Only idiots get hacked, right?
Image by dgim-studio from Freepik

Having weak passwords is like smoking or regularly eating copious amounts of sugar. Everyone knows it’s bad, but few seem to really care because cancer and diabetes only happen to ‘other’ people . . . and only idiots get hacked.

Today, my data was compromised, which is rather ironic because I’m halfway through a ‘Cybersecurity for Business’ program at Colorado State University.

I don’t use a password manager, but my passwords are long and use a combination of numbers, symbols and upper/lower case letters. They’re also dynamic, so no two services would have the same password. I know they could be better, but at least they’re not the typical ‘letmein’ or ‘123456’.

Nevertheless, today I got a sobering wake-up e-mail from one of my favourite web services, Freepik, from where I get most of the royalty-free images I use in my articles.

“Dear Freepik User, we experienced a security incident and have identified that your e-mail address has been accessed together with your encrypted password.”

Fortunately, they won’t get much since I didn’t store personal data there, and it was the hashed version of the password that was leaked. But still, with today’s machine learning capabilities, that’ll get cracked in three . . . two . . . one . . .

Other Breaches

The website, https://www.privacyrights.org/data-breaches, keeps a decent historical record of notable security breaches. My final task for the ‘Cyber Threats and Attack Vectors’ course was to download their register and review some notable breaches. I chose three from many years ago to illustrate that this is by no means a new threat.

Data Breach 1: Stratfor [Hack]

In 2011, Strategic Forecasting Inc. (Stratfor.com), a global intelligence company from Texas, was hit by hackers through their website, compromising over 68,000 credit card numbers with their respective security codes and customer details, and hundreds of thousands of other sensitive customer records, including 200 GB worth of e-mails. The data breach came to light after the hackers themselves boasted about it.

After obtaining the data, the hackers then used a combination of social engineering, malware and impersonation techniques to pose as Stratfor officials to systematically infect government agencies by sending government customers infected links via e-mail. This attack was no amateur attempt. It was carefully planned and masterfully executed. The main vulnerability that led to this jackpot hack was that the data was, quite shockingly, not encrypted. This is rather ironic, considering that the target was a global intelligence company, which goes to show that even the best in the field are neither invulnerable nor off-limits. Eventually, the hackers were caught, but not before the damage was done, costing Stratfor close to $1.75m in financial damages, and an incalculable amount in brand destruction.

Data Breach 2: Guide Publishing Group [Hack]

Again in 2011, another similar hack occurred, this time against Guide Publishing Group (GuideYou.com), and the data breached included credit card numbers, security codes and the personal information of the customers. Basically, everything needed to make purchases with their money. The breach was discovered by GuideYou.com a full year after their systems had been compromised, meaning that the attack went undetected for all that time.

Hackers managed to insert malicious code onto the server that hosted their website using either a drive-by attack or an SQL injection attack (details unknown). These types of attack result from lazy website and database coding by programmers who sacrifice security to gain flexibility, convenience and speed. This lazy programming exposes the database to snippets of code that hackers can enter into search fields to reverse engineer the names of the columns in the database tables, eventually uncovering the ones that relate to sensitive data, which can then be extracted quite easily using the website’s own search field. While this used to be done manually by hardcore hackers who enjoyed the fun of it, today, professional cyber criminals use automated scripts that save them time and effort.

To see how easily an SQL injection attack can be carried out, check out this surprisingly entertaining video from Computerphile: https://www.youtube.com/watch?v=ciNHn38EyRc
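To make the "lazy coding" point concrete, here is an added example (not code from GuideYou.com or from the video) showing a search function built by string concatenation next to the parameterized form that fixes it. The table names, rows and the crafted search term are all constructed for illustration and run against an in-memory SQLite database.

```python
import sqlite3


def make_db():
    """Constructed sample data: a public catalogue plus a sensitive table."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE guides (title TEXT, city TEXT);
        CREATE TABLE customers (name TEXT, card_number TEXT);
        INSERT INTO guides VALUES ('Harbour Walks', 'Lisbon'),
                                  ('Night Markets', 'Taipei');
        INSERT INTO customers VALUES ('Test Customer', '0000-0000-0000-0000');
    """)
    return db


def search_vulnerable(db, term):
    # Lazy version: the search term is pasted into the SQL text, so the
    # database cannot tell user data apart from query syntax.
    sql = "SELECT title, city FROM guides WHERE title LIKE '%" + term + "%'"
    return db.execute(sql).fetchall()


def search_safe(db, term):
    # Hardened version: the SQL text is fixed and the term is passed as a
    # bound parameter, so it is only ever compared against titles.
    sql = "SELECT title, city FROM guides WHERE title LIKE ?"
    return db.execute(sql, ("%" + term + "%",)).fetchall()


# Constructed search-field input that closes the string literal and
# appends a second query against the sensitive table.
CRAFTED = "zzz' UNION SELECT name, card_number FROM customers --"


def compare(term):
    """Run the same search term through both implementations."""
    db = make_db()
    return {"vulnerable": search_vulnerable(db, term),
            "safe": search_safe(db, term)}


if __name__ == "__main__":
    print("normal search :", compare("Harbour"))
    print("crafted search:", compare(CRAFTED))
```

With the ordinary term both functions return the same catalogue row; with the crafted term only the concatenating version returns the customer record, while the parameterized version returns nothing.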

Data Breach 3: Towers Perrin [Insider Attack]

Since I’ve now reviewed two electronic hacks, I’d like to switch it up by reviewing an Insider Attack. This one occurred in 2006 and the company compromised was Towers Perrin, a human resources company from New York. The data breach was immediately discovered after five laptops were stolen. Originally, they thought they had been stolen by a former employee, but later it turned out they had been taken by a current junior-level employee.

This incident illustrates how not all attacks are electronic in nature, even if the data breached is. In this case, saying that the data was ‘breached’ is perhaps an overstatement, since the main vulnerability was that the customer data stored in the laptops was not secure. The resulting jackpot consisted of over 300,000 employee records with sensitive information such as social security numbers, from big household name firms like Random House, Stanley, Prudential, Time Warner, Major League Baseball, and more. The employee responsible was eventually discovered and arrested.

---

In conclusion, even when the perpetrators are caught, we cannot say that justice is served, since once the data is out there . . . it’s out there for good. We must ensure that we’re not supplying more personal information than what’s absolutely necessary to our digital services and that we're making an honest effort to come up with fairly complicated passwords. 

It's a small price to pay for what's generally a sufficient layer of protection.
