The days of newscasters fretting that the entire Internet might be shut down by a simple (but effective) computer worm are over, but that doesn’t mean online security is no longer a worry. Threats have become more complex and, worse, are now coming from places that most would never expect – like the government. Here are 5 hard lessons we learned about online security in 2013.
The Government Is Watching You…
The biggest computer security talking point of 2013 was, of course, the revelation that portions of the United States government (primarily the National Security Agency) have been spying on citizens without restraint.
According to documents leaked by former NSA contractor Edward Snowden, and reinforced by other sources like former NSA official William Binney, America’s intelligence services have access not only to phone records and social networking metadata but can also tap into a wide range of services, including cell phone calls, emails and online conversations, either through direct wire-tapping or by serving secret warrants.
What does this mean for you? That’s hard to say, because the NSA insists the program is a national security secret. While whistleblowers have pointed out that the size of the NSA’s data centers implies the government is recording and keeping a fairly large volume of video and audio data, there’s no way to know for sure what has been recorded and stored so long as America’s spymasters continue to stonewall the public.
The disturbing conclusion is that there’s nothing you can do to ensure your privacy, because the extent to which it can be compromised, and how it might be compromised, is only half-known.
…And So Is Everyone Else
The government isn’t the only party interested in spying on people. Individuals can also make use of covert video or audio taken from a victim’s computer. Often it has less to do with fraud than with pranks and porn, though the two can converge.
The underground world of watching unsuspecting victims, called “ratting” (after the remote access trojans, or RATs, it relies on), was brilliantly exposed in an article from Ars Technica. Though turning on a person’s webcam and remotely recording them is often thought of as hacking, it can now be accomplished with relative ease using programs with names like Fun Manager. Once a ratting client has been installed on a victim’s PC, ratters can tap in and see what’s happening.
Often, “what’s happening” directly translates to a chance to see unsuspecting women with their clothes off, though the software can also be used to play pranks like randomly opening disturbing images to see the victim’s reaction. In the worst cases, ratting can directly translate to blackmail, as the ratter captures embarrassing or nude images of a victim and then threatens to release them if they’re not paid a ransom.
Your Passwords Still Aren’t Secure
Password security is a common worry, and for good reason. So long as a single string of text is all that stands between the world and your bank account, keeping that text secret will be of utmost importance. Unfortunately, the companies that ask us to log in with a password aren’t as concerned, and are losing them at an alarming rate.
This year’s major breach came courtesy of Adobe, which lost over 150 million passwords in a huge attack that also (according to the company) allowed attackers to make off with source code for software still in development and steal billing information for some customers. While the passwords were encrypted, they were encrypted rather than hashed, with an outdated cipher in a mode (ECB) that gives identical passwords identical ciphertext, and with the same key for every account. The users’ password hints were stored next to them in plain text. Which means that decoding them was far easier than it should have been: anyone holding the dump could group accounts by stored value and read the hints for each group without ever recovering the key.
While similar breaches have happened before, Adobe’s is the largest in terms of the number of passwords lost, which shows that there are still companies that don’t take security seriously. Fortunately, there’s an easy way to know if your password data was breached; just go to HaveIBeenPwned.com and enter your email address.
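To make the Adobe lesson concrete, here is an added example (not code from the original article or from Adobe) that contrasts the two storage designs. The constructed user records and hints are made up. One assumption is flagged in the code: because the Python standard library has no 3DES, a deterministic keyed hash with a single site-wide key stands in for the block-cipher-in-ECB-mode storage; it shares the property that matters for the attack, namely that equal passwords yield byte-for-byte equal stored values. The second half shows the corrected design, a per-user random salt with a slow password hash (PBKDF2-HMAC-SHA256 here), which makes the clustering trick impossible.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Constructed sample user records: (username, password, password hint).
# These are made-up examples, not rows from the Adobe dump.
USERS = [
    ("alice", "123456", "numbers"),
    ("bob", "123456", "one to six"),
    ("carol", "123456", "the usual"),
    ("dave", "hunter2", "aim"),
    ("erin", "correct horse", "xkcd comic"),
]

# One key shared by every account (the Adobe-style mistake).
SITE_KEY = b"one key for every account"


def weak_store(password: str) -> bytes:
    """Deterministic, unsalted, same key for everyone.

    Assumption: this keyed hash stands in for Adobe's block-cipher-in-ECB-mode
    storage. The property the attack needs is shared: two users with the same
    password get exactly the same stored value.
    """
    return hmac.new(SITE_KEY, password.encode(), hashlib.sha256).digest()


def cluster_weak_store(records):
    """Group users by stored value and collect their plaintext hints.

    An attacker holding the dump can do this without the key: the biggest
    cluster is the most common password, and its hints give it away.
    Returns a list of (stored_value, [(user, hint), ...]) sorted by size.
    """
    clusters = defaultdict(list)
    for user, password, hint in records:
        clusters[weak_store(password)].append((user, hint))
    return sorted(clusters.items(), key=lambda kv: len(kv[1]), reverse=True)


def largest_cluster_hints(records):
    """Hints attached to the most common stored value."""
    _, members = cluster_weak_store(records)[0]
    return [hint for _, hint in members]


# --- the corrected design: per-user random salt + slow password hash -------

PBKDF2_ITERATIONS = 100_000  # raise as hardware gets faster
SALT_LEN = 16


def hash_password(password: str, salt=None) -> bytes:
    """Return salt || PBKDF2-HMAC-SHA256(password, salt).

    No site-wide secret, nothing reversible, and because the salt is random
    per user, equal passwords produce different stored values.
    """
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt + digest


def verify_password(password: str, stored: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def strong_store_has_collisions(records) -> bool:
    """With salting, even the three identical passwords must differ in storage."""
    stored = [hash_password(p) for _, p, _ in records]
    return len(set(stored)) != len(stored)


if __name__ == "__main__":
    for value, members in cluster_weak_store(USERS):
        print(value.hex()[:16], [u for u, _ in members], [h for _, h in members])
    print("collisions with salted hashing:", strong_store_has_collisions(USERS))
```

Run stand-alone, the script prints the weak store clustered by stored value, with "123456" showing up as a three-member group whose hints ("numbers", "one to six", "the usual") make the password obvious, followed by a confirmation that the salted store has no collisions at all. The same clustering step is what made the real dump so easy to mine even though the key was never recovered.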
Hacking Is A Business
As computers have become more complex, criminals looking to use them as a means to make an illegal profit have also become more sophisticated. The days of a lone hacker brazenly releasing a virus just to see what happens appear to be over, replaced by groups that work together to make money.
One example is Paunch, a hacker in Russia who headed sales of an exploit kit known as Blackhole. The kit, created by Paunch and several co-conspirators, owed part of its success to clever business tactics. Rather than trying to develop exploits on their own, Paunch’s group purchased them from other hackers. These were then added to the kit, which was sold as a subscription for $500 to $700 per month. A portion of the profits was re-invested into buying even more exploits, which made Blackhole even more capable.
This is how any business works. A product is developed and, if successful, part of the profit is re-invested to make the product better and, hopefully, attract even more business. Repeat until rich. Unfortunately for Paunch, his scheme was eventually tracked down by Russian police, and he is now in custody.
Even Your Social Security Number Is A Few Clicks Away
The existence of botnets has been known for some time, but their use is often associated with relatively simple but massive attacks, like denial of service or email spamming, rather than data theft. A team of teenage hackers in Russia reminded us that botnets can do more than fill our inboxes with Viagra advertisements when they managed to plant their bot malware on servers inside major data brokers (like LexisNexis) and steal volumes of sensitive data.
This resulted in a “service” called SSNDOB which sold information about United States residents. The price? Only a couple of bucks for a basic record and up to $15 for a full credit or background check. That’s right: if you’re a U.S. resident, your social security number and credit information could be obtained for less than the price of a meal at The Olive Garden.
And it gets worse. In addition to storing information, some data brokerage companies are also used to authenticate it. You may have run across this yourself if you’ve ever tried to apply for a loan only to be greeted by questions like, “What was your address five years ago?” Since the data brokers themselves were compromised, the thieves held the very answers those questions rely on, so such questions could be answered with ease.
2013 hasn’t been a great year for online security. In fact, it’s been a bit of a nightmare. Government spying, stolen social security numbers, webcam blackmail by strangers; many imagine these as worst-case scenarios that could only occur in the most extreme circumstances, yet this year proved all of the above possible with surprisingly little effort. Hopefully, 2014 will see steps taken to resolve these glaring problems, though I personally doubt we’ll be so lucky.