A "Whodunnit" to end the Year of the Data Breach
If I were a C-level person, meaning Chief Executive Officer(CEO), Chief Operating Officer (COO), Chief Financial Officer (CFO), Chief Information Officer (CIO), Chief Bottle Washer (CBO)... I would certainly bring up certain questions regarding my company's data security and what will, can or even could happen if the hackers get in. Sure, all these folks want to talk about is money, but look what can happen if you either a) trust your IT people without question or b) ignore the issue.
Strategic Forecasting Inc., known better as "Stratfor", was the latest hacking victim over the weekend. This company's product is essentially cyber security. These guys are supposed to be the real deal; with major governments and corporations from around the world being member clients of this "Stratfor." I mean, when the US Military is buying your newsletter and research papers on cyber security, it must be pretty good, right? (well, there was that whole Iran drone theft problem)
So, how embarrassing is it that group of hackers can break into a company whose purpose is to teach others how to secure their information. Well, it appears someone did just that and stole a lot of information; and if current media reports are correct, it's A LOT of information. There is some question as to exactly what was taken and Stratfor is asserting that the "confidential client list" was not taken (of course they are).
To add insult to injury, it appears that Stratfor stored credit card numbers of their members in plain text (not encrypted) even though (according to a Threat Level story) they seem to have had a product in place that would have encrypted the credit card information had they not "turned it off" or otherwise disabled it. Oh, it looks like they had those CVV numbers as well... (3 digits on back of some card) - usually a no, no.
There I am at Christmas dinner, the CIO of a major cybersecurity company and I get THE call. What??? Really??? I better have those Christmas present receipts, because it looks like I'm gonna have to start returning some of the more expensive items I bought...
I just can't get my head around how this can happen. OK, since I'm not a computer expert hacker guy, I will just accept that if your computer is connected to the Internet it's never completely safe. I will even accept the fact that most company seem to store purely internal information that can be accessed via the Internet. I cannot accept the fact that a company will store credit card information without encrypting it AND store the CVV numbers, (which is usually a violation of the credit card company's PCI-DSS regulation), all accessible via the Internet.
What if, just ponder the thought, that those who actually did this are "pretending" to be the loose knit group of hackers known as Anonymous. Would I know how to make a hack look like it was them? Probably. Maybe the real goal of this hack was much more nefarious. A major world power (see: China), who has teams of hackers working round the clock could certainly design an operation that makes it look like someone else did it.
The real goal of the operation was probably to steal information, and not the credit card numbers. But to fool people, you take the credit card info, use it to donate some money, go all twitter-crazy, make outlandish statements about "world order" and whatever other quotes you can find in Orwell's "1984." Sure, I bet you could make it look like Anonymous did it.
At the same time, this Anonymous thing is so amorphous, it could be anyone with the right skills.
With four days left in 2011 and the hacks still coming, will this be the Year of the Data Breach? Or will this trend continue into 2012? Well, check out the recent story that "computers traced to China breached the US Chamber of Commerce...", apparently the US Chamber has quite a library of valuable information. The hackers had access to those files and sensitive information for over a year.
Ya, we're going to see more of this next year, for sure...