Information Security And The Hackers Bottom Line

Michael From our Perspective

It’s everyone’s worst fear: having your identity stolen and taken over. We choose impossibly difficult passwords (especially to remember), change them regularly (hopefully), and hope that the companies we entrust with our personal information protect it to the utmost of their ability.

But as we find out more and more, information security does not seem to be a huge worry for companies. A month ago I explored the dark side of hacking. I talked about the US government’s Office of Personnel Management (OPM), which had 21 million federal workers’ records stolen by the Chinese, the password vault LastPass being hacked, and the IRS breach in which 100,000 taxpayers’ information was stolen. Beyond those there was also the highly publicized theft of Target’s customer data in late 2013 (40 million credit card numbers stolen), Home Depot in 2014 (56 million credit card numbers stolen), and the hack of Sony.

The Moral Dilemma of Information Security

So why are these massive companies with limitless resources getting hacked so viciously? To me, it boils down to a moral dilemma: the profits-over-all mentality that capitalism breeds.

Why fix an issue like information security that isn’t your problem, especially if it doesn’t cost you money?

When initially reported, the hack on Sony was going to cost the company more than $100 million, and the full movie that was leaked online well before its release date, “The Interview”, was going to be a complete bust. Well, after all was said and done, “The Interview” made a profit and the total loss to Sony was a much more manageable $15 million.

This represents 0.9% to 2% of Sony’s sales for 2014. No sweat for Sony, really.

Similar to the housing bubble that burst in 2008 and caused the Great Recession, the majority of the risk rests on the individual consumer, not on large companies.

To drive home this point, let’s look at Target, which was breached through network credentials belonging to a third-party HVAC contractor. The gross cost to Target was $252 million. After insurance reimbursement and breach-related tax deductions (yes, really), it cost them a grand total of $105 million.

That is roughly 0.1% of Target’s sales for 2014.

It cost banks and credit unions $200 million to issue new cards, and 1 to 3 million card numbers were sold on the black market before they could be cancelled. That is not to mention the 70 million records that were stolen, containing the names, addresses, email addresses and phone numbers of consumers, which could then be sold on the black market and used in subsequent attacks such as phishing and account takeover.

Information security simply doesn’t pay.

Snowball Effect

As I said before, people assume that companies take their customers’ privacy as seriously as the general public does. But how much effort (read: money) are companies actually spending on security? While these figures are incredibly hard to come by, one data point gives us something to go by.

In the never-ending struggle to spend the least amount of money to make the most amount of money, information security has been the victim. JPMorgan Chase’s CEO says his firm spends $250 million each year on securing its information. Initially that sounds like a lot of money. But in reality it is only about 0.35% of the firm’s annual expenses.

Nowadays the threat is deepening. Not only do you have to worry about your identity being electronically hijacked: your car is also susceptible.

In 2013 Andy Greenberg (then at Forbes, now at Wired) became a test dummy when he let two hackers, Charlie Miller and Chris Valasek, take control of the car he was driving from the back seat. At that time they were wired into the car through a laptop plugged into its diagnostic port. Recently, though, they upped the ante by taking control of a 2014 Jeep wirelessly. The hackers turned on the AC and the radio, controlled the volume and windshield wipers, and even shut down the engine while Andy drove down a highway, all from 10 miles away.

The cars in that 2013 wired demonstration were a Toyota Prius and a Ford Escape.

This was not the first time a car had been remotely controlled. The first known remote takeover was in 2011, when researchers at the University of Washington and UC San Diego created software that could track a car’s movements and break into control systems such as the brakes, engine, and transmission via the tire pressure sensors, which transmit radio signals every 60-90 seconds.

Jeep has since issued an update to patch the flaw, which lies in the head unit and the Uconnect wireless system. The only problem with this: the patch has to be installed manually, by USB stick or at a dealer, so the fix reaches only those owners who actually apply it.

A Ray of Sunshine for Information Security

It seems as though most companies would rather ignore information security issues, and the potential asset that hackers like Miller and Valasek represent.

Jeep is setting a good example by taking heed of others’ hacking abilities, but not all companies are following suit. GM, for instance, is taking a hard stance against hackers.

Automakers like GM have used section 1201 of the DMCA to ward off the researchers who would warn them. Section 1201 prohibits circumventing “technological protection measures” and treats doing so as a violation in its own right, with penalties of up to $150,000 per violation.

It seems they would rather ignore these threats than admit any flaws in their engineering, which really shouldn’t be a surprise. Remember the highly publicized case in 2014 in which GM hid a fatal flaw in its ignition switches that killed somewhere around 100 people over 10 years? If they are willing to hide a deadly flaw, then overlooking an information security flaw is child’s play.

And to be fair, it isn’t just GM that is perfecting the head-in-the-sand technique: the Association of Global Automakers backs its stance. Plus, many companies in other industries are reluctant to do business with hackers.

This New York Times article details the journey of Michiel Prins and Jobert Abma from amateur hackers to co-founders of HackerOne, the ray of sunshine that brings individual hackers and corporations together.

Together, in 2011, they hacked 100 high-tech companies, including Facebook, Google, Twitter, Apple, and Microsoft. When notified of the vulnerabilities, about a third of the companies completely ignored them, a third reluctantly thanked them but didn’t fix the flaws, and the last third took corrective action.

Google was one of the first companies to offer a cash incentive for finding vulnerabilities in its systems. Five years ago it started paying upwards of $3,000 for a single bug.

A few months ago a cybersecurity expert claimed to have altered the course of a United Airlines plane in flight by hacking into the plane’s systems via the in-flight entertainment system. His claim is still hotly contested. But who knows; maybe this is what happened to MH370. Earlier this month United Airlines took a huge step forward by awarding a million flight miles each to two people who found exploits in its systems, the first hacking incentives it has given publicly.

Microsoft has been known to pay $150,000. Apple, on the other hand, pays nothing, which leaves exploits for its products to be sold on the black market to the tune of half a million bucks.

So far, HackerOne has 1,500 hackers who have reported 9,000 bugs and received more than $3 million in rewards.

Misunderstood

Some people think that hackers are low-life criminals after a quick buck. I would argue that hackers are simply people who found something that they are good at. Sure, some just like to see how big a problem they can create, just as some people simply enjoy stealing, or serial killers simply like killing. But at the end of the day hackers are just people with a talent. And being afraid to tap into that talent is incredibly naive, expensive, and most of all dangerous.

If companies get in front of this problem now and take the hacking community under their wing, offering incentives to hand over exploits instead of selling them to someone with malicious intent, it can save a lot of heartache in the future.

Because as they say (at least I think they do?), “hackers gonna hack”.


You can follow your favorite VPN service @LiquidVPN

You can follow the author @FreelanceTony
