Monthly Archives: December 2014

The Sony hack, and why your email might be next

Bob Sullivan


Sony reminds me of the chaos theory in the hacking world. Yes, you should be very afraid of what’s happening at Sony right now. Here’s why.

Four years ago, I wandered the halls at the giant RSA security conference collecting scuttlebutt. Companies spend thousands, even millions, of dollars to make a splash at the annual geek-fest, but on this day one company completely stole the spotlight. For free. And no one was jealous, because on that day no one wanted to be government contractor HB Gary.

Hackers calling themselves members of the Anonymous group had hacked HB Gary servers, stolen the firm’s email, then made it public for all the world to see. Days of embarrassment and nightmarish news followed, from exposure of a less-than-comfortable relationship with Bank of America to incredibly uncomfortable personal emails from workers.

At the time, the smartest geeks on the planet were terrified over the news. These folks weren’t afraid of hackers hell-bent on stealing their intellectual property or their financial information. Most of them had fought off those attacks for decades. What they feared was chaos. The HB Gary hackers weren’t after money. They wanted revenge. And computer criminals who simply want to destroy things are the most frightening. Publishing entire email spools stolen from company servers gains hackers almost nothing. But it exposes everyone inside a company, and everyone who ever communicated with any of those workers, to tremendous embarrassment, or worse. It creates chaos.

It’s an unpopular thought, but it’s true: There is no absolute security. Spend money and time protecting this, and you will leave that vulnerable. That’s how it works at airports, and that’s how it works in networks. Folks who protect digital assets for a living are constantly making trade-offs. Email is often one of those trade-offs. Most energy is focused on protecting money. A lot of energy is focused on protecting intellectual property. Four years ago, Anonymous realized email servers are often neglected. And they realized just how much chaos they could cause by publishing, and indexing for easy discovery, HB Gary’s email.

Back then, every confident security professional I knew had two burning questions in mind. One: Was I in HB Gary’s email? And two: What about my email server? What would happen if someone published all of my company’s email? How many ‘secret’ job searches, sexist or racist jokes, or illicit affairs might be exposed with an email dump?

There was a great chill in the entire profession. People imagined the worst.

Now, the worst has happened. Execs have been forced to apologize to President Obama for racist comments. Sony has lawyers running around threatening journalists not to publish bits and pieces of upcoming movie scripts. Journalists have been exposed for too-cozy chats with sources. Heck, Aaron Sorkin is actually attacking not the hackers, but those who even looked at what was hacked.

Revenge. Chaos. A crisis that seems without end. Mission Accomplished.

Perhaps, these hackers ultimately have money in mind. Perhaps they are state-sponsored. Perhaps the attack is purely politically motivated. We’ll probably never know, though most certainly, someone in the middle of this simply wants money.

But clearly, the criminals here were out to wreak havoc. Folks who just want to break things are pretty hard to stop. And now the playbook, first established four years ago, has been darn near perfected. Out folks’ private communications, let curious onlookers go to town, and you have a full-fledged techno-disaster on your hands. The point can’t be overstated: In both HB Gary and Sony, hackers exposed their target companies and potentially anyone who had ever emailed with their employees. Publish the email of a big enough company, and you might very well expose a majority of Americans in one hack.

Stealing secrets and dumping them online is the hateful practice of “doxxing” — exposing private parts of victims’ lives online, such as their home address, with the intent to invite harassment — writ large. It’s pretty hard to stop doxxing. You should all just hope no one ever finds a reason to do it to you. And it’s almost as hard to stop doxxing on a massive scale. Yes, shutting down a power plant, or a similar attack on critical infrastructure, could be a horrible disaster. But I think this kind of chaos might ultimately be more damaging to the U.S. It’s certainly easier to fashion.

What’s the lesson here? I’ve said forever that any time you type anything into any kind of keyboard, you should be prepared for the world to see it one day, even if you think your communication is private. That’s good advice, but it has its limits. For starters, we all use chat tools, texts, and even email as casually as we talk now. It’s pretty hard to remember that you are always one co-worker’s stupid click away from your chatter being exposed to the world. A private note with one comment that could be described as racist, sexist, even elitist, said to one person, could seriously tarnish your career or legacy. In that world, being 99.9 percent careful just isn’t good enough.

But the problem is scarier than that. Standards change all the time, but servers are forever. Imagine if we could read long email chats between political or corporate figures from 25 or 50 years ago. They’d all sound awful. It’s really, really hard to predict what something you say today might sound like 10 or 20 years in the future. The old “out of context” explanation doesn’t work any more. This is why the world of pack-rat programming alarms me. Companies (in the U.S.) reflexively save every piece of data for as long as possible. It will be the radioactive fallout of our time. We haven’t even begun to digest the implications of that.

Sony is a pretty good hint, however. Be very, very careful what you type.


The seven reasons consumers still care about privacy

Larry Ponemon


“Consumers’ Perceptions about Privacy & Security: Do They Still Care?”, conducted by Ponemon Institute and sponsored by RSA, is intended to understand what consumers think about privacy and information security. Specifically, how have recent mega-breaches affected consumer behavior and attitudes about privacy? Moreover, is the constant sharing of personal information online and with mobile apps diminishing the importance consumers place on their privacy?

We surveyed 1,020 consumers in the United States between the ages of 18 and 65+. Forty-nine percent of respondents say they have been victims of at least one data breach. However, 45 percent are not confident that they know of all instances when their personal information was lost or stolen in a data breach.

Read the entire study (PDF)

Based on the findings we conclude that consumers perceive a loss of control over their personal information because of data breaches, the lack of trust in the security of the mobile apps they continue to use and increased government surveillance. However, they still believe the privacy and security of their personal information is important.

The following seven findings reveal why consumers still care about privacy:

Privacy rights are believed to be at risk. Seventy-five percent of respondents worry that they will lose their privacy rights as the Internet progresses into the future and are very concerned about this happening. 

Privacy and security expectations are high for financial transactions. No matter what their privacy profile is, respondents have high expectations for privacy and security when filing a tax return, making mobile payments or banking.

Privacy and security on the Internet and when using social media is important. Respondents are spending an average of 56 hours per week on the Internet and 27 hours using social networks, social messaging and other social media tools. They rate the importance of the security and privacy of these activities as very high.

Prompt data breach notification is important. Seventy-seven percent of respondents say prompt notification about the loss or theft of their personal information is either very important (56 percent) or important (21 percent).

Respondents worry about the theft of certain information. Most respondents are concerned about the theft or misuse of their Social Security numbers, passwords or PIN and payment information such as credit card number.

Strong online authentication procedures are very important. Fifty-four percent strongly agree or agree that the websites they use have strong authentication procedures that can be trusted to safeguard their sensitive or confidential information. They also do not trust systems or websites that only rely on passwords to identify and authenticate users or consumers (62 percent). Similarly they do not trust systems or websites when identity and authentication procedures appear too easy (62 percent of respondents).

Biometric authentication methods are viewed favorably. Seventy-eight percent of respondents say they would prefer authentication procedures that verify their identity without requiring them to share personal information such as a name, address, email and so forth.