Breached! The Dangers of the Digital Era (cover story)

This article was first published by dmcityview.com


Can anyone truly prepare for a crisis? One can purchase insurance, open a rainy day savings account or plan an escape route in case of a fire. But being prepared for a crisis, in a way, changes the very definition of the word. For instance, imagine reaching for your phone and not only being locked out from using it, but the screen is showing someone making huge purchases, controlling your device remotely.

Being hacked is the most modern digital crisis imaginable. Sure, you have a passcode on your phone or virus protection software on your computer, but if either fails, you will likely find yourself helpless to whims of whatever has impinged on your digital liberties.

The Urbandale hack
Doug Stillwell, superintendent of the Urbandale School District, knows the feeling all too well.
Doug Stillwell, superintendent of the Urbandale School District

Around 8:30 a.m. on Thursday, Feb. 14, 2014 — approximately the time most people were settling into their desks, drinking coffee or having a morning laugh with coworkers — Stillwell and his staff suddenly discovered their website had been hacked. Not only had someone taken control of the site’s content, but the hacker had posted pornographic images on the front page.

Stillwell acted immediately to remove the offensive imagery, but the damage had already been done — students had seen the material. Luckily Stilwell’s quick moves to remedy the situation kept parents from getting too upset.

“We quickly communicated with all of our staff what happened, and we were as proactive as possible,” recounts Stillwell. “I didn’t really have anybody banging on my door at all, and I think that’s because of the way we handled it and communicated it. We didn’t fight it, we didn’t say it didn’t happen. We sent an email to our parents and let them know what we had done to address it.”

Stillwell has been guiding Urbandale’s schools since 2010 and admits that prior to last February he knew only the basics about data security. While no financial or personal records were exposed from the Urbandale website hack, he contends the episode made him more wary about the district’s digital footprint.

“It’s one of those things where, until it happens, you don’t give it much consideration. Probably like most people who don’t work in the field of technology, you know that everything’s connected to the web is susceptible. You kind of keep that tucked in the back of your mind, and you have the ongoing question about how safe our data is,” said Stilwell.

The year of the hack
Put into perspective, while X-rated, Urbandale’s web hacking experience was miniscule compared to the full picture of data security. If 2014 will be remembered for one thing, it will be the rise of weaponized cyber attacks. Altogether, 783 data breaches were reported in the United States last year with more than 675 million records exposed. Easily the worst year for data breaches on record, 2014 cost businesses billions in repair, recovery, lawsuits and settlements.

Beginning in late 2013 with the Target credit card breach to last month’s Sony information systems meltdown, most Americans have been susceptible to personal information data theft. Data security was such a big issue in 2014 that other web attacks against eBay, Michael’s, JPMorgan Chase, Jimmy John’s, The Heartbleed bug, Neiman Marcus and Home Depot barely made headlines — as was the case a little closer to home at Iowa State University in Ames.

Even the strongest are vulnerable
Last April, the Information Technology department at Iowa State discovered almost 30,000 student records had been compromised. The breach included five servers on campus, which housed social security numbers for students who majored in computer science, world languages and cultures, materials science and engineering while attending the university between 1995 and 2012. According to school officials, students’ data was not the target of the attack, but an innocent bystander. Hacker’s disregarded social security numbers, instead attempting to use the university’s powerful, massive network to create bitcoins, a digital currency.


“We had some servers that weren’t patched appropriately, and a hacker took advantage of that,” said Andy Weisskopf, an information security officer at Iowa State. “We found out within about a month of it happening. Unfortunately some of the data that was stored on those systems did contain former student social security numbers.”

What’s telling is how Iowa State — one of the most accomplished computer science and engineering institutions in the country — couldn’t fend off the intruder. Weisskopf said organizations the size of Iowa State are under constant attack from hackers and malicious web users. But even with its diversified force of IT personnel scattered across its seven colleges, it fell victim. While they, too, employ armies of highly skilled IT personnel, it’s understandable to think that Sony, an entertainment corporation, or Target, a mega-retailer, are prime targets for data breaches. But the institution that invented the computer?

