Slashdot Mirror

← Back to Stories (view on slashdot.org)

Is This the Golden Age of Hacking?

Posted by samzenpus on from the timing-is-everything dept.

Barence writes "With a seemingly continuous wave of attacks hitting the public and commercial sectors, there has never been a more prodigious period for hackers, argues PC Pro. What has led to the sudden hacking boom? Ease of access to tools has also led to an explosion in the numbers of people actively looking for companies with weakened defenses, according to security experts. Meanwhile, the recession has left thousands of highly skilled IT staff out of work and desperate for money, while simultaneously crimping companies' IT security budgets. The pressure to get systems up and running as quickly as possible also means that networks aren't locked down as tightly as they should be, which can leave back doors open for hackers."

7 of 213 comments (clear)

  1. Methinks it be the script-kiddies by amalek · · Score: 5, Insightful

    Meanwhile, the recession has left thousands of highly skilled IT staff out of work and desperate for money, while simultaneously crimping companies' IT security budgets... ?

    1. Re:Methinks it be the script-kiddies by Anrego · · Score: 4, Insightful

      crimping companies' IT security budgets

      Most were already crippled, which is really what I blame for the problem.

      For a _long_ time "this could get hacked" was a theory. Yes if someone dedicated resources at you and knew where to look they could get in.. but who is going to target _us_.

      The availability of tools that can automagically find these vulnerabilities and exploit them is what I blame. All these little holes no one worried about because "no one will ever bother looking there" are becoming a big deal.

      Hopefully companies getting hacked left right and center will put the fear of the great fire cactus to the suits, and they in-turn will invest in real security.

  2. Golden Lulz, not plain old gold by Beautyon · · Score: 4, Insightful

    Umm no, its the Lulz age of hacking.

    --
    ATH0 Bitcoin: 1DnwFLXczVZV8kLJbMYoheUrpqHesjxrSi
    1. Re:Golden Lulz, not plain old gold by Samantha+Wright · · Score: 4, Insightful

      I'd give you a mod point, but instead I'm going to just try and highlight your point more clearly, since you seem to be accruing mod points anyway.

      LulzSecurity is doing a bunch of high-profile, childish, silly things. That's all the weather there is to report. There's nothing else going on. There's no golden age, no silver age, no information age. Just one group being trollish, and otherwise, the attacks we're hearing about aren't that out of the norm. The exponential curve is right on schedule, as usual.

      Hopefully, however, the LulzSec attitude—that you don't have to be important in order to be an interesting target for having your pants pulled down in front of the rest of the class—will drive organizations toward better security policies. TFA is obviously not interested in this aspect of things (and ends in a pessimistic note about people asking for help with test configurations) which is... not that surprising from PCPro.

      --
      Bio questions? Ask me to start a Q&A journal. Computer analogies available for most topics!
  3. Perhaps not more common, just more visible by gman003 · · Score: 5, Interesting

    Haven't RTFA'd yet, but I would suspect that hacks aren't any more common now - just more visible and more reported. It's like when the news media has a "summer of the shark" - after a few notable incidents, the media realizes that these stories bring in viewers, and then any further incidents, no matter how insignificant, are publicized when they otherwise wouldn't be. Just look at the recent Bethesda hack - that kind of thing goes on all the time, and I was surprised anyone bothered paying attention to it. Sure, some of them were big - the first Sony attack was significant, and the US Senate hack is noteworthy - but a lot of these recent hacks have been relatively minor.

    There's also the possibility that all this attention is actually causing more hacks - after the initial Sony hack, hackers realized that Sony was a big, vulnerable target. By extension, they realized that big companies actually aren't bulletproof - in fact, many of them have terrible security. I'm sure such knowledge was widespread in the black-hat world, but now the secret is public knowledge.

