By Andy Marken
The NYSE (New York Stock Exchange) and United Airlines computer glitches couldn't have happened at a worse and better time.
The incidents weren't caused by hackers but did highlight that software is cobbled together code with pieces from here, there, you name it. Bad code gets passed along without causing a problem ... until it does.
Of course, the outages raised the visibility of the growing problem of hacking and gave government officials another opportunity to say "See, encryption is a bad thing and we need backdoors into systems to catch bad guys/gals."
Yes, government agencies have to encrypt their stuff because they have to do things in secret. For everything else, they want digital keys to unlock encrypted data.
To make sure it's safe, they'll give parts of the key to various trustworthy people like they do with missile keys.
That'll make you sleep better at night!
We agree that protecting computers, networks and national infrastructure (in every country) from cyberattack is both critical and a huge challenge.
Cyber-security firm Trap X pointed out that most companies and governmental agencies spend less than 10 percent of their IT (information technology) budget on security. And you can bet every board of directors and CEO (chief executive officer) is telling their IT department to get hardware/software security installed ... yesterday.
The security stuff will work just great until we add the human factor.
Ordinary folks think all that security stuff just gets in their way of getting things done so they don't regularly update theirs or they work around it.
Just ask Sony or the hundreds of organizations that are hacked and sacked every day.
Just a Sample – Data breaches are becoming so frequent that they barely get covered in the obit page any more. Only the really big ones seem important, except if one of them involves your personal data; then even the smallest is huge.
Begrudgingly, you have to admire the individuals and teams of hackers who work around-the-clock, around-the-calendar, and around-the-globe.
Cyber hunters from Symantec, Trend Micro, Kaspersky, Mandiant, Phishlabs and hundreds of other security firms and government agencies spend days, weeks, months, years tracking the bad folks who prey on people's ineptitude, gullibility, stupidity, greed and laziness.
Back when New York Times' John Markoff documented the tracking and capture of Kevin Mitnick (the work became a book Takedown and later a movie) hacking was in its infancy, requiring something similar to good police work – investigate entry points, victims, criminal fingerprints, items left behind at the scene.
Making the connection between the attack and the individual(s) is extremely difficult because you almost have to catch them with their hands on the keyboards, which is why so few are ever brought to justice.
Security firm Kaspersky Labs knows because they discovered an ongoing attack on their own advanced research systems. They thwarted the attack but still know very little about the hackers. Eugene Kaspersky noted, "You have to surround the person who is behind the keyboard."
That's easier said than done when the attacks could be coming from anywhere in the world ... and they do.
In Realtime – Network and site attacks are so frequent they're almost boring unless you watch the action taking place around the globe. Think of it as realtime Pong with someone in one country banging on someone's backdoor in another country trying to gain entry. Old software and sloppy people make it way too easy for the bad guys/gals.
The importance of the global infrastructure has created renewed interest and concern for everyone – most of us feel we can't talk to folks if we can't email or text them.
As a result, the U.N. (United Nations) has agreed that all nations should respect the rules of the road in cyberspace to protect critical infrastructure from cyberattacks.
Okay, that won't protect the world from hackers/whackers; but man, we have to start somewhere to tame cyberspace's wild, lawless frontier.
Then the cyber guards and bounty hunters can focus on hackers who have expanded their fields of operation--not the good blackhats who dig out vulnerabilities for firms or those who develop protection products and test their own products for penetration. Yes, they still love getting personal info and using it for financial gain, but they've also begun tapping into companies and stealing valuable IP (intellectual property).
Actually, stealing passwords and personal data is still the activity that gets all the coverage because that's individual people's stuff! Selling passwords, social security numbers and financial information will continue to be big business – profitable and relatively risk free.
But they've expanded to focus on multibillion dollar, multi-national companies with rich libraries of IP in the internet, software, pharmaceutical, legal and commodities fields.
Given the business they're in you'd expect their op sec (operational security) to be pretty good; and for the most part, it is (they clean up after themselves after they've come into a company's system, gotten what they came for).
One of the best hacks (so far) was of a company called Hacking Team. They make spyware and malware for "authorized" law enforcement, intelligence agencies, countries (yours, mine, his, hers); and it turns out, for oppressive regimes and "others."
How did they do it? Weak passwords ... get outta' here!
Dumb, Dumber – You'd think that people who make their living developing stuff to get into other people's stuff would be a little paranoid about how they handle their work, but Hacking Team people are just like you and me; they are lazy when it comes to picking really tough passwords.
Cybersecurity folks all agree that humans are the weakest link in the chain – poor/weak passwords, passwords on Post-Its, outdated malware/security software.
Of course, the OPM (Office of Personnel Management) heist (22M personal records – which they'll admit to losing) was the biggest experienced in the U.S. (or any country) to date.
You'll see government committees formed to root out the problem/correct the situation; and other countries will work to tighten up their security with more products, more services and more people, but the noise will die down and after a while, things will return to a normal governmental agenda.
Until next time.
Hackers, especially sophisticated teams, are a lot like taggers. They mess things up, but you have to admire their creativity, and they have their own distinct style.
Ultimately, that's the way determined cyberhunters find them; and even if they can't be prosecuted, knowing who the individual(s) are makes it easier to defend against them.
No company – Kaspersky, Symantec or the thousands of other security/malware products or service companies – will guarantee 100 percent defense against an attack but any organization/individual can do something to make it difficult.
Protection
Here are just a few common sense precautions:
- If you're interested in buying/selling/renting something and the person on the other keyboard asks you to share your Social Security number and other personal information, it's time to leave the conversation.
- From time to time, you'll receive some interesting phishing emails – bank, dying person in Ethiopia, government official in Iraq, lawyer – asking you to either provide personal information or "click here" and BAM! You've got a virus or your system has been occupied ... just hit delete.
- To foil dumpster divers, shred your important papers or lock them in a safe place.
- Slim down your wallet by leaving your social security card, health insurance card, all those extra credit cards in a safe place.
- Check the security settings on all of the public websites – Facebook, Linkedin, Spotify, etc. and eliminate/minimize personal information and the people who can actually see it.
- Check information and images with various searches to determine authenticity (someone mentioned it also works for the online dating services – yeah!).
- Come up with some really good passwords (better than the most popular used by Hacking Team and your friends), use them, and change them frequently.
- If you don't want to forget all those complex passwords, use a password manager like 1Password or LastPass (but just remember they can also be hacked ... LastPass was a while ago).
- Buy good anti-malware, antivirus software – run, update, repeat.
- When you receive authentic notices of patches and updates, install them. They just might be plugs for huge holes someone finally uncovered.
- Got really important things to talk about or just want to irritate government agencies? Use encryption software like that written by Moxie Marlinspike.
Don't look at the hack/breach articles and think it's not all that bad.
A lot of financial losses go unreported ... bad PR.
Jupiter Research projects that cybercrime will only get more sophisticated and that by 2019, it will cost businesses more than $2T.
There's no need to contribute your share.
Just remember what Reuben said about casino security, "I invented it, and it cannot be beaten. They got cameras, they got locks, they got watchers, they got timers, they got vaults, they got enough armed personnel to occupy Paris!"
But protection is only defensive and you never know where or how the hackers are going to take the offensive.