The first two months of 2013 have seen a stunning number of the world's best-known companies get hacked. And they're not afraid to tell us about it.
Apple, Facebook, Twitter, and Tumblr have all been breached. The New York Times extensively documented its own attack, as did the Washington Post. Jeep and Burger King lost control of their Twitter accounts for over an hour. NBC was hacked, embarrassingly and publicly, just a day ago. Minutes before this story was published, Microsoft announced that it, too, had been compromised.
A casual observer would be right to ask: What the hell is going on here? And why can't anyone seem to stop it?
The answer appears to be a kind of perfect storm. The hackers have been getting better, and their targets haven't been keeping up. Meanwhile, some victims have begun to believe that rather than concealing their compromised data, their best bet is to speak up about it, in hopes of improving security measures.
"It's always tough to say whether we're seeing a spike in incidents or if we're merely becoming more aware of them," says Brian Krebs, of Krebs On Security. "In some cases, multiple successive compromises at high-profile sites have followed the discovery in the underground of a vulnerability in some kind, he says, "[while] in other cases, it's merely a footrace that the attackers win when the defenders fail to keep up with patches."
But these targets have been unusually forthright in telling us they've been hacked— this recent spate of breaches, for the most part, haven't affected user data, which would legally require the hacked companies to notify the public. These companies — including Facebook — have not been legally compelled to say they'd been hacked at all, but have anyway.
This, apparently, may have been self-interested — and indeed, the publicity around the attacks is a kind of plea for help.
"These companies recognize that the government tends to mobilize additional resources when they admit to a breach," says Tom Kellermann, Special Advisor to the ICSPA and former member of the Obama administration's commission on cyber security. Particularly, he adds, "when they admit to a breach that might create systemic risk via island hopping." "Island hopping," which is moving laterally from one hacked system into another secure one, Kellermann says, "is mainstream now."
Chester Wisniewski, Senior Security Advisor at Sophos, agrees that much of the public's perception of what's been happening over the last few months comes down to transparency, whatever the motivation. "We're hearing about it more and more frequently, but not necessarily because its a new problem," he says. "Things have been terrible for twenty years."
This, too, is a refrain repeated by many security researchers: that the problem isn't new, people are just hearing about it for the first time. But that doesn't mean the problem, as familiar as it is to the security world, isn't getting worse. "I hope we're reaching some awareness," says Wisniewski, "considering how frequently [these hacks] are happening."
The internet we use today, and the myriad security systems built around securing it, especially passwords, are beginning to show their age. The web as we know it, says Wisniewski, "was all designed in this perfectly academic world, where everyone trusted everyone else."
"As we're learning in the 21st century," he says. "we need to trust no one."
Richard Forno, Assistant Director at the University of Maryland Center for Cybersecurity, agrees. "People like me have been been making warnings," he says, with "reports and conference keynotes and analyses about this going back to the 90s, talking about this very stuff."
"For me it's like, what changed?," he says. "Are you now going to listen to us? Can I say, 'we told you so?'"
Aside from timing, the recent rash of attacks shares little in common. Some highly advanced hacks, such as the one mounted against the Times, appear to have been sponsored by governments — particularly the Chinese — while others, such as Facebook's, seem financially motivated. Twitter's hijacked brand accounts were the work of young vandals, probably just having fun, and were likely the result of weak passwords. This isn't, in other words, a concerted effort as much as a broad matching of hackers' strength with victims' weakness.
The incentive and ability to hack major companies is as great as ever, but their security — though every one is ostensibly (and always) planning to improve — hasn't kept pace. Companies like Facebook and Twitter and Apple, says Wisniewski, have "a billion dollar target painted on their back."
"These companies represent the biggest possible target you could imagine," he says. And hackers — unrelated and largely disorganized — are winning the battle against an equally diffuse security establishment. "It's important for Internet users to remember that most malicious sites are in fact legitimate sites that have been hacked," adds Krebs.
"The finding that I hope we collectively take away from this," says Forno, "is that we realize how insecure and how vulnerable we really are."
Perhaps, as the public begins to worry more about cybersecurity and more major companies, such as Twitter, take broad steps forward in user security — two-step authentication is going to become very important, very soon — we will find ourselves on the cusp of a Great Securing, after which bad passwords no longer exist and Apple engineers don't run Java in their web browsers. "Facebook is making a solid effort to protect its users' data. All the big internet companies do. I don't think people should panic," says Wisniewski. "If people get too scared of the internet it could had a massive impact on the economy." Stories like Mat Honan's account of his own hacking, which describes wide ranging human and technological breakdowns in Apple and Amazon's user security systems, however, don't inspire confidence.
Forno, too, worries that a panic could do more harm than good, particularly if federal legislators take notice: "What Washington tends to do with whatever it politically expedient, cheap, and relatively uncontroversial," he says. "A lot of [what it does] is reinventing the wheel, doing something we don't need, or it benefits special interests. They don't address the underlying reason why we're under attack."
But until this Great Securing takes place, whether voluntarily or by mandate, security is both as intractable as it's ever been and getting tested with unprecedented frequency and zeal.
"I think it is worse than ever," admits Wisniewski. "Our privacy is currency and our information is currency, and the criminals have figured that out." Criminals and, according to reports, the Chinese government, which would constitute a cyber-threat with an unprecedented combination of resources and motivation.
In other words, it's not just a perfect storm. It's a perfect storm with no forecasted end.