From Lockheed Martin and HBGary Federal to the US government and Cornell University, no one is immune to humiliating security glitches
“The largest threats to our networks? The threat isn’t going to change. They’re in our networks, they’re all over,” Lt. General Charles Croom, Jr., commander, Joint Task Force, Global Network Operations and director of DISA, speaking bluntly in 2006 about attackers getting into military networks and the need to fix it.
A bad anti-virus update – the notorious DAT 5958 - from McAfee in 2010 caused system shutdowns for countless customers who sometimes struggled with a fix for days. Dave DeWalt, president and CEO of McAfee, apologized, saying, “We deeply regret the impact this had on you. In some cases, the outages were lengthy.”
Credit: Mike Segar / Reuters
“Obviously that aperture went too wide,” - Defense Secretary Robert Gates in 2010 following the WikiLeaks posting of 75,000 records from the Afghan war and another leak of 400,000 Army field reports from Iraq.
The Federal Trade Commission in 2006 fined data broker ChoicePoint $15 million after it admitted that personal financial records of more than 163,000 consumers in its database had been compromised. This didn’t happen because ChoicePoint’s network was breached, but because ChoicePoint mistakenly sold the data to fraudsters. The FTC estimates at least 800 cases of identity theft occurred. “The reality is we were never as evil as people thought we were, but we were never as good as we thought we were,” explained James Lee, ChoicePoint’s chief marketing officer, to the New York Times.
The Morris worm of 1988, released by Cornell University student Robert Tappan Morris, infected at least 6,000 Unix machines — though many estimate far more — and resulted in Morris becoming the first person sentenced under the 1986 Computer Fraud and Abuse Act. After the sentencing, his mother said, “I still don’t feel that in any way, shape or form my son is a felon.”
“Given that I’ve been the focus of much bad press, I hope that by leaving, HBGary and HBGary Federal can get away from some of that,” Aaron Barr, then CEO of HBGary Federal, who in 2011 said he was going to expose hacktivist group Anonymous, but instead found the tables turned when HBGary was attacked and its corporate e-mail dumped to the public.
A bad software update to AT&T 4ESS switches in January 1990 caused a cascading switch failure, leaving 60,000 people without long-distance service for 9 hours. “The software told Switch B ‘My CCS7 processor is insane,’ so Switch B shut itself down to avoid spreading the problem,” was how Larry Seese, AT&T's director of technology, explained it to Telephony magazine at the time.
“Let’s be clear. This disclosure is not just an attack on America – it’s an attack on the international community.” – Secretary of State Hillary Clinton in 2010 following the WikiLeaks data dump of confidential diplomatic cables, some of which showed Clinton ordering a secret spy mission by U.S. diplomats to obtain biometric data, credit-card, passwords, encryption keys and other data on U.N. Security Council representatives.
Credit: Yuri Gripas / Reuters
Kevin Mitnick, who began breaking into phone networks in the late 1970s and made social engineering ploys his calling card as a long-time hacker, ended up spending five years in prison. Now a consultant, with a new book, “Ghost in the Wires,” he explains, “My passion for technology and fascination with it have taken me down a bumpy road.”
“He was a high-level employee making a six-figure salary who had spent hours each day chatting online about incest,” – MassMutual’s chief information officer in 2003, Bruce Bonsall, describing an executive’s dark obsession and how IT had to investigate it, leading to the executive’s termination—and his divorce.
“It’s someone who’s a prolific user and it’s frankly a frightening thought,” – Virginia Kice, spokeswoman for the Immigration and Customs Enforcement, which in late 2011 raided the home of Michael Peterson outside of Los Angeles to seize computers he was using to download what’s believed to be the single largest stash of child porn ever found, 500,000 images and 7,500 videos.
Credit: Cheryl Ravelo / Reuters
Information “taken from RSA in March had been used as an element of an attempted broader attack against Lockheed Martin” - Art Coviello, executive chairman at RSA had to admit in 2011, a few months after he had already disclosed RSA’s network had been breached by an attacker and information about SecurID was stolen.
Howard Stringer, president of Sony USA, apologized for the security breach in Sony PlayStation Network in 2011 that compromised 77 million user accounts, saying, “I know some believe we should have notified our customers earlier than we did.”
