Being in infosec for so long takes its toll. I've come to the conclusion that if you give a data point to a company, they will eventually sell it, leak it, lose it or get hacked and relieved of it. There really don't seem to be any exceptions, and it gets depressing.
— briankrebs (@briankrebs) September 26, 2018
Earlier this month I wrote about how we can’t trust Equifax with our personal data. I’m not sure we can trust them with a cotton ball. Today, we discover Equifax has been sending consumers worried about their personal information leaking to the wrong site.
Read MoreThere’s been a lot of discussion about the Peeple app, which lets random individuals provide reviews of other people. The founders of the company seem to believe that no one is ever mean on the Internet and that all reviews are accurate. They’ve tried to assure us that no negative reviews will be published for unregistered users. They’re almost charming in their naivety, and it might be funny if this wasn’t so serious.
The app is an invitation to online abuse and harassment. And based on the public comments I’ve seen from the founders they have no idea what kind of pain their app is going to cause. They just don’t seem to have any idea of the amount of abuse that happens on the Internet. We work with and provide tools to abuse and security desks. The amount of stuff that happens as just background online is pretty bad. Even worse are the attacks that end up driving people, usually women, into hiding.
The Peeple solution to negative reviews is two fold.
Cybersecurity has been on my mind lately. There is a lot of bad stuff going on, from giant dDOS attacks, to subscription bombing, to the ongoing low level harassment that some people have to deal with on a daily basis. I’ve written a lot about how I think marketers are going to have to step up and stop being a conduit for abuse. I do believe this. There are a lot of different issues to discuss but there are also many, many different stake holders in the issue of cybersecurity.
I’ve been on multiple calls with different groups over the last few weeks discussing the implications of the subscription attack and how it was carried out. The majority of my focus is email and how to protect senders from becoming a conduit for abuse. Other folks participating on the call are looking at what abuse is out there and how to stop it or minimize it.
One thing that came up on a recent call is that the bulk of dDOS traffic that took Brian Krebs’ website down was from various Internet of Things devices. Security cameras, DVD players, televisions, lightbulbs and other connected devices were part of the problem. It’s a huge issue, and one that cannot simply be mitigated by just ISPs and providers. But convincing individuals to secure their lightbulbs can be a challenge, we can’t even protect their computers completely. Convincing companies to stop providing default usernames and passwords or using the same keys for every device is another challenge.
These are big issues that we’re going to have to deal with.
Last night, with 100 million of my virtual friends and a small group of local ones, I watched the first Presidential debate. Part of the debate was about cyber security. To misquote Vice President Biden, “Cybersecurity is a big freaking deal.” We have nation states, and groups with the resources of nation states, conducting covert operations online. We have hacking, compromises, bonnets and other malicious activity occurring every, single day. And, the more complex the site and the more users it has the more likely it is to be compromised. Cybersecurity is a critical part of national security and our own individual security. We must take it seriously and we must address it.
Now, I’ll be honestI don’t think there is a solution to the problem. I think, though, that there are hundreds of things we can do as individuals, as companies, as nations, as volunteer organizations, as NGOs and as coalitions to solve different parts of the problem. We all need to think about what it is and who’s doing the bad stuff.
It’s common to think of hackers as lonely boys in basements who have too much time and too little to do. Back in the ancient days of the spam wars some folks referred to them as “chickenboners“: beer drinking rednecks who ate fried chicken and threw the bones on the floors of their trailers. The reality even then, though, was that many spammers ran businesses and made a lot of money. Admittedly, the descriptions of how the business was run are cringe inducing and full of illegal activity.
Now, much of the hacking is actually organized crime outside the US. This makes it hard to address successfully through legal channels.
It’s all very complicated. But I think we can agree security is a big deal. We are all part of the solution, by securing our sites and our personal devices. We’re also part of the solution by paying attention to the larger issues and events going on around us.