Tuesday, July 7, 2015

Cybersecurity & Civic Hacking # 5: Even Cybersecurity Companies Get Hacked!

This week’s  ‘Cybersecurity & Civic Hacking’ post was going to be about a different topic, but a cybersecurity event over the weekend seemed more important to highlight for you.

People in NE Wisconsin who worry about computer viruses might wish they worked for a company or government agency that deals with cybersecurity. Guess what?

Even cybersecurity companies get successfully attacked.

This weekend Hacking Team, an Italian company that sells computer security services to government security organizations and law enforcement, apparently had its computer systems successfully attacked. Definitive proof of the attack is unlikely; Hacking Team denies they were attacked. The Guardian’s article about the purported attack says:
The cybersecurity firm Hacking Team appears to have itself been the victim of a hack, with documents that purport to show it sold software to repressive regimes being posted to the company’s own Twitter feed. The Italy-based company offers security services to law enforcement and national security organisations. It offers legal offensive security services, using malware and vulnerabilities to gain access to target’s networks. According to the documents, 400GB of which have been published, Hacking Team has also been working with numerous repressive governments – something it has previously explicitly denied doing. It has not been possible to independently verify the veracity of the documents.”
When NE Wisconsin has the Cyber Defense Force group of civic hackers who assist with cybersecurity, you'll be able to ask them questions you have about incidents like this weekend's Hacking Team story. Numerous online media sites covered this story, partly because of the irony of the situation and partly because the reportedly leaked data shows them to be an unsavory and unscrupulous company, charges that have been repeatedly levied against them in the past. But it's hard for the average resident of our area to know if an article like this is news hype or if it affects them personally.

[Note: The company’s history and amount of data supposedly obtained from their site, 400GB, indicates it probably came from a successful hack. However, the Wall Street Journal and Wired present the attack story as having definitely occurred, although I’ve not seen any articles that offered proof of an attack or that quoted Hacking Team admitting they were successfully attacked. But that’s a different can-o-worms…]

An article by CSO Online, “Hacking Team responds to data breach, issues public threats and denials,” quoted a Hacking Team employee as saying:
Don't believe everything you see. Most of what the attackers are claiming is simply not true...The attackers are spreading a lot of lies about our company that is simply not true. The torrent contains a virus...We simply provide custom software solutions tailored to our customers needs...”
It will be interesting to read updates about this incident in a couple weeks to see what Hacking Team says at that point.

The Hacking Team incident isn’t the only computer security company in the news for this reason. Two other recent examples of cybersecurity firms being attacked are discussed in the BBC’s article “Kaspersky Lab cybersecurity firm is hacked” and Time’s article “Cybersecurity Firm LastPass Hacked; User Data Stolen.” Kaspersky sells anti-malware for PCs, and LastPass sells password management software for PCs. If cybercriminals can successfully attack companies who say they will keep malware off your computer and keep your passwords safe, how secure does that make you feel when you’re doing online banking? It would be good to have a civic hacker group like the Cyber Defense Force who can help us make sure we're using top quality anti-malware and password managers AND help us make sure we're using them effectively and updating or replacing them when needed.

CSO Online presents an ominous 30,000’ view of cybersecurity in their article, “Every company is compromised, but most infections not yet at critical stage.” Saying that ‘all companies' networks’ are compromised is a bit of hyperbole (although probably not factually untrue) from a company that sells software / hardware packages to deal with cyber attacks. But a frequent warning from cybersecurity experts is "There are only two types of companies - those that have been hacked, and those that will be."

The goal of this post is not to tell you to stop using computers and smartphones just because even cybersecurity companies can be attacked. None of you are likely to give up your smartphone or computer. I’m writing this post to persuade you to support the NE Wisconsin collaborative cybersecurity initiative outlined below and encourage others to support it!

I propose one or several NE Wisconsin colleges launch a collaborative regional cybersecurity pilot initiative. Civic hackers known as the Northeast Wisconsin Cyber Defense Force (NEW CDF), in collaboration with the new college cybersecurity program, help area residents and businesses maintain the best possible computer security and personal privacy. NEW CDF is a cadre of ethical and knowledgeable technologists working together to improve and practice their cybersecurity knowledge and skills. CDF provides practical training for business and personal computer security at the CDF Cybersecurity Training Center or onsite at northeast Wisconsin businesses and organizations. This community of cybersecurity civic hackers also helps catalyze and spin off cybersecurity startups and other high tech businesses.

The top cybersecurity expert at Yahoo says, “...I’m not very happy with where we are as an industry...We’re really focusing on the 1%,” he added, referring to the small number of companies that can afford to spend on cybersecurity teams and products, and the minority of internet users who are literate enough to jump through the hoops that are needed to be safer online...“The vast majority of people are not safe using the internet everyday…”

The goal of the proposed NE Wisconsin cybersecurity initiative is to help residents and companies in our region be part of the 1%,the minority of internet users who are literate enough to jump through the hoops that are needed to be safer online.”

What can you do to improve your online security?

You can contact your friends and influential people you know, and urge them to support the launch of this cybersecurity initiative!


DHMN Civic Hacks posts about 'Cybersecurity & Civic Hacking':
C&CH # 01: "Cybersecurity: A New Horizon For Civic Hacking?"
C&CH # 02: “Cybersecurity & Civic Hacking # 2: Public Wi-Fi
C&CH # 03: "Cybersecurity & CH # 3: The Right Person / Topics Of Interest"
C&CH # 04: "Cybersecurity & CH # 4: Malware"
C&CH # 05: This post, published July 7, 2015
C&CH # 06: "Cybersecurity & CH # 6: How Cybersecure Is Your Car?"
C&CH # 07: "Cybersecurity & CH # 7: Data Breaches"
C&CH # 08: "Cybersecurity & CH # 8: Hype or Reality?"


1 comment:

  1. I heard a lot about cloud computing and its role in operating user's data. It's convenient and it’s safe (for personal data). Is it save enough for business data that is hacked much more often than personal one? I know that Ideals virtual data rooms is trusted and protected enough for this purpose but still I have some doubts.