Two Billion Compromised Accounts
The internet can metabolize almost anything within 48 hours, and the Ashley Madison hack was no exception. It hit like a meteor, its molten core roiling with 9.7 gigs of user data and white-hot facepalm. The detonation swallowed marriages and careers, even lives in the case of two suicides... And then it slipped beneath the waves, its ripples restricted to the people it devastated directly.
You probably noticed Ashley Madison, but for every high profile hack, there are quite a few that don’t make the news. I bet you didn’t notice that so far this year three health care providers - Anthem, Carefirst, and Premera - lost a combined 92 million accounts complete with personal information and SSNs. Or that Experian lost 15 million T-Mobile records just days ago.
Security disasters are business as usual. You can blink and miss the leak of your own credentials. The sorry state of security is a problem few of us are able to influence, so unless there’s a compelling story, as with Ashley Madison, it’s just noise.
It is worth checking in on the situation though. As of January 2015, one point nine billion accounts had been compromised. That’s billion with a B. And that was ten months ago.
So what happens when, in the age of big data, hackers and hostile governments are able to mine as many as 5.9 accounts per US Citizen? What’s the motivation for all this, particularly in the case of health insurance hacks? And perhaps the most important question of all… What would it take to fix the problem?
The State of the Union
2014, dubbed by many news sources The Year of the Hack, marked a significant shift. It showed a 78% spike in personal data records compromised compared to the previous year, with up to 47% of U.S. adults exposed. Some sources say a billion records were compromised in 2014 alone, and the pace has continued so far through 2015. As far as the economic cost goes, a recent study by Grant Thornton International showed that, globally, cyber-attacks cost businesses at least $315 billion over the previous twelve months.
So what changed, and why now?
Two major factors contribute to what will surely go down as the dawn of organized cyber-crime. First, it is clear that hackers have coalesced into sophisticated teams with new levels of technical and organizational capabilities. Second, and this is the enabling factor… The market conditions are right.
Deep in the darknet, there exists a thriving crime-as-a-service ecosystem. The roots go back to a familiar name for those of us who followed the bitcoin craze: The Silk Road. Founded in 2011, the Silk Road was an online marketplace for drugs that used cryptocurrency, the Tor anonymity network, and modern eCommerce practices to provide both unprecedented anonymity and, if the vendor ratings can be trusted, quality. You could buy anything from steroids to black tar heroin, and a few vendors dabbled in other areas, including hacking services. Silk Road did about a third of its business inside US borders, and its founder was brazen enough to reside in San Francisco, which, predictably, proved to be his undoing. By the time it was shut down by the FBI in late 2013, the Silk Road had generated roughly $214 million in sales, tremendous demand, and a model that, with a little tweaking, appeared workable to many. Its absence left a gaping hole in the market.
The result? A fragmented black market now exists, spread across at least 55 sites. Each is specialized and elusive, and the market as a whole is decentralized: shutting down any one site barely dents it.
Some of these markets focus solely on hacking services. Anyone with a computer can buy stolen credit cards and attempt to monetize them, or rent a botnet to perform DDoS attacks. This is where you find people who know how to infect a credit card processing system, and, most importantly, it’s where you monetize assets like credit card lists and health care records (insurance fraud is the new hotness).
Without this pipeline, it would not make sense for a room full of Russian hackers to spend a month or more stealing 40 million credit cards from Target. Who would buy the list? Even with buyers, it’s a race against the banks to monetize before the cards are cancelled. The confidence these groups have in the market is clearly strong.
As it turns out, in the case of Target, 1 to 3 million credit cards were successfully sold, generating around $53.7 million for the hackers, and presumably much more for buyers. The logistics speak to not only an efficient criminal organization, but also to a mature and enabling black market.
Cyber Espionage and Cyber Warfare
According to Paolo Passeri’s work on the Cyber Attacks Timeline, cyber-crime such as credit card theft constitutes more than half of all attacks, with the balance split between hacktivism, cyber espionage, and the occasional flare-up of cyber warfare.
The last two, espionage and warfare, are growing threats. In April, President Obama recognized this by declaring cyber-attacks a national emergency and issuing an executive order to enable sanctions against overseas cyber threats.
Two months later, the breach of the US Office of Personnel Management made his point for him: hackers (widely attributed to China) gained access to the background-investigation records of 21.5 million people, those who applied for US security clearances and, in many cases, their spouses and cohabitants. The records include everything from eye color to addiction history and the addresses of relatives of intelligence and military personnel. The applications of these data are dire, limited only by the fertile imaginations of the most dangerous people in the world.
From the outside, governments involved in cyber warfare look like boxers who never learned defense, connecting frequently and with devastating force, but rarely slipping a punch. The reality is a lot more complicated.
An anonymous source within the Department of Homeland Security told us, “At the DoD, there are thousands of hack attempts every day. Security is taken very seriously. Anyone who gets any sort of admin access is required to obtain and maintain a Security+ certification. Security is everyone’s responsibility.”
The DoD may risk being so secure that it’s hard to get anything done, but they’re creating a culture of security, and that’s commendable.
On the offensive side, the US certainly appears to be an active combatant in the cyber warfare arena, blamed for sophisticated attacks such as Stuxnet (a SCADA attack which destroyed around a thousand Iranian centrifuges) as well as Flame and the tooling attributed to the Equation Group, to name a few.
Mahan famously wrote, “Whoever rules the waves rules the world,” and some later revised that quote to consider air power. Cyber warfare is still in its infancy, but as we rely more on networks for battlefield operations, the stakes continue to increase. I have a feeling we will soon return to this quote a third time.
The Way Forward
If you’re a private individual unburdened by piles of bankable data assets, it remains very possible to stay safe. Your surface area is small, so you just need to be reasonably savvy, and, for the love of all that’s holy, avoid situations that might cause you to be specifically targeted.
But woe unto the Enterprise, for their data is valuable and their surface area is vast. Not to mention old. Aging infrastructure is one of big business’s toughest security challenges, because it is difficult to harden and expensive to replace. Much of it predates modern secure development practices, which is why a decades-old technique such as SQL injection still sits near the top of the list of successful attack vectors: wherever user input is spliced into query text instead of being passed as a bound parameter, the attacker gets to rewrite the query.
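As an added example (not code from the original article or from any of the companies it mentions), here is the pattern behind the SQL injection attacks mentioned above, in Python against an in-memory SQLite table. The user rows and the password column are constructed for the demonstration; the legacy login splices input into the SQL text, and the fix passes the same values as bound parameters so they can only ever be compared as data.

```python
import sqlite3

# Constructed sample data for the demonstration; not from any real system.
# Plaintext passwords are used only to keep the example short.
SAMPLE_USERS = [
    ("alice", "s3cret", "alice@example.com"),
    ("bob", "hunter2", "bob@example.com"),
]


def make_db():
    """Create an in-memory SQLite database seeded with the constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, username, password):
    """The legacy pattern: user input spliced into the SQL text.

    The structure of the query is decided by whatever the user typed, so a
    single quote in the input rewrites the WHERE clause.
    """
    sql = ("SELECT username, email FROM users WHERE username = '%s' "
           "AND password = '%s'" % (username, password))
    return conn.execute(sql).fetchall()


def login_parameterized(conn, username, password):
    """The fix: bound parameters.

    The SQL text is fixed at development time; the driver hands the values to
    the engine separately, so a quote in the input is just a character.
    """
    sql = "SELECT username, email FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


# Classic authentication-bypass payload: closes the string literal, appends an
# always-true clause, and "--" comments out the rest of the password check.
BYPASS = "' OR '1'='1' --"


def demo():
    """Run both login paths and return (legit, bypassed, blocked) result sets."""
    conn = make_db()
    legit = login_parameterized(conn, "alice", "s3cret")   # real credentials
    bypassed = login_vulnerable(conn, BYPASS, "anything")  # every row comes back
    blocked = login_parameterized(conn, BYPASS, "anything")  # no row matches
    return legit, bypassed, blocked


if __name__ == "__main__":
    legit, bypassed, blocked = demo()
    print("legit login:", legit)
    print("vulnerable path with payload:", bypassed)
    print("parameterized path with payload:", blocked)
```

The vulnerable query becomes `... WHERE username = '' OR '1'='1' --' AND password = 'anything'`, which matches every row; the parameterized query compares the literal payload string against the username column and matches nothing. Input validation and escaping help, but bound parameters are the control that removes the bug class rather than one payload.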
It’s worth mentioning that the Internet of Things (IoT) further threatens to expose the Enterprise’s soft underbelly. More than 13.4 billion smart objects are currently online worldwide, and due to the proliferation of internet-enabled sensors, that number is expected to hit 38.5 billion by 2020. Companies have already been attacked via copiers and internet-enabled heating systems, and many of these new devices have similar threat potential. According to a 2014 HP security study, as many as 70% of IoT devices are vulnerable, so as we begin to blanket the world in IoT devices, it’s critical that we make security a priority.
After the previously mentioned Target hack, the company reportedly committed $100 million to hardening its defenses, and that’s the level of commitment the corporate world must exert to get in front of this problem. Can companies pull that off without first getting stung? Can they do it at all? The banking industry had similar problems, and it overcame the worst of them, so yes, it appears to be possible. Perhaps it is a matter of time before hackers run out of lumbering, poorly defended industries that are profitable enough to attack.
Finally, if global law enforcement could find new ways to attack darknet markets, they could hobble hackers by disrupting their ability to monetize stolen assets. As it stands, law enforcement has shown some notable wins, but for the most part finds itself on the losing end of an arms race, unable to bring the weapons of cyber warfare to bear to their fullest. Part of the problem is the lack of visibility. If the average person has ever heard of darknet markets, they certainly do not connect them to the cyber-crime pandemic. Unless darknet markets become high profile targets, law enforcement will continue to struggle.
Hopefully, this moment where hackers are seemingly able to defeat corporate defenses on demand will be a brief one, and the notion of a Post-Security Era will prove even more hyperbolic than intended. But getting past this requires a shift in the culture of organizations everywhere, an understanding of information technology and security as fundamental skills not for a few individuals, but for companies. It requires huge investments of money and time.
It’s going to happen... But I’m afraid we might be here for a while.
- The dataset used to enumerate total accounts hacked to date is from data journalist David McCandless's site, Information is Beautiful. It is current as of January 2015 and shows 1.9 billion accounts compromised. From there, if you consider the other breaches mentioned in this article, it's easy to conclude that over 2 billion accounts were compromised.
- If you haven't read Ars Technica's excellent series on the Silk Road and its founder, it is definitely worth a read.
- Thanks to Paolo Passeri and the Cyber Attacks Timeline, his work is invaluable in understanding the motivations behind Cyber-Attacks.