By Zachary Vasile
Like birth and death, hacking became a new form of the inevitable in 2014. Of course, it had bubbled to the surface time and again, stewing in and out of personal computers, government databases and the sci-fi imagination.
During the last 12 months however, hacking broke through to the banner headlines and shows little sign of relinquishing the threatening power it wields in every field from engineering to electronic eavesdropping to entertainment.People seem familiar with the concept of this dark art. But most of us lack the technical background to challenge the netherworld that hackers invade and conquer. That needs to change.
The cyber security community is emphatic in insisting that government officials, CFOs, high school students and everyone else need to get proactive about a problem that is quickly spiraling out of control. Without the proper information —and a willingness to cut through the techie jargon that often clouds any conversation about hacking— we all add to our risk.
“We Can’t Call the Police”
The crowd of sharply dressed business leaders and innovators shuffled out of the lake-effect cold and into the posh and purple-lit Venue SIX10 on South Michigan Avenue in downtown Chicago. The sense of urgency surrounding this year’s Bloomberg Government technology panel, entitled “Digital Trust,” was palpable. What would it take to prevent the “next Sony”?
If the diverse panel had one message, it was that the 99 percent of law-abiding Internet users need to take ownership of protecting themselves. Any other scenario —that the hackers will quit, or that the government will step up its game— is wishful thinking, panel experts said.
“I think with government specifically the challenge we have is just jurisdictions,” said Roger Liew, senior vice president and chief technology officer at Orbitz Worldwide. “If our computers in the Chicagoland area are hacked by somebody not in the city of Chicago, which is very likely, then we can’t call the police.”
The panel talked through a number of potential fixes for both big companies and individual Internet users, including better and more consistent encryption. But the buzziest strategy —and one that has been floating around in cyber security circles for years— is two-factor authentication, which basically means relying on two identifying components rather than one. Anyone who has swiped a credit card and then entered a PIN number to verify that it is really you on the other end of that transaction is familiar with the procedure, and it could be making its way online soon. Possibilities include the use of USB stick tokens, transaction authentication numbers, and even fingerprint and iris scans.
Another tool for the good guys is the much heralded “smart card” or “chip card,” a bank card with integrated circuits. Unlike the magnetic strip cards widely used today, smart cards store funds on the cards themselves, making them considerably harder to exploit. Additionally, chip circuits carrying encrypted data are extremely difficult to replicate, acting as an additional deterrent against fraud.
The Toolbox
This tech world arms race is a necessary response to a growing threat. While there are literally thousands of ways for hackers to compromise a given computer system, most targets are still readily susceptible to the most basic weapons in a hacker’s arsenal.
“Most breaches occur because the hackers were able to brute force a password or because something was easily guessed,” said Ken Westin, a security researcher based in Portland, Oregon.
In computer parlance, “brute forcing” refers to an infiltration method in which hackers use specially written programs that try millions of potential passwords to unlock private online accounts. It’s the equivalent of unlocking a safe by trying every possible combination, albeit much, much faster.
Disturbingly, many hackers are able to avoid brute forcing altogether by making educated guesses about their target’s passwords. Christopher Chaney, who in 2011 gained notoriety and a 10-year jail sentence for breaking into celebrity email accounts, admitted to police that cursory research often revealed everything he needed to guess the passwords of stars like Mila Kunis and Scarlett Johansson.
Similar vulnerabilities may have allowed hackers to target the Apple iCloud accounts of A-listers like Jennifer Lawrence, Kate Upton, Kaley Cuoco, and Ariana Grande during a massive photo leak in September. The names of pets, kids, and hometowns become frequent and predictable passwords to aid the hacker.
Somewhat more sophisticated are the hacks that allowed criminals to break into the networks of retailers like Home Depot and Target. These attacks often involve point-of-service (PoS) tampering, in which those wishing to compromise a network will infect available devices like company computers or automated registers with malware that gather sensitive data like account numbers from debit and credit cards.
Also in this league are Structured Query Language attacks —also known as SQL injection attacks— which use malicious code to corrupt and exploit vulnerable software, including the programs that run magnetic stripe readers and ATMs. SQL injection was the preferred hacking technique of Albert Gonzalez, an American criminal whose credit card theft ring amassed over 170 million stolen numbers by targeting companies like TJ Maxx and 7-Eleven.
A Defining Moment
For all the emotional hurt and financial damage these cyber attacks inflict, it is doubtful that any of them were as sophisticated —or as destructive— as December’s Sony Pictures Entertainment hack. The attack did not just compromise data, it destroyed data by installing a malicious storage erasing program known as Wiper. The hack hampered the release of The Interview, a Seth Rogen-helmed action comedy, ignited an impassioned national debate about free speech, and cost the multinational corporation billions of dollars and considerable prestige in the cloistered world of Hollywood.
“The term ‘systemic failure’ is not out of place [to describe the Sony hack],” said Stephen Cobb, a senior security researcher at technology firm ESET, during a BrightTALK web seminar in January.
According to Cobb, sections of Sony’s network fell outside of the company’s security capabilities. Once hackers were able to compromise the weakest areas of Sony’s security, they wormed their way to the most sensitive data, including the now infamous personal correspondence of executives Amy Pascal and Scott Rudin.
The Sony hack has inspired a security gut check in the world of American business. Compromised data is bad enough. Even worse is being left with no legal recourse or compensation when the responsible parties vanish into the cyber ether. Law enforcement agencies like the FBI can almost always check website user logs to determine the Internet Protocol (IP) address of computers connected to a victim network, but most hackers have ways of disguising their IPs through anonymous routing services like Tor. If a given IP is found to be a mask, the trail can go cold.
“It’s very easy to make it look like North Korea hacked Sony,” said Westin. “It’s very difficult to place a person behind the computer.”
The Sony hack could very well inspire a corporate security race-to-the-top now that the American business community fully realizes what is at stake.
The New Wild West
Despite our best precautions, the Internet is a difficult world for asserting the rule of law. In some ways, it resembles a digital Old West, where even the good guys resist control. As powerful and resourceful as law enforcement and the business community might be, they will often encounter highly motivated cadres of criminals and net delinquents who know the lay of the land better than they do and whose motives are difficult to rationalize.
Take, for instance, the Lizard Squad, a hacker collective known for temporarily bringing down PlayStation and Xbox by overwhelming them with traffic, a tactic known as a distributed denial-of-service (DDoS) attack. Unlike the Guardians of Peace (who claimed responsibility for the Sony hack) and Anonymous (who are known for their leftist rhetoric), Lizard Squad has no politics, espouses no agenda, defends no state, and collects no money. When Lizard Squad attacked PlayStation on Christmas Day, the motives that surrounded the Sony case were strangely missing.
“The DDoS Lizard Squad attack reminds us of something we in security tend to get wrong,” said Cobb. “A lot of what they are doing is because of the fun of it.”