So You’ve Been Breached

Breaches happen the way Hemingway said you go bankrupt: gradually then suddenly. There is no telling where and when a hacker can enter your servers and there is no telling when or where all of your customer’s private information will appear – whether neatly packaged for sale on the dark web or splashed on a torrent site. All that is clear, however, is that breaches affecting millions of people are now commonplace and smart companies are getting hit all the time.

We are getting punched full of holes as surely as if we were orbiting the Earth through a field of space debris. And, according to experts, the pace is not letting up.

A breach is simply a digital break-in and the loot usually consists of customer records and code. Recent high-profile breaches include the “dating site” Ashley Madison and a breach of 15 million records at Experian. One British broadband provider TalkTalk was shaken down for £80,000 in Bitcoin after hackers stole thousands of customer records.

Breaches are happening every day and to tally the total number of records affected would be folly. Fifteen million stolen here, 36 million stolen there – at this point the numbers seem perfunctory. All we know is that none of our data is safe. In fact, it’s almost hopeless to use old methods of information security to prevent theft.

“There is no one single way to detect a security breach,” said Matt Harrigan of PacketSled. “Most importantly, the enterprise needs to be able to continuously monitor their environment for advanced attacks using attack chain modeling, analytics, and continuous monitoring. Systems that incorporate expert knowledge about corporate environments are critical to detecting these attacks.”

But what happens during a breach? And where does our data go? I spoke to some folks who have come face to face with hackers and saw their data leak out of secure servers… gradually, then suddenly.

password-balloon-alt

Into The Breach

One prominent breach started off as a ping in an engineer’s inbox. The company, whose CEO wished to remain anonymous in order to offer unvarnished descriptions of the experience, received a notice from white hat hacker bounty company HackerOne that a new exploit had opened up on their network. It was a fairly big hole – primarily associated with some debug code that was accessible from the outside – and it gave hackers access to old customer data.

HackerOne is a middleman between the world of penetration testers – folks who can figure out where a website is suffering from insecurity – and internal sysadmins. The company notified the company at night, waking one of the programmers with the news. According to the company the ticket arrived late Saturday and the hole was patched by Monday. But, in the interim, an unknown hacker exploited the vulnerability.

“He fixed the vulnerability about 24 hours too late,” said the company spokesperson. That meant data that had been stored in a former version of the site was now public domain. It was data that was obviously important – all consumer data is – but it was old enough to be considered stale. Still, it was a chunk of data stolen and passed to unknown hands. It was embarrassing and exhausting for the founder I spoke to.

The founder immediately made a number of calls. First he reached out to his investors who were, at best, curious as to what had happened. At the same time he hired an outside security firm to begin a full audit. Then the founder did a full-court media press, penning a blog post so carefully worded that it almost sounded like a report on a rec center soda machine in a suburban newspaper. The goal, ultimately, was to reduce fear and prevent another attack. In fact it seems like breaches are often bracing events that ensure that the hackee never has to write another sad missive again. But this is rarely the case.

Many companies don’t know what they’ve lost even after it’s gone.
The Identity Theft Resource Center found that there have been 783 individual breaches in 2014 alone, an increase of 27.5 percent over 2013. The Center, which has been tracking breaches for a decade based on media reports, said that 675 million records have been exposed since 2005. The Ashley Madison breach alone amounted to 40 million customer records. In short, hackers have stolen, over the course of the decade, the equivalent of half of Facebook’s 1 billion regular users.

“Breaches happen in a variety of different ways: Some occur as a result of unknown vulnerabilities, like zero days, but many breaches actually occur after the known vulnerability has been reported and as a result of companies not taking the proper steps to protect their systems,” said John Dickson, Principal at Denim Group, an application security consultancy.

Dickson also sees phishing as an attack vector gaining in popularity. He said, according to the Verizon Data Breach Investigation Report, that “attacks are shifting from the use of default credentials to the use of stolen ones.”

In the end the founder battened the hatches and apologized. The hackers took no important data and, this, like most breaches, was simply an embarrassing breach of trust.

Take TalkTalk for example. When hackers discovered that chat service called TalkTalk had a massive security hole a freelance researcher posted the vulnerability on security sharing site XSSposed and talked about finally doing professional security work. That good will didn’t last, however. Soon after the hacker took advantage of the security hole and sent a denial of service attack to distract from the process of siphoning off the user database. The resulting data then appeared on AlphaBay, a “deep Web black market that specialized in selling stolen goods and illicit drugs.”

Interestingly, it’s possible that TalkTalk doesn’t even know how much data they lost. A post by Brian Krebs suggests “that there were only a few thousand customer records exposed in the breach,” a far cry from the 400,000 names and numbers originally mentioned by the company after the break-in. Luckily TalkTalk spotted the hole fairly early. Many others aren’t so lucky.

“This is the truly disconcerting thing: on average at the moment from breach to acknowledgement it’s about 18 months,” said Mike Baukes at ScriptRock. “I do believe it’s going to get a lot worse in the short term. Like cockroaches, a truly embedded breach can often result in a burn down of the network and a new provisioning for most of the infrastructure. This is itself hard, when combined with the need to protect forensics and hopefully enough state data around the systems from prior to the breach it’s possible to trace a path of destruction. Business disruption is one of the many factors that are commonly known, the real costs are felt by consumers and there’s often irreparable brand damage.”

