Is This the Golden Age of Hacking?

Barence writes "With a seemingly continuous wave of attacks hitting the public and commercial sectors, there has never been a more prodigious period for hackers, argues PC Pro. What has led to the sudden hacking boom? Ease of access to tools has also led to an explosion in the numbers of people actively looking for companies with weakened defenses, according to security experts. Meanwhile, the recession has left thousands of highly skilled IT staff out of work and desperate for money, while simultaneously crimping companies' IT security budgets. The pressure to get systems up and running as quickly as possible also means that networks aren't locked down as tightly as they should be, which can leave back doors open for hackers."

Methinks it be the script-kiddies

[amalek]

Meanwhile, the recession has left thousands of highly skilled IT staff out of work and desperate for money, while simultaneously crimping companies' IT security budgets... ?

Re:Methinks it be the script-kiddies

[Anrego]

crimping companies' IT security budgets

Most were already crippled, which is really what I blame for the problem.

For a _long_ time "this could get hacked" was a theory. Yes if someone dedicated resources at you and knew where to look they could get in.. but who is going to target _us_.

The availability of tools that can automagically find these vulnerabilities and exploit them is what I blame. All these little holes no one worried about because "no one will ever bother looking there" are becoming a big deal.

Hopefully companies getting hacked left right and center will put the fear of the great fire cactus to the suits, and they in-turn will invest in real security.

Re:Methinks it be the script-kiddies

[JoeTalbott]

This reminds me of a plumber I once knew who bumped his head on a brick and a gold coin fell out. Ever since then he's been bumping his head on bricks looking for hidden coins. A sad tale indeed from which I learned that 'security through obscurity' depends largely on the obscure remaining so.

Re:Methinks it be the script-kiddies

[cgenman]

Citi got hacked because you could plug anybody's account numbers into a website once you had logged in, and it would spit out valid information. That's just a complete lack of basic security. That's just bad initial design that wouldn't have cost any extra to secure if it had been developed by anyone with a clue.

And automated tools have existed for years. I'd say that the big difference is that it used to be very few people knew how to move 200k freshly stolen credit card numbers. Sellers and buyers had to know specific IRC channels or dial-up BBS's to log into. Now, thanks to social networking and the explosion of 0-configuration bulletin boards, anyone with a use for a million credit card numbers can hop onto Google and find a place where sellers hang out. People can make a good living renting out botnets or selling identities in a way that had been very difficult.

Re:Methinks it be the script-kiddies

[AmiMoJo]

From the board room's point of view security costs money with no tangible benefit. They find it hard to say to investors "we spent lots of money on securing our systems, it reduced our productivity and increased the size of our IT department but we were saved from all these hacking attempts, honest". On the other hand if they buy some cheap "network grade" anti-virus software they can claim to be both diligent and securing their systems and to be helpless victims of elite cyber criminal masterminds when things do go wrong.

Golden Lulz, not plain old gold

[Beautyon]

Umm no, its the Lulz age of hacking.

Re:Golden Lulz, not plain old gold

[Samantha+Wright]

I'd give you a mod point, but instead I'm going to just try and highlight your point more clearly, since you seem to be accruing mod points anyway.

LulzSecurity is doing a bunch of high-profile, childish, silly things. That's all the weather there is to report. There's nothing else going on. There's no golden age, no silver age, no information age. Just one group being trollish, and otherwise, the attacks we're hearing about aren't that out of the norm. The exponential curve is right on schedule, as usual.

Hopefully, however, the LulzSec attitude—that you don't have to be important in order to be an interesting target for having your pants pulled down in front of the rest of the class—will drive organizations toward better security policies. TFA is obviously not interested in this aspect of things (and ends in a pessimistic note about people asking for help with test configurations) which is... not that surprising from PCPro.

We need to take users out of the loop.

[FyRE666]

The problem most websites have is one of users choosing insecure login details, either through ignorance, laziness or disinterest. Although this is not a huge problem if it's front-end users, the same problem exists with admins, and those with elevated privileges. The most secure fortress is little protection if the passcode to open the front door is "1234".

I don't think this problem can be fixed by "forcing" users to choose long passwords, or to have a different password on every site they use. As we've seen, they simply won't do it, and why should they? It's different if you have a technical, or security-related background, and understand the risks - the average Joe isn't interested in spending the effort to maintain and organise a secure list of passwords in an offline location.

i think the only way this can be fixed is by using SecureID style authentication - either with stand-alone units, mobile apps, or units built into laptops or keyboards (separate from the other components). Obviously it would need to be physically separated from the machine being used to login (or at least sandboxed, in the case of a mobile app). We just need a good cross-platform authentication API that's easy for developers to implement, and cheap hardware/free software for the client.

Re:Hacking vs Cracking

[gman003]

I think it's time we give up on this. Sure, most of us know about the technical distinction between "hacking" and "cracking". But the mass public hasn't picked up on that, and even many hackers (old sense) now use the term hacking (new sense) for cracking.

At this point, trying to push the term "cracking" is futile. We won't change anyone's mind. In fact, all we'll do is come across as semantics-arguing dweebs. It's probably best to just accept that "hacking" now means "gaining unauthorized access to a system". It'll be easier to make a new term for "person who messes with computer systems for fun".

Weak Security

[wintercolby]

What do you expect to happen when you hire Systems Administrators for 6 month contracts to build your systems, and then let the contract expire after the servers are built? Servers don't usually patch themselves, nor do they remain compliant with your security standards once you give developers and DBA's root access.

No it's not

[blahbooboo]

The golden age of hacking was the late 1970s and 1980s. Things they pulled off back then were far more impressive and interesting to watch.