The crowd of sharply dressed business leaders and innovators shuffled out of the lake-effect cold and into the posh and purple-lit Venue SIX10 on South Michigan Avenue in downtown Chicago. The sense of urgency surrounding this year\u2019s Bloomberg Government<\/a> technology panel, entitled \u201cDigital Trust,\u201d was palpable. What would it take to prevent the \u201cnext Sony\u201d?<\/p>\n If the diverse panel had one message, it was that the 99 percent of law-abiding Internet users need to take ownership of protecting themselves. Any other scenario \u2014that the hackers will quit, or that the government will step up its game\u2014 is wishful thinking, panel experts said.<\/p>\n \u201cI think with government specifically the challenge we have is just jurisdictions,\u201d said Roger Liew, senior vice president and chief technology officer at Orbitz Worldwide<\/a>. \u201cIf our computers in the Chicagoland area are hacked by somebody not in the city of Chicago, which is very likely, then we can\u2019t call the police.\u201d<\/p>\n The panel talked through a number of potential fixes for both big companies and individual Internet users, including better and more consistent encryption. But the buzziest strategy \u2014and one that has been floating around in cyber security circles for years\u2014 is two-factor authentication, which basically means relying on two identifying components rather than one. Anyone who has swiped a credit card and then entered a PIN number to verify that it is really you on the other end of that transaction is familiar with the procedure, and it could be making its way online soon. Possibilities include the use of USB stick tokens, transaction authentication numbers, and even fingerprint and iris scans.<\/p>\n Another tool for the good guys is the much heralded \u201csmart card\u201d or \u201cchip card,\u201d a bank card with integrated circuits. Unlike the magnetic strip cards widely used today, smart cards store funds on the cards themselves, making them considerably harder to exploit. Additionally, chip circuits carrying encrypted data are extremely difficult to replicate, acting as an additional deterrent against fraud.<\/p>\n The Toolbox<\/strong><\/p>\n This tech world arms race is a necessary response to a growing threat. While there are literally thousands of ways for hackers to compromise a given computer system, most targets are still readily susceptible to the most basic weapons in a hacker\u2019s arsenal.<\/p>\n \u201cMost breaches occur because the hackers were able to brute force a password or because something was easily guessed,\u201d said Ken Westin, a security researcher based in Portland, Oregon.<\/p>\n In computer parlance, \u201cbrute forcing\u201d refers to an infiltration method in which hackers use specially written programs that try millions of potential passwords to unlock private online accounts. It\u2019s the equivalent of unlocking a safe by trying every possible combination, albeit much, much faster.<\/p>\n Disturbingly, many hackers are able to avoid brute forcing altogether by making educated guesses about their target\u2019s passwords. Christopher Chaney<\/a>, who in 2011 gained notoriety and a 10-year jail sentence for breaking into celebrity email accounts, admitted to police that cursory research often revealed everything he needed to guess the passwords of stars like Mila Kunis and Scarlett Johansson.<\/p>\n Similar vulnerabilities may have allowed hackers to target the Apple iCloud<\/a> accounts of A-listers like Jennifer Lawrence, Kate Upton, Kaley Cuoco, and Ariana Grande during a massive photo leak in September. The names of pets, kids, and hometowns become frequent and predictable passwords to aid the hacker.<\/p>\n Somewhat more sophisticated are the hacks that allowed criminals to break into the networks of retailers like Home Depot<\/a> and Target<\/a>. These attacks often involve point-of-service (PoS) tampering, in which those wishing to compromise a network will infect available devices like company computers or automated registers with malware that gather sensitive data like account numbers from debit and credit cards.