Column: Data downer: Hackers will grow increasingly bold in 2017
The new year begins with two big unanswered questions on the cybercrime front: Did the Russians influence the U.S. presidential election and how did hackers gain access to 1.5 billion Yahoo accounts?
The fact that we may never have definitive answers suggests that 2017 will be just as digitally perilous for most people as last year.
Businesses, meanwhile, will continue grappling with the spread of ransomware — malicious software that encrypts and holds computer files hostage until money gets paid, typically in the form of untraceable bitcoins.
Bottom line: Hackers often have everything to gain and little to lose from their criminal activities, which leaves our increasingly techno-dependent society vulnerable to all manner of mischief.
“Someone asked me the other day how much progress we’ve made on cybersecurity,” said James Andrew Lewis, director of the Strategic Technologies Program at the Center for Strategic & International Studies, a Washington think tank. “The answer is not so much.”
The intelligence community seems to have reached consensus that Moscow was behind cyberattacks on Hillary Clinton’s campaign for the purpose of helping ensure an election victory by Donald Trump. Lewis said his intelligence sources confirmed that belief.
It’s now up to investigators to determine the scope of what happened and what can be done to prevent future election tampering from abroad.
The Yahoo hacks are more easily understood — and better represent for consumers the ongoing threat to people’s privacy and digital livelihoods.
Nothing is safe. Not your email, your personal information, your photos, your files. If it’s stored online, it’s theoretically accessible to anyone with the skills and wherewithal to grab it.
According to the Identity Theft Resource Center, nearly 900 million records might have been accessed in almost 7,000 known data breaches since 2005. The actual number of breaches is undoubtedly higher because not all security lapses are publicized.
A few weeks ago, Yahoo reported what is believed to be the single largest security breach ever — 1 billion user accounts potentially accessed in August 2013. Yahoo said it only discovered the incident recently, which does little to ease concerns.
The attack apparently was unrelated to a separate breach in 2014 involving 500 million accounts, which Yahoo revealed in September. The company blamed that one on an unnamed foreign government.
Other noteworthy breaches taking place or coming to light last year included databases penetrated at the U.S. Department of Justice, the Internal Revenue Service, UC Berkeley, 21st Century Oncology, Premier Healthcare, LinkedIn and AdultFriendFinder.com.
Exacerbating the problem is that few if any corporate and public-sector databases are encrypted, a step that would make their contents unintelligible to hackers. Thus, any successful breach will yield cyber-loot to be stolen.
“Using encryption would be a big improvement,” Lewis told me. “Big companies should be encrypting data.”
The reason they don’t is that it’s expensive and that encryption can slow things down by requiring system users to use digital keys to access data.
With Yahoo in mind, I can think of 1.5 billion reasons why those aren’t very good excuses.
Ransomware is a particularly insidious problem. IBM reported recently that 70% of businesses infected with ransomware have quietly paid off the perpetrators to regain access to their files and data systems. In half the cases, the ransom was at least $10,000.
Among consumers, IBM’s study found that more than half of those surveyed would be willing to pay to recover financial data and 43% would cough up some cash to unlock a mobile device. Ransom demands involving individuals typically run a few hundred dollars.
Jonathan Fairtlough, managing director for cyber-security and investigations at the Los Angeles office of Kroll, said a ransomware shakedown once would have been considered a highly sophisticated crime, requiring great expertise on the part of the perpetrator.
“Now it’s a common one,” he said. “It’s become a self-service crime you can do easily.”
In a sign of how bold hackers have become, we learned last month about a new ransomware racket called Popcorn Time. After encrypting the victim’s computer files and demanding a bitcoin payout, the software offers another choice: Help infect the computers of at least two of your friends.
If you do, and if they pay off the hacker, you’ll receive a free software key to unlock your own files. That’s just evil.
Fairtlough said there are steps businesses and consumers can take to protect themselves, but there will always be a trade-off between security and ease of use.
“The more secure you make something, the less operable and interoperable it will be,” he said.
And it’s important to have reasonable expectations. As security measures grow stronger, so too do the cunning and sophistication of hackers.
Your pricey antivirus software from the likes of Norton or McAfee will get you only so far. It’s designed to respond to known threats — a not insignificant consideration. However, anything new that hackers come up with often will be beyond the powers of protective software to stop.
“You can take a lot of steps to make your house secure, but that’s not going to stop a battering-ram bulldozer,” Fairtlough observed.
He advised consumers to use so-called multi-factor authentication when available for online accounts. Instead of just a user name and password, such systems may include additional security questions or sending an authentication code to one’s mobile device.
Fairtlough also suggested having different email accounts for different needs, so that a security breach won’t be catastrophic throughout your digital life, and using a password-management tool such as LastPass (which, ironically, had to patch a security hole earlier this year that could have allowed hackers access to millions of user accounts).
Will such steps keep you safe? In a word, no. That’s no longer the world we inhabit. What you’ll be is safer than you were before.
And until the private and public sectors step up their cybersecurity game, which they remain reluctant to do, safer is about the best you can shoot for.
David Lazarus’ column runs Tuesdays and Fridays. He also can be seen daily on KTLA-TV Channel 5 and followed on Twitter @Davidlaz.