Hacked

Hacked

    We've all been there, reading all the warnings to change your passwords frequently, usually to a new password so complex that only a computer itself could remember it; the reason being, of course, that a hacker might break into your computer and thus access many if not all of your accounts stored there, from your banking transactions to your email address lists (and thus more potential computers to hack).  But if you're like me, you've gone to so many doctors and dentists and banks and what-have-you, each of which has asked for your Social Security number (until recently, that number would appear on any driver's license issued here in the U.S.), that you've somewhat thrown up your hands and fallen back on some sort of software program to more or less "protect" you.  This is not a new subject, indeed I first wrote about this several years ago when some of the major stores were being hacked, that being the era of pre-chip cards (many companies now require you to have a chip card --vs. the old magnetic stripe card-- by the end of this month), something that was and is an expensive transition for stores such as Target and Home Depot.  But that was all back then...it's gotten worse.

    For my wife and I, qualifying for speedier passage through security at the airport meant passing several screening processes, from the FBI taking our fingerprints to our info being double-checked by Interpol and other agencies (we passed).  All of this went into their secure databanks, our work and educational history, our Social Security numbers, our birthdates and names of relatives and their addresses, etc....and all of it got hacked.  When we first received our notice that we were among the "lucky" 21.5 million records that were hacked from the government's Office of Personnel Management site, we were admittedly a bit puzzled until we read a bit further.  We were lucky because we were not among the nearly 6 million or so who not only had all of their records hacked, but also their fingerprints.  And indeed, our paltry 21+ million group represented just 20% of the total number of people's records hacked last year (43% of businesses interviewed said that their company records had been hacked in 2014).

    Hacking is appearing to become so commonplace that the consumer is almost growing nonchalant about it.  Free credit monitoring for a year or two sounds great but hackers are very patient and will sit on stolen information for years, often three or more, before trying to access and steal the data.  Even one of the all-in-one secure storage sites has been hacked (services such as LifeLock still remain secure but a similar storage system, this one a holder of passwords, was hacked and some insurance and banking info and passwords were accessed before the breach was closed).  The most recent hack occurred only a few months ago and happened to the large credit record company, Experian (15 million Social Security numbers were stolen before the hack was noticed).  The health insurer Anthem had close to 79 million of its records hacked, while in September of last year, Excellus BlueCross BlueShield had 10 million of its records hacked, including "Social Security numbers, member ID numbers, financial account information (and) other data," according to data acquired in a Money article.  All in all, major corporate hacking has increased nearly 30% since 2014.

    So what can be done?  Change your passwords?  Uh, not very effective as shown in this video where a hacker accesses a somewhat complicated password within seconds (a simple password such as LastName543 takes a hacker an average of 3 seconds to crack).  Much of this happens when using a public WiFi access point, say in a hotel room or at an airport.  Indeed, six years ago, TedX Talks showed what hacker Pablos Holman created, a robotic "roamer" to grab such information, from bank transfers to remotely controlling your television (or to watch what you are watching or searching, be it charging your room balance to bidding on something on EBay to finding an escort service).  And again, that was technology from six years ago.  Says an article by Esther Shein in Inc.: Passwords aren’t enough: Your cloud provider should use encryption or two-factor authentication--whatever technologies “are culturally acceptable that can be used to keep out criminals,’’ advises Mike West, formerly an analyst at Saugatuck Technology.  Passwords, he says, “are a joke.  You cannot design a password that’s not breakable by a kid.”  And it's little wonder that consumers are feeling a bit on the frustrated side when sites such as United Airlines, Turbo Tax and even the Internal Revenue Service have been accessed with stolen passwords and other data. Since 2005, hackers have broken into Facebook (6 million users' data), Adobe Systems (152 million users' data), JP Morgan (83 million users' data) and EBay (145 million users' data), among others.  In an ad by cyber-security firm Norton, the primary targets for hackers are now WiFi users (68%), parents of children 8-17 (65%), mobile device users (63%) and social network users (63%).  And Verizon's 2014 analysis showed that 49% of cyber espionage comes from East Asia with another 21% coming from Eastern Europe...78% of gaining access to a computer's data came from people opening unknown email attachments.

    All of this pales when compared to the Web few of us know exists, the Dark Web.  Estimated to be 500 times as large as the Internet most of us use today, the Dark Web can even limit what Google can see, according to a summary posted in Popular Science.  In the piece adapted from his book Future Crimes, author Marc Goodman writes: According to a study published in Nature, Google indexes no more than 16 percent of the surface Web and misses all of the Deep Web.  Any given search turns up just 0.03 percent of the information that exists online (one in 3,000 pages)...Welcome to the Dark Web, sometimes called the Darknet, a vast digital underground where hackers, gangsters, terrorists, and pedophiles come to ply their trade. 