<\/p>\n Also in this league are Structured Query Language attacks \u2014also known as SQL injection attacks\u2014 which use malicious code to corrupt and exploit vulnerable software, including the programs that run magnetic stripe readers and ATMs. SQL injection was the preferred hacking technique of Albert Gonzalez<\/a>, an American criminal whose credit card theft ring amassed over 170 million stolen numbers by targeting companies like TJ Maxx and 7-Eleven.<\/p>\n A Defining Moment<\/strong><\/p>\n For all the emotional hurt and financial damage these cyber attacks inflict, it is doubtful that any of them were as sophisticated \u2014or as destructive\u2014 as December\u2019s Sony Pictures Entertainment<\/a> hack. The attack did not just compromise data, it destroyed<\/em> data by installing a malicious storage erasing program known as Wiper. The hack hampered the release of The Interview<\/em>, a Seth Rogen-helmed action comedy, ignited an impassioned national debate about free speech, and cost the multinational corporation billions of dollars and considerable prestige in the cloistered world of Hollywood.<\/p>\n \u201cThe term \u2018systemic failure\u2019 is not out of place [to describe the Sony hack],\u201d said Stephen Cobb, a senior security researcher at technology firm ESET<\/a>, during a BrightTALK web seminar in January.<\/p>\n According to Cobb, sections of Sony\u2019s network fell outside of the company\u2019s security capabilities. Once hackers were able to compromise the weakest areas of Sony\u2019s security, they wormed their way to the most sensitive data, including the now infamous personal correspondence of executives Amy Pascal and Scott Rudin.<\/p>\n The Sony hack has inspired a security gut check in the world of American business. Compromised data is bad enough. Even worse is being left with no legal recourse or compensation when the responsible parties vanish into the cyber ether. Law enforcement agencies like the FBI can almost always check website user logs to determine the Internet Protocol (IP) address of computers connected to a victim network, but most hackers have ways of disguising their IPs through anonymous routing services like Tor. If a given IP is found to be a mask, the trail can go cold.<\/p>\n \u201cIt\u2019s very easy to make it look like North Korea hacked Sony,\u201d said Westin. \u201cIt\u2019s very difficult to place a person behind the computer.\u201d<\/span><\/p>\n The Sony hack could very well inspire a corporate security race-to-the-top now that the American business community fully realizes what is at stake.<\/p>\n The New Wild West<\/strong><\/p>\n Despite our best precautions, the Internet is a difficult world for asserting the rule of law. In some ways, it resembles a digital Old West, where even the good guys resist control. As powerful and resourceful as law enforcement and the business community might be, they will often encounter highly motivated cadres of criminals and net delinquents who know the lay of the land better than they do and whose motives are difficult to rationalize.<\/p>\n Take, for instance, the Lizard Squad<\/a>, a hacker collective known for temporarily bringing down PlayStation and Xbox by overwhelming them with traffic, a tactic known as a distributed denial-of-service (DDoS) attack. Unlike the Guardians of Peace (who claimed responsibility for the Sony hack) and Anonymous<\/a> (who are known for their leftist rhetoric), Lizard Squad has no politics, espouses no agenda, defends no state, and collects no money. When Lizard Squad attacked PlayStation on Christmas Day, the motives that surrounded the Sony case were strangely missing.<\/p>\n \u201cThe DDoS Lizard Squad attack reminds us of something we in security tend to get wrong,\u201d said Cobb. \u201cA lot of what they are doing is because of the fun of it.”<\/p>\n![\"Figure](\"http:\/\/news.medill.northwestern.edu\/chicago\/wp-content\/uploads\/sites\/3\/2015\/02\/Screen-Shot-2015-02-24-at-2.28.00-PM.png\")
<\/a>![\"Hacks,](\"http:\/\/news.medill.northwestern.edu\/chicago\/wp-content\/uploads\/sites\/3\/2015\/02\/Screen-Shot-2015-02-18-at-9.15.58-PM.png\")
<\/a>![\"The](\"http:\/\/news.medill.northwestern.edu\/chicago\/wp-content\/uploads\/sites\/3\/2015\/02\/Screen-Shot-2015-02-24-at-1.45.19-PM.png\")
<\/a>