Clearing up some common misunderstandings and inaccurate reports in the news.
In recent months there has been a lot of coverage of web and IT security breaches, but unfortunately the news outlets don’t always get it right. Sometimes this is because of a lack of understanding on the part of the ‘journalist’, which might be forgivable in the more complex cases if it weren’t their job to research and report facts. Sometimes it’s outright sensationalism and scaremongering, where ratings and sales take priority over reporting the news.
In this post I hope to clear up some of the common misconceptions that crop up in the news…
A lot of the events being reported as hacking are in fact nothing of the kind. Several high-profile websites have been hit with a Distributed Denial of Service (DDoS) attack, which is no more hacking than overloading a system with thousands of emails.
A DDoS is when a group of people, or a network of compromised machines under one person’s control, flood a website with more requests than it can handle, so that the site effectively becomes unavailable. These attacks usually use freely available tools where the attacker simply types in the website they want to target and presses Go, needing no discernible skill or experience.
When this happens, the website itself and all of the data it holds remain intact, and once the attackers get bored and move on the website returns to normal. There is typically no permanent damage, no defacement and no loss or leak of data. The attacks on the SOCA, BPI and PayPal websites, and on several game developers’ websites, were of this kind.
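To make the distinction concrete, here is an added example (not code from the original post) of what a request flood looks like in a web server’s access log and how simply it can be picked out: a per-source request counter over a sliding time window, run against constructed Common Log Format lines. The ten-second window and fifty-request threshold are assumptions to tune for a real site, and the sample traffic is made up for the example.

```python
"""Rate-based flood detection over web-server access logs.

Added illustration, not code from the original post. Log lines are in the
Common Log Format and are constructed here for the example; window size and
threshold are assumptions to tune for a real site.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Common Log Format: ip ident user [timestamp] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "req": m.group("req"),
        "status": int(m.group("status")),
    }


def detect_flood(lines, window_seconds=10, threshold=50):
    """Flag sources that exceed `threshold` requests in any sliding window.

    Returns {ip: peak request count seen inside one window}. Lines are assumed
    to be in time order, as a server writes them.
    """
    recent = defaultdict(deque)  # ip -> timestamps inside the current window
    peaks = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than crash on them
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while rec["ts"] - q[0] > timedelta(seconds=window_seconds):
            q.popleft()
        if len(q) > threshold:
            peaks[rec["ip"]] = max(peaks.get(rec["ip"], 0), len(q))
    return peaks


def unavailable_fraction(lines):
    """Share of responses that were 5xx: the 'site becomes unavailable' symptom."""
    total = errors = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        total += 1
        if rec["status"] >= 500:
            errors += 1
    return errors / total if total else 0.0


def _fmt(ip, ts, req, status):
    return f'{ip} - - [{ts.strftime(TS_FMT)}] "{req}" {status} 512'


def build_sample_log():
    """Constructed sample traffic (not a real capture): one source hammers the
    front page 120 times in under ten seconds while a normal visitor reads four
    pages. The server starts answering 503 part-way through the flood."""
    base = datetime(2011, 7, 20, 12, 0, 0, tzinfo=timezone.utc)
    records = []
    for i in range(120):
        ts = base + timedelta(milliseconds=80 * i)
        records.append((ts, "203.0.113.5", "GET / HTTP/1.1", 503 if i > 60 else 200))
    for i in range(4):
        ts = base + timedelta(seconds=2 * i + 1)
        records.append((ts, "198.51.100.7", f"GET /news/{i} HTTP/1.1", 200))
    records.sort()
    return [_fmt(ip, ts, req, status) for ts, ip, req, status in records]


if __name__ == "__main__":
    log = build_sample_log()
    print("flooding sources:", detect_flood(log))           # {'203.0.113.5': 120}
    print(f"5xx share: {unavailable_fraction(log):.0%}")   # 48%
```

Two things the log makes visible that the headlines do not: the flooding source asks for the same public page over and over (no data is being read that a visitor could not read anyway), and the damage is the growing share of 5xx responses while the flood lasts. A real DDoS spreads the load over many addresses, so a per-source threshold like this one needs to be paired with an aggregate request-rate alarm; the per-source view is still what tells you which clients to block.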
Lost Laptops, CDs and USB drives
There has been a spate of misplaced laptops and storage media containing all manner of sensitive information. From leaving a laptop on a train to discs getting lost in the post, the causes range from carelessness to malicious acts. News reports are always quick to highlight what data was or might have been on the device, going into great depth about how damaging it might be in the wrong hands.
What they often neglect to mention, or gloss over, is whether whatever was lost was encrypted and password-protected. This is not to say that every piece of kit that’s been lost was strongly protected; no doubt some of the lost data was readily accessible. But some of it would have been protected by encryption, with passwords strong enough that the data is unlikely to be cracked in your lifetime. (Encryption is only as good as the handling of the key around it: a password on a note in the laptop bag undoes all of it.)
Of course this would change a headline from “Company ABC lost a CD containing personal information of a million customers” to “Company ABC lost a CD containing utter gibberish to anyone other than Company ABC”, which doesn’t make for very exciting news. If you read a story like this that doesn’t specifically mention encryption and passwords, then either that detail has been intentionally omitted or the story has been written by someone who doesn’t understand the terms. In either case I’d be dubious about the validity of any horror stories therein.
Truth be told, there have been quite a few real incidents, but unfortunately they get diluted amongst the overblown non-news. These legitimate hacks range from taking advantage of poorly written websites to technical feats that take several months of research, probing and escalation.
The first attack on Sony, which resulted in the personal information of more than 100 million customers being leaked, supposedly took eighteen months to achieve. The (reportedly unsuccessful) attacks against three US DoD military contractors (Lockheed Martin, L3 and Northrop Grumman) used information gathered from an attack against IT security company RSA three months earlier.
Most of the hacks, though, have merely exploited loopholes caused by poor workmanship, rushed deployments or unpatched systems, none of which has any place in a corporate website. The recent attack on The Sun and The Times websites, for example, was the result of poor coding, bad practice and a lack of cleanup. It could have been prevented with a few hours’ work if anybody had cared to check.
The hacking groups behind some of these attacks claim to have the public’s interest at heart and liken their activities to whistle-blowing. There is some truth in this, although it’s hard to support the hackers when they intentionally publish personal records into the public domain. It is fair to assume that if they hadn’t taken this step the hacks would not have received quite so much publicity, and companies would carry on neglecting security and jeopardising their customers’ personal information. In my opinion the hacked companies are equally as liable as the hackers themselves for any damage caused.
Two points to remember: 1) If your personal information is compromised, the company responsible is, in many jurisdictions, legally obligated to notify you. 2) If you think you may have been affected by a hack, change your password for that site immediately, and on any other site where you used the same password, since leaked credentials are routinely tried elsewhere.
So to sum up, don’t believe everything you read! If you come across a story and you’d like some validation of the facts, please feel free to drop me a line and I’d be happy to help 🙂
Image Attribution: Thanks to jscreationzs, renjith krishnan, digitalart and Salvatore Vuono @ FreeDigitalPhotos.net for the images