The last week of tech headlines reads like some sort of cybersecurity end of days scenario. The New York Times, hacked. The Wall Street Journal, hacked. The Washington Post, hacked. And finally on Friday, Twitter, one of the world’s largest Internet communication services — hacked.
“Who’s next?” you may be thinking. But the question to ask isn’t “Who’s next?” The question is, “Who will admit it next?”
Look back on Twitter’s blog post from Friday afternoon. Twitter stops short of directly naming other companies, though all but confirms this isn’t just affecting Twitter alone. “This attack was not the work of amateurs, and we do not believe it was an isolated incident,” Director of Information Security Bob Lord wrote in the company blog post. “The attackers were extremely sophisticated, and we believe other companies and organizations have also been recently similarly attacked.”
But this shouldn’t be surprising to us.
Of the many members of the security community I’ve spoken to over the last 24 hours, all have said the same thing: Companies large and small all over the world face cyber attacks all the time. Sometimes these attacks are potentially connected — as in the case of the Times, the Journal (which, disclosure, is owned by ATD’s parent company, News Corp.), and the Washington Post. But many of these attacks occur in isolation or at random as well, from groups or collectives, different nations (especially in Iran, Syria or Russia) or even loners acting alone.
The point is, “High value targets” like Web companies hold massive troves of interesting data, and are obvious, constant targets for outsider attack. It’s just that we, the public, rarely hear about it.
But right now, during a week-long spree of hacking disclosures kicked off by the Times, we’re more apt to hear about other companies getting hacked than ever before.
“There’s a herd mentality when it comes to disclosure,” independent security researcher Ashkan Soltani told AllThingsD. “Having other companies disclose their breaches makes it easier for your company to as you’re less likely to get singled out in the press and public eye.”
In that vein, notice the timing of the hacking announcements last week. The Times kicked off the week of announcements on Tuesday evening. The Journal followed shortly thereafter. Then the Post. And finally Twitter.
To be fair, there are often reasons that may keep hacked companies from coming out with a disclosure of their own. For one, the company may be working on an ongoing investigation with law enforcement to monitor hackers who may have infiltrated their systems in the past. Tipping the hackers off by “coming out” may jeopardize existing surveillance.
Or even scarier: Perhaps these companies aren’t aware they’ve been hacked in the first place.
“I truly believe we’re going to see quite a bit more of these annoucements as companies start to get smarter and look more closely at their systems,” Soltani said. “It’s not a matter of whether or not you’ve been compromised. It’s whether you have the expertise to tell.”
Even the New York Times wasn’t aware of hacks that had occurred on its network for months on end; the company’s security software, provided by Symantec, failed to identify all but one of the 45 separate pieces of custom malicious software over a period of three months.
“Perhaps the press coverage might push them to take a deeper look inside their network,” said Soltani. Indeed, all three of the major papers that were hacked went to outside security firms for aid, and Twitter is currently working with the federal government to track down the hackers responsible for its own network breach (my guess is Twitter is paired up with the Department of Homeland Security).
But here’s the thing — No system is one-hundred percent safe. No matter how secure a company tries to make its network, there’s still one giant, glaring point of access that hackers will always go after: You, the user.
“Humans are the weakest link in any security strategy,” said Soltani.
So sit back and watch in the coming days and weeks. We’ll be waiting.
Comments are disabled on this post