In short, many companies don’t know what they’ve lost even after it’s gone. The Ashley Madison hackers marveled at how open the servers were while they roared through millions of pieces of personal data. Without proper intrusion detection, in the end only the hackers know how much data they’ve stolen and most of them don’t make that data public – or the make it public for a price.

password-balloon-three

The Aftermath

The process of reacting to a breach consists primarily of communication. Once the passwords and credit card data is compromised – and it is discovered that none of this information was encrypted – the average company immediately goes into spin mode. The company we talked to spoke to its investors first and then prepared a reaction post. Simultaneously the engineering team tried their best to piece together the entire attack. In most cases the hole is blatantly obvious. Other times things are more nefarious.

The problem with breaches, ultimately, is that it is a snapshot of a business in flux.
Retailer Target lost millions of customer records when hackers installed a piece of malware called BlackPOS. The malware stole card data when customers swiped at self-checkout kiosks. This malware grabbed 40 million credit card numbers between November 27 and December 15, 2013 and was one of the most effective and awful breaches in recent history.

“People want the data for different reasons too…they might include espionage, to sell or even to barter for other information elsewhere, for bragging rights, or simply to disrupt the company in the case of Hacktivists to cause revenue loss, embarrassment or more,” said Irfan I. Saif, a Principal at Deloitte & Touche and a cybersecurity expert. But, in the end, most of the data ends up on the black market.

The problem with breaches, ultimately, is that it is a snapshot of a business in flux. While wholesale leaks like Ashley Madison’s are essentially a death knell for companies and, more important, a wildly rich vein of insider information for journalists and competitors, most breaches leak data that is old and might not reflect the current state of the company. This is helpful and harmful. On one hand old information means that newer customers aren’t compromised but, on the other hand, there is no telling how far back the breach went and, in many cases, there is no way to contact the affected parties. In the end most companies simply lock up the store, post a message to their site (“Please change your password”) and hope it doesn’t happen again. It’s akin to locking up the garage and posting a No Trespassing sign after kids break in to steal your beer.

password-balloon-four

The Way Out

“Data can get stolen or lost, systems can be compromised, but how vigilant an organization is in monitoring, performing threat intelligence and leveraging that insight and internal analytics and baselines can help them detect an upcoming or in-flight attack and give them time to stop it more quickly,” said Irfan I. Saif, Principal at Deloitte & Touche LLP. “They must also be prepared to ‘bounce back’ from attacks – minimizing their impact and damage to the company, brand, and customers. Preparedness including simulations, establishing the right internal and external relationships, and lots of planning is key to being ready to respond when an incident occurs.”

The playbook for bouncing back is fairly simplistic: know who is coming and when. Most security experts believe that intrusion detection is the way to go and that defense – the cat-and-mouse game – is always going to fail. Assume, they say, that you are already breached. How will you know what they’re doing in your servers and when?

Further third party apps and partners must be vetted and controlled. Most breaches happen because something is misconfigured – the FBI claimed that it broke into the original Silk Road due an incorrectly installed Captcha graphic – and someone finds out. If there’s any cat and mouse then the mouse is usually just too slow and fat to get into the hole and ends up bumping against the wall until the cat comes along and takes her time.

And what about your data? The names, addresses, and credit cards that were stolen? Most companies can do little to help the afflicted, a byproduct of the scattershot nature of breaches. However, the primary thing we lose in each of these breaches is a sense of safety coupled with a desensitization for the average consumer. My data is out there, we assume, and nothing can be done.

I became fascinated by breaches after speaking to the Ashley Madison’s ex-CEO, Noel Biderman, a few months before his company and career were blown apart. He was jolly, chipper, and full of answers to all the hardest questions. But those answers primarily revolved around the business model, how people aren’t naturally monogamous, and how they were making lots of people happy. It was an interview with a CEO in his prime.

My data is out there, we assume, and nothing can be done.
A half a year later I was unzipping the Ashley Madison dumps, the files that contained 36 million individual records. They were massive files and most of the data was unencrypted. It was a snapshot that many used to discredit the company’s mission and success and others used to blackmail folks looking to have a good time, damn the cost.

Each of those records was a person. Each of those emails connected you a keyboard and then to a pair hands and then a face and head. I pulled out the biggest file, the customer database, and started to import it into an instance of MySQL I had installed. The process was frustratingly slow, each record popping up and off the screen like champagne bubbles. And I realized, near the middle of the transfer, that those were people. That breaches are real, that breaches toss men and women who wanted to buy a jug of Red Vines at Target as roughly as the men and (fake) women who wanted a brief foray into the wild unknown. This wasn’t my data and, although Ashley Madison and Target are equal fools for letting it out, it wasn’t mine to peruse.

The records scrolled past, one after the other, and I hit the stop button. I didn’t know these people. I didn’t know what they had done. Their data, their digital fingerprints, were not mine to magnify.

The data winked out a moment later. I deleted it. We are breached so often now that we often feel full of holes. Why should I add one more?