by Claudiu Popa
Talk to anyone in the world of business about their biggest hacking fear and you’re bound to hear that “embarrassment” ranks right up there near the top.
Everyone knows that to do a proper job of alienating clients and embarrassing your organization you need to not just be good at, but excel at three things:
- amateurish planning in protecting against security and privacy problems
- boneheaded response once a breach has taken place
- abject failure to make sure it doesn’t happen again
I know what you’re thinking: “Hey! That sounds pretty difficult to pull off! I was hoping for an easy way to annihilate my audience and damage my credibility! I thought you were good! Can you at least give me an example?”
Okay, if you’re gonna be like that, I’ll give you three!
Sony: Still tops
Not to harp on the now familiar PlayStation Network breach, but by many accounts, it wasn’t just one, but by some accounts some 18 different breaches that impacted over 77 million users. That’s more than twice the population of Canada plus all the bricks in theEmpireStateBuilding (that’s right, I did my homework, folks)!
If you’re looking for a perfect example, look no further:
- poor or no protection for private information & confidential data: check (12 million unencrypted credit cards: exposed)
- weak, delayed, ineffective response to the breach: check (this week, 93000 users were surprised to find that Sony has locked them out of their accounts as it still struggles to contain the breach)
- will it happen again? Yes, but only 17 times. Stay tuned. (the figure was later revised to 101.6 million compromised records)
Our favorite stunt was the gazillions supposedly spent on ‘thanking’ users for their loyalty by offering a couple of free games. The catch? You forget about download caps and exercise patience as you strive to download the multiple DVDs worth of data. Thankfully, the load on the Sony servers was such that most users simply gave up trying.
RIM made a run for the top spot this month when it apologized for an extended blackout that left an estimated 17 million Blackberry users – mostly business users – worldwide without data service for the greater part of a week. RIM’s CEO stated the obvious: “We’ve worked hard to earn [customer] trust over the past 12 years, and we’re committed to providing the high standard of reliability they expect, today and in the future”. The predictability of this event notwithstanding, RIM has declined to offer any compensation other than, you guessed it, some downloadable time-wasters. And you guessed again: when trying to cash in on the stated $100 value of the 8 games on offer, the message predictably says: “Blackberry App World is having trouble connecting… verify your connection and try again…”
The U.S. military: A good one, but not in a good way
You may have heard that the U.S. Air Force’s deadly unmanned drone program routinely employed in Iraq and Afghanistan was inadvertently infected with data-stealing malware. #1: check.
As it turns out, the malware wasn’t the highly targeted infection by an evil foreign nation that everyone said it was. According to the Air Force, the virus was simply designed to steal logins and passwords from regular users (not military personnel, you see), with a particular affinity for online games. So there you have it, nothing to worry about: it wasn’t so serious, just some plain old malware that happened to infect the Predator and Reaper drones’ ground systems. Thanks for the clarification. #2: check.
Will it happen again? “It’s standard policy not to discuss the operational status of our forces” said a spokesperson but added: “The ability to fly the drones remained secure throughout the incident”. According to some reports, the malware resisted several attempts to clean infected systems. In its statement, the Air Force did not name the threat or state whether it had been expunged from affected systems. #3: check.
The German government: Still fans of people watching
As the story goes, government officials have been spying on their citizens’ Internet use, e-mail, chat and 15 popular Windows programs you’ve heard of. The undetectable software was detected by the (in)famous Chaos Computer Club (CCC), who upon dismantling it found the names of the two famous Star Wars droids embedded within. Dubbed R2D2 (which is better than the two alternatives currently in use, 0zapftis and Bundestrojaner), the software initially prompted the government to clam up, but in the face of public outrage an investigation was initiated by the German Justice Minister. To date, four German states have confessed to using the program. #1: check.
The four state authorities allege that the software was only used with court orders and specifically to conduct wiretaps on encrypted Internet telephony; however, the forensic analyses performed by CCC and other companies indicate that it was used to broadly capture activity through all installed browsers, the keyboard and other applications. It was also built to allow remote control, software updates and on-the-fly customization to add or modify its functionality, thus voiding any claims of its legality. To top it all off, it was found to have security vulnerabilities of its own, further exposing the users. The state authorities have offered no explanation or clarification so far. #2: check.
When this all hit the fan, a German firm called DigiTask came forward and indicated that the software was likely theirs, having sold it to the government for the equivalent of millions of dollars back in 2007. The company also volunteered that it had sold it to other governments, such as Austria, Switzerland and the Netherlands. Given the European nation’s Nazi and Communist past, the degree of outrage and the potential ramifications of this embarrassing event couldn’t be overstated, even by me. #3: check.
So there you have it: your very own free checklist, with very real examples, for the very complex process of damaging public trust and confidence. I simply couldn’t make it any easier than this. It’s as easy as 1, 2, 3!
About the author:
Claudiu Popa, Principal Risk Advisor at Informatica Corporation (www.SecurityandPrivacy.ca). Follow him at http://Twitter.ClaudiuPopa.com or http://subscribe.ClaudiuPopa.com. A published author, lecturer and entrepreneur, Claudiu enjoys writing incendiary pieces of great interest to ITBusiness readers.