What the Real Apocalypse Will Look Like – Response to the Sony Hack
Everybody loves a zombie-apocalypse story. Ok, maybe not everyone, but everyone should, because they are so much fun to read and speculate about. I mean, after all, look at Zombieland. How awesome is that movie? (You heard they are making a sequel, right? Well of course they are, because it was flipping fantastic.) But as far as real-life apocalypses go, it's pretty far off the mark. Reanimated dead people? Come on.
Or what about environmental apocalypses? We've seen our fair share of movies and books walking us through that swath of scenarios: the drying up of the seas (Mad Max), the freezing of the planet (The Day After Tomorrow), what have you. And all those things may happen. What do I know? But before they do, I see an apocalypse coming that seems to be off everyone's radar.
Over the past year or two (or week or two) we have seen an interesting shift in the world of the internet. The Sony hack is a massive tide shift; I promise it will be seen as a turning point in the future. It is such a seismic change that it has really given me pause, so much so that it is where I believe the real global apocalypse will come from.
I really don't want to turn this little opinion piece into a corporate PowerPoint presentation, but this chart spells out our dependency on the internet fairly clearly. It's hard to put a trillion dollars in revenue (which is what this chart shows for the global community) in perspective, but to say that it would be missed is an understatement. And the internet isn't just the crux of a trillion-dollar opportunity for online resellers; it's also how brick-and-mortar shops work. It's hard to explain to someone who doesn't work inside IT just how critical the internet ("the cloud", which is a funny rebranding of the internet in my opinion) is becoming. Call centers can't process credit cards without a third-party tokenization service these days. Phone calls can't be made or received without the internet. Call centers in general won't work without the internet because our staffs are global now. Transactions can't be fulfilled or shipped without the internet.
So while there is a trillion dollars in revenue each year now directly connected to the internet, that is only the tip of the iceberg regarding our ever-growing dependence on it. I've included a fairly clever little infographic detailing some of the larger and most interesting interrelationships of the online and real-world universes. Basically my point here is that our online and physical worlds are inextricably intertwined. The list of hacked major corporations just grows and grows: Target, Neiman Marcus, UPS, Goodwill, P.F. Chang's, Michaels, Home Depot, and don't forget the original Sony hack (the 2011 PlayStation Network breach).
But it's this latest Sony hack, which has now been directly linked to North Korea (the FBI confirmed the attribution again as I write this, January 8, 2015), that should give everyone great pause. It is in a very separate league, with very elite company. I would argue that the only real parallel to this latest Sony hack is Stuxnet, the worm generally attributed to the US and Israel. Both operate at a nation-state level. Both take the offenders out of the realm and responsibility of local authorities. And both serve different agendas and causes than most hackers have operated under, save for, maybe, Anonymous, which could be argued, I'm sure. But it isn't the trend of nation-state hacking that is going to bring us to a global apocalypse. It's the frightening trend of methods and actions that should make us collectively nervous.
Let me geek out on you a minute, otherwise you won't understand a thing I am about to say. In response to the steady loss of millions of credit cards, and the rippling impact on every cardholder whose information is lost, the credit card brands maintain and keep tightening a standard called PCI DSS, the Payment Card Industry Data Security Standard. It is a set of requirements designed to ensure that ALL companies that process, store or transmit credit card information maintain a secure environment. That's good. PCI is protecting us all.
Or can it?
Obviously there are best practices that can make all our vendors more secure. Encrypt all card data in transit. Don't store card data at rest unless you genuinely need it, and never store sensitive authentication data (CVV, PIN, full magnetic-stripe track data) after authorization. Use tokenization, so that your application handles a random one-time token instead of the real card number. Create secure-coding best practices and train regularly on the latest threats. Implement locked-down firewalls with a web application firewall (F5's Application Security Manager, ASM, is one such appliance) in front of the application as well. These are all great ideas.
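Here is what "tokenize" and "never write the card number anywhere" look like in practice. This is an added example written for this post, not code from PCI, F5 or any payment vendor. The in-memory dictionary stands in for the separately hardened token service a real deployment would use (an assumption of the sketch), and 4111 1111 1111 1111 is the standard Visa test number, not a real card.

```python
"""Tokenization and PAN scrubbing, as an illustration of the practices above.
Added example for this post; the in-memory vault stands in for a real,
separately secured token service (an assumption of this sketch).
"""
import re
import secrets

# Loose pattern for anything that looks like a card number, with optional
# spaces or dashes between digits; the Luhn check below weeds out false hits.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def _digits(s: str) -> str:
    return "".join(c for c in s if c.isdigit())


def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check that every real card number passes."""
    digits = [int(c) for c in _digits(pan)]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:            # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep only the last four digits, a masking PCI DSS permits for display
    to staff who have no business need for the full number."""
    d = _digits(pan)
    return "*" * (len(d) - 4) + d[-4:]


class TokenVault:
    """Hands out a random, unguessable token for each PAN and keeps the real
    number on the vault side only. Everything outside the vault (order
    database, logs, support tickets) stores the token."""

    def __init__(self):
        self._pan_by_token = {}   # stand-in for an encrypted, access-controlled store

    def tokenize(self, pan: str) -> str:
        if not luhn_ok(pan):
            raise ValueError("not a plausible card number")
        token = "tok_" + secrets.token_urlsafe(16)
        self._pan_by_token[token] = _digits(pan)
        return token

    def detokenize(self, token: str) -> str:
        """Only the component that actually talks to the processor calls this."""
        return self._pan_by_token[token]


def scrub(text: str) -> str:
    """Replace any Luhn-valid card number in free text (a log line, a chat
    transcript, a ticket) with its masked form before it is written anywhere."""
    def repl(m: re.Match) -> str:
        s = m.group(0)
        return mask(s) if luhn_ok(s) else s
    return PAN_RE.sub(repl, text)


if __name__ == "__main__":
    vault = TokenVault()
    tok = vault.tokenize("4111 1111 1111 1111")   # Visa test number, not a real card
    print("stored in the order DB:", tok)
    print(scrub("customer called about card 4111-1111-1111-1111 being declined"))
```

The scrubber is the part most shops forget: a perfectly tokenized checkout still fails an audit if the raw number lands in an application log or a support ticket, so the filter runs on anything that leaves the payment path.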
Every year now, everyone that handles PANs (Primary Account Numbers) is required to answer hundreds of questions (the PCI DSS self-assessment questionnaires) about how they protect that information. If you hand the card data off to a third-party processor like PayPal, so that the numbers never touch your own systems, your exposure drops to a much shorter questionnaire of 40 or 50 questions. And it is through this level of auditing and controls that the credit card industry is trying to ratchet up security for everyone.
Here's the problem: the control questions are ratcheting up in complexity rapidly, but they will never stay in front of an infinitely nimble crew like Anonymous, let alone a nation state with access to all manner of zero-day vulnerabilities.
Here's the bottom line: the internet is flawed at its core. The point of the interwebs is to allow free and open sharing of ideas and information, right? Well, it is that same openness that has crippled the web from day one; it's just that we don't know it yet. This kind of openness is the risk and, simultaneously, the reward.
Curious just how bad it is? I'll show you a fairly lame example that is out of date...
Type this into google.com and hit enter: inurl:wp-config.txt
You'll find a pile of really lame websites whose administrators left a copy of wp-config.php, the WordPress configuration file, saved under a .txt name. The web server only executes .php files, so it hands the .txt copy out as plain text, and search engines happily index it. If you were to click on any of the links that came up you would have in your hands not only the database user name but also the password, which is all you need to get into the site. Sure, that particular search is mostly dead now. I could post a current example, but in the week I queue this post to publish, the example will be dead. I actually attempted twice to add real examples, only to notice that they were blocked by Google or patched by the time I came back to continue writing this article. I probably shouldn't be posting real examples anyway. One recent campaign, SoakSoak, used a vulnerable plugin (RevSlider) to let a Russian crew take over at least 100,000 WordPress websites in December 2014. These sorts of hacks will continue to increase.
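The lesson of that search is not "upgrade WordPress" but "don't leave a readable copy of wp-config.php lying around". The following is an added example, not from the post and not WordPress project code: a self-audit that requests the usual backup names of wp-config.php on a site you own and reports the ones that come back readable. The list of filenames, the sample file contents and the fake fetcher used for the offline demo are all constructed for this example; run it only against hosts you are authorized to test.

```python
"""Self-audit for exposed copies of wp-config.php (added example, not from the post).

wp-config.php holds the database name, user and password. The web server
executes it as PHP, so nothing leaks from the .php file itself; but a copy
saved as wp-config.txt, wp-config.php.bak, wp-config.php~ and so on is served
as plain text, and search engines index it. Run this only against hosts you own.
"""
import re
import sys
from urllib.error import HTTPError, URLError
from urllib.request import Request, urlopen

# Backup/editor-temp names commonly left next to wp-config.php (constructed list).
BACKUP_NAMES = [
    "wp-config.txt", "wp-config.php.txt", "wp-config.php.bak", "wp-config.bak",
    "wp-config.php.old", "wp-config.php.orig", "wp-config.php.save",
    "wp-config.php~", ".wp-config.php.swp",
]

# define('DB_PASSWORD', '...') lines: a body containing these is a real config,
# not a soft-404 page that happens to return HTTP 200.
DEFINE_RE = re.compile(rb"define\(\s*['\"]([A-Z_]+)['\"]\s*,")
SENSITIVE = {"DB_NAME", "DB_USER", "DB_PASSWORD", "DB_HOST", "AUTH_KEY", "SECURE_AUTH_KEY"}


def leaked_constants(body: bytes) -> set:
    """Names (never values) of the sensitive constants defined in a leaked config body."""
    return {m.decode("ascii", "replace") for m in DEFINE_RE.findall(body)} & SENSITIVE


def http_fetch(url: str, timeout: float = 5.0):
    """Return (status, first 8 KiB of body); (None, b'') on network failure."""
    req = Request(url, headers={"User-Agent": "wp-config-self-audit"})
    try:
        with urlopen(req, timeout=timeout) as resp:
            return resp.getcode(), resp.read(8192)
    except HTTPError as e:
        return e.code, b""
    except URLError:
        return None, b""


def find_exposed_configs(base_url: str, fetch=http_fetch) -> dict:
    """Map each readable backup URL to the sensitive constant names it exposes.
    `fetch` is injectable so the logic can be exercised offline."""
    base = base_url.rstrip("/")
    found = {}
    for name in BACKUP_NAMES:
        url = f"{base}/{name}"
        status, body = fetch(url)
        if status != 200:
            continue
        names = leaked_constants(body)
        if names:                       # a 200 alone is not proof; many hosts soft-404
            found[url] = names
    return found


# --- offline demo against a constructed, pretend site -----------------------
SAMPLE_CONFIG = (b"<?php\n"
                 b"define('DB_NAME', 'wp_shop');\n"
                 b"define('DB_USER', 'wpuser');\n"
                 b'define("DB_PASSWORD", "hunter2");\n'
                 b"define('WP_DEBUG', false);\n")


def fake_fetch(url: str):
    """Pretend server: one real leak, one soft-404 that still answers 200."""
    if url.endswith("/wp-config.php.bak"):
        return 200, SAMPLE_CONFIG
    if url.endswith("/wp-config.txt"):
        return 200, b"<html><body>Page not found</body></html>"
    return 404, b""


def demo() -> dict:
    return find_exposed_configs("https://shop.example", fetch=fake_fetch)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        result = find_exposed_configs(sys.argv[1])   # your own site, e.g. https://example.com
    else:
        result = demo()
    for url, names in result.items():
        print(f"EXPOSED {url}: {', '.join(sorted(names))}")
    if not result:
        print("nothing exposed")
```

The fix on the server side is the same regardless of which name leaked: delete the stray copies, and configure the web server to refuse any request for a file whose name starts with wp-config, so the next careless backup is not served either.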
Interested in seeing a list of just a small subset of vulnerable websites? Take a peek at this particular website: http://punkspider.hyperiongray.com/lists/blacklist.list, and this is just one small site scanning for a small subset of known vulnerabilities. Take one of those site names and enter it into the search engine at http://punkspider.hyperiongray.com, and it will tell you what the vulnerability is for the site. Do a little research about the vulnerability, run it against the site, and the site is yours. (Doing that against a site you don't own or have permission to test is illegal, of course, which is exactly the point.) I found that particular site in 5 seconds. And it's just one of many. Anonymous was known to echo site lists like that one into their chat channel constantly as their bots found new vulnerable sites.
I actually predict that internet hooligans will bring about a modern Armageddon that we won't see coming. We'll whine and complain about those annoying folks inside Anonymous, LulzSec and Lizard Squad who are enjoying their lulz and accidentally bring about a breach of confidence in the New York Stock Exchange or some foreign market that causes a vote of no confidence in the wider World Wide Web, which in turn will shell-shock the world's markets and cripple the economies of the world. Too much hyperbole? I think not. Most people just don't understand how vulnerable they are.
I know this isn't my normal kind of post. And it won't be read by more than 5 or 6 people. But that's fine by me. I just had to get that off my chest. Think you are safe online? I promise you, you are not.