Published in Editorials

After 30 Years of "Hacking" Data Security Has Not Changed Much

26 July 2013

Data security (and privacy) has been in the news a lot lately, as if it were a new and troubling issue. In fact this has been a major topic of discussion going back to the mid-1980s, when the first consumer-available modems hit the market. This started the practice of war dialing, where phone phreaks would dial random numbers to see if any would answer to their computers. One of the more famous phone phreaks is none other than Steve Wozniak, co-founder of Apple Computer. These are the guys that pioneered the hacking scene (and in some cases the piracy scene as well). Back then security was primitive and usually consisted of nothing more than a login and a password. Fast forward more than 30 years and the security of some places is little better than what it was back in the war dialing days.


The biggest difference between then and now is the sophistication and intent of the guy on the other end. In the '80s and '90s the idea was primarily just to do it; the majority of the players gave little thought to malicious intent. This is not to say there were no bad guys out there looking to make some money or do damage, just that it was not the primary goal. You also had a massive difference in the level of hardware that a single person could bring to bear against large targets. Now a single person can control a massive distributed compute monster and pound away at the walls of the fort. Even without some of the larger botnets out there, a single person can deploy a rather staggering amount of compute power right in their own home by building arrays of GPUs and letting them do the heavy lifting.

On top of all of this, many companies are not willing to put in the money required to maintain proper network security (which is an expensive task). In 2012 alone there were more than 365 breaches, meaning that at least once per day a company was successfully attacked and its defenses penetrated. In most of these cases no user data was stolen (which is why very few were reported), but that was not always the case. In roughly half, some user or corporate information was compromised. In most of those cases the companies involved claimed that the data was encrypted and that there was no cause for concern.

Now, remember how we said that companies do not want to spend the money needed to maintain proper security (there is no such thing as complete security)? Well, that ever so tiny issue also pertains to the encryption. Over the years encryption standards have changed as the "bad guys" have found ways to crack them. This means that companies have to adapt and change the encryption standards they use. A good example of a company that got bit by this is LinkedIn. They were using MD5 to hash their users' passwords and after a breach found that this was no longer any form of protection. MD5 is now very old and it was actually cracked more than 10 years ago, making it a very bad choice of protection in the first place. Of course there was more to the issue with LinkedIn than just a bad choice of algorithm: they also did not salt the hashed passwords (adding random characters to the password before hashing, so that two users with the same password do not end up with the same stored value).
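As an added illustration (not from the original editorial, and not LinkedIn's actual code) of why an unsalted MD5 store fails and what a per-user salt plus a deliberately slow hash buys, using a constructed three-account store in which two users picked the same password:

```python
import hashlib
import secrets

# Constructed sample accounts (not real LinkedIn data); alice and bob share a password.
USERS = {"alice": "Password1", "bob": "Password1", "carol": "hunter2"}

def unsalted_md5(password: str) -> str:
    """The weak scheme: one deterministic MD5 digest per password, no salt."""
    return hashlib.md5(password.encode()).hexdigest()

def salted_pbkdf2(password: str, salt: bytes, iterations: int = 100_000) -> str:
    """Per-user random salt plus an iterated hash (PBKDF2-HMAC-SHA256).
    Salt and iteration count are stored with the digest so it can be verified later."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def verify_pbkdf2(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return secrets.compare_digest(dk.hex(), dk_hex)

def build_md5_store() -> dict:
    return {user: unsalted_md5(pw) for user, pw in USERS.items()}

def build_pbkdf2_store() -> dict:
    return {user: salted_pbkdf2(pw, secrets.token_bytes(16)) for user, pw in USERS.items()}

def duplicate_digest_count(store: dict) -> int:
    """Users sharing a password show up as identical stored values only when unsalted."""
    return len(store) - len(set(store.values()))

def precomputed_lookup_hits(store: dict, wordlist) -> int:
    """Audit check: with unsalted MD5, a digest table built once from a wordlist matches
    every affected account in a single lookup; a salted store cannot be checked this way."""
    table = {unsalted_md5(word) for word in wordlist}
    return sum(1 for digest in store.values() if digest in table)

if __name__ == "__main__":
    md5_store, pbkdf2_store = build_md5_store(), build_pbkdf2_store()
    print("unsalted MD5 duplicates:", duplicate_digest_count(md5_store))
    print("unsalted MD5 wordlist hits:", precomputed_lookup_hits(md5_store, ["Password1", "letmein"]))
    print("salted PBKDF2 duplicates:", duplicate_digest_count(pbkdf2_store))
    print("alice verifies:", verify_pbkdf2("Password1", pbkdf2_store["alice"]))
```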

It is not surprising to find that most corporations operate 5-8 years behind current technology. Yes, this is not a made-up number; it is rare that companies look to make changes as soon as they hit the street. There are a number of reasons for this (some very valid), including the need to make sure that all internal applications will work with the new software (or appliance). Sadly these are not the usual reasons why something is not done. Typically it is because when the purchase order for the new hardware or software comes in, someone in accounting says it is too much to spend. They want to push it to the next budget cycle or next year. This leaves many companies in a state of vulnerability that is unacceptable.

This is why we are rarely surprised when a major breach happens or we hear about another country breaking into a government contractor's network. Security at these levels is simply not where it should be. There is no compulsion to bring it to the level it needs to be, either, as companies are allowed to weigh risk vs. loss and make judgment calls about protecting user information (including banking) on that basis instead of on the driving principle of keeping their users' information safe. To further complicate matters, US law enforcement seems much more interested in tracking down all of those dangerous pirates that threaten the copyright lobbies' business model than in looking for the real thieves that are stealing millions from average citizens every day.

Maybe corporations should stop spending so much on lobbying to change laws and start spending money on actually protecting the data they are entrusted with. I know, I know, how dare anyone suggest something as radical as that.



Last modified on 26 July 2013