A secret shared...
…is no longer a secret.
The media is awash with stories about a couple of special interest dating web sites being hacked and the personal information that had been submitted into them being leaked for the amusement of the public at large.
OK. Actually, there’s only a little bit in the papers and on the news web sites about it.
Unfortunately, most of the coverage focusses on how the unscrupulous evil hackers are leaking the personal preferences and credit card details of the subscribers of the sites. Or it promotes schadenfreude over the unscrupulous evil subscribers getting their just deserts for using such disgusting sites. Or even how the unscrupulous evil web site operators did not actually delete data that they told their subscribers they had. All of which rather misses some important points. Well, we wouldn’t want people to actually think about it, would we?
Was security of the hacked sites significantly inferior to that of other web sites? Obviously, the fact that information was stolen from the sites suggests that security must have been weak, right? Well, no. Although we’re unlikely to ever hear the details I expect that the operators of the sites used all the standard techniques to secure the sites and they were run using standard software out of standard datacentres using standard procedures as most other standard subscriber sites are. Everything standard.
So how could their information be stolen? Essentially, in the same way that data was stolen from the US Office of Personnel Management (OPM) or from Target or from South Korean credit card companies or from many, many more*. I don’t mean that the same technical weaknesses were exploited each time, but that the hackers will have identified some organisation as likely to have valuable information and will have looked for weaknesses in either the standard software they were known or expected to use, or their procedures, or their staff. Most hacks result from acquiring key insider information by first hacking or tricking or bribing a member of the management staff. Very few hacks are the result of original research in discovering a software weakness and breezing in and stealing the data the same day. Hacking is usually a long game, with snippets of information collected and combined over a long period of time until enough is known to take control of a site and copy everything useful from it - and the longer the hackers can remain in control and undiscovered, the longer they have to exploit the information they have stolen. Fact: Target was already compromised on 27 Nov 2013 and did not close the door on the hackers until 15 Dec 2013 - the bad guys were in control for at least 18 days. Target did not alert its customers until 20 December - after the hack was already being reported in the media.
Why would these particular sites be targeted? Obviously a collection of credit card details could be used for fraudulent purchases if the criminals act before the credit card companies close down the accounts, but the real value is in amassing enough personal detail on enough individuals that real identity theft can be attempted. Not hammering a few credit card accounts for a day or two, but taking over some people’s identities to the extent of obtaining new e-mail addresses, phone numbers, photographic IDs, licences, setting up new street addresses, new bank accounts, social media accounts and ‘verifying’ other completely fake identities. Suborned and fake identities can then be used for money laundering or other criminal activity including election fraud, with the person whose identity was stolen taking the blame, at least initially. We already know that hackers play a long game - criminal hackers’ gambits do not stop once they have acquired a bunch of information; it’s really just starting. A web site is a good target if it has many subscribers submitting personal information. Social media, dating and shopping sites are ideal. The OPM was a pot of gold.
So is it weak security - even if it’s management systems and not web site systems that really get hacked? Again, no. The ones we hear about in the press are the ones that are discovered - or perhaps they just have a salacious angle with which the media can boost their circulation. The ideal for a criminal hacker is to gain control of a site and then just sit back and wait and watch, and only dramatically exploit the information they acquire if a unique opportunity presents itself. Attracting attention is counterproductive. Far better to stay quiet and perhaps later acquire control of other sites that the same management team is in charge of. The hacks we hear about are the ones where security was sufficiently tight to discover the hack. OK, OK. Yes, it is weak security. The sites that don’t even know when they’ve been hacked are the ones with the really weak security.
Fortunately the motivation of the people who actually do hack into services is not always criminal exploitation of the information they find. If the hacked organisation is really, really lucky the perpetrators will only ridicule their lack of security awareness by bragging about the attack to the media and won’t actually attempt to steal from their subscribers.
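The point above - that the really weak sites are the ones that never notice the bulk copy of their subscriber data - is one a defender can act on, because a site that records how many subscriber records each account reads can spot a long, quiet harvest when it finally turns into a mass export. The script below is an added illustration, not code from this post or from any of the companies mentioned: the log format, the account names and the record counts are all constructed, and the detection rule (flag an account whose reads in any one-hour window exceed twenty times its own median per-request count, with an absolute floor) is an assumed heuristic, not a standard anyone has published. It also works out the Target dwell time from the dates given in the post.

```python
"""Flag bulk subscriber-record reads in an application audit log.

Constructed example: the log format, account names and numbers below are
made up for illustration and are not taken from any real breach.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re
from statistics import median

# Constructed audit log: ISO timestamp, account, subscriber records read by
# that request. Two support accounts doing normal lookups, then one of them
# pulling the whole subscriber table in three requests in the small hours.
SAMPLE_LOG = """\
2015-08-01T09:00:00Z account=support01 records_read=12
2015-08-01T09:30:00Z account=support01 records_read=9
2015-08-01T10:15:00Z account=support02 records_read=15
2015-08-01T11:00:00Z account=support01 records_read=11
2015-08-01T14:40:00Z account=support02 records_read=16
2015-08-01T18:20:00Z account=support02 records_read=12
2015-08-01T23:05:00Z account=support02 records_read=14
2015-08-02T02:10:00Z account=support02 records_read=40000
2015-08-02T02:11:00Z account=support02 records_read=40000
2015-08-02T02:12:00Z account=support02 records_read=40000
2015-08-02T09:00:00Z account=support01 records_read=10
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) account=(?P<account>\S+) records_read=(?P<n>\d+)$")


def parse_log(text):
    """Yield (timestamp, account, records_read); malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield (datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
                   m["account"], int(m["n"]))


def find_bulk_reads(text, window=timedelta(hours=1), multiplier=20, floor=100):
    """Return {account: (window_start, total_reads)} for each account whose
    reads in any sliding window exceed `multiplier` times that account's
    median per-request read count (or `floor`, whichever is larger, so a
    tiny baseline does not fire on noise).

    The median is used as the baseline because it is not dragged upwards by
    the bulk reads themselves, as long as they are fewer than half of the
    account's requests; for a real deployment the baseline would come from
    a separate training period rather than the same log being examined.
    """
    events = sorted(parse_log(text))          # chronological order
    per_account = defaultdict(list)
    for ts, account, n in events:
        per_account[account].append((ts, n))

    alerts = {}
    for account, reads in per_account.items():
        baseline = median(n for _, n in reads)
        threshold = max(floor, multiplier * baseline)
        for i, (start, _) in enumerate(reads):
            total = sum(n for ts, n in reads[i:] if ts < start + window)
            if total > threshold:
                alerts[account] = (start, total)
                break                          # one alert per account is enough for triage
    return alerts


def dwell_days(first_compromise, containment):
    """Whole days between first evidence of compromise and containment."""
    return (containment - first_compromise).days


if __name__ == "__main__":
    for account, (start, total) in find_bulk_reads(SAMPLE_LOG).items():
        print(f"ALERT {account}: {total} records read in the hour from "
              f"{start:%Y-%m-%d %H:%M}")
    # Dates from the post: compromised 27 Nov 2013, door closed 15 Dec 2013.
    print("Target dwell time:",
          dwell_days(datetime(2013, 11, 27), datetime(2013, 12, 15)), "days")
```

On the constructed log only support02 is flagged, for the 120,000 records read in the hour from 02:10 on 2 August; support01's normal lookups never approach the threshold. The worth of a rule like this is not the rule itself but the fact that somebody is looking: an alert that fires within the hour turns an 18-day or 5-month dwell time into a same-day incident.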
So, think carefully before you sign up to jMelody or PhysiognomyFolio or Chirrup or whatever service. If you’ve decided to sign up you obviously trust the company that runs the service to do what they say they will - but what do you really know about their security abilities? How can you assess this? The view that ‘Oh, they’re huge - they couldn’t possibly fail’ or ‘If they fail I’ll get compensation’ is self-delusion. Just how much of your life history will you share with them; if they are hacked how much of your life will be made public? And do you really need to tell the world that you just bought a widget from WhatsitShop and that it’s brilliant? Or that the rival doodad from Doofers-R-Us is sooo much better? Really? Is the world a better place because you let it know that you have a customer account with those retailers? Be careful who you share your secrets with.
* Of course, all the examples given are unrelated, one-offs, exceptional circumstances, negligence by an individual, lack of proper governance… etc etc. Yeah, right. For a US-centric view of how very common these data breaches are check out the Privacy Rights Clearinghouse Chronology of Data Breaches.
9 Aug 2015: News today that a technology retailer has been hacked and the details of 2.4m customers MAY have been stolen. I do hope that the reporting is inaccurate and that the company concerned knows the extent of the data loss but has decided not to tell the media yet.
29 Sep 2015: News today that a hotel group may have been hacked and a ‘large number’ of credit cards have been compromised. The significance of this item is that security experts suspect that the hack was against this hotel chain and that the hotel chain is now investigating… If it is shown that the hotel chain is indeed the source of the data leak then this is an excellent example of weak security - they didn’t even know they’d been hacked until someone outside their organisation told them. It really does not matter whether the data was compromised through malware on PoS terminals or via an ‘inside job’. The point is that they didn’t know.
8 Oct 2015: A superb example of poor security in the news today. A ‘smart technology’ payment group was hacked and did not notice. The bad guys were in their network for 5 months.