The 2007 security hall of shame
- — 27 December, 2007 07:47
Ummm ... oops? Notable meltdowns
Do you copy?: DHS's self-created DDoS attack Thousands of security professionals subscribing to a daily news roundup e-mailed by the Department of Homeland Security found their in-boxes clogged with mail from each other, thanks to an apparent technical oversight on the part of an e-mail administrator working for a DHS contractor. The early October cascade kicked off when one subscriber sent a reply to the list administrator with a change request. That e-mail was automatically resent to all of the list subscribers.
Within hours, dozens of subscribers replied to the original mail. Each response in turn was sent to all of the other subscribers on the list. By the end of the day, more than 2 million messages had been generated as recipients using Reply or Reply All first complained about the spam surge, then added to the flood by mailing offhand comments, humorous remarks and demands to be unsubscribed from the list -- creating, in effect, a miniature distributed denial-of-service attack. The e-mail addresses, phone numbers and contact information of several people, including government and military officials, were exposed during the uproar.
Bag that: Supervalu gets phished Eden Prairie, Minn.-based grocery chain Supervalu in February was conned into sending US$10 million to two fake bank accounts by phishers posing as employees working for two of the company's approved suppliers. Supervalu received two e-mails, one purporting to be from American Greetings and the other from PepsiCo's Frito-Lay unit, asking the company to send future payments for each supplier to new banks accounts based in Florida and Arkansas.
The e-mails were apparently convincing enough for Supervalu to deposit over US$10 million into both accounts before realizing it had been had. Happily for the retailer (and, presumably, whoever approved the change on its end), the money was recovered by the Feds before it was withdrawn.
Undiplomatic relations: Symantec in China A signature update to Symantec's antivirus software in May crippled thousands of PCs in China. The software identified two critical system files of the Chinese edition of Windows XP Service Pack 2 as a Trojan and quarantined them, causing widespread crashing. Making matters worse, those specific files were required to start affected systems in Safe Mode, ensuring all-but-total shutdown and drawing howls of protest from the blogosphere. Five weeks later, a red-faced Symantec decided to mollify affected users by giving them free backup software ... and extending their subscriptions to the same antivirus software that knocked out their computers.
Hear me, see me: House outs whistle-blowers The House Judiciary Committee in October had to apologize to dozens of whistle-blowers for accidentally exposing their e-mail addresses to other individuals who, like them, had used a committee Web site to secretly submit tips about alleged abuses at the Department of Justice. The snafu came about when a clerical employee at the committee accidentally included the e-mail address of all the whistle-blowers in the To field of a message sent out to each tipster, ironically to inform them of certain changes in access conditions. A substantial number of the more than 150 e-mail addresses in the distribution list included portions of individuals' real names. Included in the list were the public e-mail addresses of Vice President Dick Cheney and some apparently fictitious individuals.
Arrrrr! WGA sees pirate people: In August, an unspecified server error at Microsoft resulted in many paying users of the company's Vista and XP systems being mistakenly identified as pirates by Microsoft's Windows Genuine Advantage (WGA) software validation system. The problem lasted for 19 hours, during which time frustrated users lost some features on their system that they could get back only after revalidating themselves all over again. The glitch occurred over a summer weekend, leading to further frustration when help from the company was slow in coming.