In case you missed it, there’s a newly discovered vulnerability in the BASH shell that impacts not only Unix and Linux systems, but Apple’s OS, F5s, Cisco hardware, access points, and practically every other device on the Internet that has an operating system or firmware that is based on Linux and an interface that parses remote data. It’s called ShellShock, but it’s not the wide ranging implications of every device other than Windows systems that deserves the facepalm, but that the vulnerability has apparently been around since 1992. Yes, that’s right. There are college grads in the IT workforce today who are younger than this vulnerability!
With all the media attention focused on ShellShock, we thought it would be a good time to take a look back at some other web-shaking security events of the past. In chronological order, here are 24 facepalm moments in information security, what they were, when they happened, how they happened, and the results.
1. Nimda
September 2001: Malware infected over 160,000 Windows workstations and servers, spread via multiple vectors including email, network shares, compromised websites, IIS vulnerabilities, and backdoors left by previous malware.
This was one of the first, and at the time, both the most widely covered and fastest spreading pieces of malware to impact the web.
2. SQL Slammer
January 2003: 75,000 SQL servers impacted, worm exploited buffer overflow in Microsoft SQL.
The critical nature of SQL servers to most businesses, and the amount of network traffic caused by the worm attempting to spread, took down many networks for days.
3. Sasser
May 2004: Up to 750,000 Windows systems, exploited LSASS service on Windows systems through active scanning of local and remote network ranges.
This crippled many business networks as domain controllers became unavailable to service user logons.
4. CardSystems Solutions
June 2005: 40 million accounts compromised, SQL Injection used to install software to exfiltrate data via FTP.
Bad enough that a SQL injection gained access to install software, but the data was stored unencrypted and outbound FTP was not blocked.
5. Department of Veterans Affairs
May 2006: Full Personal identify information (PII) on over 26 million US veterans, stolen laptop containing unencrypted data.
Bad enough that US veterans’ data was lost by the agency charged with its care, but this could have been easily avoided either by not transporting data on a laptop, or at least encrypting that data. Standard practice today largely because it wasn’t standard practice when this happened.
6. AOL
August 2006: 650,000 users’ search history, data leakage (posted internal data publicly).
This was both a data leakage accident and a clear indication that your search history is not private or anonymous.
7. TJX Companies
December 2006: Data on 94 million credit cards lost, either by decrypting WEP, or compromising corporate network through job application kiosks in stores.
To date, the worst compromise of payment card data in history, and shows both the dangers of using essentially worthless WEP, and of not segregating systems on your network.
8. Zeus
July 2007: Over 3.6M systems infected, Trojan horse with keylogging capabilities.
This Trojan is still making the rounds seven years later in one variant or another, stealing credentials from users and turning their machines into zombies on botnets.
9. Fidelity National Information Services
July 2007: PII and credit card data on 3.2 million customers, inside job by privileged user.
This underscores the need to background check privileged users, use the concept of least privilege, and to store data in an encrypted form that is at least difficult for a privileged user to simply take.
10. Monster
August 2007: PII for 1.3 million jobseekers later used in phishing scam, stolen credentials.
The worst part of this was that most of the phishing scams involved fake job offers to take advantage of people already in dire straits.
11. Heartland Payment Systems
March 2008: Data on 134 million credit cards exposed, SQL Injection used to install spyware.
This took the payment card exploit record up an order of magnitude, and helped shape PCI DSS standards to try to avoid a repeat.
12. iPad data breach
June 2010: 114,000 AT&T users’ email addresses and ICC-IDs, poorly coded website vulnerable to information disclosure.
For a brand new device with huge media coverage, many of the victims were celebrities and other public figures.
13. Stuxnet
June 2010: Unknown number of systems worldwide, Windows Trojan alleged to target Iranian SCADA systems which used a valid certificate which then got out “into the wild.”
We may never know who coded Stuxnet, or how it slipped its leash to get out into the world, but hundreds of television, movie, and book plots can now revolve around this code that can lead to a nuclear meltdowns and dam breaches, or cause space stations to fall from the skies.
14. The RSA SecureID hack
March 2011: Up to 40 million records stolen leading to loss of confidence in the largest 2FA solution used by thousands of businesses and governments, breach exploited Flash vulnerability.
What’s the worst thing about this is that a system relied upon to secure countless other systems was exposed as vulnerable.
15. Sony PlayStation Network
April 2011: 77 million user accounts hacked with over 12 million credit card numbers, still unknown.
Sony is still trying to recover its brand and its reputation as a result of this loss. Gamers have long memories.
16. South Carolina Health Department
April 2012: PII on 225,000 citizens, privileged user emailed themselves data at personal account.
Let’s see how many ways this was bad, from exploit of privileges to lack of DLP to no limits on email.
17. LinkedIn
June 2012: Credentials for 6.5 million users, unknown
While this may have been little more than an inconvenience for most, that the business equivalent of Facebook got hacked made many wonder just what was safe to post online.
18. The NSA and Edward Snowden
June 2013: Leakage of sensitive to top secret government information on active national security activities and who knows what else, abuse of privileged access.
US Citizens may never know just what their government does, but Snowden’s leaks and allegations mean no one may ever trust their government again. The worst of this? Snowden used his own privileges and some rudimentary social engineering (he just asked) to get credentials from another privileged user to gain access to all that data.
19. Cryptolocker
September 2013: 250,000 victims, new form of ransomware that encrypted victims data and extorted them for the decryption keys.
The most nefarious part of this was perhaps its unique approach. Pay us, or you will never be able to see your pictures and videos again. Underscores the importance of both antivirus software and offline backups.
20. Target Stores
December 2013: PII on 70 million customers and card data on 40 million credit cards, malware installed on payment card readers.
A major US retailer managed to let malware get on untold numbers of point of sale systems, losing millions of users’ PII and card data. Had they not handled it well and quickly, this could have been the end for them.
21. Heartbleed
April 2014: Millions of vulnerable systems including commerce sites, security appliances, and SOHO equipment, potential key compromise of any system using OpenSSL.
Like the RSA hack, the far reaching implications of a vulnerability in software that is used to secure so much of the Internet makes many question reality.
22. Office of Personnel Management
July 2014: PII on potentially every person holding a US security clearance, remote hacks allegedly performed by Chinese government.
So it certainly seems bad that a foreign government now has data on every single person who has a security clearance, since they are not even supposed to talk about having a security clearance.
23. U.S. Investigations Services, LLC
August 2014: PII on unknown number of government employees and contractors, unknown.
But the above pales in comparison to the hack that got even more PII on even more people with clearance, especially since DHS allegedly chose this outsourcer in part because they didn’t trust the OPM to handle background investigations.
24. Home Depot
September 2014: Data on 56 million credit/debit cards, malware installed on POS systems.
While this attack was almost as large as the Target one from less than a year earlier, the most interesting thing is how little press it got relative to the Target breach. It seems that the public may be getting desensitized to this sort of thing.
These 24 security events were all major facepalm moments, but they weren’t the only ones over the past decade or two. Looking back, do you think there were any worse? Leave a comment below.
