The Open Internet … Expression, Access, Risk
“This thing doesn’t want to show itself, it wants to hide inside an imitation. It’ll fight if it has to, but it’s vulnerable out in the open. If it takes us over, then it has no more enemies, nobody left to kill it. And then it’s won.” – MacReady, “The Thing,” David Foster Prod (1982)
You can’t flip a page, turn a virtual page, hear a newscast without a story of another attack and the growth of cyber mayhem. It’s to the point where it ain’t funny … it ain’t cute … it ain’t nice! It’s not retaliation against the big “evil” companies/governments. It’s putting millions of otherwise innocent people’s personal, private, financial information in harm’s way–or worse.
Recent “intrusions” that come to mind include:
- PBS (Public Broadcast Service) infiltrated because they (We’re leaving out the hackers’ names; they get enough noise.) didn’t like the way the WikiLeaks founder was treated
- Lockheed – military/government supplier – hacked for sensitive files
- Citibank hacked with millions of personal records exposed
- Sony PSN (PlayStation Network) hacked more times than we care to think about, exposing member names, passwords and who knows what else
- Sony Pictures hacked, liberating email addresses, passwords
- Acer Europe database hacked for names, more
- Adobe’s Flash has been used to distribute malware over and over and…
- MS Windows has been beaten up so many times it’s old hat
- Chrome has already been used to open doors, deliver nasty stuff
- Nintendo’s user site was relieved of email addresses, passwords
- FBI security sites infiltrated, reverse engineered
- Hundreds of United Arab Emirates government employees’ data posted
- Apple’s OS X, iOS hacked, malware distributed
- Skype source code “liberated” because someone felt it should really be open source and free to the world
Unfortunately, we can’t agree with MacReady today, “Why don’t we just wait here for a little while … see what happens.” The list could probably go on for days just itemizing the occurrences over the past quarter. We can remember when referring to someone as a hacker was a wink-wink compliment. Now, attendees at the time-honored Black Hat Conference in July in Las Vegas are looked at as the guys/gals starting WW III.
Cyber War – WW III is already well underway. Governments and agencies are breaking into each other’s networks/websites to plant bogus information and grab important information. Hacktivists, vigilantes and cybercriminals have entered the battles but often direct their energies against corporate and individual databases where they can mine and sell valuable information. Their activities are far from victimless crimes.
This isn’t a war against good/evil or filthy rich companies/countries vs. the oppressed. This isn’t about super smart, pasty guys/gals having fun mucking up individual and organization systems. No they’re doing more…lots more. Palmer knew it when he said, “It happens all the time, man. They’re falling out of the sky like flies. Government knows all about it, right?” Source – Computer Security Institute
Getting Worse – Hacking and cybercrime have grown in dollar losses and frequency in the past year and the trend is less than optimistic. Software, security firms and IT organizations can do a lot to limit the losses/damage but they haven’t quite figured out how to protect users from themselves. Source – Computer Security Institute
As the National Research Council pointed out in their 1991 (yes, way back then) Computers at Risk report, “The modern thief can steal more with a computer than with a gun. Tomorrow’s terrorist may be able to do more damage with a keyboard than with a bomb.”
They Want Yours
This “fact” hasn’t been overlooked by individuals/groups who feel they deserve “their share.” Some of them even have their own publicity machines to promote their achievements. In one instance they targeted the personal and business data of the head of a security system/service provider and they were pretty clear about their objective, “Let’s just simplify: you have lots of money, we want more money.” No wonder organized crime finds cybercrime easier, less risky, more profitable.
Organized Effort – Cybercrime has grown rapidly in size and sophistication. Some have even hired their own social engineers to help them improve their return on effort. Very simply, they convince people to bypass computer security for them or “assist” them in leaving security gates open or developing security holes that can be exploited. Source – TechRepublic
The attacks and well-directed phishing and spear phishing expeditions can produce excellent returns for them. All it takes is a room full of dedicated – really dedicated – people intent on relieving organizations and individuals of personal/private/corporate information they can sell on the open market.
Dedicated Teams – Spread around the globe, in dark rooms where tens or hundreds of screens glow, or in apartments/homes anywhere there is a good Internet connection, hackers, hacktivists and cybercriminals no longer simply challenge the system; they’re in it for the money. And they’re getting plenty. It’s easy to put the blame at the feet of software and service firms for delivering buggy software and sloppy service. To some extent that’s true, because the philosophy has historically been: get the next version out, start the revenue stream and patch the product as we go. Companies like Microsoft, Google, Apple, you name it, are only now focusing on better coding practices and constantly checking for bugs during development. At a meeting last week a serial entrepreneur said the only real answer was a whole team of Andy Grove mentality programmers (retired CEO of Intel, author of Only the Paranoid Survive).
Kill Your Own Stuff
He explained, “Half of the team should be developing the software and the other half working their behinds off to find issues, problems, targets of opportunity so the product that shipped was 99.9 percent hack/bulletproof. It may never be 100 percent, but fixing it on the fly doesn’t work.” “A lot of the patches are never installed by the IT department or individual user,” he added. PBS (and many other IT groups) found that out the hard way. The updates that would have protected their system were available for over six months but were never installed.
Yes, it’s easy to blame the malicious hackers, hacktivists and cybercriminals because that is “our” personal/professional identity/information they’re stealing and using. To look out for our identity/information, governments around the globe are busy drafting legislation that will hold the software/service firms and online businesses strictly accountable for breaches of our data. Great, but the weakest link is sitting in front of the keyboard and people have the same philosophy as MacReady, “Now I’m gonna show you what I already know.”
Yeah, You – All of the best software on your company’s network and your system still doesn’t slow people down from doing really dumb, really innocent/greedy things. People regularly download files with viruses, open documents/attachments that wreak havoc on your system and the company. Employees abuse their Internet services and privileges. And they access (and leave unprotected) files, databases that are available to intruders.
Sorry, no legislative body can pass a law to keep you from doing really stupid stuff! A lot of the time they don’t have to spend time and energy getting into the network or system. All they have to do is convince you to open the door for them. And BAM!!! It’s that easy. One click, one harmless conversation, one move on an unbelievable offer and you’ve lit the match that showed the way.
Doesn’t Take Much – Just open an innocent attachment or visit a nice/friendly site and all of a sudden your system and maybe even your network are in flames. Screenshot – David Foster Productions
The hackers and cybercriminals approach their work the same way MacReady did, “If he tries to make it back here and we’re not with him … burn him.” Maybe instead of the UN’s (United Nations’) Special Rapporteur, who emphasizes that there should be as little restriction as possible to the flow of information via the Internet, we should give a little more weight to the EU’s (European Union’s) legislation that gives individuals the “right to be forgotten” … to drop off the grid. There are millions of folks every day who do really stupid things and would love to have their virtual appearance disappear in a heartbeat. Or, figure out a way to keep the really bad blackhats off the grid.