Sony executive Kaz Hirai also got to make a long apology, which included the advice that customers should be “vigilant” about possibly stolen credit-card numbers.
Credit: Steve Marcus / Reuters
“Child porn is 50% of our criminal cases,” was what Steven Shirley, director of the Defense Cyber Crime Center, said in 2005 as he explained what his computer forensics lab deals with when contacted by military investigators to analyze digital evidence in military computers.
Credit: Romeo Ranoco / Reuters
“2Checkout continues to fight an extortion based on (‘Pay us or else we will continue to attack’) DDoS attack. We apologize for any service disruptions,” – company statement of the Columbus, Ohio-based e-commerce company in 2004 after a week of rolling outages from the distributed denial-of-service attack.
It might be a data breach or some other failure, but sometimes someone has to stand up and tell it like it is. Here we take a look at some of the most mortifying security gaffes over the past few years.
“Relax. I am a federal agent. I am an agent of the federal government.” – what LulzSec hacker group leader Hector Xavier Monsegur, alias “Sabu,” said to New York City police when they stopped him on Feb. 3, 2012 on New York’s Lower East Side, just a month before the FBI revealed that Monsegur had in fact turned FBI informant after pleading guilty to a string of crimes, including the HBGary break-in and the attack on Sony Pictures Entertainment, among others.
When the Code Red worm outbreak in 2001 brought chaos by invading unpatched Microsoft servers across the world, the event was severe enough that the federal government’s National Infrastructure Protection Center quickly organized a press conference in Washington to explain to the public what was happening. Microsoft executive Scott Culp was there as well, with the advice “You need to get the patch right away.” Microsoft headquarters also got hit by Code Red.
“It’s a reminder that the best security systems are not immune to rogue employees,” – Renz Nichols, president of Certegy Check Services, a subsidiary of Fidelity National Information Services, in 2007, about how a former senior-level database administrator stole 2.3 million consumer records containing credit-card, bank account and other personal information.
In his last public appearance at the RSA Conference, Bill Gates in 2007 appeared with Craig Mundie, the Microsoft executive taking over responsibility for security in Microsoft products, and the two offered a mea culpa on why Microsoft’s software has had issues. “Humans are humans and they make mistakes,” said Mundie. Gates indicated he hadn’t focused a lot on security in the early years at Microsoft due to a perception people are “good” and the data center seemed carefully tucked away.
When the Stuxnet worm struck industrial control systems at an Iranian nuclear facility, “they succeeded in creating problems for a limited number of our centrifuges with the software they had installed,” acknowledged Iranian President Mahmoud Ahmadinejad about the cyber-attack. Who did it remains shadowy, although one Israeli general boasted about it at his retirement party.
Credit: Morteza Nikoubazl / Reuters
“We have to earn their trust each and every day and with each and every action we take,” wrote AOL’s CEO Jonathan Miller in a company memo in 2006, after the AOL Research division by mistake posted to the public Internet 20 million web inquiries related to more than 650,000 users, including shopping and banking data, a screw-up that saw the head of the division and then-CTO Maureen Govern exiting the company.
BlackBerry data services suffered a four-day global outage in October of 2011 when its "dual-redundant, dual-capacity core switch" failed and its backup failed to activate, leaving BlackBerry users around the world with either weak service or no service at all. RIM co-CEO Mike Lazaridis, acknowledging the outage as the worst in the company's history, said, “You expect better from us and I expect better from us.”
“The audits done by our QSAs (qualified security assessors) were of no value whatsoever,” – Heartland Payment Systems CEO Robert Carr, speaking to the press in 2009 after the break-in at its payment-processing network, for which Albert Gonzalez was later convicted of stealing card data.
Google’s wireless sniffing and collecting of data from individuals on unencrypted Wi-Fi networks during its Street View car projects, which it says was inadvertent, got it in big trouble, especially with European regulators. Alan Eustace, vice president of engineering and research, profusely apologized in 2010, saying, “The engineering team at Google works hard to earn your trust—and we are acutely aware that we failed badly here.”
Credit: Fred Prouser / Reuters