In the news lately, there have been reports about the theft of contact information, user names, passwords and account numbers from a myriad of companies. From LinkedIn to Sony to VeriSign, companies are falling prey to cyber thieves who quietly steal millions of pieces of data. Unlike bank heists or muggings, these thefts occur in cyberspace, without guns or masks. Yet the consequences can be just as damaging and costly to the companies and their customers as an old-fashioned burglary, and there may be even greater consequences to society at large. Attackers target whatever digital information can be resold or reused: credentials, card numbers, customer records and intellectual property. The first step is to understand that no company is either too ‘big’ or too ‘smart’ to be attacked. Cyber-security is becoming increasingly important to every company, and perhaps even to national security. The second step for companies and individuals is to be vigilant and to implement ever more sophisticated security measures. Let’s start by reviewing the most recent cyber attacks to determine what can be learned.
A week or so ago, LinkedIn confirmed that a cache of passwords had been stolen by a hacker. Reportedly, the hacker accessed LinkedIn’s servers and uploaded (a euphemism for stole) 6,458,020 password hashes. LinkedIn had stored its users’ passwords as unsalted SHA-1 hashes (a hash is a one-way function that turns a password into a fixed-length fingerprint), which proved insufficient. LinkedIn said it immediately changed the passwords of all affected accounts. Supposedly, the stolen hashes did not include usernames. But even without the usernames, the hashes are far from useless: a hash cannot be run backwards, but because no per-user salt was used, an attacker can take a list of likely passwords, hash each one once, and compare the results against all 6.4 million stolen hashes at the same time. Common and short passwords fall to such dictionary and brute-force attacks within hours. The recovered passwords will also be added to the wordlists that cracking and account-takeover tools run against other sites. Thus, LinkedIn users whose hashes were stolen have had their security seriously compromised… and not just on LinkedIn. After all, most people use the same username and password on multiple sites.
LinkedIn users will know if theirs was one of the affected accounts when they try to log in, because their password will no longer be valid. Affected members will receive an email from LinkedIn, like the one below. Note that the genuine email contains no links; any message that asks you to click a link to reset your LinkedIn password should be treated as phishing.
Unfortunately, this attack was not a fluke. The same hacker who stole the LinkedIn passwords also broke into an online dating site, stealing 1.5 million password hashes. That site had stored its passwords using MD5, another fast hash function (not an encryption scheme), which is equally easy to attack by guessing. The hacker posted the data on an underground web forum. As with the LinkedIn leak, usernames were supposedly not attached to the passwords, but the information is probably available to the hackers who obtained the list and possibly to others on underground forums. The dating site said it immediately reset passwords.
It is a mistake to think that what happens at LinkedIn or some dating website cannot happen at major, reputable retailers, banks, manufacturers and financial institutions. Here are just a few of the most recent incidents. About two weeks ago, The Hacker News reported that a group hacked computer manufacturer Acer Europe server and stole sensitive information. They posted a screenshot of the data reportedly collected which included the personal information of 40,000 customers, including their names, addresses, phone numbers, e-mail addresses, and the names of products they had purchased.
Microsoft’s online store in India was recently hacked. The virtual thieves, allegedly belonging to a Chinese group called Evil Shadow Team, struck in February 2012, stealing login IDs and passwords of people who had shopped for Microsoft products on the site. It is hard to decide what is more troubling about that particular theft… that the hackers were able to breach a website operated on behalf of one of the biggest IT companies in the world… or that user details, including login IDs and passwords, were reportedly stored in a plain text file without any hashing or encryption.
Electronics giant Sony has been hacked twice this year. In April, hackers launched a sophisticated attack against Sony’s PlayStation Network and Qriocity services. The hackers also breached Sony Online Entertainment. After discovering the breach, Sony had to take the services down. More alarming, though, is that Sony reported that the personal information of over 100 million users had been exposed. That makes LI’s hacking seem small in comparison. Sony reassured users that their credit card data was encrypted. Since then, Sony indicated that no identity theft has been reported because of the breach.
Then two weeks ago, an organization posted links on Twitter to data stolen from Sony’s internal networks and from the networks of Sony Pictures, Sony Music Belgium, and Sony Music Netherlands. They claimed to have obtained over 1 million users’ personal information, including passwords, e-mail addresses, home addresses, dates of birth, and all Sony opt-in data associated with their accounts. They also compromised 75,000 ‘music codes’ and 3.5 million ‘music coupons.’ The group claimed the data was not encrypted and had been left for the taking. So months after the first attack, Sony still had unencrypted customer data on its servers.
This month, Google also announced that it had “detected and disrupted” a phishing campaign aimed at Gmail accounts. The attempt sought to steal the passwords of hundreds of Gmail users, including senior U.S. government officials, by luring them to fake login pages rather than by breaking into Google’s servers. Google said it believed the campaign originated in Jinan, China. That attack does not appear to have been economically motivated, showing that cyber-theft can be driven by a desire for political as well as financial gain.
In February, 2012, Reuters reported that numerous publicly-traded companies had failed to disclose recent hacking incidents to investors even though the SEC last year urged publicly traded companies to begin disclosing such incidents. Publicly-traded U.S. companies whose computers were infiltrated by cyber criminals in the last 6-8 months include defense contractor Lockheed Martin (which experienced a “significant and tenacious” cyber attack on its networks), Internet infrastructure company VeriSign Inc., credit card and debit card transaction processor VeriFone Systems Inc., defense and technology firms Mantech International Corp. and CACI International, Inc., Sikorsky Aircraft, Pentagon contractor Northrop Grumman Corp., Juniper Networks Inc., which makes gear for routing Internet traffic, and computer chip-maker Intel Corp.
Corporate Security Measures
What lessons can we glean from these recent data hijacks? First, companies must increasingly focus on data security. Vulnerable data is not restricted to online accounts or online activity. Any data – from tax records to loan files to financial documents to personnel records – can be stolen if it is stored on a server that is reachable from the Internet. It behooves companies to be increasingly vigilant about how they store data, including confidential documents, account numbers, user names and passwords. It should go without saying that storing passwords as plain text, or as a single unsalted SHA-1 or MD5 hash, is not enough. Passwords should be hashed with a unique random salt per user, so that identical passwords produce different hashes and an attacker must attack each account separately, and with a deliberately slow function (such as bcrypt, scrypt or PBKDF2 with a high iteration count) so that each guess costs the attacker real time. Salting alone, with a fast hash like SHA-1, only removes the shortcut of attacking every user at once; it does not stop a determined attacker from guessing one user’s weak password.
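To make the hashing point concrete, here is an added example (written for this post; it is not code from LinkedIn, the dating site, or the original article). It stores a few constructed, made-up passwords the way the breached sites reportedly did (one unsalted SHA-1 or MD5 digest), runs a small dictionary attack against them, and then stores the same passwords with a per-user random salt and PBKDF2, which defeats the one-lookup-for-everyone shortcut. The wordlist and the iteration count are assumptions chosen for the demo; real cracking wordlists hold hundreds of millions of entries.

```python
import hashlib
import hmac
import os

# Constructed sample passwords for the demo. These are NOT real leaked credentials.
SAMPLE_PASSWORDS = ["linkedin", "password1", "sunshine", "Tr0ub4dor&3"]

# A tiny constructed wordlist standing in for the huge lists crackers actually use.
WORDLIST = ["123456", "password", "linkedin", "password1", "qwerty", "sunshine", "letmein"]

# Assumed work factor for PBKDF2; raise it as hardware gets faster.
PBKDF2_ITERATIONS = 200_000


def unsalted_hash(password, algo="sha1"):
    """Hash the way the breached sites reportedly did: one fast digest, no salt.
    Every user who picks the same password gets the same hash."""
    return hashlib.new(algo, password.encode("utf-8")).hexdigest()


def crack_unsalted(leaked_hashes, wordlist, algo="sha1"):
    """Offline dictionary attack against unsalted hashes.

    Each wordlist entry is hashed exactly once; that single digest is then
    compared against every leaked hash at no extra cost. Returns a mapping of
    leaked hash -> recovered password for every hash found in the wordlist."""
    lookup = {unsalted_hash(word, algo): word for word in wordlist}
    return {h: lookup[h] for h in leaked_hashes if h in lookup}


def hash_password(password, salt=None):
    """Hardened storage: 16-byte random salt per user plus PBKDF2-HMAC-SHA256.
    Returns (salt, digest); both must be stored, neither is secret on its own."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt, digest


def verify_password(password, salt, stored_digest):
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored_digest)


def crack_salted(records, wordlist):
    """The same dictionary attack against salted PBKDF2 records.

    `records` is a list of (salt, digest) pairs. Because every user has a
    different salt, each candidate word must be re-hashed for every user, and
    each of those hashes costs PBKDF2_ITERATIONS rounds instead of one."""
    recovered = {}
    for index, (salt, digest) in enumerate(records):
        for word in wordlist:
            if verify_password(word, salt, digest):
                recovered[index] = word
                break
    return recovered


def demo():
    """Run both scenarios and return a summary a reader can inspect."""
    leaked = [unsalted_hash(p) for p in SAMPLE_PASSWORDS]
    cracked_fast = crack_unsalted(leaked, WORDLIST)

    # Same passwords, stored properly: one (salt, digest) record per user.
    records = [hash_password(p) for p in SAMPLE_PASSWORDS]
    cracked_slow = crack_salted(records, WORDLIST)

    return {
        "unsalted_sha1_cracked": sorted(cracked_fast.values()),
        "hash_ops_unsalted": len(WORDLIST),
        "hash_ops_salted": len(WORDLIST) * len(records) * PBKDF2_ITERATIONS,
        "salted_pbkdf2_cracked": sorted(cracked_slow.values()),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Notice that the weak passwords are still recovered in the salted run: salting and a slow hash raise the attacker’s cost per guess (here by a factor of the number of users times the iteration count) but cannot rescue a password that is in every wordlist. That is why the corporate fix and the individual advice below go together.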
Savvy companies can leverage this issue to their benefit. By investing in state-of-the-art cyber security systems, companies can market their security as a key benefit. As more hackers wreak havoc by using stolen information, customers will increasingly value companies that offer maximum data security.
Individual Security Measures
Customers, however, cannot sit back and leave it to companies to stay ahead of the hackers in protecting their personal data. The onus for security is shared by companies and their customers. In addition to security measures that companies should implement to keep customer data safe, there are things individuals can do as well to keep hackers out.
1. If you are a LinkedIn user, change your password. If you also use the same login/password combination for any other sites, change your password on those sites as well.
2. Create stronger passwords. Length matters more than clever substitutions: a long passphrase of several unrelated words resists guessing far better than a short word with a digit or symbol tacked on. Don’t use your birthday, home address, pet’s name or other details easily related to you, and avoid anything that appears in a dictionary, since those are the first guesses a cracking tool makes.
3. Change the password on your account every few months, and immediately whenever a site you use reports a breach.
4. Do not use the same user name and password for every website.
5. Have security software installed on personal and company computers and networks.
6. Maintain current software and updates.
7. Never share passwords or passphrases.
8. Never click on random links.
9. Do not download unknown software off the Internet.
10. Do not pass on hoaxes or chain emails.
11. Log out / lock your computer any time you walk away.
12. Shut down lab / test computers.
13. Remove unnecessary programs.
14. Frequently back up important files.
15. Treat sensitive data carefully, only storing information that is absolutely necessary.
16. Remove (don’t just delete) data securely. A deleted file is only unlinked from the directory; its contents remain on the disk until they are overwritten, so use a secure-erase tool, or keep the drive encrypted so that discarded data is unreadable without the key.
17. Use data encryption when possible: full-disk encryption on laptops and removable drives, and encryption of sensitive files and backups before they leave your control.
As technology continues to invade every aspect of life, security will become increasingly important. Following best practices now will help companies and individuals to avoid being a victim of a cyberattack.
Quote of the Week
“Every society, all government, and every kind of civil compact therefore, is or ought to be, calculated for the general good and safety of the community.” George Mason
© 2012, Written by Keren Peters-Atkinson, CMO, Madison Commercial Real Estate Services. All rights reserved.