Did America lose its cyber mojo? (Part 1)
By Sing Koo
Introduction
· JPMorgan’s 2014 Hack Tied to Largest Cyber Breach Ever Bloomberg
· Home Depot hackers exposed 53 million addresses
· Hacker steals 360 million MySpace accounts
· 117 million LinkedIn emails and passwords stolen
· 65 million Tumblr accounts for sale
· FriendFinder discloses 412 million user data breach
· Yahoo discovers hack - says 500 million accounts stolen
· Yahoo discovers another hack: 1bn accounts stolen - the biggest data breach in history
Cyber-attacks have become common events. As the number and severity of attacks grow with each headline, the shock quickly wears off and numbness sets in. Everyone from consumers to business managers and political leaders is increasingly resigned to cyber-attacks as being as inevitable as bad drivers and car accidents. As our society becomes increasingly connected, the reach and boldness of each successive cyber-attack has grown – from credit histories to identity theft to fake anti-virus software to potentially endangering our democracy. This week, President Obama formally accused Russia of hacking the Democratic National Committee, indirectly influencing the outcome of the U.S. election, announced sanctions and expelled Russian personnel from the country.
Regardless of Russia’s culpability, I wonder whether we have done our fair share to maintain our cyber defenses. Have we done enough to prevent and defend against hacking? I recently read about a city that stopped an entire town from drinking or using tap water out of concern that harmful chemicals may have contaminated the water supply. If we know the Internet is endangering our democracy, why can’t the U.S. government take action to prevent these cyber-attacks? Do we honestly expect strict words and sanctions to stop hackers in their tracks?
Is the Internet Defendable by Design? (Yes.)
While the issue of hacking is no longer a joking matter, our response has become a joke. Let’s use some common sense. Do we leave our cars unlocked when we take a trip to the city? Do we leave our doors unlocked at night when we go to sleep? If a company exposes its network to vulnerabilities and gets hacked, do we blame the hacker and hope they’ll stop? This is silly. As a network engineer and a computer scientist by training, I have been using the Internet since the seventies, when it was called ARPANET. ARPANET was originally sponsored by the Advanced Research Projects Agency – that’s how it got the name. The first network to implement the TCP/IP protocol suite, ARPANET was created during the Cold War and was meant to survive in the event of a nuclear war. It comes with a lot of technology that enables users to defend their information from theft or abuse. Over time this technology evolved to become what we know as the Internet. I am convinced that there are better ways to protect our Internet. If we have the will to do so, we can build computer systems that are 100% defensible such that no hacker can ever compromise our security. This sounds like a big statement, but those who know the technology know I am correct. I shall discuss the defensive mechanisms further in my next article.
Why is today’s Internet vulnerable to cyber-attack?
· Social Media Exposes User Data to 3rd Parties for Profit with Little to No Liability
· Interconnected services interconnect risk
· The single point of failure is always Human Error
· Unsafe Info-Security Policy at Large
Social Media Exposes User Data to 3rd Parties for Profit with Little to No Liability
Fast forward to today and, thanks to social media, the Internet has become the perfect medium for cyber-crimes of all kinds. Social media is a dangerous game of quid pro quo. Users willingly provide deeply personal information – address, date of birth, gender, preferences – in exchange for social utility (connecting with old friends, free photo libraries, free messaging applications, free email, etc.). There’s no such thing as a free lunch. These services, networks, and applications have a material cost. Social media companies aggregate the data users provide with information they acquire – tracking user locations, transactions, browsing history, credit history, shared content, and more – under the guise of providing better service. The resulting datasets are sold and/or licensed to 3rd parties (marketers, advertisers, financial service companies, and more) for billions of dollars in profit. These 3rd parties – and their 3rd parties – are free to do anything with the data, virtually free of liability.
In the wrong hands, it doesn’t take a good imagination to see how this information can be used for identity theft, spear phishing attacks, and other complex activities that put the user, their friends, family, and jobs at risk.