“There are many types of attacks,” Weisskopf said. “There are patch attacks like we incurred, there are phishing attacks on users attempting to gain credentials, there are networked servers that offer services that might be exploited. There are just too many to count.”

The university actually lucked out with its type of breach. The now-notorious Sony hack exposed employees’ emails, personal information and the organization’s financial records and locked users out of the network for weeks. The Iowa State hackers could have done similar damage by absconding with priceless student, research and institutional data, but instead vacated the system after failing to leverage the network for its purposes. In the long run, the hackers might have done ISU a favor, allowing the school an opportunity to discover its vulnerabilities.

Tricking the user
Doug Jacobson, professor of electrical and computer engineering and director of the Information Assurance Center, said many cyber attacks focus on “vulnerabilities” or systems that have initial design flaws.
Doug Jacobson, professor of electrical and computer engineering
and director of the Information Assurance Center at
Iowa State University

“Another common attack happened just recently where the military lost control of its Twitter account for a while,” he said. “Someone probably figured out the password.”

That “someone” is a hacker, i.e., a programmer who either personally uncovered access to closed IT systems and software or built a program that can break access login profiles to guarded information. Many of these programs attempt what is known as a “brute force attack,” or automated, repetitive attempts at passcodes until one works.

“The analogy is someone has a large keyring and walks up to an arbitrary door trying every key,” said Jacobson. “There may not be a match, but if one works, they’re in the house with free reign.”

Confounding the issue is the modern technology environment. Computer, smartphone, software and website designers build their products with ease of use in mind. Not only are they easy to operate, they’re easy to access as well. Sometimes the concern over ease of use even topples to kings of tech, such as this past August with Apple and the celebrity phone hack.

When more than 100 female celebrities’ private iPhone photos were exposed this past August, a brute force attack was first believed to be the way they were hacked. While Apple never publicly detailed how hackers were able to break the accounts, it did say phishing and social engineering were more likely the reason for the breach. Phishing has been a hacking tactic for years, whereby users are deceived into handing over financial or online account information to someone posing as a legitimate business. Social engineering takes phishing to a much more devious level.

“The user is the biggest vulnerable piece in this equation,” said Jacobson.

Tech users build a connection with their devices and start to feel comfortable with the digital environment they maneuver every day innocently downloading software, mp3s or email attachments because they are easy and available.

“So when hackers look at attacking systems, they look at users as part of the system,” said Jacobson. “Hacking technology is a lot harder than tricking the user.”

A large bag of tricks
Social engineering dupes users in many ways, from replicating trusted brand design, impersonating customer service operations, accumulating online information about a target and using it against him or her, impersonating friends and family or simply playing to desires and providing links to tempting material. This is only a small sampling of their bag of tricks. The best way to look at them is not as hackers, but as con men.

“People need to understand their interaction with a computer as an interaction with some other computer somewhere,” Jacobson said. “It’s strange, but people tend to do things and say things online that they would never do in person.

“We tend to see people do things that make them more vulnerable. If that interaction was a stranger walking up, we’d walk away. Technology can be enhanced to protect systems, but behavioral issues are much harder to teach.”

These online behaviors might have been what made celebrities like Jennifer Lawrence, Kate Upton and Ariana Grande at risk to be hacked, but for the nearly 30,000 Iowa State students whose personal information was exposed, their only part in the data breach was attending the university.

Iowa State did remedy its vulnerability by contacting those whose information was unearthed, by offering third-party identity protection services, and by purchasing one year of credit monitoring for those whose social security numbers were exposed. Plus, the institution completely addressed its IT hierarchy with a 62-page proposal submitted just last week to the Iowa Board of Regents.

“We don’t do a good job of telling the populace what’s safe and what you can and cannot trust,” Jacobson said. “With efforts like Iowa State’s Information Assurance Center, we can go a long way to shoring up technological behavior that leads to data leaks.”



