Are There More Hacks & Breaches This Year… Or Is It Just Shark Attack Week?
from the questions,-question dept
There have been an awful lot of stories of computer hacks and breaches lately, many of them high profile: Google, Citibank, Sony, the US Senate. It certainly feels like everyone’s under attack. But is that really true? Bruce Schneier suggests that it’s just a media sensation:
“I truly don’t think there’s a higher instance of hacking right now. I think there’s been a wave of media coverage,” said Bruce Schneier, chief security technology officer of BT and one of the most respected security experts around. “We saw the same thing with shark attacks. It’s not that there are more shark attacks. It’s that they made the news when people started looking for them.”
It does make me wonder. The media can be quite efficient at finding evidence of an epidemic when things are actually occurring at a normal rate, but it certainly does sound like some of the attacks lately are landing on bigger name targets. Part of this may also be the more public attacks from groups like Anonymous and Lulz Security, who are doing what they do more for publicity reasons than as criminal enterprises. Either way, I’m curious to see what others think about the issue. Are we really seeing more attacks and breaches today, or is the press just picking up on it lately?
Comments on “Are There More Hacks & Breaches This Year… Or Is It Just Shark Attack Week?”
Look at CitiGroup, and how easy it was to ‘hack’ them.
“They simply logged on to the part of the group’s site reserved for credit card customers and substituted their account numbers ? which appeared in the browser’s address bar ? with other numbers.”
http://it.slashdot.org/story/11/06/14/2046216/How-Citigroup-Hackers-Easily-Gained-Access
Oh, and from the comments
“One expert, who is part of the investigation and wants to remain anonymous because the inquiry is at an early stage, told The New York Times he wondered how the hackers could have known to breach security by focusing on the vulnerability in the browser.
He said: ‘It would have been hard to prepare for this type of vulnerability.'”
http://it.slashdot.org/comments.pl?sid=2239030&cid=36443084
This isn’t even a hack, this is just common sense. It’s using the system as intended, the system was practically designed to give away personal information.
Says it all:
http://www.thesatya.com/images/bruce.png
Remember Haiti?
After the earthquake in Haiti, there was a tremendous uptick in reporting on earthquakes around the world. As I discovered on my own research (to the wikipedia!), 1,000’s of earthquakes happen all over the world at variety of magnitudes every year. The only thing that had increased was how much the media was talking about it.
When more and more reports came up about hacks and security breaches online, I immediately knew this was just a journalistic frenzy crafted to cause mass panic and gain eyeballs.
Tsunamis & Volcanoes
Same thing.
Slashdot post brought up a good point: There really may be a slight up tick as more ITers are out of work and need money, IT security budgets are getting squeezed, and there is increased pressure to roll out features faster and cheaper.
The difference is intent
As you mentioned, the difference is likely that those doing the hacking aren’t out for financial gain, but attention to a particular issue, and the media is happily obliging.
Headline: Hackers hack to steal credit cards from PSN
….sucks.
Headline: Hackers hack government site as citizen retribution
….awesome.
Nope it is clearly shown that before 24 hour news channels, the internet, the mobile phone, the telephone, morse code and smoke signals crime was less, just look at how many stories about Paedofiles the average farm labourer would have known about in 1657 compared to the amount he would know about in 2011, clearly this shows that crime is on the increase and has nothing to do with the speed that such news/information can be transmitted from one location to another.
Re:
Yeah, I wouldn’t be surprised if companies are actually more vulnerable, as they’ve been running lean IT staffs or outsourcing because “IN THESE HARD TIMES” they don’t want to spend more than the bare minimum on making sure things keep working. Any competent software developer creating an online banking system would not make non-logged-in accounts visible.
I think it says alot about these groups and that their “hacks” continue because they are such small-fry operations even if they are making mainstream media.
I can not even fathom that the chinese hackers that can pick apart google are inferior to these groups. The level of opposition that countries/states face every day on their systems is far and above anything these groups have done. And I can’t think of a country that does not have to deal with attacks on their systems every day (maybe New Zeland, Just kidding! Honest!) These groups are performing the equivalent of throwing a brick through a store window and shouting “Look! They have poor security!” and grabbing stuff and running. Anyone who does that is not going to have a military operation to catch them. They are just that low of priority, and unfortunately we’re not going to hear about the real important prioritis which is a different problem.
I think what you are seeing is a combination of a few factors:
– hot button news: there is currently a push on cyberwarfare and all that, any notable hacking is certainly going to get more attention
– fast reveals of hacks: Twitter and it’s ilk allow hack reports to be more quickly spotter, hacked sites are seen before they are fixed, etc. It’s also easier to find ways to publish proof of a hack and claim responsiblity in an anonymous fashion.
– Hacktivists: A relatively new concept, people hacking companies not because they want anything, but rather to cuase the company grief, to piss off their customers, or to embarrass the company. These only work if they get significant media coverage, so they are done in with the specific goal of getting exposure.
– More to hack: Online business means there are more things to hack, more juicy targets, more credit card and personal info out there, etc.
I think the hacktivist issue probably driving much of this right now, and the media is receptive because of the banging of the cyber warfare drums.
I did mention in the past few weeks that Anonymous needed a PR campaign though the end game seems to fit there agenda which leaves most of us that take issue with these companies with a big fat smile on our face.
Yes, because the hacktavist community.
If a system is cracked...
and the media doesn’t report it, is sensitive data compromised?
I think Michael Crichton summed it up best in one of his speeches, which is unfortunately no longer available on his official website.
“Like a bearded nut in robes on the sidewalk proclaiming the end of the world is near, the media is just doing what makes it feel good, not reporting hard facts. We need to start seeing the media as a bearded nut on the sidewalk, shouting out false fears. It’s not sensible to listen to it.”
