My son’s second floor apartment in Chicago was ransacked while he was in Austin for the holidays. Thieves climbed up and kicked in the patio door. It’s a grim reminder of the disconnect between our sense of security and its fragile reality. A locked door is nothing to a determined intruder, and who among us is protected by more than a thin pane of glass? Our optimistic efforts at security merely serve to stave off opportunistic threats of the sort that move on to easier pickings when a door is locked or the lights on. The rest is mostly luck.
In the context of data breach, I laugh when companies attribute data breaches to “ultra-sophisticated attacks.” In truth, most intrusions stem from simple vulnerabilities like compromised passwords and unpatched exploits. The victims left the doors unlocked and packages on the porch. Corporations–particularly banks and brokerage houses–aren’t going to admit their systems are so vulnerable that any determined burglar can jimmy the locks. Loathe to confess they fell prey to the bungling burglars from “Home Alone,” companies blame Lex Luthor.
But here’s a refreshing exception to the Lex Luthor Lie: Last night, the New York Times reported that, “The computer breach at JPMorgan Chase this summer—the largest intrusion of an American bank to date—might have been thwarted if the bank had installed a simple security fix to an overlooked server.”
Left shorthanded by a spate of employee departures, JPMorgan Chase’s security team reportedly failed to upgrade a segment of the network to dual-factor authentication–meaning any web surfer with a password could get in and roam around. And roam they did, gaining high-level access to more than 90 of the giant bank’s servers.
Fast forward to the headline-making Sony Pictures hack—what some appallingly call “Hollywood’s 9/11.” Sure, it’s attributed to North Korean hackers; but, it wasn’t necessarily the work of sophisticated North Korean hackers. One recent report makes the case that the Sony hack was anything but the “unique”, “unprecedented” and “undetectable” event Sony’s CEO suggests. If there’s truth to the claim that the intruders spirited off some 100 terabytes of data, that staggering haul suggests weeks or months of unbridled access. The Sony burglars didn’t just kick in the door; they set up housekeeping and hung curtains!
Next time you hear a data breach was the work of “sophisticated hackers availing themselves of zero-day exploits,” take it with a grain of salt. The likelihood is that they entered using a default password or an insecure authenticator like “sonyml3,” the password revealed as that of Sony CEO, Michael Lynton (ml).
Hmmm. Maybe the North Koreans could have spared us “The Green Hornet,” if they’d had “sonyml1” or “sonyml2.” Kimchi for thought.
Celia C. Elwell, RP said:
Reblogged this on The Researching Paralegal and commented:
Why strong, and regularly changed, passwords are more than a good idea. -CCE
Pingback: A Simple Breach | @ComplexD
Michael Carbone said:
Great post as always, and Happy Holidays!
Howard Feldman said:
Great post, but I’m sorry about your son. Happy holidays Craig!
Beyond “default password(s) or an insecure authenticator(s)” as virtual engraved invitations to hack, even LOWER-tech brain eructations like dumpster-diving, entry-door piggybacking and Sharpie-scribbled PIN’s on ATM cards deserve mention. Lack of (employee) attention to physical security of access to information is rampant in many companies who might pursue wasteful investigation of “sophisticated hackers availing themselves of zero-day exploits” or more mundane cyber-gaffes, when the open door is in the LOBBY, not the firewall.
Pingback: Hackability | Cancer Chronicles