Tuesday, February 12, 2013

Hacked off

Time and again I believe that I've posted for the last time on the topic of Internet insecurity, that there is nothing more to be said on the subject ... only to have events show me otherwise. So what's gone wrong recently?

The hacking of Bush family email accounts at AOL likely didn't entail any great technical skill. What shocked me is how news outlets considered excerpts from the Bush family's email archives to be fair game.

Yes, the family includes two former presidents -- but not everything they do is news. We're not discussing the Pentagon Papers. Does the public deserve access to personal emails in which George W. Bush collects information from his relatives for a eulogy for his ailing father? Isn't the family entitled to any privacy? As the Washington Post comments, "Publication of hacked George W. Bush e-mails raises journalism ethics questions."

About news outlets ... how secure are they? Not secure enough. From IEEE Spectrum, see "Hackers Break Into News Outlets’ Computers." As in Chinese hackers accessing computers at the New York Times. Why? Apparently searching for confidential news sources, like those informing on corruption at the highest levels of the Chinese Communist Party. If the hackers had gotten to that information, the results would have been ugly. (And the hackers aren't only going after the NYT. They also targeted Bloomberg and The Wall Street Journal.)

Meanwhile, an unidentified American client of Verizon discovered a hole in its (normally secure) virtual private network. The vulnerability turned out to be what a person -- if in a charitable frame of mind -- might call entrepreneurial outsourcing. Why do your own job when, for a fraction of your salary, you can hire a Chinese programmer? Give him or her your access codes, freeing yourself for more important tasks -- like watching cat videos at your desk. Also from IEEE Spectrum, see " 'Programmer Bob': Latter-Day Tom Sawyer or Massive Security Risk?"

Did you suppose that industry has at least gotten better at stopping traditional computer abuse for profit? Not always, to judge from this ABC News story: " 'Massive' Credit Card Fraud Steals $200M."

"Eighteen people have been charged in what federal prosecutors in New Jersey called one of the largest credit card fraud schemes ever uncovered by the U.S. Department of Justice, spanning 28 states and eight countries." Kudos, but the DOJ sure took their time uncovering it. A scam has to run for quite a while to produce 25K fraudulent credit cards.

And if some financial institutions are getting better? The bad guys are adapting, too. From PC World, see "Banking malware is getting sneakier, security firms warn." The takeaway? "Financial malware authors are trying to evade new online banking security systems by returning to more traditional phishing-like credential stealing techniques." But traditional does not mean same old, same old.

NOT the state of the art

Not yet feeling anxious? Then consider, from Mashable, that "Federal Reserve Admits to Getting Hacked." More specifically, the hacktivist group Anonymous broke into "an emergency communications system that delivers important messages to banks during natural disasters."

Now consider this op-ed piece from The Wall Street Journal: "Barbarians at the Digital Gate: Its cyberattacks show the world the nature of the Chinese regime." (Yes, the WSJ was hacked, too. And, I would say, unhappy about it.)

Alas, the government is not here to help, no matter that "provide for the common defense" appears in the first sentence of the preamble of the U.S. Constitution -- ahead of providing for the general welfare. From another WSJ op-ed ("Confronting Cyber Barbary Pirates") just yesterday:

Despite years of cyber attacks, the U.S. has done little to confront perpetrators, as Hillary Clinton acknowledges. "We have to begin making it clear to the Chinese," she said in a recent interview summarizing her time as secretary of state, "that the U.S. is going to have to take action to protect not only our government but our private sector from this kind of intrusion."

So our righteous indignation may soon rise to making clear that we'll think about doing something. Do you feel safer already?