  4. Re:Hacking vs Cracking by gman003 · · Score: 4, Insightful

    I think it's time we give up on this. Sure, most of us know about the technical distinction between "hacking" and "cracking". But the mass public hasn't picked up on that, and even many hackers (old sense) now use the term hacking (new sense) for cracking.

    At this point, trying to push the term "cracking" is futile. We won't change anyone's mind. In fact, all we'll do is come across as semantics-arguing dweebs. It's probably best to just accept that "hacking" now means "gaining unauthorized access to a system". It'll be easier to make a new term for "person who messes with computer systems for fun".

  5. Perfect storm actually... by mlts · · Score: 5, Informative

    There are a lot of reasons for this to be an age of intrusions galore:

    1: Corporate philosophy. I mention this often, but it is very true -- security is a cost center, so in a lot of firms, it gets hind teat in the budget.

    2: Ease of getting away with intrusions. Got a botnet? Just create some PPTP/L2TP connections and you can manually try breaking into machines and one can either not be traced, or have the blame shifted to another party. Especially if the intrusions come from a country that is disliked.

    3: Lack of international cooperation. All it takes is one proxy to be in a country that doesn't like another, and there is no way an intrusion can be traced, much less prosecuted.

    4: Lack of meaningful security tools. A lot of the tools used in businesses are all sizzle, and not much steak. Take AV programs. They are great at catching last week's stuff. However, most attacks are polymorphic 0-days that just zing past AV program detections.

    5: Ease of infecting via ad rotation services. Ad rotation services can sling malware without ever getting caught because people will blame the website, not the servers slapping the ads on it. The same ad servers that can target by demographic can target a company and just that company for malware.

    6: Using the Internet for all traffic. In the past, there were backbones that were not accessible to anyone that transactions ran across. Now the same wire that gets pr0n to Joe Sixpack also carries bank data and transactions.

    7: Failure to use basic security protocols in password storage. Hell, crypt(3) is better than most ways passwords are stored. The best thing is to look at known secure utilities like TrueCrypt and follow their example.

    8: SQL injections and parametrized queries. Simple stuff, but because a lot of dev projects just want a code base regardless of bugs, this stuff gets ignored until the breaches start.

    9: No real network security. A firewall doesn't cut it anymore. Instead, companies have to use VLANs and keep departments separated. This way, a compromise in receiving doesn't mean finance or HR is pwned too.

    10: Legacy protocols. FTP (other than anonymous FTP), telnet (except for use for debugging), and other insecure protocols need to either be limited via packet filtering mechanisms and router ports, or eliminated altogether. Instead, if two machines need to share data, have them use a LUN presented to them and a filesystem that allows for this.

    11: Lack of internal policies and procedures. Security isn't just clicking "secure mode" on an appliance and walking off. There needs to be a process if someone calls in from an internal line demanding info, or someone physically is picking a lock.

    12: Separation of duties and data. This is expensive relatively, so it tends not to be done, and the same server with the source code build may have the HR payroll data. This makes for a field day for an attacker.

    13: Chain of custody of data. Either the machine it sits on is properly secured, or the data is stored encrypted with proper key management. For example, some enterprise level backup programs have data encrypted at the client end, and only that end has the key. This way, if the enterprise backup server gets compromised, the data can be destroyed, not accessed or modified.

    14: Morale. Morale is so easily forgotten, especially with companies that do the low bidding among the last 3-5 candidates. High morale means people are proactive on security. Low morale means people will ignore breaches assuming they won't be thrown under the bus.

    15: Cloud computing. There is no benefit for a cloud provider to give anything but token gestures for security financially, so one is begging to be compromised unless there is solid encryption with good key management done before the data leaves the client. Even then, blackhats can have free and unfettered access to the encrypted data and can detect patterns over time. SLAs are meaningless; a cloud provider can change hands or go bankrupt and all the privately stored data can be made into a torrent or sold to anyone with cash.

    Because most businesses pay lip service at best to security, it is no wonder why blackhats are having a field day.