Security: The Sky Is Already Falling. Seriously.
By Mark Devlin
April 5, 2012
Another Security Breach; Another Truckload of Data
What started off last Friday as an apparent breach of more than 50,000 Visa and MasterCard credit cards has in only a few days grown to the potential hacking of anywhere from hundreds of thousands ‘up to ten million’ cards, according to this article (with FAQs) at Ars Technica.
When? From Ars, links intact…
The compromise, according to both KrebsonSecurity and The Wall Street Journal, happened sometime between January 21 and February 25. It's not clear if attackers had access for that entire period.
Who? Well, we’re dealing with a couple of Who’s. Visa and MasterCard? No, apparently they’re not at fault. The breach hit a ‘payment processor’ for Visa and MasterCard, called Global Payments Inc. Ironically, GPI’s website tagline is ‘Trust in Every Transaction.’ Visa, MasterCard, banks, and even the U.S. Secret Service have been notified.
The other Who? Of course, there’s the alleged Who that attacked. So far, according to KrebsOnSecurity…
Also am hearing that law enforcement investigators believe that this breach may be somehow connected to Dominican street gangs in and around New York City. This comes from two reliable sources.
Why? Why attack a payment processor instead of Visa or MasterCard directly? According to James Cowing, managing director of security assessment firm Digital Resources Group, "When people are attacking them, they are going for big-time gold. They're the big vault that people who are trying to attack and steal card data would go to for the big pay off."
Perhaps helping to put such a breach in perspective, even for industrial companies, Cowing says…
"These types of breaches happen all the time to smaller organizations and they don't get the notoriety, but when you hit one of the top 10, you make the front pages of all the newspapers," he explains.
In a related VentureBeat story, outgoing FBI executive assistant director Shawn Henry says about cyber-security (Link intact.)…
“We’re not winning,” the nation’s top cyber-cop told the Wall Street Journal. “I don’t see how we ever come out of this without changes in technology or changes in behavior, because with the status quo, it’s an unsustainable model. Unsustainable in that you never get ahead, never become secure, never have a reasonable expectation of privacy or security.”
Of course, trying to get companies to invest in better security during a time of economic struggle will be about as successful as attempting to wring blood from a stone.
Richard A. Clarke: All U.S. Electronics from China Could Be Infected
We’ve covered the renowned, experienced, MIT-graduated, and seemingly very wise Richard A. Clarke: former bipartisan counter-terrorism czar for three administrations. He also authored the excellent book, Cyber War, and we’ve mentioned him on many occasions within the virtual pages of IEN. He strikes me as The Guy that companies and government should be paying attention to, but they’re all too distracted with other, much less important Things Political.
(Unfortunately, the Sky Is Falling! dynamic usually infects really smart, intensely experienced people trying desperately to get others to listen. I’m surprised that dynamic hasn’t already infected Mr. Clarke.)
You know what, folks? In terms of personal and national security, the sky is already falling.
Clarke’s latest observation? Here’s a clip from an interesting Defense Tech brief…
Richard Clarke is coming out and saying that all electronics made in China may well have built-in trapdoors allowing Chinese malware to infect American systems on command. The malware could do everything from taking over a device to disabling it to secretly siphoning information off of it.
Supporting that position, DT says that there have been ‘countless reports’ of critical F-35 Joint Strike Fighter data ‘plucked from defense contractors’ networks—with China being the main suspect.’ Of course, the U.S. unabashedly sources military electronics—including processor and circuit boards—that end up on advanced weaponry and everything from U.S. fighter jets to nuclear subs. Planned or unplanned, counterfeits from China are everywhere, even in the U.S. military.
Here’s a quote from Clarke, presented on Ars Technica and sourced from this Smithsonian.com article…
“My greatest fear,” Clarke says, “is that, rather than having a cyber-Pearl Harbor event, we will instead have this death of a thousand cuts. Where we lose our competitiveness by having all of our research and development stolen by the Chinese. And we never really see the single event that makes us do something about it. That it’s always just below our pain threshold. That company after company in the United States spends millions, hundreds of millions, in some cases billions of dollars on R&D and that information goes free to China. … After a while you can’t compete.”
And it’s not only about the military. Clarke is quoted in this Gizmodo piece, saying something of which every industrial company in the country should take notice…
I'm about to say something that people think is an exaggeration, but I think the evidence is pretty strong. Every major company in the United States has already been penetrated by China.
Gizmodo says that maybe he’s right, or maybe he’s trying to drum up more business for his own security firm, Good Harbor Consulting, LLC. They’re not mutually exclusive positions. One can, of course, be right and also want to grow their business. Nothing wrong with that.
He’s right, dammit. Right. Right. Right.
IF Clarke’s right, and if I’m right about Clarke being right, then we also need to worry about things like this (from an excellent Wired Enterprise article here)…
Over the past few years, the giants of the web have changed the way they purchase tens of thousands of the network switches inside the massive data centers driving their online services, quietly moving away from U.S.-based sellers to buy cheaper gear in bulk straight from China and Taiwan. According to J.R. Rivers — an ex-Google engineer — Google has built its own gear in tandem with various Asian manufacturers for several years, and according to James Liao — who spent two years selling hardware for Taiwan-based manufacturer Quanta — Facebook, Amazon, and Microsoft are purchasing at least some of their networking switches from Asian firms as well.
I disagree with Clarke’s metaphor. It’s more, potentially, a case of a billion, unnoticed Trojan Horses, not death of a thousand cuts.
This isn’t just government, consumer conglomerates, and military. Even the CEOs of small- to global-sized industrial companies should be on high alert. Heck, we should all be on high alert—but most of us are just too pacified and anesthetized by the same technologies that could form a continent-sized bear trap capable of ripping huge, nasty chunks out of our collective American butt. (Want a bit more info on that? Check out this BBC article, Small Firms ‘Easy Targets’ for Cyber Crimes.)
It’s gonna be an interesting year, folks. If you have a security crash helmet, now would be the time to pull it on and flip down the visor—if you haven’t already done so.