Friday, December 26, 2014

2014, the year of the Cyberbreach

This interactive chart from www.informationisbeautiful.net/ shows some of this year's biggest hacks.
Looks like 2014 is ending much the same way it began, with another major hacking incident.

And I’m not talking about North Korea’s much ballyhooed hacking of Sony Studios to prevent the release of its film, “The Interview,” which features the assassination of dictator Kim Jong-un by two bumbling journalists, played by James Franco and Seth Rogen.

The Lizard Squad: Cyber Grinches
No, what I’m talking about is a group of Grinches calling themselves the “Lizard Squad” who tried to steal Christmas from thousands of kids this year by launching a distributed denial of service attack against the online services behind the new Sony PlayStation and Microsoft Xbox consoles, PlayStation Network and Xbox Live.

The attack flooded Sony’s and Microsoft’s servers with so much junk traffic that they could no longer answer legitimate requests, leaving owners of these new gaming systems unable to sign in to PlayStation Network or Xbox Live. Games that do not need an online connection to play were unaffected.

While the motives behind North Korea’s alleged hack seem akin to an unruly child throwing a temper tantrum because someone was planning to make fun of it, the aims behind the Lizard Squad’s latest action are somewhat unclear.

In an article on the WinBeta blog, the group claims its motives were more pure. They say they did it to show consumers just how bad Microsoft and Sony were at protecting their data and to force both companies to upgrade their security. Doing it on Christmas Day, they said, “would anger and reach the largest amount of people – more people [more] angry calls for a greater response from the companies.”

Whether or not you believe their goals were as altruistic as they claim – and it’s hard to, when in that same article the group also says it launched the attack “for laughs” – they have a point. This past year has been the year in which cybersecurity failed the consumer in some very big ways.

It all started in November of 2013 with the hacking of Target, where 40 million credit and debit card numbers were stolen. Then in January came news that roughly 4.6 million Snapchat usernames and phone numbers had been posted online for anyone to download. Then, beginning in the spring and running until September, Home Depot’s payment terminals were compromised, exposing approximately 56 million payment cards and 53 million email addresses.

In the summer, while most of us were relaxing at the beach, beside the pool, or with friends and family at barbecues, hackers were hard at work. In May came word that the world’s largest online auction site, eBay, had its user database breached, giving cybercriminals access to its customers’ names, encrypted passwords, email addresses, physical addresses, phone numbers and dates of birth. Then in June the U.S. Secret Service tipped off the popular Asian-themed restaurant chain P.F. Chang’s that the credit-card-processing terminals at 33 of its locations had been compromised and that the hack had been going on for eight months.

Not even big banks, who you’d assume have some of the most secure computer systems on the planet, were immune from this summertime hack attack. In late August the Wall Street Journal reported that J.P. Morgan Chase & Co., as well as four other banks, had their systems breached. In this attempted cyber bank heist, J.P. Morgan reported that as many as 76 million households were affected and that the names, addresses, phone numbers and e-mail addresses of its clients had been exposed. It was also recently revealed by the New York Times that the hack was made possible because the company “failed to upgrade one of its network servers” and “switch on two-factor authentication” on it, meaning that a stolen password alone was enough to get in; there was no one-time code an attacker would also have needed to know.

Attacks continued into the fall. In September almost 5 million Gmail addresses and passwords were posted to a Russian web forum, although Google said the list had been assembled from breaches of other sites rather than a break-in at Google itself. Most infamously, hackers got into the iCloud accounts of celebrities such as Jennifer Lawrence and Kate Upton, stole nude photos and released them on the Internet; Apple said the accounts were taken over through their usernames, passwords and security questions rather than a breach of iCloud’s systems. And the Adobe breach belongs on the list too, even though it was disclosed back in October 2013: roughly 38 million active users had their IDs and encrypted passwords taken, along with encrypted credit card data for about 2.9 million customers.

I could go on and list more – and if you are really interested there is a pretty cool graphic showing the relative size of all the major data breaches in the past few years here – but I think we all get the point. Cybersecurity is nowhere near as “secure” as it needs to be in a world where we conduct and store much of our lives online.

Being in the IT industry myself, I’m not going to point any fingers here, because I know how hard it is keeping computer networks safe with the crop of tools currently at our disposal. That said, I think it’s well past time that the IT industry came up with better methods of keeping our data safe. Chief among these new strategies should be the ditching of any method based on password authentication.

Let’s face it, typing in a password to a computer was OK back in the ’90s when dialup was still the norm and e-commerce was just a dream. But in today’s world, we need a more sophisticated way of proving who we are. Next year I might take a stab at suggesting a few alternatives, but in the meantime, I think the IT industry needs to concentrate on making 2015 the year of REAL cybersecurity.