For the past few months or so, there have been numerous stories about security breaches. Earlier in the saga of security breaches, Sony wound up becoming the centre of attention for people breaking into whatever system Sony had some control over, whether it be their network, their website or a host of other targets. More recently, Sony has found itself in good company with other organizations who had their security breached. Drew Wilson argues that we should really be thanking some of these hackers who bring security vulnerabilities to attention, and that we should pay more attention to online security.
Note: This is an article I wrote that was published elsewhere first. It has been republished here for archival purposes.
Let’s set a very stripped down scene here. A person with malicious intentions decides they want to break into a website, steal people’s identities and sell those identities on the black market for a huge profit without a care for what happens to countless innocent victims. So, this person invests some time in figuring out how to break into a large organization. The person breaks in successfully and steals hundreds of thousands of identities. By the time the organization knows about the breach, let alone the public, the crime has already taken place and the sale of this sensitive information has already happened. Who gets the blame here: the person that broke into the organization in the first place to commit the crime, or the organization for failing to keep itself secure enough against such intrusions?
Chances are, such a question will garner a wide variety of opinions ranging from “how awful is it that someone would sell people’s identities?” to “what was the organization thinking, allowing such a thing to take place?”. The real question that should be asked, in my view, is: what are the details of that incident? Did this hacker go to the extreme lengths of corporate espionage? Like, did this person take a job offering, get hired on and do some sort of sophisticated inside job? Or did this person simply rip open a paper door and pick up an insecure, unattended laptop off of someone’s table? Such details, in my view, alter who is more responsible for the security breach.
Some of these security breaches that have happened lately, for me, really place the blame on some of the organizations that got hacked. First, what should be expected of someone who works in the security arm of an organization? If someone’s job is to monitor the security of a website for a large organization, what should they be doing? For me, I would expect them to at least know a thing or two about internet security and how to secure a website. Next, be aware of how people are breaking into websites in the first place and ask, “OK, this is how this person did that on website x; how could this affect our website, and how are we guarded against such an attack, if we are?” Finally, assess the likelihood of different attacks and build or fix the website accordingly. I would argue that one could go a step further and deliberately find ways of hacking into your own website for security purposes and patch up the website accordingly. Heck, why not hire a skilled independent hacker and monitor that person as they try to hack into the website, and figure out how to patch the site accordingly? Other things I might expect would be encrypting personal information. If personal information is on server y, then it had better have security as tight and strict as US copyright laws. Ideally, not all of the information would be stored on a single server if you are a large company. So, really, these are just some of the expectations that first come to mind for me (someone who wouldn’t know everything there is to know about securing the website of a large organization) when it comes to the web security of a large organization.
So, when reports came in on a regular basis that Sony was getting hacked, it really seemed like these sorts of attacks were exclusive to Sony. This is just one organization that may have stored passwords and personal information in plain text (not encrypted). Some might think, “This is clearly an isolated case and it was one company that decided to be negligent about security. Other organizations are smarter than that.” Really, for weeks, the stories you’d read about security in some places would suggest that this sort of activity was exclusive to Sony. In the last few weeks, there have been reports circulating that suggest that security issues are simply not exclusive to Sony.
The National Health Services of the UK (NHS) had their administration passwords hacked recently as well, roughly two weeks after the US government declared that a cyber-attack was an “act of war”. I could go on all day about who has been hacked recently: Bethesda, servers for EVE Online, Minecraft, The Escapist, League of Legends. The point is that it really is starting to sound like hacking these sites is actually really easy. A lot of these hacks were done by LulzSec, one hacking group. I really wonder how easy it wound up being to hack these places in the first place, because people like LulzSec make it sound like it’s really easy. That, in and of itself, is a little freaky in my mind. How easy could it be to hack a large organization’s website? Well, a recently disclosed hack really sets off alarm bells in my mind.
According to the Daily Mail, Citigroup, a major banking institution, was hacked and 200,000 accounts were compromised. How was the hack accomplished? The simple act of changing numbers in a URL. No special DOS commands, no hacking utilities, not even very much skill at all. Just a browser and an internet connection. All the intruder had to do was log in to their own account, then change some numbers in the URL to obtain someone else’s banking details. The scarier part? The response of one of their investigators:
One expert, who is part of the investigation and wants to remain anonymous because the inquiry is at an early stage, told The New York Times he wondered how the hackers could have known to breach security by focusing on the vulnerability in the browser.
He said: ‘It would have been hard to prepare for this type of vulnerability.’
In what world is changing a URL in a browser to obtain other account holders’ information considered so sophisticated that security can’t stop it? You don’t have to take it from just me that this sounds ridiculous; just read some of the comments on Slashdot:
this quote is the single stupidest and most frightening thing I have ever read on the internet.
this is NOT a hard vulnerability to prepare for. If the only method of user authentication you are doing is based off a string of characters received from the URL, you’re not even qualified to build an ecommerce site for some mom-and-pop 2-sales-a-week company, let alone a bank.
any session allows them to go digging around willy nilly is so unbelievably stupid, I can’t even find the words.
Some other reactions to this story on Slashdot:
I don’t understand how this could happen to a bank […]. It’s ridiculous.
Heads need to roll for this one… Amazing. Words escape me
It was a pretty similar reaction on Fark:
The fark are those IT people doing all day?
If you’re working for a financial institution and you’re passing account information in through the address bar, your whole department needs to be laid off.
On ZeroPaid, we’ve already had a response:
You gotta be f***ing sh****ing me, that is what they pass off as security?
So, I think I’m in pretty good company when I say this revelation is both frightening and outrageous.
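As an added illustration (not code from the article or from Citigroup), the two handlers below model the URL-tampering flaw described above: the vulnerable one authenticates the user and then trusts whatever account number arrives in the URL, while the hardened one ties authorization to the session and counts denied cross-account requests so that someone walking through account numbers can be detected. Every account, token and the alert threshold are constructed sample values.

```python
# Added example (not from the article): the "change a number in the URL"
# flaw beside a hardened handler. All data below is constructed sample data.
from collections import defaultdict

# Constructed sample accounts: who owns which account number.
ACCOUNTS = {
    1001: {"owner": "alice", "balance": 250.00},
    1002: {"owner": "bob", "balance": 9800.00},
}
# Constructed sample sessions: opaque login token -> authenticated user.
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}

# Per-session count of denied cross-account requests (detection signal).
DENIALS = defaultdict(int)
ENUMERATION_THRESHOLD = 3  # constructed value; tune to real traffic

def get_account_vulnerable(session_token, account_id):
    """Checks that the caller is logged in, then trusts the account id
    taken from the URL. Any logged-in user can read any account simply by
    editing the number, which is the flaw the article describes."""
    if session_token not in SESSIONS:
        return 401, None
    account = ACCOUNTS.get(account_id)
    if account is None:
        return 404, None
    return 200, account

def get_account_hardened(session_token, account_id):
    """Binds authorization to the session: the record is returned only if
    the authenticated user owns it. Missing and foreign accounts both get
    404 so the response does not confirm which account numbers exist."""
    user = SESSIONS.get(session_token)
    if user is None:
        return 401, None
    account = ACCOUNTS.get(account_id)
    if account is None or account["owner"] != user:
        DENIALS[session_token] += 1  # record the denial for monitoring
        return 404, None
    return 200, account

def looks_like_enumeration(session_token):
    """Detection hook: a session that keeps asking for accounts it does not
    own is walking the id space; that repeated pattern is what to alert on."""
    return DENIALS[session_token] >= ENUMERATION_THRESHOLD
```

The ownership check is the whole fix: the account number in the URL is treated as a request, never as proof of entitlement.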
At what point does a security breach move from a malicious attack to simple negligence on the organization’s part? It’s the kind of security that is the equivalent of being able to remove a heavy stone wall, by hand, with a crowbar, in ten minutes with minimal effort. It shouldn’t be possible at all – just like it shouldn’t be possible to breach security at an online banking institution by changing numbers in a URL. If security measures are this easy to bypass at other banks, it’s no wonder whatsoever that credit card information or banking information is being passed around like trading cards in certain private IRC chatrooms. Many people do know what can potentially happen when certain bits of personal information are out in the wild. This is where you hear stories of people suddenly finding out that they owe thousands of dollars thanks to purchases they never made in countries they don’t even live in. Or stories like some poor woman having hundreds of thousands of dollars put on a loan against a house she thought was paid off, and a bank tapping its feet at her doorstep asking where its money is. How about stories like some guy finally getting a handle on life only to find out his bank account was completely cleaned out because of a wire transfer he didn’t authorize? God help them if the bank in question won’t believe them when they say they were fraudulently charged. Bottom line, innocent people are being screwed here, likely because there was some form of incompetence somewhere along the line in some of these organizations.
Where is the accountability in all of this? Where does it say that if you are negligent in protecting people’s private information, which could be financially detrimental to people if put in the wrong hands, you are going to face some serious consequences beyond a typical rap on the wrist? How often are people even prosecuted for data breaches of this magnitude when they do happen, anyway? How can we trust organizations with our money, sometimes our life savings, if security seems so lax with some of them?
So where are the hackers in all of this? No doubt some of them will misuse private information because hacking can be financially motivated. Some of the hacking done by LulzSec, I think, should be thanked because it really puts the importance of online security at the forefront. One commentator had a nice rant about LulzSec, saying that security professionals are getting a kick out of what LulzSec is doing:
So for the last ten years I’ve been working in media, trying to raise awareness of the idea that maybe, just maybe, using insecure computers to hold your secrets, conduct your commerce and run your infrastructure is a sh***y idea.
No one who mattered listened. Executives think it’s FUD. They honestly think that if they keep paying their annual AV subscriptions they’ll be shielded by Mr. Norton’s magic cloak.
Security types like LulzSec because they’re proving what a mess we’re in. They’re pointing at the elephant in the room and saying “LOOK AT THE GIGANTIC F***ING ELEPHANT IN THE ROOM ZOMG WHY CAN’T YOU SEE IT??? ITS TRUNK IS IN YR COFFEE FFS!!!”
There is no security, there will be no security. The horse has bolted, and it’s not going to be the infrastructure that’s going to change, it’s going to be us.
I certainly agree with that. If, in large organizations, there’s a culture surrounding web security that allows what we’ve seen happen in the last few weeks, then something about that culture needs to change before these kinds of security breaches get any more out of hand than they already have. For the hackers that simply expose the security flaws and don’t misuse the information they obtain, I think they should be thanked, because a lot of them are really bringing to light how shoddy security can be. Just because an organization has an internationally recognized name doesn’t mean it’s invulnerable to any threat that exists today. To those that misuse the information, I have no hesitation in saying that they should be ashamed of themselves – especially if people are severely affected by the misuse of that information.
I think all of this serves as a wake-up call that organizations need to ensure that there is sufficient funding and/or resources devoted to security – especially those who hold financial information. Sure, times are tough, but the security of personal information shouldn’t be something to skimp on – especially after what we are seeing in these kinds of reports these days. So, to those who hack ethically, I say you should be thanked, because this is an excellent way to start some kind of change. If change does happen, let’s hope it’s for the better.