We live in a world where cyber-attacks dominate the headlines. Be it a teenager in his basement or a government agency trying to obtain your data, the Internet landscape has been transformed into a binary battlefield. Who needs a gun when you have a keyboard? Here are the top ten security attack horrors in history.
In February 2000, a Canadian high school boy named Michael Calce, aka Mafiaboy, unleashed a DDoS attack that brought down, for several hours, the websites of Yahoo!, CNN, Dell, Amazon, and eBay among others. He managed to break into more than 50 university networks, after which he used the computers to flood the above sites with useless traffic. Some sites like eBay were down for as long as six hours, causing millions of dollars in damages.
He was later apprehended and sentenced to eight months in open custody due to his young age.
The so-called Heartbleed bug, discovered in April 2014 by a team of researchers from Google and a small Finnish security firm called Codenomicon, is said to be one of the most serious security flaws to have faced the internet to date, partly because it remained undiscovered for more than two years.
This security bug was discovered in the open source software known as OpenSSL, the encryption technology used to protect many of the world’s major websites, leaving them vulnerable to data theft. This serious vulnerability could be used to steal passwords, credit card details, encryption keys and other sensitive data, without leaving any trace.
Operation “Get Rich or Die Tryin’”
One of the largest cyber frauds in history was carried out from 2005 to 2007 by an American computer hacker named Albert Gonzalez, when he managed to resell more than 130 million credit card and ATM numbers. The credit card theft was carried out using SQL injection to deploy backdoors on several corporate systems in order to launch packet sniffing (specifically, ARP spoofing) attacks, which allowed him to steal computer data from internal corporate networks.
While investigators from the International Atomic Energy Agency were completing an inspection of the Natanz uranium enrichment facility in Iran in January 2010, a worm targeted the Siemens computer systems within the facility, causing the centrifuges to spin out of control and self-destruct. Stuxnet is believed to be the first known worm designed to target real-world infrastructure such as industrial systems, water plants and power stations.
The devastating attack set back the Iranian nuclear programme by at least two years. The worm also spread to 50,000 more computers outside the facility.
In April 2011, around 77 million accounts from Sony Online Entertainment and Sony PlayStation Network were stolen, including contact information, addresses and bank account numbers. The hackers exploited a weakness in the Sony network infrastructure whilst a DDOS attack was being performed. The breach lasted up to 24 days. Sony of course took the PSN offline once it realised it was compromised, but by then the damage was done, estimated to have been somewhere between 1 and 2 billion dollars.
Estonian Cyber war
The so-called “Estonian cyber war” was a large-scale DDoS attack against the Baltic nation of Estonia in April 2011, launched as a protest against the Estonian government’s removal of the Bronze Soldier monument in Tallinn. The attacks targeted prominent government websites along with the websites of banks, universities, and Estonian newspapers.
The perpetrators, a pro-Kremlin group called the Nashi, employed a number of techniques, such as ping floods and botnets, that were so advanced at the time that the Estonian government believed they might have had aid from the Russian government.
The attacks prompted a number of military organisations around the world to reconsider the importance of network security to modern military doctrine.
The data breach at Epsilon, the world’s largest supplier of management and advertising services to leading businesses in 2011, is known as the most costly cyber-attack in all of history. Epsilon handled more than 30 billion emails every year and more than 2,000 brands worldwide, including Best Buy, JP Morgan and CitiGroup, and the estimated cost of the damage ranged from $225 million to $4 billion.
The breach itself was set into motion when an employee working for the company received a phishing email. Unfortunately for all involved, that employee clicked on a link, which cybercriminals then used to gain access to the employee’s credentials. With the credentials in hand, the cybercriminals were able to access the company’s databases.
In 2004, Shawn Carpenter, an analyst at Sandia National Laboratories, discovered a series of coordinated cyber raids that the FBI believed originated from government-supported cells in China. In the raids, known as Titan Rain, a designation given by the federal government of the United States, hackers were able to penetrate several computer networks, including those at NASA and other prominent defence contractors. The culprits, believed to be part of the People’s Liberation Army (PLA), managed to steal a great deal of information that, even though not classified, could prove destructive when put together.
Ever since Titan Rain there has been friction and distrust from the US government towards China, as one never knows for sure, after a situation like this, whether these systems contain backdoors or whether these machines have been zombified.
The Federal Office of Personnel Management (OPM), the US government human resources division for all intents and purposes, announced in June 2015 that there had been a data breach in its systems that exposed the records of more than 18 million Americans. The hackers, believed to be from China, were able to access a whole range of sensitive information, including home addresses and social security numbers. As more information is uncovered about the extent of the data breach, the repercussions seem to be much graver than anyone thought.
It is worth mentioning that the OPM had no IT security staff until 2013, which showed. The subsequent investigation found that the office failed to maintain a proper inventory of all of its servers and databases and didn’t have knowledge of all the systems that were connected to its networks. The agency also failed to use multi-factor authentication for workers accessing the systems remotely from home or on the road.
The Original Logic Bomb
In 1982, amidst the Cold War, the CIA found a way to disrupt the operation of a Siberian gas pipeline to Russia without using traditional explosive devices such as missiles or bombs. This pipeline, which provided the majority of gas supplies to Russia during the Cold War, was controlled by an automated system of computers. A Trojan horse was inserted into the software, designed to reset pump speeds and valve settings to produce pressures greater than those that the pipeline could handle. The explosion that ensued was so colossal that the resulting fire was even seen from space.
This was one of the earliest demonstrations of the power of hackers. More than three decades later, with many more vital computer systems connected to the internet, and with more and more business moving to the cloud each day, could an individual use a virus to, say, remotely apply the brakes of a car going at high speed? Could hackers have access to financial trading systems? And given that computer chips are found in practically any device nowadays, could we potentially be controlled without knowing it?
In an effort to help businesses protect themselves from such attacks, we caught up with IT security expert Javvad Malik, who compares a Mike Tyson quote to cyber security.