
Posts Tagged ‘hacking’

October in the technology world is “cyber-security awareness month” (I can’t believe I just wrote that).  Yet, with all the awareness that popular media outlets like The Wall Street Journal, The New York Times, 60 Minutes, et al., bring, little in the way of solutions is being offered, which shows how serious this issue is for many businesses.  Recently, when a huge cyber-attack against JPMorgan Chase and nine other financial institutions came to light, the White House received periodic briefings on the attack in real time.  The problem was that no senior White House official could tell the President of the United States “why” the attacks were occurring.  According to a report in The New York Times, the answer simply came back as “We don’t know for sure [why the cyber-attacks are occurring].”

The answer is quite simple: “because they can.”  That is not an answer you want to give when you are the one who has to deliver it to the President of the United States.  In an interview with 60 Minutes a few Sundays ago, FBI Director James Comey said there are two kinds of “big” companies in America: “those who have been hacked by the Chinese and those who don’t know they’ve been hacked by the Chinese.”  Large corporations hold vast repositories of company data, customer data, and their customers’ customers’ data.  However, to date, the risk implications of a cyber-attack, both monetary and non-monetary, create little incentive for large companies to respond proactively.  Consider the fines, penalties, and associated expenses Target Corp. incurred after it was victimized by a cyber-attack: $148 million.  That is a ton of money, but the data breach did not stop customers from shopping at Target.  Post-breach, Target customers simply paid for their purchases with cash or pre-paid cards.  The costs of the cyber-attack were recouped in little time and likely had a minimal effect on the company’s bottom line.

As an advisor to startups and small businesses, I find that most entrepreneurs do not consider cyber-security when developing their business plans.  This is mainly due to the naïve notion that the Chinese (or the Russians, for that matter) are only out to get the “big” corporations.  That could not be further from the truth.  The advice I often give entrepreneurs is that if the business idea is too good, assume a competitor is paying a third party to find out the recipe for your secret sauce.  From there, anything and everything is possible, starting with reverse engineering the ingredients to make a better sauce.

The U.S. government’s public response on cyber-security is a mass-hysterical game of shadows, in which companies are left looking over their shoulders to see who may be watching them.  A different response would be to fight back.  Build up defenses within your business, regardless of its size, that let you take the fight to the criminals, or deter them.  Know where the weaknesses in the organization lie, and address them accordingly.  Make the time and effort it takes a criminal to break into your business unappealing enough that they move on to easier targets.  Large organizations are easy targets because they are bureaucratically driven by leaders at the top who are chiefly concerned with exceeding shareholder expectations, which has more to do with profit and loss than with cyber-security.

Read Full Post »

The New York Times reported that the login credentials of a Dropbox employee were stolen in an unrelated breach and then used to spam Dropbox users.  The hackers used the stolen password (one the employee had reused) to log into the employee’s Dropbox account, which held a document containing Dropbox users’ e-mail addresses, and from there launched a spam campaign against those addresses.  This latest data breach highlights the value proposition for why hackers want to break into data systems.  As quoted in The Times, “at first glance, [the usernames and passwords] may not appear to contain any valuable financial or personal information. Then, [the hackers] will test those credentials across the Web sites of financial organizations, brokerage accounts and, apparently, Dropbox accounts, where potentially more lucrative information may be found.”

When speaking to an audience about data governance, I constantly have to remind the crowd that the problem is more than just updating your anti-virus, firewalls, WiFi, or encryption methods.  It is about being vigilant, and educating yourself and your employees on the latest trends in securing mission-critical information (e.g., not using one universal password across work and personal Web sites).  The Dropbox incident highlights the use of universal passwords by individuals, and how hackers take advantage of it to their benefit (and the user’s detriment): a password stolen from one site is simply replayed against every other site where the same person might have an account.  Human instinct relishes convenience, and we are creatures of habit; that is what adversarial actors are banking on in the 21st Century.
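
The replay of stolen credentials described above leaves a recognizable trace in a login log: one source address tries many different usernames in a short window, most attempts fail (the leaked password is wrong for most victims), and the few successes are exactly the accounts whose owners reused that password.  The following Python is an added example written for this page, not code from the original post or from Dropbox; the log format, the IP addresses and the usernames are all constructed for illustration.

```python
"""Flag credential stuffing in an authentication log (added example).

Signature: one source tries many *distinct* usernames within a short window,
most attempts fail, and the handful of successes are the reused-password
victims that the operator should force to reset.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from any real system). Assumed format:
# ISO timestamp, source IP, username, result.
SAMPLE_LOG = """\
2014-10-08T09:00:01 203.0.113.7 alice FAIL
2014-10-08T09:00:02 203.0.113.7 bob FAIL
2014-10-08T09:00:02 203.0.113.7 carol FAIL
2014-10-08T09:00:03 203.0.113.7 dave SUCCESS
2014-10-08T09:00:03 203.0.113.7 erin FAIL
2014-10-08T09:00:04 203.0.113.7 frank FAIL
2014-10-08T09:00:05 203.0.113.7 grace FAIL
2014-10-08T09:00:05 203.0.113.7 heidi FAIL
2014-10-08T09:10:00 198.51.100.4 ivan FAIL
2014-10-08T09:10:20 198.51.100.4 ivan FAIL
2014-10-08T09:10:45 198.51.100.4 ivan SUCCESS
"""


def parse_log(text):
    """Return (timestamp, ip, user, succeeded) tuples, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result == "SUCCESS"))
    return events


def detect_credential_stuffing(events, window=timedelta(minutes=5),
                               min_distinct_users=5, max_success_ratio=0.5):
    """Return {ip: stats} for every source whose attempts, within any sliding
    `window`, span at least `min_distinct_users` accounts with a success
    ratio at or below `max_success_ratio`.  A legitimate user fumbling one
    password (one account, few attempts) never trips this."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in sorted(events):
        by_ip[ip].append((ts, user, ok))

    flagged = {}
    for ip, attempts in by_ip.items():
        start = 0
        for end in range(len(attempts)):
            # advance the window start so the window never exceeds `window`
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            chunk = attempts[start:end + 1]
            users = {u for _, u, _ in chunk}
            successes = [u for _, u, ok in chunk if ok]
            if (len(users) >= min_distinct_users
                    and len(successes) / len(chunk) <= max_success_ratio):
                flagged[ip] = {
                    "attempts": len(chunk),
                    "distinct_users": len(users),
                    # accounts to force-reset: the password was valid here
                    "compromised": sorted(set(successes)),
                }
    return flagged


if __name__ == "__main__":
    for ip, stats in detect_credential_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, stats)
```

Against the constructed sample, 203.0.113.7 is flagged (8 distinct accounts in four seconds, one success: dave’s password was reused somewhere else), while 198.51.100.4, a single user mistyping his own password twice, is not.  The thresholds are deliberately conservative starting points; tune them to the login volume of the system being monitored, and note that a distributed botnet spreads the same pattern across many source addresses, so the same statistics are worth computing per target account and per network block as well.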

Read Full Post »

In The New York Times today, Nicole Perlroth opened her column with “LinkedIn is a data company that did not protect its data.”  This is a very powerful statement coming on the heels of a cyber-attack that posted the password hashes of more than 6 million LinkedIn users on a Russian Internet forum (unsalted SHA-1 hashes, which is why so many of them were cracked so quickly).  Has the collective conscience of Internet users become so numb to the daily occurrence of data breaches that they simply dismiss the necessity of protecting their privacy?  Does privacy have any value any more?

Ms. Perlroth’s opening statement is not as profound as what followed later in her article: “[a] company that collects and profits from vast amounts of data had taken a bare-bones approach to protecting it. The breach highlights a disturbing truth about LinkedIn’s computer security: there isn’t much. Companies with customer data continue to gamble on their own computer security, even as the break-ins increase.”  As a publicly traded company subject to the Securities and Exchange Commission’s recently released “guidance” on cyber-security disclosure, are LinkedIn’s corporate officers and board members liable to shareholders for a lack of due diligence in safeguarding the company’s most critical asset?  Do the shareholders even care about the data leakage?

The article rightly points out that because the legal consequences are minimal at best, and the harm caused by the breach is negligible (LinkedIn did not lose any customers), shareholders face a tough standard in bringing a claim against the board of directors or corporate officers (the stock price went up after the data breach announcement).  So where does the necessity to secure mission-critical data begin and end?  Have we become immune to our private information being stolen?  Is having my information stolen really my problem?

“Computer security is not regulated and even as loads of sensitive personal, corporate and financial data gets uploaded daily, companies continue to skimp on basic protections. If 5 percent of airplanes in the United States crashed tomorrow, there would be investigations, lawsuits, a cutback in air travel and airlines’ stock prices would most likely suffer.” – The New York Times, June 11, 2012
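
What “bare-bones” meant in the LinkedIn case was that the leaked passwords were stored as unsalted SHA-1 hashes.  The following Python is an added example for this page, not LinkedIn’s code or anything from the article; the user table and wordlist are constructed for illustration.  It shows why that choice mattered: against an unsalted dump one hash computation per candidate password tests every user at once, and two users with the same password are visibly the same; a per-user salt removes both properties, and a deliberately slow key derivation function (PBKDF2 here, from the standard library) multiplies the attacker’s remaining cost.

```python
"""Unsalted SHA-1 versus salted and slow password hashing (added example)."""
import hashlib
import secrets

# Constructed sample accounts and wordlist (not real data).
USERS = {
    "alice": "letmein",
    "bob": "Password1",
    "carol": "letmein",       # same password as alice
    "dave": "x7#Qp9!vL2wz",   # not in the wordlist; survives both attacks
}
WORDLIST = ["123456", "password", "letmein", "Password1", "qwerty", "linkedin"]


def unsalted_table(users):
    """What the LinkedIn dump looked like: sha1(password), nothing else."""
    return {u: hashlib.sha1(p.encode()).hexdigest() for u, p in users.items()}


def salted_table(users, salt_len=16):
    """Per-user random salt stored beside sha1(salt || password)."""
    table = {}
    for u, p in users.items():
        salt = secrets.token_bytes(salt_len)
        table[u] = (salt, hashlib.sha1(salt + p.encode()).hexdigest())
    return table


def crack_unsalted(table, wordlist):
    """Hash each candidate ONCE and look it up against every user.
    Returns (recovered {user: password}, number of hash operations)."""
    by_hash = {}
    for u, h in table.items():
        by_hash.setdefault(h, []).append(u)   # identical passwords collide here
    recovered, ops = {}, 0
    for cand in wordlist:
        ops += 1
        h = hashlib.sha1(cand.encode()).hexdigest()
        for u in by_hash.get(h, []):
            recovered[u] = cand
    return recovered, ops


def crack_salted(table, wordlist):
    """With salts the work cannot be shared: every candidate is re-hashed
    for every user, so cost grows as len(wordlist) * len(users)."""
    recovered, ops = {}, 0
    for u, (salt, h) in table.items():
        for cand in wordlist:
            ops += 1
            if hashlib.sha1(salt + cand.encode()).hexdigest() == h:
                recovered[u] = cand
    return recovered, ops


def slow_hash(password, salt, iterations=100_000):
    """The actual fix: salted AND slow.  Each attacker guess now costs
    `iterations` rounds instead of one SHA-1 call."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


if __name__ == "__main__":
    rec, ops = crack_unsalted(unsalted_table(USERS), WORDLIST)
    print("unsalted:", rec, "in", ops, "hash ops")
    rec, ops = crack_salted(salted_table(USERS), WORDLIST)
    print("salted:  ", rec, "in", ops, "hash ops")
```

Run as written, the unsalted attack recovers alice, bob and carol with six hash operations, and alice and carol share a hash before any cracking happens; the salted attack recovers the same three but needs twenty-four operations, and no two hashes match.  Swapping the salted SHA-1 for `slow_hash` multiplies that twenty-four by the iteration count, which is the margin a large user base actually needs.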

Read Full Post »

Documents filed in federal court regarding the January data breach of Amazon.com subsidiary Zappos.com show that the online shoe retailer’s data security team detected the cyber-intruder while the hack was in progress.  Zappos.com team members were able to cut the intrusion short before full payment card data was taken (the company said the intruder did reach customer names, e-mail addresses, billing and shipping addresses, phone numbers, the last four digits of card numbers, and hashed passwords), but the damage to its brand reputation continues to this day.  This incident highlights the tremendous obstacles Internet-based companies face when it comes to building and maintaining client confidence.  Customers feel that companies are not doing enough to protect their online personal and financial information from hackers, and that sentiment has emboldened plaintiffs’ class action attorneys to file lawsuits.

This leads to the question of “cloud integrity,” and more specifically the integrity of Amazon.com’s cloud, since that is presumed to be where the hacking incident originated.  Until ecommerce businesses can assure their clientele that personal and financial information is secure in cyber-space, the growth of the industry will be only moderately successful.  In responding to the attack, Zappos.com showed it had a team and a plan in place capable of detecting an intrusion and containing it.  Yet, with all those measures in place, customer data was still reached, and the damage to Zappos.com’s reputation may outweigh the value of whatever the hackers actually obtained.

Read Full Post »

Federal authorities have released a statement that they are looking into a report of a cyber-attack on critical infrastructure in central Illinois.  According to the report cited by the Associated Press, the hackers appear to have gained remote access to a water pump that supplies water to communities west of Springfield, Illinois, and shut it down.  Allegedly, the hackers were able to gain access to the water system using credentials stolen from a company that writes the software used to control such “industrial systems.”  The U.S. Department of Homeland Security and the Federal Bureau of Investigation have stated that at this time there is no “credible threat” to public safety.

State and federal agencies have been on the front lines of the cyber-wars, in both defensive and offensive roles, but the latest breach once again highlights the lengths to which deviant individuals will go to capture and control mission-critical information or systems.  Organizations must critically examine not only their internal policy controls but external ones as well.  Critically vetting the product, and the company supplying it, are just two of the steps an organization can take to make an informed decision (i.e., ask the question: has the product’s code ever been compromised?).  A practical corollary of this incident: a vendor’s remote-access credentials into your control systems deserve the same treatment as your own administrators’ credentials, meaning unique per customer, rotated when people leave, and not reachable directly from the Internet.

Read Full Post »

Point-of-Sale (“POS”) fraud rose last holiday season, and once again federal and state authorities are warning the public to be wary of “skimming” this holiday season.  According to the Associated Press today, 28 people were indicted in New York for running an ID-theft ring in which waiters at high-end restaurants were recruited to swipe patrons’ credit cards through handheld skimming devices that copied the card data.  The stolen card information was then used to purchase luxury merchandise from well-known retailers.  Though the victims were not held responsible for the items purchased, the banks and insurance companies will undoubtedly pass the losses from the fraud back to customers via fees and other miscellaneous charges.

Read Full Post »
