Significant Security Stories of 2013 - Security Watch

Looking back, 2013 felt like a roller coaster, as we lurched from good news to bad news every few weeks: Data breaches, privacy, cyber-espionage, government spying, advanced malware, significant arrests, improved security features, etc.
The biggest story—or rather, series of stories—of the year revolves around the documents ex-National Security Agency contractor Edward Snowden stole and released to the media. However, it wasn't the only major story of 2013. For the first time, a security company laid out a definite case of how China spies on American businesses, and the US government officially discussed the issue with the Chinese government. Law enforcement had some significant victories, breaking up a large credit card theft ring and arresting the creator of the Blackhole Exploit Kit. Data breaches continued, but the Experian breach highlighted the problem of data brokers aggregating personal information. Regular users started talking about online privacy as Google Glass users hit the streets. Companies committed to better security practices, such as encrypting data in transit, implementing two-factor authentication, and becoming more transparent about what information it provides the government.
2013 was a busy one for security professionals and individuals alike. Here is a review of the year's significant security stories, in no particular order.

Secret NSA Surveillance Programs
We could fill an entire column with nothing but the NSA revelations. The initial articles about the phone records collection program were shocking enough, but it feels like each subsequent revelation is more explosive than before. The agency spied on Web activity, snooped traffic going to and from Google and Yahoo data centers, intercepted shipments to install spyware and backdoors in electronics equipment, and allegedly eavesdropped on leaders of other countries and gamers. While NSA chief Gen. Keith Alexander continues to insist that the agency acts within its boundaries and that it was careful to preserve civil liberties, calls for reform is growing louder. Congress is debating what to do about the problem of the NSA, a conservative federal judge ruled, in Klayman v. Obama, that the NSA's phone-records program possibly violated the Fourth Amendment, and the independent panel selected by the White House recommended the NSA programs need to be curtailed.
A group of tech giants, including Apple's Tim Cook, Google's Eric Schmidt, and Yahoo's Marissa Mayer spoke with President Barack Obama about their concerns regarding NSA's activities. AOL, Apple, Facebook, Google, LinkedIn, Twitter, Yahoo and Microsoft banded together to demand that while governments need to take action to protect their citizens' safety and security, "current laws and practices need to be reformed."
More companies are releasing transparency reports to disclose what kind of information they hand over to the government, and encrypted email service Lavabit shut down in order to avoid having to hand over information about its users. RSA, the security division of EMC, is currently defending its reputation following a Reuters report that it took $10 million from the NSA to push a compromised cryptographic algorithm in its security products.

China, China, China
We've been so enthralled by the waves of information coming out about NSA's activities that it's easy to forget that we began 2013 with an explosive report outlining China's role in cyber-espionage. The APT1 report from Mandiant was the first definitive statement clearly laying out what cyber-attackers from China was doing to break into US business and government networks. The report outlined how these attackers stole intellectual property, installed backdoors, and damaged systems. 
Shortly after the report was released, various government officials spoke out about China's activities. In May, the Pentagon's Annual Report on China directly blamed that nation's government for government and military attacks against the US. President Obama even brought up the accusations during a meeting with Xi Jinping, the president of China. The Chinese government even accused the US of essentially doing the same thing. (A little bit of foreshadowing for Snowden?)

Attacks Against Media Outlets
The media came under attack this year, with The New York Times, Washington Post, and Wall Street Journal disclosing they'd been infected with sophisticated malware. The finger of suspicion pointed—where else?—China. The Syrian Electronic Army went on a spree against the Twitter accounts for The Onion, Guardian, and other outlets. The fake post on AP's Twitter account, "Breaking: Two Explosions in the White House and Barack Obama is injured," even caused a little blip on the stock market, with the Dow Jones temporarily dipping 140 points.
The attack against the New York Times website where the SEA managed to change the site's domain name system settings highlighted just how easily attackers could interfere with Web operations. The SEA in this attack didn't even hack in to the network—the group accomplished this attack via spear phishing.

Focus on Application Security
The Affordable Care Act and the rollout of the healthcare exchange website brought the importance of security testing to the forefront. Security professionals know how critical it is that applications be tested for security issues before going live, but when the clock is ticking and time is running out to ship the product on time, security falls by the wayside. Some of the issues identified in the HealthCare.gov after its botched rollout raised the possibility that attackers will target the site. There were reports that individuals were seeing sensitive information belonging to other users on the site.
Executives who followed the whole saga probably won't be so quick to skip security testing the next time they have a major application rollout. Or so we hope.

Distributed Denial of Service Attacks
DDoS is not new, but this year we saw two major developments. DDoS was frequently used against financial sites, especially as part of Operation Ababil, but attackers expanded their targets to include other industries. One of the largest attacks of the year was against Spamhaus in March, with peaks hitting 300 gbps.

Major Cyber-Crime Arrests
In May, the U.S. Attorney for the Eastern District of New York in May announced charges in a $45 million bank heist involving stolen account information. The gang allegedly hacked into financial institutions to steal account information and then withdrew millions of dollars from ATMs.
In July, the U.S. Attorney for New Jersey charged another cyber-crime ring for breaching the computer networks of at least 17 major retailers, financial institutions, and payment processors to steal more than 160 million credit and debit card numbers. Targeted networks included Nasdaq, 7-Eleven, Visa, and J.C. Penney, among others.
Russian authorities claimed to have arrested Paunch, the creator of the Blackhole Exploit Kit. Security experts believe that with the arrest, there is a void cyber-criminals are currently scrambling to fill. "With no clear successor to Blackhole, cyber criminal gangs may be investing in other places to make up for the lost income due to less sophisticated delivery mechanisms for malware," said Alex Watson, director of security research at Websense.
Watering Hole Attacks
Watering hole attacks were pretty prominent this year, with websites being hacked to compromise employees at major tech firms such as Facebook, Apple, Microsoft, and Twitter, as well as against defense contractors and government employees. These watering hole attacks took advantage of zero-day vulnerabilities in Internet Explorer, Java, and other commonly used technologies.
Watering hole attacks were also discovered against pro-Tibetan activists, as attackers targeted Chinese-speaking people visiting the Central Tibetan Administration and the Tibetan Homes Foundation, as well as the Uyghur website maintained by the Islamic Association of Eastern Turkistan.

Experian Data Breach
We tend to remember the last major data breach and forget all the other ones that came before. While the recent data breach suffered by Target in which nearly 40 million debit and credit card numbers were compromised during the holiday shopping season is pretty major, the scariest data breach involving user information was the Experian data breach.
Experian is one of the organizations in the business of buying and selling personal information—social security numbers, addresses, bank account details. This information was sold to an overseas crime ring, according to an investigation by security writer Brian Krebs. The breach also highlighted the fact that many knowledge-based authentication systems, where people are asked to verify their identity by saying what car they own, or where they used to live, are now even more vulnerable.


People Wake Up to Online Privacy
When Google unrolled the future of wearable tech with its first wave of Google Glass "explorers," people freaked out. People were finally cognizant of the impact facial recognition and the ability to post anything online could have on their privacy. Is the future of tech one where there is no privacy, or where people can be booted from restaurants and other establishments for being a threat to privacy?
We've already looked ahead to 2014, with our predictions for new attacks, a national Internet, online payments, mobile security, and the Internet of Things. Welcome to 2014. Will it be a year of uncertainty or victories? Stick with Security Watch in the new year as we follow the ups and downs of security.