Interconnected services interconnect risk
As IoT (Internet of Things) gains popularity, more devices are being brought online. These devices rely on the customer’s home network to connect to the Internet and to their phones and computers. These devices are not designed with security in mind. The software on many of them (known as firmware) often ships with simple, universal default passwords. Once hacked, these devices are virtually unpatchable. Case in point: late in October, huge swaths of the Internet were brought to a halt when a massive DDoS (distributed denial of service) attack was carried out over a network of infected devices. The devices in question were Internet-connected cameras and DVRs.
The rise of social media and the proliferation of cloud computing have also given rise to interconnected services. A compromised service can potentially impact all interconnected services. In 2012, a cyber-attack breached Dropbox user data. Credentials – including emails and salted and hashed passwords – of 68 million accounts were stolen. Dropbox didn’t catch the error until 2016 – 4 years later.
The single point of failure is always Human Error.
I learned my lesson many years ago when an employee – with privileged access to the control of our firewall – was a willing participant in a cyber-crime. He took down the firewall and hacked into my servers to steal valuable intellectual property. Eventually – it took me over ten years – I was able to collect enough evidence with the United States Attorney’s office to criminally prosecute this person. The wheel of justice may be slow, but my technology enabled me to trace the cyber-attack and present hard evidence to a Federal grand jury for a solid conviction.
Sometimes it has nothing to do with malice. Just today CNN reported that Burlington Electric Company found the same malicious software allegedly used by the Russian hackers that targeted the DNC.
“Burlington Electric said in a statement that the company detected a malware code used in the Grizzly Steppe operation in a laptop that was not connected to the organization’s grid systems. The firm said it took immediate action to isolate the laptop and alert federal authorities.
Friday night, Vermont Gov. Peter Shumlin (D) called on federal officials “to conduct a full and complete investigation of this incident and undertake remedies to ensure that this never happens again.”
If the laptop was not connected to the organization’s power grid systems, they should ask where the malware came from. Obviously, the malware did not originate from the company; otherwise the company’s entire server system would already be infected. The most likely culprit in this scenario is a careless employee browsing the Internet.
Someone once told me that getting infected by an Internet virus is like people having unprotected sex with strangers. The Internet is a great utility, but if used unwisely it can quickly become a manager’s worst nightmare. Attitudes have to change from the bottom up. A few years ago, I attended a CIO conference. One of the keynotes examined how an engineering team had created a “fake” virus, published a webpage with an embedded tracking script, and circulated it as a proof-of-concept. The copy read something like: “Click Here to Get a Virus”. They infected 30-40% of the people in their target department – a harmless, but telling story.
Unsafe Info-Security Policy at Large
In recent years, many companies have encouraged a BYOD (Bring Your Own Device) policy. Once the exception, now the rule, employees regularly use personal devices to read email, access company files, and conduct company business. When an enterprise allows employees to use their own mobile devices for work, these connected devices can introduce unwanted software into the enterprise network. Personal offline devices, such as USB drives, can easily introduce viruses and malware to the docking computer and breach data security without being noticed. When employees take devices with them on trips or connect from foreign remote networks, info-security can be breached without being noticed. Even when companies employ a Virtual Private Network (VPN), it cannot prevent corrupted data or viruses from entering the enterprise network. These vulnerabilities can defeat even the most vigilant security measures through anyone in the workforce if security enforcement is solely dependent on users exercising their own judgement. If enterprises knowingly overlook these vulnerabilities for the sake of productivity and efficiency, can they really blame external 3rd parties when their core business falls victim to a cyber-attack?
In Conclusion
The United States of America is the country that invented the Internet. We have a responsibility to take competent action and reasonable steps to defend our Internet services, applications, and networks. Resorting to accusations and resigning ourselves to cyber-attacks as de rigueur in business will not do the country any favors. Public custodians of records should be held criminally liable for exposing protected information to hackers. If we do not realign policy, attitude, and action, the consequences (as this past year has shown) will be unforgiving. Silicon Valley is busy building social service startups. We should not forget that cyber security is the founding principle of online commerce. Although hacking is a criminal act, it does not give us, as the guardians at the gate, the justification to lower our defenses or turn over. In my upcoming articles, I shall talk about ways one can use technology to defend against hackers.