Thursday, February 27, 2014

We Are the Weakest Link!


What do Facebook, Twitter, Microsoft, Apple, NBC, Evernote, TJ Maxx, Snapchat, Kickstarter, Skype, Target and Neiman Marcus have in common… with thousands of other small to middling to huge organizations (including the United States government)? They’ve all been hacked! Sometimes the intrusion is minor… and sometimes the release of credit card and personal information can be devastating to massive numbers of individual victims or a hard slam to our national security priorities. Edward Snowden anyone?
“‘These days, criminal hacking is a business,’ Patrick Thomas, a security consultant at Neohapsis, [says] ‘Everything that is done has a chain linked to real dollars. And hackers are looking for the shortest chain.’… Sometimes, that entails stealing credit card numbers directly. Other times, it's selling user emails and passwords en masse on the deep web. Whether it involves an SQL [Structured Query Language, a data management program] injection or, in the case of Snapchat, the exploitation of faulty script [an error in the underlying code], these recent incidences again beg the question: Why do major Internet companies keep getting hacked? Shouldn't we have learned our lesson by now?” FastCompany.com, February 24th.
In many cases, we are dealing with programming superstars with malevolence on their minds. They spend endless hours “data scraping,” or searching programs for entry-points, programming errors or, as noted above, injecting their own disruptors and deflectors into the existing code in data systems and online financial programs. But so many of the problems derive from the world of human error. When new software programs are released to the public, beyond the initial beta testing that is pretty routine, everyone expects problems. We are all familiar with the litany of patches and updates that follow as the selling company discovers all the little glitches (some not so little) in the millions and millions of lines of code embodied in the new release.
Imagine building cars that way. We rush to get the vehicles to market, and as people crash and burn on the highway, we issue patches and updates! Sure there are recalls, but they are considered extraordinary remedies, since there are rather stringent government tests required for any vehicles licensed for sale in the United States. Clearly, no parallel program exists for software. Why?
“One reason: Human beings are still the weakest link in the aforementioned chain to real dollars. ‘Humans can't be upgraded,’ says security blogger Graham Cluley in a phone conversation. ‘You can't fix the bug in people's brain that makes them click a link, or choose a really dumb password.’
“Take the recent Target hack, which leaked the personal data of 110 million customers. The breach reportedly began as an email-based phishing scheme. Although the retailer's consumer-facing website is well defended, hackers were reportedly able to gain access into Target's corporate network by using stolen authentication credentials from a subcontractor that dealt primarily in air conditioning. Someone in that subcontractor's office clicked something bad.
“You can hardly blame them, though. Social engineering attacks over email have been refined to a point that they're, at first glance, unremarkable. They're now built to ‘sail right through spam filters,’ explains Thomas. ‘It might look professional and well worded. It might use words from your business. It might even look expected.’” FastCompany.com. And damned fool people open these phishing expeditions, often responding and even providing the requested information without giving it a second thought.
And software engineers love all the cool new bells and whistles of their work… Security isn’t part of that new cool. “While the human element is an inescapable part of our hacking vulnerability, the other, equally messy part of the equation is that security is rarely a priority for the companies actually building software. Developers would rather ship a product fast than spend time testing a product for potential risks… ‘The bigger problem is that security is just not top of mind for most developers,’ says Chris Eng, vice president of research at Veracode. ‘It's not something that has worked its way into a product's life cycle.’” FastCompany.com
So add a dollop of common sense and a dash of skepticism to your online presence and your use of software (especially the newest additions to your system). Love apps for your phone? So do hackers! Make sure you have the latest (and continuously updated) malware protection and a firewall, and make sure they are on and operational. Change your passwords regularly, adding a bit of complexity and unpredictability to your choices. Check your credit card statements carefully. And hold on, nothing is going to make this an easy and ultra-safe ride! There are a whole lot of nasty people out there who want your money… and your most private information.
I’m Peter Dekom, and individual cyber-security does require some localized individual responsibility.