Interesting piece by well-known IT figure Jeff Atwood:
http://www.codinghorror.com/blog/2012/09/computer-crime-then-and-now.html
On one level, this piece is a terrific summary of how hacking is done. It’s mostly not about messing with computers; it’s about messing with people. The trick in serious hacking is typically to fool someone into giving you their username and password – or to find it, usually written on a sticky note on their monitor. It’s called “social hacking”.
I’m not sure that most people understand this. From my conversations, I get the impression that most people think “hackers” can write special code that simply “gets around” the security. They think hackers perform the digital equivalent of forcing a window. In fact, modern hacking usually means nicking your key and walking through the front door.
The technique was well illustrated in the ultimate hacker film, 1983’s War Games. “They change the password every couple of weeks,” says Matthew Broderick’s character, “but I know where they write it down”. (That, by the way, is why smart systems administrators never force people to change their passwords every three months.)
But on another level, Atwood’s piece is about how the Web of passwords and information in which we now live leaves us more open than ever before to these social exploits. Online services make social hacking easier than ever before.
Atwood’s post links, among other things, to writer Mat Honan’s hacking tale – he had his iPhone, iPad and MacBook wiped and they got into his Twitter account too. How’d they do it? They rang Apple, provided a billing address and the last four digits of a credit card, and they were in. It turns out that both of these pieces of information are easy to find through other routes. Honan’s hacker used Amazon, among other things.
Honan’s vulnerabilities were the same vulnerabilities most people have. It wasn’t that he used “123456” or “password” or “welcome” as his password, though lots of people do. His problem was that he had various pieces of information spread through multiple online services – Gmail, Apple, Amazon, Twitter and so on. The hacker could piece together the information he needed through those various services.
And there’s your problem.
Increasingly, “our information” is just a series of access codes that get us into other people’s databases – Google, Apple, Microsoft, Intuit, NAB, CBA, Dropbox. Each of these firms has different security protocols. Put them all together, and they create a Web of vulnerability for online data.
And “online data” increasingly means “all our data”.
Our email lives online. So do our most important documents, our backups, our family photographs, our tax information, our business accounts. I think that is probably the way it should be, if only because Google knows how to back stuff up, and Uncle Bill does not.
But before this new information ecosystem can work properly, we will need to change people’s security behaviour. That is going to be very, very hard.
(Cross-posted at shorewalker.com)
There’s a fair number of simple but effective brute-force attacks out there as even a casual glance at any server logs will testify. I dunno how many they catch out with that stuff, but must be enough to encourage them to keep trying.
I also get buckets of virus-infected spam emails, phishing scams, offers from Nigeria, you name it… they wouldn’t send that stuff if someone out there wasn’t falling for it. Remember the good old days, when you could just scam people with common or garden Ponzi schemes, and fictional reserve banking? Where did we go wrong?
That’s right, Tel. My server logs say the same thing, as do my spam folders. Hence my reference to “serious hacking”. Most of the bot attacks are efforts to take over a server for the purposes of distributing viruses, spam email etc – the attackers don’t really care which computers/users they find, and frequently attempt to keep the rest of the system going so they are not discovered.
I’m thinking more of attempts to get hold of or destroy specific pieces of information, or a specific person’s information. The Mat Honan story is about someone specifically targeting Honan for attention.
Brute-force attacks were once employed in these scenarios – but not any more.
Meanwhile, there’s some former customers of a bloke named Bernie who will tell you that the Ponzi schemes still work pretty well, for a while at least.
One way to get into a secure system is to “lose” a few USB keys in the nearby streets. It’s amazing the number of people who’ll want to see what’s on that thing they found on the pavement. Your secure network need not even have any link at all to the outside world.
As a rule people are more easily hacked than computers.
We should focus on the behaviour of organisations that operate these systems, not on the behaviour of people that use them. In a society where people don’t take reasonable care of things such as their health or superannuation, you’re not going to get people to take responsibility for informational security.
I think the best way forward is to make organisations strictly liable for the consequences of the misuse of any information they store. Once a data breach is proven, any potentially related damage (e.g. identity theft) becomes presumed. Alternatively, a statutory penalty rate could be attached to each type of data, which is then multiplied by the amount of data stolen for all breaches. It might be an idea to sprinkle unique “fingerprint” data into each system in order to establish proof of where the information leaked from. This will provide the incentives for organisations to seek out the best way to protect people’s information, including the best way to police the people that use their systems.