Worst Security Breaches of 2009: Part II

In Part I of our review of the year’s biggest data breaches, we noted that every one of them was caused by simple security failures that are within most organizations’ abilities to control.

The breaches had nothing to do with sophisticated new hacking tools or attack techniques, and everything to do with a poorly coded or un-patched piece of software here, a lost laptop there, disgruntled employees or the wayward disclosure of a password or access code.

Part I also reviewed 2 of the most egregious breaches of the year: the redaction error at the Transportation Security Authority and the SQL injection theft of credit card information from Heartland America. A third breach that made the list, the Health Net fiasco, was covered here. The remaining 2 are presented below:

Government Printing Office Posts Nuclear Secrets on the Web
Lost amid the accelerating trend toward open government has been the increased risk of security lapses, such as occurred when a document containing information about US civilian nuclear sites got posted by accident on the Web site of the Government Printing Office.

The 267-page document had been labeled “Highly Confidential Safeguards Sensitive” by President Obama. It described the assets and activities of the US nuclear weapons research programs located at the Los Alamos, Livermore and Sandia labs.

The data was part of a report for the International Atomic Energy Agency that was being prepared by the Feds.

It remains unclear to this day how or why the report ended up online. It has long since been removed from the site, but it later showed up in several other locations, including Wikileaks.org.

The wayward document went undetected by the government until being discovered during a “routine review” of new GPO publications by Steven Aftergood, who directs the Federation of American Scientists’ Project on Government Secrecy. “I thought, ‘wow, that’s interesting,’” Aftergood told Computerworld.

“The federal government is trying to push out more data, but they need to make sure they have the processes in place first,” to prevent such accidents, said Gartner Inc. analyst John Pescatore.

The Government Printing Office gave no explanation for the gaffe, but did call attention to the marked increase in the volume of such reports being processed by the GPO under the Obama Administration.

RockYou Database Hack Exposes 32 Million Passwords
In early December, a hacker breached a database at RockYou Inc. and made off with the username and password information of 32 million people who had accounts with the social networking application designer.

The sensitive information had been stored as plain (unhashed) text in the compromised database, and user names were set up to be the same as the users’ Gmail, Yahoo or other Web mail accounts. Thus the hacker could use the stolen information to access the Web mail accounts of affected users, and other accounts as well.
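The difference between what RockYou stored and what it should have stored is worth seeing in code. The following is an added example, not code from RockYou or from this article, using Python's standard library: the same constructed sample accounts are written once as plain text (what a dump of the compromised table would have looked like) and once as salted PBKDF2 hashes, which can still verify a login but do not hand the password to whoever copies the table. The account names, passwords and iteration count are assumptions chosen for the illustration.

```python
import hashlib
import hmac
import os

# Constructed sample accounts for the illustration (not real breach data).
SAMPLE_ACCOUNTS = {
    "alice@example.com": "correct horse battery",
    "bob@example.com": "hunter2",
}

# Assumption: iteration count chosen for the example; in production tune it so
# one verification takes on the order of 100 ms on the login server.
PBKDF2_ITERATIONS = 200_000


def hash_password(password, salt=None):
    """Return a self-describing record: algorithm$iterations$salt_hex$hash_hex.

    A fresh random salt per user means two users with the same password get
    different records, so a leaked table cannot be attacked with one
    precomputed lookup for everyone.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return "pbkdf2_sha256$%d$%s$%s" % (PBKDF2_ITERATIONS, salt.hex(), digest.hex())


def verify_password(password, stored_record):
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        algo, iterations, salt_hex, hash_hex = stored_record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), hash_hex)


def build_plaintext_table(accounts):
    """What RockYou did: the password column holds the password itself."""
    return dict(accounts)


def build_hashed_table(accounts):
    """What it should have held: only the salted hash record per user."""
    return {user: hash_password(pw) for user, pw in accounts.items()}


def passwords_readable_from_dump(table, accounts):
    """Count how many users' passwords a copy of the table reveals directly.

    Models the attacker reading the leaked column, without any cracking.
    """
    return sum(1 for user, pw in accounts.items() if table.get(user) == pw)


if __name__ == "__main__":
    plain = build_plaintext_table(SAMPLE_ACCOUNTS)
    hashed = build_hashed_table(SAMPLE_ACCOUNTS)
    print("plaintext table exposes", passwords_readable_from_dump(plain, SAMPLE_ACCOUNTS), "of", len(SAMPLE_ACCOUNTS))
    print("hashed table exposes   ", passwords_readable_from_dump(hashed, SAMPLE_ACCOUNTS), "of", len(SAMPLE_ACCOUNTS))
    print("login still works:", verify_password("hunter2", hashed["bob@example.com"]))
```

The hashed table is only half the fix: because RockYou's user names were the users' own Web mail addresses, a leaked plaintext password was a credential for a second service. Hashing limits what a dump reveals, while not reusing passwords across services limits what a revealed password is good for.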

The breach was discovered by database security provider Imperva Inc. during its routine monitoring of underground chat rooms. Imperva promptly informed RockYou that it had detected a SQL injection flaw on a RockYou Web site page, and that the vulnerability was being exploited.

According to Computerworld, RockYou did not respond right away, leaving the flawed Web page up for a day or so before taking it down. By that time the damage was done.

Since the data breach did not include financial information or Social Security numbers, it’s unlikely that financial motivations were behind the hack, according to Gretchen Hellman, a VP of security solutions at Vormetric, a database security vendor. Instead, the hacker appears to have wanted to expose some privacy gaps associated with social networking sites, she explained.

RockYou makes widgets for social networking sites including Facebook, MySpace, Friendster and Orkut. It claims to be a leading provider of social networking application-based advertising services and that more than 130 million unique users use its applications each month.

SQL injection attacks have become a common security problem in the past few years. To carry out such an attack, the hacker seeks out poorly coded Web application software and uses it to push malicious database commands into a company’s systems and network. The vulnerability is created when the application does not properly validate user-entered data, such as the fields a customer fills in when placing an order online, before that data is used to build a database query.
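The mechanism described above is easiest to see side by side. This is an added example, not code from RockYou or from this article: a small in-memory SQLite table of constructed accounts is queried by a lookup that splices the user-supplied name into the SQL text (the defect behind the RockYou breach) and by the corrected lookup that passes the value as a bound parameter, plus an allowlist check on the input as a second layer. The table layout, sample rows and the username pattern are assumptions made for the illustration.

```python
import re
import sqlite3

# Constructed sample rows for the illustration; the hash column holds placeholders.
SAMPLE_USERS = [
    ("alice@example.com", "<hash placeholder>", "alice@example.com"),
    ("bob@example.com", "<hash placeholder>", "bob@example.com"),
    ("carol@example.com", "<hash placeholder>", "carol@example.com"),
]

# Assumption: the application accepts e-mail-style user names only.
USERNAME_PATTERN = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def setup_db():
    """Create the in-memory table the two lookups below run against."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT, webmail TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def find_user_vulnerable(conn, username):
    """The defect: untrusted input becomes part of the statement text.

    A value containing a quote can close the string literal and change
    the WHERE clause, so a lookup of one account can return every row.
    """
    sql = "SELECT username, webmail FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, username):
    """The fix: the value is bound as a parameter, never parsed as SQL.

    Whatever characters the input contains, the database compares the
    whole string against the column; the statement structure is fixed.
    """
    sql = "SELECT username, webmail FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def is_plausible_username(username):
    """Defense in depth: reject input that cannot be a valid user name.

    Validation is not a substitute for parameterized queries (it only
    narrows what reaches them), but it also gives a clean point at which
    to log rejected input for the security team.
    """
    return USERNAME_PATTERN.fullmatch(username) is not None


def lookup(conn, username):
    """What the order form or login page should call: validate, then bind."""
    if not is_plausible_username(username):
        return []
    return find_user_safe(conn, username)


if __name__ == "__main__":
    conn = setup_db()
    normal = "alice@example.com"
    crafted = "nobody' OR '1'='1"
    print("vulnerable, normal input :", find_user_vulnerable(conn, normal))
    print("vulnerable, crafted input:", find_user_vulnerable(conn, crafted))
    print("safe, crafted input      :", find_user_safe(conn, crafted))
    print("lookup(), crafted input  :", lookup(conn, crafted))
```

A useful detection signal falls out of the vulnerable lookup: a query on a primary key that returns more than one row, or an input that fails the allowlist, is something the application can log and alert on, which is the kind of early warning RockYou lacked before Imperva noticed the exploitation in progress.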

Glenn Laffel MD, PhD
Sr. Vice President, Clinical Affairs, Practice Fusion
