Now that we have wrapped up 2014, I thought I would share some thoughts on what we’ve learned and predict what it means for all of us who use technology on a regular basis. And in today’s world, adding the phrase “who use technology on a regular basis” is superfluous. We all now are tied to technology in ways we never imagined. It doesn’t matter if you use a smartphone or if you have a Facebook account or a Twitter handle or send text message or use a computer. You may not have or use any of these things. Nonetheless, your life is completely documented and wrapped up in technology. Just about every business you touch is keeping some record on you on systems that are in some way, shape, or form connected to the Internet. And every level of government now maintains information on you on systems that are connected to the Internet.
Four top stories from 2014 mold my thoughts on 2015 and beyond: Target, Heartbleed, Sony, and Michael Brown. The first three probably make a lot of sense, but the last one is equally important as you will soon see. There are many, many other stories from this past year that could be referenced, but these four give us a broad overview of the challenges we face in our electronically connected lives. And just in case you spent most of 2014 in a cave up in the mountains without any outside communication, I’ll give a brief summary of each of these as I go along.
Target Credit Card Hack
The Target incident was the theft of 40 million credit card numbers, as well as lots of other personal information, in late 2013; the details of this theft emerged in 2014. In this instance, hackers installed malware in the retail stores’ Point-of-Sale system. When a customer had their credit card swiped in making a purchase, the malware captured the credit card number and stored it on one of Target’s servers, where the numbers were later retrieved by the hackers. Every single credit card used in a Target store between November 30, 2013 and December 15, 2013 was stolen. Target’s data security system, installed six months earlier, recognized that there was a breach on November 30th and again on December 2nd, but the alerts were missed or ignored. Target eventually learned of the breach through federal investigators. Similar large-scale breaches occurred at Neiman Marcus, Michaels and Home Depot and small-scale breaches are occurring every single day.
Heartbleed Security Vulnerability
The Heartbleed story broke in April, revealing a significant and serious vulnerability that remained undetected for more than two years after being accidentally introduced by a programmer. Heartbleed was a flaw in certain versions of OpenSSL, a popular web traffic cryptographic software library. OpenSSL encrypts the data traffic to and from your browser to a website. The flaw allowed another user to request chunks of data that may include encryption keys, passwords and credit card numbers from the Web server. It was also impossible to detect that the flaw was exploited. The great majority of websites with this vulnerability were fixed within a few days, but thousands of sites still have this vulnerability. In this case, a company could have been doing everything right, still had information stolen, and never been aware of the theft.
Sony Pictures Hack
The Sony hack is the biggest hacking story ever. In this case, Sony Pictures Entertainment had just about every piece of their electronic data stolen including, passwords, employee social security numbers, salaries, emails, lists of employees with health issues, and unreleased films. Sony Pictures’ computer systems were down for approximately 1 week. Much of the data was released and posted on websites around the Internet. The hacking group identified themselves as the Guardians of Peace. Some security experts, including some associated with the US Government, believe that North Korea was behind the breach and did so as result of their displeasure of the upcoming release of the movie “The Interview,” which was scheduled for full release on Christmas Day. Further threats by the Guardians of Peace eventually led to a large-scale pullback on the release of the movie, mostly fueled by fears from the movie theaters scheduled to show the movie. Promotional tours by the stars of the movie were canceled. The breadth and depth of the data breach is hard to fathom. More recent stories are now pointing to an insider job and this makes much more sense to me.
Ferguson and How the Internet Reacted
This brings us to the single biggest news story of 2014 — the shooting death of Michael Brown in Ferguson, Missouri on August 9th, which led to widespread unrest across the country. The coverage of the story became a big part of the story. Twitter became a constant source of information on events happening across the country and included lots of misleading and wrong information, all of which continued to add fuel to the fire. The hacker collective Anonymous got involved in the story, promising to bring justice on behalf of Michael Brown by means of information warfare and beginning with an identity theft attack on Ferguson officials and their families. One of the first victims were the parents of the mayor of Ferguson. The Mayor’s parents had bank accounts compromised and addresses and passwords changed. $16,000 in bank checks were sent from these accounts to an address in Chicago in the name of the Police Chief of St. Louis County, apparently to make it look like corruption existed within the police department. Many officials in Ferguson and St. Louis County became victims of around-the-clock identity-theft crimes. The Mayor’s parents signed up for LifeLock which did help slow down the barrage, but then someone broke into their LifeLock account and disabled it. When the Mayor’s parents called LifeLock they learned that they were locked out of their own account. Ferguson was a much bigger story because of the Internet. Additionally, the Internet became the attack vehicle for many associated with the story.
What’s to learn?
So, then, what do we learn from all of this? First, for all of the convenience that has come about as a result of living in an electronically-connected world, we’ve also introduced a entire new universe of problems and I do not think these problems are going away anytime soon. Every business is at risk and every person is at risk.
- There’s no such thing as perfect security. It doesn’t exist. When someone asks if we can guarantee with 100% certainty the integrity of their systems, I just say “no.” And anyone who does claim it is either naive or lying. If someone wants in bad enough, they’re going to get in. We should do everything possible to prevent break-ins and compromises, but we also must assume they will happen and have procedures and systems in place to help with recovery.
- On a personal level, assume that everything is at risk. Be diligent in password management. Keep anti-virus software up-to-date on all computers. Review credit card transactions regularly. You’ll almost certainly have to use the web to do this. Waiting for a statement to show up in the mail is too late. Turn on credit card alerts if your credit card provider has them. I get an email each and every time my card is used and I generally get it within 2 minutes of the purchase taking place. Consider using a credit monitoring service. Use PayPal or Google Wallet if you don’t know much about a merchant you’re about to use on the Internet. PayPal and Google Wallet are not perfect, but they’re much less vulnerable to theft than credit cards. If you are not completely certain about an Internet transaction you’re about to make, just don’t do it.