Obama's exercise in can-kicking the NSA down the road is today's focus of attention. It doesn't seem to me to have enough substance to warrant a serious discussion. One significant thing that Snowden's highly specific and detailed revelations about the activities of the NSA have accomplished is to make it impossible for the public to go on pretending that the internet and all of its associated technology is a benign tool that gives them instant access to sports scores and celebrity gossip. The power that provides such convenience also clearly has the potential to invade the most private and personal aspects of their lives and to cause them direct personal harm.
Various people have been expressing concerns about internet privacy issues for some time. These are matters not just about the activities of the government but also about the personal data that we entrust to private companies. Most Americans have typically been willing to shrug it off as long as nothing was happening to them. The recent mass data breach at Target, which impacted about 70M customers, should be a big enough deal to penetrate the fog. The real story about Target is that it really is nothing new. While there are indications that cyber criminals are getting more technologically sophisticated, it has all happened before.
A gang of shadowy hackers tears through the systems of big-box retailers, making off with millions of credit and debit card numbers in a matter of weeks and generating headlines around the country.
The information that is coming out about the latest Target attack is that the hackers were able to gain access to the corporate network and plant a piece of custom-designed malware on the point-of-sale terminals where you swipe your credit card. The type of POS terminals that are presently in use in most large retailers have a significant security flaw. While the card data is encrypted when it is sent out to the credit card companies, it is stored on the actual terminal in plain text. This made it possible for the hackers to capture it, store it on a server in the Target network that they had commandeered, and eventually transfer it to a string of other systems that were operating under their control. For anybody who is interested in a technically detailed description of what is known about the attack at this point, Brian Krebs has two very useful articles here and here.
Target and Neiman Marcus last week? Nope. This oh-so-familiar attack occurred in 2005.
That’s when Albert Gonzalez and cohorts – including two Russian accomplices — launched a three-year digital rampage through the networks of Target, TJ Maxx, and about half a dozen other companies, absconding with data for more than 120 million credit and debit card accounts. Gonzalez and other members of his team were eventually caught; he’s serving two concurrent sentences for his role, amounting to 20 years and a day in prison, but the big-box breaches go on.
The latest string of hacks attacking Target, Neiman Marcus, and others raise an obvious question: How is it possible that nearly a decade after the Gonzalez gang pulled off their heists, little has changed in the protection of bank card data?
People are inclined to assume that a large profitable company like Target would take the necessary precautions to install the best possible security protections. This massive breach is going to cost them a great deal of money in fines and legal settlements. However, there are already several indications of steps that they could have taken and did not. For example, there are POS terminals available that encrypt all data at every step of the process. However, that requires new hardware features, not just a software upgrade. It would mean ripping out the existing network and installing new terminals. They appear to have made a decision to run the risk of the breach that did occur rather than undergo the certain expense of a system conversion. There are other important questions under investigation as to how the hackers got access to the network to begin with.
At this point the NSA is likely the world's leading developer of hacker technology. I plan on exploring those activities in more detail, looking at their potential for causing collateral damage. Meanwhile the Dept. of Homeland Security, which has a brief for dealing with cybersecurity, has taken a very hands-off attitude when it comes to imposing security standards on private companies. What we hear is that recurring neoliberal refrain: regulation stifles innovation.