Uncertain Future – Part VI – If the Feds Aren’t Safe, What Makes You?

Ok, so maybe various versions of making people look bad on the internet aren’t nearly as terrifying as legitimate terrorism, but what about the presence of true cybercrime, those who use the internet with no agenda for reform, no desire for publicity, and who 99% of the time, you never knew existed? What about when the threats aren’t out to make you think about some subjective moral wrongdoing, but to steal your money and ruin your life? What’s really scary is that no one is safe – quite literally no one. Not even the director of the United States Central Intelligence Agency.

A group of young hackers, using rather unsophisticated methods, broke into CIA Director John Brennan’s personal email. So that we are all aware, the director of the CIA is the guy in charge of all US spies and, one would think, well beyond the reach of hackers… especially a group of teenagers. Much to the chagrin of the US government, he really wasn’t. This one, however, wasn’t really his fault. The method the hackers used was to implement a tactic that predates modern computing by only a few thousand years. They pretended to be people they weren’t, tricked a Verizon worker and got Brennan’s email password changed the old fashioned way… by lying. The term they used is “social engineering”. While they didn’t find much, they did find some documents important to him. Then they bragged about it on Wired. While all of us think this one is hilarious, if a story turns up about a few of these kids turning up missing in a couple of years when no one remembers their antics… don’t say this wasn’t foreseeable.

The same group responsible for this breach also targeted the FBI… because they are just ballsy I guess… and broke into portals used by police and federal agents to share intel. The site is also used to book suspects, and while it isn’t known how much was taken, hundreds of thousands of users may be vulnerable, many already being leaked following the hack.

2015 saw attack after attack like these, and some of the most massive breaches to internet security the world has yet seen, all with little other incentive than stealing money, stealing information, and extortion. Like my fictional spy from the future, there are many who profit heavily from the information you keep secret. Over the course of the last year, it is estimated that some 70% of the US population experienced some form of cyber attack and over 2.1 billion internet users worldwide. In a Verizon Study of 90 Security breaches, there were 285 million data exposures. Unsurprisingly, attacks are getting much more advanced, with hackers sometimes using multiple attacks simultaneously to succeed in a breach, such as malware, brute force, and SQL injection. Furthermore, 74% of the attacks were external, meaning that 26% were executed from within the companies we are trusting with our data. [21] In a related vein, but just as disturbing, we are now seeing more breaches being discovered by employees than outsiders. Traditionally, these sorts of attacks were discovered by feds or other companies detecting the irregularities. [22] Now, it is much more likely that when you’re breached, you’ll be the first to know… which for some of us, isn’t that comforting.

Depending on how you look at this, it could either be welcome news or utterly terrifying. On the one hand, this means that internal security is at least able to grow to the point that they become aware of their own breaches. On the other hand, it means that the number of breaches, and all the possible avenues of failure have become so numerous, that no government agency can possibly be aware of the threats anymore, let alone protect us from them.

The next troubling discovery, this one from the 2014 report, was exactly how big the hacking business is. In spite of the whole last section of activities by groups such as Anonymous, malicious hackers working with financial motives still account for some 60% of cyber crime. Corporate spying, those seeking intellectual property and trade secrets, accounted for some 25% (up from previous years). Those hackers who were not set on serious crimes (you know, for the lulz) or hacktivists with some ideological agenda, in spite of all the news, accounted for next to nothing. [23] That means that in spite of internet hacktivists’ publicised achievements, the vast majority of illicit attacks happen for no other reason than to rob us of something precious.

Some of the biggest of these hits last year:

  • Excellus Blue Cross/Blue Shield – 10 million records lost including names, birth dates, social security numbers, mailing addresses, financial accounts, and claims information [24]
  • Anthem Health Insurance – Access to 80 million current and former customers’ names, Social Security numbers, birth dates, addresses, and income data [25]
  • Experian – 15 million T-Mobile customers’ names, addresses, birth dates, drivers’ license ID numbers, and passport numbers. Encrypted Social Security numbers were also stolen, which may provide some measure of safety, but the company warned that encryption may have been compromised [26]
  • Scottrade – 4-6 million customers’ contact details compromised [27]
  • CVS, Walgreens, Rite Aid, and Costco – millions of customers’ credit card, email, postal addresses, phone numbers, and passwords. [28]
  • Donald Trump’s hotel chain – many thousands of guests’ credit card data [29]

Several people probably noticed that last line and thought to themselves, “Ha, that will show the asshat.” Well, we need to think about that one again, don’t we? Who was hurt by the breach at Trump hotels? Innocent people. Really think about who these people are who are hurt; people who slept at a place. Imagine yourself, really just you, getting a hotel anywhere in the world, never really thinking about the guy whose name is on the side of the exterior wall and if one day he may potentially run for President of the United Freaking States. No, you just slept in a place and now your information is floating around the internet by people who are trading it for money. So to those who are getting their lulz right now from finding out that the “Orange carpeted clown” got pwned (“laughing hard at the misfortunes of Donald Trump” for those not accustomed to the vernacular of the lower internet), you’re real a-holes.

To illustrate this point, as shown already, some of the biggest breaches didn’t steal money directly. The big payoff was information. Data about real people, not just one, but millions of people at a time, is the biggest score in the illicit industry of online invasion. Stealing a whole database with customer or employee names, birthdays, SSNs, or any other useful private information can open the door for those people to be targeted later for individual attacks. These attacks may be for money, or they can be for more information, perhaps even national secrets, incriminating information for blackmail, or worse. Often, this information is collected and merged into larger databases, where users are profiled and where that which is stolen can be used against them in some of the most terrifying ways imaginable later… like a hack on the Internal Revenue Service.

The IRS is a common target of hacking. As the central collection agency for all taxes of all people of the United States, it is one of the largest gold mines ever created. In 2015 it suffered the largest breach in its history. It acknowledged that hackers had gained access to view more than 300,000 previous tax returns. They did this through a tool made available by the IRS called “Get Transcript”. Get Transcript allows users to view old returns. The safety in this system is that it requires numerous layers of identifying information to access Get Transcript and view those old returns. The types of information needed: names, social security numbers, birthdates, addresses – the very same items stolen from the other hacks mentioned above. This means that the hackers were able to make one of the largest internet heists in history, only through access of stolen information, gathered, collected, and organized by other hackers in a cyber black market where your information is the most valuable and most traded commodity there is.

Relying on personal information — like Social Security numbers, birth dates and street addresses — the hackers got through a multistep authentication process. They then used information from the returns to file fraudulent ones, generating nearly $50 million in refunds. [30]

That means that each of the victims was hacked not once, but twice. The big takeaway from the 2015 IRS Hack is that there is growing evidence of the existence of something we are all afraid of: databases out there that are growing day by day, where cells of each of our data are collected and merged without our permission or our knowledge, and that are being traded by people across the world, with no good intention for us. This leads many to believe in a future decades from now which has no secrets, where all of our information is direct and open to the public. For those of us with bank accounts, street addresses, or children, that’s not the idealistic image of an open society that some would paint. The fact is, we live in a state of danger every day because of the secrets we entrust to others. In the next few decades, for companies to remain viable, they are going to have to prove they can be trusted with our information. More so than this, if we ever want to feel safe again, perhaps the most valuable enterprise in the future of internet security might not be the next guy who is able to steal our information, but the first guys who figure out how to get it back.
