How bad was 2007 for breaches, vulnerabilities and similar mayhem? On the bright side, it was better than 2008 is forecast to be.
With more of every sort of meltdown predicted - more criminalisation of the hacker community, more web-application attacks, more phishing, more spamming, more zero-day attacks and more virtualisation-related threats - we're happy to tell you that you are likely to look back on 2007 as the peaceful old days.
What, that doesn't cheer you up? Hmm. All right, then - wallow in previous misery with a quick look back at some of the notable security events of 2007. Just remember: It's all in the past now... it's all in the past now...
A brace of breaches: 2007's five worst
In November, the UK's HM Revenue & Customs managed to commit a significant blunder when it disclosed that it had lost computer disks containing personal information on 25 million child benefit recipients. The disks, which were not encrypted, disappeared in transit to the country's National Audit Office and included bank details and National Insurance numbers. Analyst firm Gartner predicted that the processes of closing accounts and establishing new ones to protect against potential fraud resulting from the breach could end up costing British banks in the region of £300m ($500m).
The 2006 data breach news landscape was dominated by the compromise at the Department of Veterans Affairs, but this year commercial interests took the (booby) prize - in particular, retailer TJX, the parent company of TK Maxx. The breach it disclosed in January (several months after the fact) was the biggest ever involving payment card data.
TJX itself said that over 45.6 million customer cards were compromised in an intrusion that went undetected for over 18 months; however, several banks suing the company claim the actual number is 94 million cards, the vast majority of them issued by Visa. The breach prompted numerous lawsuits and calls for stronger data protection laws - and, unfortunately, engendered a spate of fraudulent card use.
Despite its scope, some believed that analyst firm Forrester Research was overestimating when it predicted early in the saga that the breach could end up costing TJX $1bn over the next few years. But nearly 11 months after the breach was disclosed, that number no longer seems so outlandish: By TJX's own estimates, the company has already spent or set aside close to $250 million for costs stemming from the incident.
Personal information on over 8.5 million individuals was compromised when a senior database administrator working at Certegy Check Services, a subsidiary of Fidelity National, illegally downloaded the data and sold it to brokers. Fidelity National, which is separate from the better known Fidelity Investments, initially said that only 2.5 million records had been compromised when it first disclosed the breach in July. A few weeks later, it quietly upped the number to 8.5 million in filings with the US Securities and Exchange Commission. According to the company, the stolen data appears to have been resold primarily for direct marketing purposes and not for ID theft or other sorts of fraud.
Some honour among thieves: TD Ameritrade Holding
The brokerage firm Ameritrade disclosed in September that someone had broken into one of its systems and stolen contact information such as names, addresses and phone numbers belonging to its more than 6.2 million retail and institutional customers. However, Social Security numbers and account numbers that were also stored in the same database appeared, according to the company, to have been left untouched. The stolen data was apparently used for the purposes of sending stock-related spam.
Names, email addresses, mailing addresses, phone numbers and resume IDs belonging to an estimated 1.6 million job seekers were accessed from Monster.com's resume database in August. Though widely described as a hack, what actually happened was that the information was accessed by attackers using legitimate user names and passwords - which were most likely stolen from professional recruiters and human resources personnel using Monster.com to look for job candidates. No Social Security numbers or financial data were compromised in the breach.
Ummm... oops? Notable meltdowns
Thousands of security professionals subscribing to a daily news roundup emailed by the Department of Homeland Security (DHS) found their in-boxes clogged with mail from each other, thanks to an apparent technical oversight on the part of an email administrator working for a DHS contractor. The early October cascade kicked off when one subscriber sent a reply to the list administrator with a change request. That email was automatically resent to all of the list subscribers.
Within hours, dozens of subscribers replied to the original mail. Each response in turn was sent to all of the other subscribers on the list. By the end of the day, more than two million messages had been generated as recipients using Reply or Reply All first complained about the spam surge, then added to the flood by mailing offhand comments, humorous remarks and demands to be unsubscribed from the list - creating, in effect, a miniature distributed denial-of-service attack. The email addresses, phone numbers and contact information of several people, including government and military officials, were exposed during the uproar.
Bag that: Supervalu gets phished
Grocery chain Supervalu in February was conned into sending $10 million to two fake bank accounts by phishers posing as employees of two of the company's approved suppliers. Supervalu received two emails, one purporting to be from American Greetings Corp. and the other from PepsiCo Inc.'s Frito-Lay unit, asking the company to send future payments for each supplier to new bank accounts based in Florida and Arkansas.
The emails were apparently convincing enough for Supervalu to deposit over $10 million into both accounts before realising it had been had. Happily for the retailer (and, presumably, whoever approved the change on its end), the money was recovered by the Feds before it was withdrawn.
A signature update to Symantec's antivirus software in May crippled thousands of PCs in China. The software identified two critical system files of the Chinese edition of Windows XP Service Pack 2 as a Trojan and quarantined them, causing widespread crashing. Making matters worse, those specific files were required to start affected systems in Safe Mode, ensuring all-but-total shutdown and drawing howls of protest from the blogosphere. Five weeks later, a red-faced Symantec decided to mollify affected users by giving them free backup software... and extending their subscriptions to the same antivirus software that knocked out their computers.
Hear me, see me: House outs whistle-blowers
The House Judiciary Committee in October had to apologise to dozens of whistle-blowers for accidentally exposing their email addresses to other individuals who, like them, had used a committee website to secretly submit tips about alleged abuses at the Department of Justice.
The snafu came about when a clerical employee at the committee accidentally included the email address of all the whistle-blowers in the To field of a message sent out to each tipster, ironically to inform them of certain changes in access conditions. A substantial number of the more than 150 email addresses in the distribution list included portions of individuals' real names. Included in the list were the public email addresses of Vice President Dick Cheney and some apparently fictitious individuals.
In August, an unspecified server error at Microsoft resulted in many paying users of the company's Vista and XP systems being mistakenly identified as pirates by Microsoft's Windows Genuine Advantage (WGA) software validation system. The problem lasted for 19 hours, during which time frustrated users lost some features on their system that they could get back only after revalidating themselves all over again. The glitch occurred over a summer weekend, leading to further frustration when help from the company was slow in coming.
... and your 2007 poster boys
Star gazing: Gary McKinnon
McKinnon is a British hacker accused by the US of perpetrating the "biggest military computer hack of all time" by breaking into 97 US military computers in 2001 and 2002. He claims he broke into NASA systems, which were not password protected, to find evidence of extraterrestrial life forms and UFOs. McKinnon faces possible extradition to the US; if tried there, he could be looking at 70 years behind bars. Judges have agreed that McKinnon may appeal to the House of Lords against his extradition order. According to the charges brought against him in 2002, McKinnon's hacks caused more than $900,000 (£450,000) in damage to various computer networks; in the case of one military network, administrators had to spend three days cleaning up after the breach.
Consultant turns bot herder: John Schiefer
This former security consultant at 3G Communications of Los Angeles admitted in November to running a huge botnet of a quarter million PCs that infected other machines with adware programs, and to using spyware to steal bank and PayPal account information. He faces 60 years in prison on four charges, including wire and bank fraud and illegally accessing protected computers. Court documents say his cohorts, including several minors, infected over 135,000 PCs with a password-stealing Trojan program and then used the stolen data to access PayPal and other financial accounts.
Exit strategy: Gary Min
In the five months before he left DuPont for a scientist position at a rival company, Gary Min quietly accessed and downloaded confidential company documents valued at an estimated $400 million. During that time, he downloaded and accessed more than 15 times as many documents as the next most active user of the DuPont database system, but he wasn't caught until after he left the company for the rival firm. He admitted in November 2006 to stealing DuPont trade secrets; the case became public in January after details were unsealed by a federal prosecutor.
A US District Court judge in November sentenced Min to 18 months in prison and ordered him to pay a $30,000 fine and $14,500 in restitution to DuPont. The sentence is substantially less than the maximum of 10 years in prison and a $250,000 fine that Min might have received.
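The detail worth taking from the Min case is that the signal was in the access logs all along: one account pulled more than 15 times as many documents as the next most active user, and nobody was looking. The following is an added example, not DuPont's or this article's own tooling, of the kind of check that would have surfaced it. The log format, user names and thresholds are all assumptions, and the sample log is constructed, not real data.

```python
"""Flag insider-style document hoarding from per-user access volume.

Added example (not from the article or any vendor). Assumptions: one
access event per log line, "<ISO timestamp> <user> <action> <doc_id>";
user names and threshold values are illustrative.
"""
import statistics
from collections import defaultdict
from datetime import datetime, timedelta


def build_sample_log():
    """Constructed, deterministic access log (no real data).

    Normal users touch a handful of distinct documents in a week; one
    account pulls 16x the runner-up, mirroring the ratio the article
    describes. A repeat VIEW and an out-of-window event are included to
    show that both are handled.
    """
    base = datetime(2006, 1, 2, 9, 0)
    profile = {"u_alpha": 9, "u_beta": 8, "u_gamma": 7, "u_delta": 7,
               "u_epsilon": 6, "u_zeta": 5, "u_eta": 6, "u_theta": 144}
    lines = []
    for i, (user, n) in enumerate(profile.items()):
        for k in range(n):
            ts = base + timedelta(hours=i, minutes=k)
            lines.append(f"{ts.isoformat()} {user} DOWNLOAD DOC-{i:02d}{k:04d}")
    # Same document viewed again: must not inflate the distinct count.
    lines.append(f"{(base + timedelta(days=1)).isoformat()} u_alpha VIEW DOC-000000")
    # Event after the analysis window: must be ignored.
    lines.append(f"{(base + timedelta(days=10)).isoformat()} u_beta DOWNLOAD DOC-999999")
    return "\n".join(lines)


def parse_log(text):
    """Parse log lines into (timestamp, user, action, doc_id) tuples."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, action, doc = line.split()
        events.append((datetime.fromisoformat(ts), user, action, doc))
    return events


def distinct_docs_per_user(events, start, end, actions=("VIEW", "DOWNLOAD")):
    """Count distinct documents each user touched inside [start, end)."""
    seen = defaultdict(set)
    for ts, user, action, doc in events:
        if start <= ts < end and action in actions:
            seen[user].add(doc)
    return {user: len(docs) for user, docs in seen.items()}


def flag_outliers(counts, ratio_to_next=5.0, mad_k=6.0):
    """Return users whose volume is extreme by two independent tests.

    (a) at least ratio_to_next times the runner-up, and
    (b) more than mad_k robust deviations (MAD) above the median.
    Requiring both keeps one busy but legitimate power user on a small
    team from tripping the alert on the ratio test alone.
    """
    if len(counts) < 3:
        return []
    values = list(counts.values())
    median = statistics.median(values)
    mad = statistics.median([abs(v - median) for v in values]) or 1.0
    flagged = []
    for user, count in sorted(counts.items(), key=lambda kv: -kv[1]):
        runner_up = max(v for u, v in counts.items() if u != user)
        robust_z = (count - median) / mad
        if runner_up > 0 and count / runner_up >= ratio_to_next and robust_z > mad_k:
            flagged.append({"user": user, "docs": count,
                            "ratio_to_next": round(count / runner_up, 1),
                            "robust_z": round(robust_z, 1)})
    return flagged


def run_demo():
    """One-week window over the constructed log; returns the flagged users."""
    events = parse_log(build_sample_log())
    start = datetime(2006, 1, 2)
    counts = distinct_docs_per_user(events, start, start + timedelta(days=7))
    return flag_outliers(counts)


if __name__ == "__main__":
    for hit in run_demo():
        print(hit)
```

Counting distinct documents rather than raw requests matters: a user who re-opens the same file fifty times is noisy, not necessarily exfiltrating. The window and thresholds should be tuned against a baseline of normal weeks before the rule is turned into an alert.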
Don't drop the soap: Ivory Dickerson
This North Carolina native and former civil engineer was sentenced in December to 110 years in prison after admitting that he and a co-conspirator hacked into computers used by young girls and used the data they obtained to terrorize them into sending lurid photos of themselves. Dickerson trolled MySpace to find underage girls in the Broward County, Florida, area. When he made contact with a potential victim (via IM or email), he would entice her into opening a file containing a Trojan program that gave him and his co-conspirator control over her computer.
He would then try to use hacked information to coerce the girls into sending photos - threatening to harm them or their families if they refused. The investigation revealed not only photos of various teenagers, but a number of bestiality photos as well, ensuring that disgust about Dickerson is shared around the food chain.
Unbirthday boy: Yung-Hsun Lin
Lin, a former Unix system administrator at Medco Health Solutions' New Jersey office, pleaded guilty in September to planting a logic bomb that would have destroyed critical data - including prescription drug data for individuals - on more than 70 servers. He planted the bomb in the belief he would lose his job after Medco was spun off from drug maker Merck & Co. in 2003.
The bomb was first set to go off on Lin's birthday in 2004, but when it failed to work he reset the clock for it to go off on the same date the following year. The bomb was discovered in early January 2005, months before it was scheduled to be triggered. Lin pleaded guilty to one count of transmitting computer code with the intent of causing damage in excess of $5,000. He is scheduled to be sentenced on 8 January. He faces a maximum 10-year sentence and a $250,000 fine.
Pick a hat already: Maxwell Butler
Also known as Max Vision, this former security consultant was indicted in September by a federal grand jury on three counts of wire fraud and two counts of transferring stolen identity information. Butler, who used various online aliases, including Iceman, Digits and Aphex, hacked multiple computer networks of financial institutions and card processing firms, selling the account and identity information he stole from those systems. He even took a cut of the profits his accomplices made by selling merchandise that was purchased using the stolen payment card information.
But here's the thing: Butler was once well known in the security community as a researcher. In 2000, he pleaded guilty to one count of breaking into protected military and government computers and served jail time for it. He was also accused of hacking into the networks of the developers of the PC games Doom and Quake, and of stealing several hundred access passwords to a California Internet service provider. During that trial, it was revealed that he had been an FBI informant for at least two years.