Crooks and kids (not scary spies paid by govt overlords) are behind most breaches

Despite the hype about state-sponsored hackers, most breaches are actually the result of either criminal activity or "kids messing around", according to breach expert Troy Hunt. Hunt, operator of the breach notification service Have I Been Pwned, noted that many of the current spate of breach disclosures actually stem from …

  1. NoneSuch Silver badge

    The pros seldom leave tracks and don't need to break individual systems when they have access to the networks in-between. Skewed statistics, no doubt.

    1. Destroy All Monsters Silver badge

      ...in particular, if they have access to the sysadmin.

  2. EnviableOne

    400k may be a paltry fine, but it's the biggest they have handed out and 80% of what they are allowed to hand down at the moment; if it had been post May 2018 it probably would have been closer to the 20 million euros.

    1. Oh Homer

      But, but...

      400k ought to be enough for anyone.

  3. Naselus

    "TalkTalk was “negligent”"

    I'm sorry, but if kids are behind a significant portion of breaches, then it's the negligent companies which are actually responsible. I don't think the 15 year old kid using free software is the problem in TalkTalk's case. I think TalkTalk deciding that they didn't want to pay for any serious investment in IT security infrastructure was.

    1. Doctor Syntax Silver badge

      "I don't think the 15 year old kid using free software is the problem in TalkTalk's case. I think TalkTalk deciding that they didn't want to pay for any serious investment in IT security infrastructure was."

      The two are not mutually exclusive. In fact, it was a combination of the two.

    2. Christian Berger

      If it was about paying

      "I think TalkTalk deciding that they didn't want to pay for any serious investment in IT security infrastructure was."

      Problems in IT security don't happen because of a lack of money, but because people decide to do incredibly stupid things. They happen because people choose to go the complex route instead of the simple and elegant one. They happen when someone creates a complex web GUI using multiple highly complex frameworks, just to do something a couple of shell scripts could have done, accessed via ssh.

      1. Alan Brown Silver badge

        Re: If it was about paying

        "Problems in IT security don't happen because of a lack of money, but because people decide to do incredibly stupid things."

        Actually they DO happen because of a lack of money.

        The discussion usually goes along the lines of management asking how much it will cost and what's the benefit - then deciding they won't fund it.

        When the benefit is described as "you don't get to go to jail if we get hacked" they tend to perk up their ears a bit. Keep the interest personal and companies will do the right thing (and if you're ever refused permission to do something critical on cost or other grounds, keep the email and reasoning behind it in a safe place where it can't be deleted/removed. It's called covering your arse. Bear in mind that management like this are sociopaths who will happily throw you under a bus to save their own skin.)

        A long time ago in a different country, laws were passed which made management personally culpable for certain activities in addition to criminalising them. The day after, the CEO of the company I worked for circulated a memo which started "Because I have no desire to go to jail because of the actions of an employee, these activities are utterly prohibited..."

  4. a_yank_lurker

    The Usual Suspects

    It seems whenever there is a major breach the first accusation is to blame the Russians, Chinese, or NORKS without thinking. Government hacking and spying will be directed to gain information the government finds useful or wants. This accusation allows the victim to blame-shift from their own bungling incompetence, which makes Colonel Klink look like a military genius, to "they never had a chance against a major spookhaus".

    Criminals are interested in stealing information they can convert into money relatively easily, such as credit card numbers. Others are interested in embarrassing public figures and companies for extortion, though you cannot embarrass lowlifes like politicians and most celebrities. Neither is something governments generally care about.

    1. GrumpyKiwi

      Re: The Usual Suspects

      Totally in agreement. You note that as soon as a sacred cow is touched (like the Democratic Party servers for example) then it's all "Chinese/North Korean/Russian hackerz!!!11!!".

      On the other hand when the person is caught and it turns out to be a local then it becomes "oh he has Asperger's and he doesn't know any better".

  5. Aodhhan

    Targeting

    The laugh test for most breaches is all about the data. State sponsored attacks don't hit retail stores or go after money. Think about it for 2 minutes, and you'll get why.

    State actors go after technology, military, large business products for intelligence and to reverse engineer/steal and copy, and huge business assets/powerful individuals to gather inside information for investment. Attacking Google, Yahoo, Target, etc. doesn't provide this.

    1. Version 1.0 Silver badge

      Re: Targeting

      "Attacking Google, Yahoo, Target, etc. doesn't provide this."

      If you collect enough account details then you are in a position to paint a good picture of individual users: you know what they like to do, who they like to talk to, what services they buy from and ... drum roll ... how they like to format and choose their passwords - that is, assuming that they don't use the same password everywhere.

      This is useful information ...

      1. JonP

        Re: Targeting

        This is useful information ...

        To criminals maybe, not nation states. I'd seriously doubt that knowing a bunch of Yahoo passwords is of any interest to North Korea or China or $current_bogeyman.

        1. rh587

          Re: Targeting

          To criminals maybe, not nation states.

          I think you'll find that having control of the personal e-mail of an employee at AWE or BAE systems, or knowing they are on Ashley Madison could be of enormous use if you were hoping to leverage someone to gain access to information on more secure or air-gapped systems.

          This is the reason Enhanced Vetting asks some extremely intimate questions about one's sexual preferences and fetishes (amongst other things). It reduces the risk of blackmail because HR already know your dirty secrets and you won't have any problem walking in and saying "I've been approached by someone threatening to release x about me."

      2. Alan Brown Silver badge

        Re: Targeting

        "If you collect enough account details then you are in a position to paint a good picture of individual users"

        This is exactly why Bletchley Park kept everything - and the intelligence they deduced from this stuff was often more useful than directly decoded strategic commands (much of the more sensitive stuff couldn't be intercepted because it was on landlines or in face-to-face meetings, but could be deduced from intercepts showing person ABC ordered to site XYZ, based on known past activity, locations and affiliations).

        That's why this kind of activity is still done, but it's worrying on several levels that intelligence agencies are hoovering up every possible bit of information about everyone they can, "just in case", instead of concentrating on known problems and the circles they move in.

  6. VinceH

    “Blaming state hackers has become like a ‘dog ate my homework’ excuse,” he added.

    Quite. Like I said two weeks ago, claiming hacks are state-sponsored is the new black.

  7. John Smith 19 Gold badge

    "Dropbox" ".. halfway through moving from the ageing SHA1 technology.."

    And how long has that technology been obsolete for?

    Remind me what is Dropbox's core business.

    Something about backing up data that people and businesses feel is personally critical to them, isn't it?

    1. Adam 1

      Re: "Dropbox" ".. halfway through moving from the ageing SHA1 technology.."

      It's actually difficult to change password algorithms when your user base is casual and you are using a hash, because you have no way of determining the hashed password other than a brute force, dictionary or rainbow attack; you have to passively wait for the user to authenticate again and force them through the change-password roundabout.
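The "wait for the user to log in" migration the comment describes, as an added example (not code from the thread or from Dropbox). It assumes a constructed in-memory user table, unsalted SHA-1 as the legacy scheme and salted PBKDF2-HMAC-SHA256 as the replacement; the record is only re-hashed at the moment the plaintext is available, so accounts that never log in stay on the old scheme.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 200_000  # assumed work factor for the replacement scheme


def legacy_sha1(password: str) -> str:
    """Legacy, unsalted SHA-1 hex digest (the scheme being retired)."""
    return hashlib.sha1(password.encode()).hexdigest()


def make_pbkdf2_record(password: str) -> dict:
    """Fresh salted PBKDF2-HMAC-SHA256 record for the modern scheme."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"scheme": "pbkdf2_sha256", "salt": salt, "digest": digest}


def verify_and_upgrade(users: dict, username: str, password: str) -> tuple:
    """Check the password against whatever scheme the stored record uses.

    Returns (authenticated, upgraded). A legacy record is replaced with a
    modern one only on a successful login, because that is the only time
    the server ever sees the plaintext it needs to compute the new hash.
    """
    record = users.get(username)
    if record is None:
        return (False, False)
    if record["scheme"] == "sha1":
        if hmac.compare_digest(legacy_sha1(password), record["digest"]):
            users[username] = make_pbkdf2_record(password)  # upgrade in place
            return (True, True)
        return (False, False)
    if record["scheme"] == "pbkdf2_sha256":
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                        record["salt"], PBKDF2_ROUNDS)
        return (hmac.compare_digest(candidate, record["digest"]), False)
    return (False, False)  # unknown scheme: fail closed


def migration_progress(users: dict) -> float:
    """Share of accounts already on the modern scheme; stalls below 1.0
    for as long as inactive users never come back to authenticate."""
    if not users:
        return 1.0
    modern = sum(1 for r in users.values() if r["scheme"] != "sha1")
    return modern / len(users)


# Constructed sample data: two legacy accounts, only one of which logs in.
USERS = {
    "alice": {"scheme": "sha1", "digest": legacy_sha1("correct horse")},
    "bob": {"scheme": "sha1", "digest": legacy_sha1("battery staple")},
}
```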

    2. Doctor Syntax Silver badge

      Re: "Dropbox" ".. halfway through moving from the ageing SHA1 technology.."

      "Remind me what is Dropbox's core business."

      Never mind about their core business, remind me who's on their board.

      1. Anonymous Coward

        Re: "Dropbox" ".. halfway through moving from the ageing SHA1 technology.."

        "Never mind about their core business, remind me who's on their board"

        The NSA.

  8. Anonymous Coward

    Yes, I believe that crooks and kids are behind most attacks

    But I am under no illusions that crooks and kids are supposed to A) behave responsibly and B) work for us.

    Plus crooks and kids don't really have the power to subvert standards, infrastructure and even logistics systems to insert vulnerabilities into the system for their own selfish reasons, and that leaves doors open for the crooks and kids to come streaming into your network.

    1. Doctor Syntax Silver badge

      Re: Yes, I believe that crooks and kids are behind most attacks

      "Plus crooks and kids don't really have the power to subvert standards, infrastructure and even logistics systems to insert vulnerabilities into the system for their own selfish reasons"

      All too often we're not talking about standards. We're talking about badly configured installs that should have been secured and weren't. The kids attacking TT were using one such known exploit that was older than they were.

  9. Version 1.0 Silver badge

    Blaming the aspergers generation

    You have to wonder how good your security wall is when a script kiddy breaks in. I'm not knocking the kiddies - they provide a useful service, trying all the doors and knocking on the windows - but let's face it, they should not be able to break in if you've actually secured the place.

    Virtually every "attack" that succeeds is because someone left a "door" open - that's NOT the kiddies' fault - that's YOUR fault.

    1. Cook942

      Re: Blaming the aspergers generation

      I'm sorry, but no: you hold a portion of the blame, granted, but someone committing criminal acts is still committing criminal acts regardless of the difficulty they had doing it.

  10. Mikel

    Nothing new

    Almost nobody employed in technology understands security. As it has ever been, as it ever shall be.

    1. Naselus

      Re: Nothing new

      The problem is more that, despite there being extremely few qualified infosec professionals out there, there are even fewer unqualified IT guys who realise they're not qualified to be security guys.

  11. John Savard

    Don't Minimize Anything

    Of course most breaches are by crooks and kids. However, state-sponsored attacks are still an additional item of concern; for one thing, since such attacks are more sophisticated, they remain a threat to those (few!) who have taken the necessary precautions to mitigate most of the threat from the lesser actors.

    Plus, of course, the zero-days of yesterday get into the hands of the script kiddies of tomorrow, as we've recently seen, and so the state-sponsored hackers, especially since they are starting to get caught once in a while (which is actually good news, not bad news, at least in some respects, from a security viewpoint) are adding to the "real" threat from "crooks and kids" too.

    No, the sky is not falling, but given that our operating systems and software are notoriously insecure, heightened awareness of security just might stimulate some progress in the right direction.

  12. Pete 2 Silver badge

    Talk big, do nothing.

    > most breaches are actually the result of either criminal activity or "kids messing around"

    But it is in nobody's interest to admit this.

    The police look stupid if they have to admit they are unable to detect the majority of reported hacks - when they are merely the work of children "messing around". The targets (are they really victims when their security is so lax?) will lose the confidence of their users / customers and suppliers if they are found to be hacked so easily.

    So, just like a cage fighter would be embarrassed by getting beaten up by a 7-stone weakling, it is in the interests of all concerned (including the hackers) to big-up the skills and luck of the hackers. That absolves all parties of blame and of the need to put in place even basic security measures (measure #1 - sack your security manager, if you get hacked again: sack the CEO).

    However, this does rather assume that the same outfit isn't hacked again a short time later, when the questions about why start to be asked of the higher echelons.
