There was no single miscue or scandal that adequately sums up all that’s transpired in the data security universe in 2010. That, as much as anything, illustrates just how prolific hackers and malware authors have become and why consumers and enterprises will need to be especially vigilant in the coming year.
Throughout 2010, there seemed to be a never-ending barrage of transgressions, small and large, that kept security software vendors and their customers constantly on edge. Hospitals and universities were tagged with dozens of data breaches that exposed millions of sensitive files. The supposedly secure data networks of Fortune 500 companies were infiltrated on a regular basis and even the U.S. government found itself exposed and embarrassed in front of an international audience.
Consumers’ infatuation with smartphones and social networking sites combined with enterprises’ willingness to embrace more complicated and security-challenged options like virtualization and cloud computing created numerous new – and old – opportunities for hackers this year.
Here’s a look back at a small, but significant sampling of the biggest security stories of 2010, each of which portends even larger threats and potential damage in 2011:
In January, senior executives at the three of the world’s largest oil companies admitted they were victimized by a sophisticated malware campaign that targeted specific executives in customized emails designed to extract proprietary corporate data.
Top-tier executives at ExxonMobil, ConocoPhillips and Marathon Oil acknowledged that, as far back as 2008, custom spyware that went undetected by antivirus software was installed on employee computers and used to garner critical data, including research and development plans for future oil and natural gas reserves.
Nation-Sponsored Attacks Increase
Google (NASDAQ: GOOG) and about two dozen other U.S. companies, including Intel (NASDAQ: INTC) and Adobe Systems (NASDAQ: ADBE), were tagged by a sophisticated hacking attack known as Operation Aurora in which hackers based in China managed to exploit a zero-day vulnerability in Microsoft’s Internet Explorer browser to access and steal files.
On the same day that these companies acknowledged the organized attacks on their networks, Michael McConnell, a retired U.S. Navy vice admiral and former director of national intelligence, testified before the Senate Committee on Commerce, Science, and Transportation that the U.S. would surely lose a cyber war if it were fought today and that cyber crime poses the single largest threat to national security today.
“We’re the most vulnerable, we’re the most connected, we have the most to lose,” McConnell said. “We will not mitigate this risk. And as a consequence of not mitigating this risk, we are going to have a catastrophic event.”
Google was also the perpetrator in a security dust-up involving its controversial Street View project. In May, the company apologized for collecting an unknown amount of personal information from citizen’s WiFi networks as its vehicles circumnavigated the globe taking photos of individual buildings and residences.
Iran in September confirmed that its first nuclear power plant was infiltrated by the Stuxnet worm, a piece of advanced malware created specifically to attack Supervisory Control and Data Acquisitions (SCADA) systems used to run critical infrastructure like communications, transportation and utilities.
Security experts insist Stuxnet represents a new frontier in nation-sponsored cyberterrorism and will surely become a serious problem for governments and companies for the foreseeable future.
The U.S. government also found itself vulnerable and embarrassed late in the year when WikiLeaks released thousands of classified diplomatic cables to a handful of media outlets. The Justice Department launched an investigation into how all these sensitive documents were exposed but the damage to the country’s reputation, among friends and foes alike, was already done.
In that same vein, AT&T this summer admitted that a glitch in its computer system exposed the email addresses of more than 100,000 iPad customers.
Hackers continued to exploit social networking sites such as Facebook and Twitter to guide unsuspecting victims to malicious websites, infect their mobile devices with malware and steal passwords and login credentials for banking and credit card accounts.
Score A (Very) Few for the Good Guys
While the victories were few and far between, law enforcement did manage to take down a handful of high-profile cybercrooks in 2010.
In September, the FBI busted37 members of an international cybercrime ring based in Eastern Europe accused of using the Zeus Trojan to snare bank account numbers and passwords that were then used to pilfer more than $3 million from victims’ accounts.
The FBI and authorities in Slovenia also arrested the mastermind of an organized malware syndicate responsible for selling Butterfly botnet kits online while the Los Angeles Police Department nabbed a pair of thieves responsible for running one of the most profitable counterfeit software operations in the world.
Keep up with security news; Follow eSecurityPlanet on Twitter: @eSecurityP.