Category: Breaches and Other News

Hacker ≠ Criminal!

Whenever a news story breaks about information security (usually a radically bad FAILURE thereof) then “security researchers” or “consultants” get trotted out by the media to give expert soundbites.  David Kennedy was a keynote speaker at the recently-concluded Rochester Security Summit, so he’ll do for my example:

(Embedded video: TrustedSec’s David Kennedy on CNN, from David Kennedy on Vimeo.)

David is a security researcher – which means he’s a hacker.  No, I did not just accuse him of a crime.  He’s a wonderful guy and I would totally invite him to dinner.

The media have abused the term “hacker” for years now.  The original meaning of the word was simply, “One who is expert at programming and solving problems with a computer.”  That expertise, together with an insatiable curiosity driving one to exercise it, is what genuinely makes a hacker.

Cyber-criminals may or may not be hackers.  For example, if they wish to crack their way into some company in order to plunder its money or sensitive info, they might exercise their own high levels of technical skill.  But they might hire technical capability, and not exercise it themselves.  Or they might be what we call script-kiddies, people who find easy step-by-step recipes for creating digital mayhem, and use them to good effect against poorly secured targets.  They might not even be criminals: they might be state-sponsored, and thus their actions are legal.  At least under their nation’s laws.

But hacking is a set of problem-solving approaches, and a toolbox of techniques.  It’s a way to accomplish a goal, and the goal’s goodness or badness is not relevant.  Hacking is morally neutral.  If, and only if, the goal of the hacking is a crime, then a hacker also happens to be a criminal.

Security researchers (like David) are employed to find ways that our information systems can be exploited.  They might do malware reverse-engineering, or vulnerability discovery and analysis, or refining social engineering techniques.  Most of our companies don’t employ them: it’s too specialized.  Large providers and specialty firms (Verizon, FireEye) provide researcher talent, and we consume the output in the form of reports and alerts.

Independent researchers also work as consultants.  They may help companies figure out what happened after an attack, or they may routinely provide bug reports to manufacturers.  They may work on Red/Blue team exercises, where attacks are simulated and defenses are tested.  Without question, Security Researchers are hackers.  If they aren’t, they cannot function in that job.

He’s not a criminal, he’s just cold! 
Equifax – Some Non-Frantic Advice

After every other major breach in recent times, one of the things we’ve all been advised to do is to go to the credit reporting agencies and check for any unauthorized activity.  And who are the credit reporting agencies?  TransUnion, Experian and Equifax.  Now we have news this week of Equifax having suffered a data breach affecting over 143 million Americans.  That is about 40% of the population, and well over half of those who have any credit records at all.  To help consumers begin to deal with it, Equifax has set up a site whose URL was apparently inspired by all the Equifax-themed phishing emails their staff have seen: https://www.equifaxsecurity2017.com.  Regardless of the terrible URL, that is the correct site.

My personal advice is, go ahead and register for the Trusted ID service that finding your name on https://www.equifaxsecurity2017.com entitles you to.  You can also choose to replicate a lot of what it offers by freezing your own credit reports and reviewing a copy of each one, which you can obtain via annualcreditreport.com.

Much has been made over the fact that the Equifax emergency site asks for some pretty detailed personal information before signing you up.  My take on that issue is simple: Equifax had that information anyway, and much much more.

Here are a few other links to stories from the past few days.  I have tried to filter out some of the more freaking-out ones.

That said, if you want a villain in this story, this one will appeal: Three Equifax executives sold a bunch of stock before the breach went public.

ZDNet says they tested the front end to the identity checker and got wonky results.  I say, if it gets you signed up for the free services you want anyway, it’s fine.

Finally, Patrick McKenzie (@patio11) once made it his hobby to help people with identity-theft incidents.  I like his advice mainly for its level-headed, “don’t panic” gestalt.  Read: http://www.kalzumeus.com/2017/09/09/identity-theft-credit-reports/ 

There’s no value in freaking out.

TWC Breach

So… this happened. A web developer for Time Warner Cable left data files unprotected on an Amazon Web Services machine.  It held personal information on four million TWC subscribers.  Possibly including me?

They won’t tell me.

I had an interaction with their customer service desk which included the rep telling me it was “fake news.”  In spite of the fact that Time Warner has acknowledged the breach and stated that they are investigating.  Then they generated a “ticket”, but I have received exactly zero communication about that.

Companies that have a data breach have a legal obligation to notify the affected people, but the deadlines vary, mostly in increments of 30, 60 or 90 days.  I suppose I will hear from them eventually, but I did not appreciate being told it’s fake news, and I did not appreciate being fobbed off with a (probably) fake ticket number.

More on this when I get more.