in the digital burglary and most of those were encrypted, though that's likely slight solace for the 16,000 people whose card details were stolen in plain-text form.

Skype's massive security flaw

Lax account recovery procedures threatened Skype users in November.

In November, Skype users temporarily lost the ability to request a password reset for their account after researchers identified an exploit that allowed anybody to gain access to a Skype account as long as the person knew the email address associated with the account. Not the account password, not the security questions, just the simple email address alone.

Skype quickly plugged the hole once it caught the public eye, but the damage had already been done. The vulnerability was posted on Russian forums and actively being used in the wild before it was shut down.

Hackers steal 1.5 million credit card numbers

In April, hackers managed to "export" a whopping 1.5 million credit card numbers from the database of Global Payments, a payment processing service used by government agencies, financial institutions, and around 1 million global storefronts, amongst others.

Fortunately, the breach was fairly contained. Global Payments was able to identify the card numbers affected by the hack, and the data stolen only contained the actual card numbers and expiration dates, not any cardholder names or personally identifiable information. The hits kept coming, though. In June, Global Payments announced that hackers may have stolen the personal information of people who applied for a merchant account with the company.

Microsoft Security Essentials fails AV-Test certification

Well, isn't this embarrassing. AV-Test is an independent information security institute that regularly rounds up all the top antimalware products out there, tosses a whole bunch of nasties at said products, and sees how the various solutions hold up under the withering barrage. The organization did just that with 24 different consumer-focused security solutions at the end of November, and only one of those solutions failed to meet AV-Test's certification standard: Microsoft Security Essentials for Windows 7.

That one without a certification logo? It's MSE.

MSE actually did a decent job tackling well-known viruses in the test, but the security program provided appallingly little, well, security in the face of zero-day exploits. Its 64 protection score against said zero-day attacks is a full 25 points lower than the industry average.

The blunder that wasn't: Norton source code released

It sounds scary on the surface: Groups of rogue hackers managed to get the source code for one of Symantec's popular Norton security utilities, then dumped the code on Pirate Bay for the world to dissect. Oh, noes! Now nothing can stop the bad guys from running willy-nilly past the defenses that come preinstalled on gajillions (approximately) of boxed systems sold throughout the world, right?

Wrong. The source code belonged to Norton Utilities products released in 2006, you see, and Symantec's current products have since been rebuilt from the ground up, with no common code shared between the two. In other words, the 2006 source code's release doesn't pose any risk to modern-day Norton subscribers, at least if you've updated your antivirus in the past half-decade.

Source: https://www.pcworld.com/article/456126/2012s-worst-security-exploits-fails-and-blunders.html

Posted by: janusagelf2001.blogspot.com
