Hacking Is Changing: Should Our Data Security Change?

In meetings with data security professionals, the same topic tends to arise: Why are we fighting the same security battles now that we fought 20 years ago?

The history of network and cyber security seems to be a recursive loop of threats and solutions.  The bad guys use similar tactics, from zero-day vulnerabilities to phishing, to gain access. The good guys are constantly shoring up their network hygiene with accepted strategies.  Like the cobra and the mongoose, this eternal struggle continues unabated.

But not unchanged. Threats and counter-moves are shifting all the time – sometimes subtly, but always in important ways. The technology advances. New threats arise. New tools are created and disseminated on both sides.

The recent hack of the Twitch gaming platform illustrated shifts in motivations for hackers, which may require the network guardians to rethink their protection priorities. For decades, one primary worry for CISOs was concern about being hacked for the purpose of gathering personal data to be sold on the dark web. For a number of reasons, the hacking priorities seem to have shifted.

One of those reasons seems to be pure economics. Your personal data is simply not worth as much right now as the same stolen credentials would have been worth 10-15 years ago. A study last year by privacy affairs shows surprisingly low costs for full sets of stolen information on the dark web, including:

• Online banking logins cost an average of $25
• Full credit card details including associated data cost $12-20
• A full range of documents and account details allowing identity theft can be obtained for $1,275.

The researchers note that the costs have dropped because so much data is currently available and easy for criminals to obtain.

So such attacks are not stopping, because new credentials – especially cards and account access – are always more valuable than older versions. But the big-time criminal cannot make as much money selling a slate of stolen personal information online as they used to be able to generate. This means that it is much less work, and probably more economic benefit, to sell a stolen set of credentials back to the company the hacker took them from.

This may be a reason for the prevalence of sophisticated ransomware attacks where the attacker both tries to lock down company computers, but also steals information to sell back to the victim. The rise of cyberinsurance encourages this trend. Not only is life easier for hackers to sell the data back to one motivated buyer, but with cyberinsurance, they can be sure the victim has available money to pay. Plus, if insurance pays, it is easier for company management to make part with the money. The most prominent hacking categories in the past year – ransomware and email-enabled fraud – are exactly the hacks with the most direct pay-outs. The criminals receive large payments directly from the victims, rather than being forced to sell stolen personal information and account data after it was captured.

Another change in hacking over the past 15 years is the easy availability of hacking tools on the dark web.  As noted in IT Securty Guru, “even rookie fraudsters can get their hands on what they need to commit online fraud for less than the cost of a beer. While guides about how to commit these crimes abound on the dark web, many of the listed tools come readymade for people with even the most basic of understandings.” So many more people have the opportunity to hack and are doing different things once they get into a site. They may not be motivated by maximizing profit from a hack.

The Twitch hack was devastating by all accounts. It seems that the hackers were able to exfiltrate the entire source code for the gaming site, plus security defense strategies, new unreleased products, and information about the earnings of site participants. This appeared to be a hack based on pure malice. No clear profit motive or strategy was evident. Instead the hacker was interested in punishing Twitch and its owner Amazon, although the reasons for punishment seemed hazy. The publication of source code and security information could lead to further hacks.

In this way, observers were reminded of the hack of Sony pictures, credited to the North Korean government, which evinced more malice than profit motive, also releasing new material that was expected to be the foundation for the victim’s future profit streams. But it was obvious that the North Korean hack was punishment for Sony’s movie showing the Dear Leader of North Korea in a bad light. The Twitch misbehavior is less obvious, only because it could have many possible sources. Both Twitch and Amazon have been mired in controversy lately, so either side of these public battles could have seen the attack as advantageous to their goals.  On the other hand, sometimes hackers just manage to breach security at a site, and then decide on goals once they are inside. These actions can be based on opportunity, not always politics or economics.

Ideological hacks are as old as networks and the original hippie/hacker ethos of the 1980s and early 1990s. But we have been building our systems to fend off attacks on useful consumer and patient data, maybe leaving ourselves open to other kinds of hacks from other directions. So much vital information was taken from Twitch without warning alarms that one is tempted to think the “call is coming from inside the house.” The hack could be very hard to pull off without inside help. So maybe our lesson from Twitch will ultimately be to refocus our awareness of the threats related to administrative system access.