When you work for Bit9, or any company in the security industry, the idea of threats, exploits and the need for constant vigilance is never far from your mind. Some might consider that being a bit paranoid, but I’ll defend it as being smart.
Case in point, the first big security breach of 2014 came to light on the first day of the year, as the user names and phone numbers of 4.6 million users of Snapchat, a popular disappearing-message service, were stolen by an anonymous entity and posted to the Internet. But wait, there’s more.
Skype, Microsoft’s widely used Web messaging and calling service, was hacked as the new year began, with the Syrian Electronic Army claiming responsibility. This led Skype, which regained control of the accounts the same day, to tweet the following:
You may have noticed our social media properties were targeted today. No user info was compromised. We’re sorry for the inconvenience.
And bitcoin, the open-source, digital alternative to money, was the subject of a clever “heist” when a Bloomberg TV anchor displayed to the camera a bitcoin gift certificate he was about to give to a colleague. With the certificate clearly displayed in HD, a sharp-eyed viewer took a picture of the QR code and was able to help himself to the $20 value. The amused anchor, Matt Miller, reached out to the “thief” via Reddit: “So freaking classic but also a GREAT lesson in bitcoin security! You can keep the $20 – well earned.”
That $20 was money well spent in the opinion of those of us concerned about the security of our money—and our bitcoins. It demonstrated yet again that if there is something of value in our pockets, on our computers or on a company’s servers, someone wants it and will probably try to steal it.
Whether it’s currency, user names, passwords, phone numbers, domain controllers, etc., there is a market for whatever it is we hold precious. And that’s why security—both personal and professional—is a 24/7/365 job.
Few people had heard of Snapchat or bitcoin a year ago. But their newness didn’t make them invisible to people who wanted to exploit their value. While the “Bloomberg bitcoin burglary” was not exactly the Brink’s Job, it also was not the first time the nouveau currency has been stolen. If you asked most of the people you know to explain exactly what bitcoin is and how it works, you’d probably get very few correct answers. But even if it’s a mystery to the masses, the stuff has value and that makes it attractive to people who prefer to work for your money, rather than earn their own.
Back to Snapchat, while personally identifiable information is very valuable to the individuals to whom it belongs, it’s more difficult to put a monetary value on it. Certainly identity theft happens with alarming regularity in the United States and other parts of the world, but as with people who can correctly explain how bitcoin works, most of us have not had our identities stolen, even if our credit card numbers or online user names and passwords have been hacked by one threat actor or another. But that doesn’t mean the problem is any less real or we are any less vulnerable to it.
There’s no such thing as “too much security.” At Bit9, we are justifiably proud of how well our platform protects endpoints and servers from advanced threats. But we are equally passionate that our customers deploy a defense-in-depth strategy that involves several layers of physical and digital security to help ensure that they don’t fall victim to the growing number of sophisticated nation-states, hacktivists and cyber criminals who are out to exploit them.
But even with the heightened awareness of security that is driving continued strong growth at many security companies, Bit9 included, businesses are still too often cavalier about protecting their own assets—and their customers’ identities.
In the case of Snapchat, the company had been warned in August 2013 about the possibility that its users’ private information could be hacked and made public. In a Dec. 27 blog post, the company said: “[O]n Christmas Eve, security group posted documentation for our private API. This documentation included an allegation regarding a possible attack by which one could compile a database of Snapchat usernames and phone numbers.”
Snapchat wrote that it is “grateful for the assistance of professionals who practice responsible disclosure and we’ve generally worked well with those who have contacted us.”
The company continued: “Theoretically, if someone were able to upload a huge set of phone numbers, like every number in an area code, or every possible number in the U.S., they could create a database of the results and match usernames to phone numbers that way.” It closed the blog post with: “Over the past year we’ve implemented various safeguards to make it more difficult to do. We recently added additional counter-measures and continue to make improvements to combat spam and abuse.”
More difficult? Perhaps. Impossible? Obviously not. In a Jan. 2 blog post, Snapchat said it “will be releasing an updated version of the Snapchat application that will allow Snapchatters to opt out of appearing in Find Friends after they have verified their phone number. We’re also improving rate limiting and other restrictions to address future attempts to abuse our service.” All good ideas, but they should have been implemented before the horse left the barn.
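The two mitigations Snapchat names, an opt-out from Find Friends and tighter rate limiting, can be combined on the server side as in the following added example. It is not Snapchat's or Bit9's code; the class and function names, the thresholds and the sample directory are constructed for illustration. The budget counts distinct phone numbers looked up per account, not requests, so re-syncing a normal address book costs nothing while a sweep of a number range is refused.

```python
from collections import defaultdict


class LookupBudget:
    """Caps how many distinct phone numbers one account may look up per window."""

    def __init__(self, max_distinct, window_seconds):
        self.max_distinct = max_distinct      # assumed threshold, tune per service
        self.window = window_seconds
        self._seen = defaultdict(dict)        # account -> {number: first-seen time}

    def charge(self, account, numbers, now):
        seen = self._seen[account]
        # Forget numbers whose first lookup has aged out of the window.
        for number in [n for n, ts in seen.items() if ts <= now - self.window]:
            del seen[number]
        new = {n for n in numbers if n not in seen}
        if len(seen) + len(new) > self.max_distinct:
            return False                      # refuse the whole batch, record nothing
        for number in new:
            seen[number] = now
        return True


def find_friends(account, numbers, directory, opted_out, budget, now):
    """Return {number: username} matches, or None when the caller is over budget."""
    if not budget.charge(account, numbers, now):
        return None                           # a real API would answer HTTP 429 here
    return {n: directory[n] for n in set(numbers)
            if n in directory and n not in opted_out}


def demo():
    # Constructed sample data: fictional 555 numbers and usernames.
    directory = {"+15555550100": "alice", "+15555550101": "bob",
                 "+15555550102": "carol"}
    opted_out = {"+15555550101"}              # bob opted out of Find Friends
    budget = LookupBudget(max_distinct=5, window_seconds=3600)
    book = ["+15555550100", "+15555550101", "+15555550199"]
    first = find_friends("u1", book, directory, opted_out, budget, now=0)
    resync = find_friends("u1", book, directory, opted_out, budget, now=60)
    # A sequential sweep of ten numbers exceeds the distinct-number budget.
    sweep = ["+1555555%04d" % i for i in range(100, 110)]
    blocked = find_friends("u1", sweep, directory, opted_out, budget, now=120)
    later = find_friends("u1", ["+15555550102"], directory, opted_out, budget, now=4000)
    return first, resync, blocked, later


if __name__ == "__main__":
    print(demo())
```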
I am not singling out Snapchat, bitcoin or Skype for having insufficient security. They are just a few of the most recent examples of entities that have been breached. I’m using them as a way to show that effective security is an iterative process, like a chess match between masters. One side makes a move and the other counters. The only way to give yourself—and your organization—an advantage is to ensure that you are employing the latest, most comprehensive and most proven security products and solutions to protect the information that you value. If not, then your organization might be facing a checkmate that you didn’t see coming and weren’t prepared to stop.