Are There More Hacks & Breaches This Year... Or Is It Just Shark Attack Week?
from the questions,-question dept
There have been an awful lot of stories of computer hacks and breaches lately, many of them high profile: Google, Citibank, Sony, the US Senate. It certainly feels like everyone's under attack. But is that really true? Bruce Schneier suggests that it's just a media sensation:"I truly don't think there's a higher instance of hacking right now. I think there's been a wave of media coverage," said Bruce Schneier, chief security technology officer of BT and one of the most respected security experts around. "We saw the same thing with shark attacks. It's not that there are more shark attacks. It's that they made the news when people started looking for them."It does make me wonder. The media can be quite efficient at finding evidence of an epidemic when things are actually occurring at a normal rate, but it certainly does sound like some of the attacks lately are landing on bigger name targets. Part of this may also be the more public attacks from groups like Anonymous and Lulz Security, who are doing what they do more for publicity reasons than as criminal enterprises. Either way, I'm curious to see what others think about the issue. Are we really seeing more attacks and breaches today, or is the press just picking up on it lately?
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Reader Comments
Subscribe: RSS
View by: Time | Thread
"They simply logged on to the part of the group's site reserved for credit card customers and substituted their account numbers — which appeared in the browser's address bar — with other numbers."
http://it.slashdot.org/story/11/06/14/2046216/How-Citigroup-Hackers-Easily-Gained-Acces s
Oh, and from the comments
"One expert, who is part of the investigation and wants to remain anonymous because the inquiry is at an early stage, told The New York Times he wondered how the hackers could have known to breach security by focusing on the vulnerability in the browser.
He said: 'It would have been hard to prepare for this type of vulnerability.'"
http://it.slashdot.org/comments.pl?sid=2239030&cid=36443084
This isn't even a hack, this is just common sense. It's using the system as intended, the system was practically designed to give away personal information.
[ link to this | view in chronology ]
Says it all:
[ link to this | view in chronology ]
Remember Haiti?
When more and more reports came up about hacks and security breaches online, I immediately knew this was just a journalistic frenzy crafted to cause mass panic and gain eyeballs.
[ link to this | view in chronology ]
Tsunamis & Volcanoes
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re:
One place to consider in terms of searching for who's behind many of these hacks is previous IT employees who have been laid off. Such previous employees are likely to be most familiar with the system and its vulnerabilities (not to mention they may have intentionally created some subtle vulnerabilities themselves during employment) and hacking the system could give their previous employers incentive to re-hire them (since they would need the least training and so hiring them is more cost effective than hiring someone less familiar with the system).
It's almost like arson where someone who gets money either for putting out fires or serving/catering those who put out fires (or otherwise) starts a fire to create a job for himself that he gets paid for.
[ link to this | view in chronology ]
The difference is intent
Headline: Hackers hack to steal credit cards from PSN
....sucks.
Headline: Hackers hack government site as citizen retribution
....awesome.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
I can not even fathom that the chinese hackers that can pick apart google are inferior to these groups. The level of opposition that countries/states face every day on their systems is far and above anything these groups have done. And I can't think of a country that does not have to deal with attacks on their systems every day (maybe New Zeland, Just kidding! Honest!) These groups are performing the equivalent of throwing a brick through a store window and shouting "Look! They have poor security!" and grabbing stuff and running. Anyone who does that is not going to have a military operation to catch them. They are just that low of priority, and unfortunately we're not going to hear about the real important prioritis which is a different problem.
[ link to this | view in chronology ]
- hot button news: there is currently a push on cyberwarfare and all that, any notable hacking is certainly going to get more attention
- fast reveals of hacks: Twitter and it's ilk allow hack reports to be more quickly spotter, hacked sites are seen before they are fixed, etc. It's also easier to find ways to publish proof of a hack and claim responsiblity in an anonymous fashion.
- Hacktivists: A relatively new concept, people hacking companies not because they want anything, but rather to cuase the company grief, to piss off their customers, or to embarrass the company. These only work if they get significant media coverage, so they are done in with the specific goal of getting exposure.
- More to hack: Online business means there are more things to hack, more juicy targets, more credit card and personal info out there, etc.
I think the hacktivist issue probably driving much of this right now, and the media is receptive because of the banging of the cyber warfare drums.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
[ link to this | view in chronology ]
If a system is cracked...
[ link to this | view in chronology ]
"Like a bearded nut in robes on the sidewalk proclaiming the end of the world is near, the media is just doing what makes it feel good, not reporting hard facts. We need to start seeing the media as a bearded nut on the sidewalk, shouting out false fears. It's not sensible to listen to it."
You can find the speech in its entirety on several websites. I do remember that his website clearly stated he didn't want people publishing it without permission so I won't post a link here. I'd hate to lose Techdirt to an ICE domain name seizure.
[ link to this | view in chronology ]
Mid 80's or there-about a prominent Australian cracker named Force was scanning networks with DEFCON (his network mapping program) and came across an IP address that started spewing out numbers, this lasted for almost 48 hours and turned out to be a massive database of credit card numbers/details.
The machine he was connected to could be prompted to spew out all these details with Ctrl+K or something similar.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Has Sony Been Hacked This Week?
.
.
http://HasSonyBeenHackedThisWeek.com/
twitter.com/HSBHTW
yesterday it said "yes", today it says "not yet"
[ link to this | view in chronology ]
I'm betting that hacking has been going on all around us, but because the hacking has been silent, the hacked don't even know about it and can't even report it if they wanted to.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
[ link to this | view in chronology ]
compliance
Probably an unreported factor in these breaches is the lack of understanding that if your employees are on Facebook or can actually figure out how to send an email, then they are technically savvy. That is a huge assumption. And it is wrong. I have fielded complaints from a user that they cannot input their password because there are x's over it and they can't see what they are typing. Having 2 million friends on Facebook means nothing.
I don't personally know if breaches are up or not. April of 2010 was a pretty rough month if I remember correctly. I would bet a pretty dollar that while some high value targets have been very, very public, it is still the tip of the iceberg. There are too many detriments to reporting a breach unless you absolutely have to.
btw - I am an (employed) (overworked) application security engineer.
[ link to this | view in chronology ]
WTF 1997
Yahoo was "hacked" this way several years ago and for using the same nonsecurity; username was part of the urls and you could simply try other usernames and there you were, in their account...
This kind of hack is ANCIENT and any site with ANY responsibility for personal info, let alone freakin' BANK ACCOUNT INFO, simply cannot have such a low-level security hole. Period. This hack is taught in web site 101 and has been for the last 12 years or more. It isn't even really a "hack"; it's a bad configuration.
It's shameful and exposes just how lame these financial institutions are and how fast and loose they are with data handling (moddable user data in the url?). Every one of their "IT staff" should be sent to work at McDonalds; the hamburger guy there could probably figure out a more-secure system than this.
[ link to this | view in chronology ]
[ link to this | view in chronology ]