“We need to train more of the techies to help combat the ever-increasing sophistication of these attacks — the Targets and the Sonys — but where we have a bigger gap is a tech-literate community,” he said.

More targets than ever before
Educating modern technology users is important, however, today’s tech environment is more diversified than ever before. Ten years ago, smartphones were in their infancy, tablets and mobile applications didn’t exist, and the overwhelming majority of web usage was done on machines running Microsoft Windows using Internet Explorer. Cyber attacks were mostly concentrated to single-user environments, with malicious programs and downloads targeting Microsoft operating systems and machines. Tech in 2014 is much more varied with platforms such as Android, iPhone, Blackberry, Windows Phone and many more running their own distinct systems.

“The more things out there, the more targets there are,” said Jacobson. “You don’t have to be the fastest gazelle, just not the slowest.”

In other words, the easiest target, with the most valuable user base to exploit, is mostly the target of choice for villainous programmers. For some that might mean the iPhone, which has shown to have the app store with the most commercial transactions; Windows Phone that was programmed using familiar code; Blackberry, which is traditionally a business user’s phone; or Android with the largest overall global user base. Still, tech diversity also makes it harder for hackers to hit paydirt within the unknown mobile market, something that has actually protected mobile systems somewhat to this point. For this very reason, retailers, corporations and government systems are much more attractive prey.

While the Sony hack may be the most recent, and the celebrity phone hack the most malicious, Target’s hack might have been the most costly. After the dust cleared, 40 million customer credit cards were duplicated and stolen via Target card swipers. Reportedly, three million cards were sold on the black market, amassing nearly $54 million in fraudulent charges. Banks set aside more than $100 million to cover card fraud issues with customers, with Target’s profits falling 46 percent in the fiscal quarter immediately following the attack.

“Target was bad — terrible — but you and I couldn’t do anything to fix that,” Jacobson said. “In many of these larger hacks, such as Target or even Iowa State, the victim is unaware they’ve been exposed, and the organization was vulnerable due to a tiny flaw. Hackers have an incredibly wide range of ways to get in.”

Unstoppable
The Target hack shows the intricacy of these systems and vulnerability of those who interact with them. One of the data vulnerabilities that came to light in 2014 was the Heartbleed bug.

Heartbleed wasn’t so much the story of a single perpetrator but a widespread vulnerability in a web security that multiple hackers have been exploiting for years. The Heartbleed bug left an opening for any hackers to sneak into secure websites that used a certain security protocol. Simply put, there was nothing users could do about Heartbleed, as fixing the issue was requisite of the sites with the issue.

“Heartbleed was a problem, and people worked to fix it, but it wasn’t something the user could fix,” said Jacobson.

Whether shopping at Target or frequenting a site with the Heartbleed vulnerability, users were powerless to remedy the situation.

“Grandma at home couldn’t do anything about Heartbleed,” Jacobson said. “It was a problem with servers owned by organizations. Whereas the military losing control of its Twitter account was probably use of a poor password or user error.”

The world we live in
Compared to Sony, Target and even Iowa State, Stillwell feels very fortunate that his school district’s experience was relatively easy to clean up and virtually free to repair.

“At some level it can certainly cause people to worry about how trustworthy an organization is, but I think that gets back to how we respond,” contends Stillwell. “Because we pay a fee to our provider, it was something they’re paid to correct. The real concern was protecting our kids from what was on the site.”

Almost one year later, Urbandale schools have weathered the run-in with cyber crime, but Stilwell isn’t naïve enough to guarantee it will be the last.

“We just know this is the world we live in, and there’s always that chance that something is going to happen,” said Stillwell. “And it’s a really good teaching moment, not only for the kids but for our staff. So you put together protocol to try to avoid it, stay diligent, and stay on top of it.”


Patrick Boberg is a central Iowa creative media specialist. For more tech insights, follow him on Twitter @PatBoBomb

Comments

Popular Posts