You can find the speech in its entirety on several websites. I do remember that his website clearly stated he didn’t want people publishing it without permission so I won’t post a link here. I’d hate to lose Techdirt to an ICE domain name seizure.
The strange thing about Citigroup is that their security was crap (non-existent) back in the 80’s and nothing much seems to have changed.
Mid 80’s or there-about a prominent Australian cracker named Force was scanning networks with DEFCON (his network mapping program) and came across an IP address that started spewing out numbers, this lasted for almost 48 hours and turned out to be a massive database of credit card numbers/details.
The machine he was connected to could be prompted to spew out all these details with Ctrl+K or something similar.
Re:
So, since institutions don’t have any money to hire IT professionals, IT professionals are out of a job. As a result, those institutions don’t have secure servers and since many IT professionals are now out of a job, they have little better to do than to go around hacking these poorly secure institutions. Hacking them gives these institutions a reason to hire more IT professionals. Upon hiring more IT professionals, there are fewer (competent) attackers attempting to hack these more secure institutions (since now the hackers are employed, though there could be cases of inside attacks) and so management no longer sees much of a need to hire so many IT professionals. Management lays many of them off. Over time, the servers once again become insecure and all of a sudden there is an influx of available IT hackers with no jobs. More institutions get hacked, managers need to hire more IT staff again, and the cycle continues.
One place to consider in terms of searching for who’s behind many of these hacks is previous IT employees who have been laid off. Such previous employees are likely to be most familiar with the system and its vulnerabilities (not to mention they may have intentionally created some subtle vulnerabilities themselves during employment) and hacking the system could give their previous employers incentive to re-hire them (since they would need the least training and so hiring them is more cost effective than hiring someone less familiar with the system).
It’s almost like arson where someone who gets money either for putting out fires or serving/catering those who put out fires (or otherwise) starts a fire to create a job for himself that he gets paid for.
Just speculation here but there seems to be a push to demonize the word “hacker” by associating them with criminals in every opportunity. Even in this article. Criminals should be treated as criminals, if the crime happens with a computer then they are still a criminal. Slapping the label “hacker” on a criminal just because the internet was involved just seems pointless and misleading to me.
Has Sony Been Hacked This Week?
.
.
.
http://HasSonyBeenHackedThisWeek.com/
twitter.com/HSBHTW
yesterday it said “yes”, today it says “not yet”
Well, there is the big part about LulzSec doing it for the lulz. When they hack into something, they reveal it for all the world to see. When a black hat crime hacker group hacks into something, they steal everything and don’t let anyone know about it (because what good is scamming a mark if you let them know about it after?)
I’m betting that hacking has been going on all around us, but because the hacking has been silent, the hacked don’t even know about it and can’t even report it if they wanted to.
It is actually sharks with lasers.
I believe hacking is greatly under reported!! Many companies who are hacked are embarrassed to report it. As a spectator, I do feel angry with what has happened in the last few years. Major banks rolled over the populace and law enforcement agencies are abusing there authority! The U.S. has become so comfortable with complacency its sickening!!! I know this sounds awful but part of me wants a serious uprising against the status quo (political establishment). It kills me to hear over 45 million Americans are living on food stamps. Bottom-line, yeah, I’m fucking angry!!!
Am I the only one who is beginning to think that LulzSec is really a PsyOp?
Re:
It does not have a thing to do with embarrassment. It is all about the money. Shareholder confidence crumbling. Legal repercussions. Etc. Etc. Money. First. Last. Always.
compliance
I read an article on Monday and despite a rabid search for the past two days, cannot find it again but the particular journalist’s take was that breaches are on the rise because companies are so busy jumping through the hoops of SOx, PCI and the like. Those that understand the technology understand that most of the requirements of those … things are really best practices that should have been being done in the first place and may have nothing to do with the current threats. People who do not understand the technology are yelling at their IT people with, “But I thought we were compliant?!”.
Probably an unreported factor in these breaches is the lack of understanding that if your employees are on Facebook or can actually figure out how to send an email, then they are technically savvy. That is a huge assumption. And it is wrong. I have fielded complaints from a user that they cannot input their password because there are x’s over it and they can’t see what they are typing. Having 2 million friends on Facebook means nothing.
I don’t personally know if breaches are up or not. April of 2010 was a pretty rough month if I remember correctly. I would bet a pretty dollar that while some high value targets have been very, very public, it is still the tip of the iceberg. There are too many detriments to reporting a breach unless you absolutely have to.
btw – I am an (employed) (overworked) application security engineer.
WTF 1997
This kind of hack, reported by the NYT, has been known about forEVER. When everything wasn’t menued and crosslinked, you’d do this mousing around a directory… You did it all the time using Gopher and Veronica and Archie. A lot of early websites didn’t have proper 404 pages and if you typed a wrong URL you’d get dumped into a directory/filesystem list (which could be dangerous)… so you hacked your way manually back up the tree to get back to where you got off the track.
Yahoo was “hacked” this way several years ago and for using the same nonsecurity; username was part of the urls and you could simply try other usernames and there you were, in their account…
This kind of hack is ANCIENT and any site with ANY responsibility for personal info, let alone freakin’ BANK ACCOUNT INFO, simply cannot have such a low-level security hole. Period. This hack is taught in web site 101 and has been for the last 12 years or more. It isn’t even really a “hack”; it’s a bad configuration.
It’s shameful and exposes just how lame these financial institutions are and how fast and loose they are with data handling (moddable user data in the url?). Every one of their “IT staff” should be sent to work at McDonalds; the hamburger guy there could probably figure out a more-secure system than this.
Tip: don’t believe in the Media.