    None of this bothers Nico Sell, "CEO of Wickr, which makes what the company says is an all-but-unhackable mobile messaging app."  In a story by Inc.'s editor Will Bourne, he writes: There's a lot you won't learn about Nico Sell in the course of this story.  You won't learn how to follow her on Twitter or Instagram or Vine.  You won't learn her age, or where she lives, exactly, or the year she graduated from Dartmouth.  You won't find out the names of her two girls or her husband's name or whether hers is Nico Sell at all.  You won't even really see her face (she is prone to fedoras and dark glasses when there's a camera around).  The woman is careful, or "properly paranoid," as she puts it.  "You give people 10 data points about you and they can steal your identity," she says.  "It's really pretty simple."

In this graph from the Inc. article, Wickr's encryption data is stored outside of a central server...




    Says editor Bourne in the piece: ...Sell is not naive enough to think she can get the kind of traction she'll need to replace Skype by relying just on kids to find her app in the App Store.  She may have built Wickr to be consumer facing, but she is also attacking the problem at the topmost level.  Essentially, she plans to incorporate Wickr tech into servers, routers, phones--wherever it can add value.  "We want to be running all the financial transactions in the world," she says, as an example of the scale of her ambition..."I am under many NDAs," (non-disclosure agreements) Sell cautions later, via Wickr. But she goes on to confirm that "we have signed one of the largest gaming companies and one of the largest financial companies in the world.  We are negotiating terms with at least one carrier now.  That is all I can say." ...When a technology like Wickr "¨becomes embedded in hardware, "¨everything changes.  When a huge telecommunications company can guarantee its users anonymous and secure communication, why would anyone sign on with a carrier that didn't offer it?  Given a choice between a secure alternative to email (Wickr's next objective) and email from Google that comes with both advertising and the risk of NSA eavesdropping, who would opt for the latter?

    But there's another side to this, and that is using hacking to one's advantage as Eben Upton has done, becoming "an icon of DIY culture," says Popular Science.  He created Rasberry Pi, "the cheapest hackable computer on the planet," says the piece by Michael Nunez.  His computer sells for $20 to $35...and he's sold 5 million of them (so far).  Nunez: You keep coming out with cheaper computers.  Is your business plan just a race to the bottom?  Upton: You can do two things with Moore’s law: You can keep the price constant and add features, or you can keep the feature set constant and lower the price.  Companies always like to do the former--they don’t want to have their revenues decline year after year.  What we feel we’re doing is using Moore’s law to save people money.  We’re going to make computing available to an entire swath of people who don’t feel they can justify spending a few hundred dollars on a PC and don’t need that level of performance anyway...We wanted to build something affordable and programmable and fun and robust that kids would want to have in their lives.  You know, it sucks being a kid.  You have no power.  You basically do what other people tell you to do for 18 years.  The nice thing about computer programming is you have this venue in which you have power.  You have agency.  You have the ability to take charge, be in control, and build the thing you want to build.  And kids like that maybe their parents don’t understand it.  The new Raspberry Pi 2 is the size of credit card, has quad-core processing, 1GB of RAM, and will carry Windows 10...the new price?  Same as the old...$35.

    So back to the question of what can be done, an answer which is likely summed up in Upton's phrase, "...parents don't understand it."  Certainly, sites give you the five or six basic precautions such as keeping your updates current, or buying the latest cyber-security software, or not opening email attachments if you don't recognize the sender (banks, the IRS and most other companies almost never ask you to resend them your password information), or falling for phishing scams, etc.  But for the legitimate companies where you are initially setting up an account --say a health care provider or a new savings account-- there's actually little you can do on your end (https everywhere is one good place to start however, a simple app that adds an additional layer of encryption...any and all financial or important websites you deal with should always start with www.https and not just www.http...the app, unfortunately, is not available for Internet Explorer users).

    This is a cautious and opportunistic world we are now living in, and anonymity and deep sea phishing are the new sports of many in the shadows.  Common sense might be your best defense, that and perhaps paying a tiny bit more to stay with the current cloud software.  But it's a cat & mouse game for many companies and governments (a much more detailed story comes from an extensive look at the Sony Pictures hack, written by Peter Elkind in Fortune), and they are far more frustrated and spending far more money than you or I...and as you're now aware, have still been hacked.



   

Comments

Popular posts from this blog

Dashing Through the S̶n̶o̶w̶...Hope

Vape...Or

And the Winner Is...