The Robbers Are Already in the Bank

Share on facebook
Share on google
Share on twitter
Share on linkedin
Hacking Incident
June 26, 2016
Over the long history of banks, many mechanisms have been used to thwart would-be thieves. For instance, a bank would protect the transport mechanism (stagecoaches, armored cars) and heavily secure the soft-points, like tellers and bank branches. The vault was the most heavily protected. In the end, it was defense in depth and solid protection, detection and response which ensured only the most determined criminals would be successful.

This real-world example is very relevant to our digital world today. Let’s imagine your information and data are the crown jewels in the vault and the service provider is the bank. In the digital world, we need to start assuming the robbers are inside and behind the teller window. They’re making their way towards the vault or are perhaps already in there. Making this assumption is the only way to keep one’s data safe in this increasingly hostile online world.

Naked Selfies

The recent celebrity hacking scandal drives this point home. Without all of the facts, it’s hard to tell what happened at this point. Initial ideas are that Apple’s iCloud service had an API weakness which allowed hackers to brute-force the passwords of many celebrities and make off with their most intimate photos. (Edit: Apple is now denying this) If this is the case, the real-world analogy would be that Apple forgot to put a camera and/or alarm on the back door. However, if multi-factor authentication had been enabled, or the photos themselves had been encrypted in another container, then the photos would not have been able to be seen or used.

Wild, Wild Interwebs

The Robbers Are Already in the Bank 1

Unfortunately, non-technical people are finding out what InfoSec professionals have been screaming about since the Internet was text-only: it is very insecure out there. And the majority of people using the Internet today can be easily convinced to trade convenience for their security and privacy. Single-factor authentication, chip-less credit cards that are easily compromised, easy-to-guess password reset mechanisms: these are just a few examples of low-security items we use every day. So who’s to blame? Well, if we play that game, then the answer is: everyone involved. Users should have better awareness of what they’re getting themselves into and hold some of the liability for keeping their accounts secure. Providers should offer the highest-level of security by default, not as an Opt-In mechanism. Software makers should be held liable for holes in their software. If all of these things happen, there will still be breaches, but by closing the easiest and most obvious holes, the hackers must then be more persistent and better equipped. It also increases the time it will take for a successful attack, which means they can be detected earlier in the kill-chain and prevented from causing damage.

TL;DR
  • Assume everywhere you place your data has already been compromised.
  • Use Multi-factor authentication on every site and encourage any site that doesn’t offer this option to start offering it. (TwoFactorAuth.org is a great site for this).
  • When storing sensitive files online, encrypt them in a separate container (usingTruecrypt 7.1a for example) with a separate password and, even better, a keyfile.
  • Don’t post sensitive data anywhere unless you have taken steps, such as those listed above, to protect it.
  • Finally, if you’re a high-profile target, hire someone to ensure any sensitive or potentially compromising information is unreachable or protected.
starklogic

starklogic

Incident Response

If you think you have been the victim of a cyber attack, contact us right now.

  • Determining the extent of a breach
  • Performing a full-scope response from Identification to Recovery
  • Incident Response retainer services, including IR preparation for your team

Contact CDG

We mobilize and launch a complete investigation of any suspected incident within 24 hours.

  • Determining the extent of a breach
  • Performing a full-scope response from Identification to Recovery
  • Incident Response retainer services, including IR preparation for your team