Hacking on the rise
Service providers are responding to security breaches of all sorts.
There have always been hackers, but as computer and telecom networks merge and become more extensive and interconnected, it seems that the incidence of hacking is increasing.
A partial list of some of the more prominent breaches of security in just the past 12 months or so includes:
- Last year, Sony’s PlayStation Network (PSN) was hacked, with information from 10 million user accounts stolen.
- Also in 2011, hackers stole data on 200,000 accounts from Citibank.
- In March, a New York City cab company was hacked, leading MasterCard and Visa to notify some customers that their accounts were compromised. (No numbers were given on how many accounts were compromised.)
- In June, LinkedIn acknowledged a security breach involving millions of account passwords.
- In July, hackers got into a Yahoo server and stole information on as many as 400,000 VoIP subscriber accounts (the company said less than 5 percent of those accounts were accompanied by valid passwords).
- Security experts informed Skype more than a year ago that it might be vulnerable to a hack that would enable unauthorized geographical tracking of users running the program on mobile devices (no actual hack has been reported).
Little comfort should be taken from the observation that none of these organizations have core competencies in networking or telecommunications, which could presumably mean they might be a little more sophisticated about security.
In May, the U.K.’s Ministry of Defence acknowledged its computer systems had been hacked. Just prior to that, the U.K.’s Serious Organised Crime Agency (SOCA) was forced to take its website offline after being overwhelmed by a distributed denial-of-service (DDoS) attack.
Last year, the U.S. Department of Defense said one of its computers had been hacked, and 24,000 files had been stolen. That was exactly a quarter of a century after Cliff Stoll caught a West German hacker working for the KGB hacking into the U.S. defense network (Stoll’s book about the episode, “The Cuckoo’s Egg,” remains a good read).
The point is that no organization should feel cocky about its security. There is no one too big or too small to avoid being a potential target, and no one too sophisticated about cybersecurity that they can’t be successfully hacked.
Verizon in its 2012 Data Breach Investigations Report (DBIR) reported having looked into 855 incidents of corporate data theft, representing 174 million compromised records. The company uses a framework for describing security incidents in a uniform way; it’s called Verizon Enterprise Risk and Incident Sharing (VERIS), and it’s now publicly available.
On the possibly positive side, Verizon noted that most corporate hacking subjects – 79 percent – were “targets of opportunity.” In other words, these companies had security weaknesses that could have been eliminated had they implemented available countermeasures.
The DBIR report notes that 85 percent of breaches took weeks or more to discover, and of those, most were discovered by a third party – far too often a customer.
It is possible that the amount of hacking over the last few years has been roughly steady, it’s just being reported more frequently, and therefore the breaches are more alarming.
On the other hand, it could be exactly what it appears to be: a rise in the amount of hacking. The reasons seem to be proliferating, as well. Some hacks are pranks, some are the means to theft, some are done as protest/retaliation (sometimes called hacktivism – think of WikiLeaks and its sometimes defender, the hacker group Anonymous), some hacks are industrial espionage, some is cyberwarfare.
"There is an economic cyber war going on today against U.S. companies. There are two types of companies in this country: those who know they've been hacked and those who don't know they've been hacked," according to Rep. Mike Rogers (R-Mich.), chairman of the House Intelligence Committee.
That may be a bit hyperbolic, but it supports the contention that the number of cyber attacks is increasing.
Rogers delivered the comment late last year when he introduced the Cyber Intelligence Sharing and Protection Act (CISPA).
CISPA is still being considered. It gained passage in the House in April but is bitterly opposed by those who object to provisions that give the U.S. government sweeping rights to gather personal data collected from commercial companies – including, but by no means restricted to, cable operators, phone companies and other broadband service providers.
The NCTA remains officially in favor of CISPA, at least since its passage in the House, largely because the legislation avoids specific regulations for cable companies.
That might not go over well with cable customers with privacy concerns, however. Early this year, the Stop Online Piracy Act (SOPA) was blocked by a coalition of interest groups because of privacy concerns. Many participants in that fight are lined up against CISPA for the same reason.
Still, the U.S. government is compelled to do something to improve overall computer security. The Information Technology & Innovation Foundation (ITIF) has proposed creating an R&D roadmap for privacy to help address consumer privacy concerns, better align R&D investments with strategic objectives and enable more innovation.
China is widely believed to be aggressively exploring cyber war technology and techniques.
Arbor Networks traces cyber attacks of various sorts on a daily basis. On one day in mid-August, it traced the largest percentage to China. As a point of information, on the same date, the U.S. ranked second in this regard. Recall, for example, that the U.S. designed the Stuxnet virus specifically to disable Iranian nuclear facilities.
Cyber warfare hasn’t been science fiction for some time; it’s been ongoing for years now. The U.S. in 2009 proposed an official “International Strategy for Cyberspace,” which included the following policy regarding the U.S.’s intention to dissuade attacks on the country’s computing and communications infrastructure: “Protecting networks of such great value requires robust defensive capabilities. The United States will continue to strengthen our network defenses and our ability to withstand and recover from disruptions and other attacks. For those more sophisticated attacks that do create damage, we will act on well-developed response plans to isolate and mitigate disruption to our machines, limiting effects on our networks and potential cascade effects beyond them.”
Arbor Networks, a company that specializes in network security products, including solutions specifically for DDoS attacks, said that recently it detected that a rise in “DDoS aimed at telecommunications is being used to create distractions that allows other crimes to go unnoticed for a longer period.”
In March, several of the largest ISPs, including AT&T, CenturyLink, Comcast, Cox, Sprint, Time Warner Cable and Verizon, agreed with the FCC to adopt a set of security recommendations developed by the Communications Security, Reliability and Interoperability Council (CSRIC).
These recommendations are designed to deal with botnets, Domain Name System (DNS) attacks and Internet routing hijacking.
The Anti-Bot Code of Conduct for Internet Service Providers (ABCs for ISPs) has broadband providers scan for and detect botnet activity on their networks, notify affected customers, help with remediation, and collaborate with other ISPs. Several ISPs have already adopted the ABCs, and initial results include reductions in upstream traffic, spam and help desk calls.
Regarding DNS hacking, broadband companies are adopting Domain Name System Security Extensions (DNSSEC) – secure protocol extensions. ISPs will also be adopting techniques to minimize IP route hijacking.
At the beginning of August, Comcast announced in its corporate blog that it will be taking steps to prevent what it called unintentional network abuse.
The company has put in place a means of preventing one form of DDoS attack – those that utilize the Simple Network Management Protocol (SNMP) reflected amplification technique, a type of attack that exploits the fact that some networks do not implement address source verification.
Jason Livingood, Comcast’s vice president of Internet systems, described that as “an attack that can occur when SNMP queries with a spoofed source IP address are sent to our customers' home gateway devices. Those home gateway devices, or routers, are customer-owned and not Comcast-managed. The SNMP queries result in a response from a home gateway device that is reflected and amplified, directing an overwhelming volume of traffic against a target.”
Comcast is working with the Broadband Internet Technical Advisory Group (BITAG) to publicize the problem and the proposed countermeasures. BITAG published a report on the issue simultaneous with Comcast’s blog post.
According to BITAG, the problem can be circumvented by implementing the recommended practice of address source verification. Many networks apparently still don’t, leaving them vulnerable to contributing to attacks originating from hosts in their networks, which contributes to making all other networks vulnerable to such attacks.
Comcast said it will gradually change its default residential Internet device boot file to restrict SNMP by default. The company said that if customers wish to use SNMP, they can contact its Customer Security Assurance team to be switched to a boot file that allows SNMP.