Thieves, vandals, pranksters, and whistle-blowers are exploiting system vulnerabilities and harvesting data right this second. Companies can face millions in losses and private citizens can have their most private information exposed to the public if the wrong person accesses the wrong things. Any company can be a target, but the world’s most notorious hacks, leaks, and breaches hold key lessons for any IT pro responsible for keeping systems secure. Let’s dive in.
The iCloud Leak
In August of 2014, a user on the imageboard 4chan posted nearly 500 private photos of celebrities like Jennifer Lawrence and Kate Upton, which were leaked from their private iCloud accounts. Following an FBI investigation, a total of 5 men have been convicted in connection with the leak. The hackers gained access to the accounts using a targeted phishing attack: spoofed emails that appeared to come from Google and Apple asked the celebrities to provide account details. Many did. With credentials at the ready, leakers had full account access and grabbed everything they wanted.
Phishing is still an incredibly effective way for hackers to gain access to end-user credentials, and anyone can be a victim. Measures for preventing phishing attacks range from teaching employees how to spot nefarious emails to software that lets you test users with simulated phishing emails.
Yahoo Data Breaches
In 2014, a Yahoo data breach resulted in at least 500 million exposed accounts. In 2013, another Yahoo breach resulted in 3 billion exposed accounts (every Yahoo account). Attackers used manufactured cookies to falsify login credentials and log in as any user, which allowed them to harvest and sell data including email addresses, names, telephone numbers, dates of birth, and hashed passwords. To date, Yahoo has had some of the largest data breaches in history. It’s also worth noting that they didn’t disclose the 2013 or 2014 breaches until 2016.
Yahoo provides a few lessons. One, it’s wise for a company to disclose a breach as soon as possible. Yahoo’s delayed disclosure led to lawsuits and a congressional investigation. Two, more sophisticated hackers want a big payout and attack entities with lots of valuable data. As one of the internet’s early giants, Yahoo was a massive target, but any company with sensitive data is at risk.
Snowden Surveillance Disclosures
In 2013, whistle-blower Edward Snowden released around 12,000 sensitive NSA documents that shined a light on far-reaching global surveillance programs. For Snowden, getting the information was surprisingly simple. He was an NSA contractor with top-level security clearance and administrator-level access to the entire NSA intranet. With clearance like that, Snowden could have simply copied the data he wanted to a flash drive and walked right out the door.
Snowden’s surveillance disclosures offer a few lessons. First, third parties can be a weak link in your security chain. Snowden was a contractor for the NSA, and he used his access to gather and disclose sensitive information. Trust wisely when you use outside help for sensitive work. You may also try insider threat management software. The second lesson is that older systems aren’t secure. One intelligence official noted that at the time the data was stolen, the NSA was still using technology from ten years earlier to protect some of America’s most highly sensitive information. Legacy systems are at greater risk for leaks than those that are fully up to date.
The Maskelyne Hijack
In 1903, two pioneers in radio technology were demonstrating an early method for transmitting Morse code using a long-range wireless communication device. One of the men was to send a Morse code message from a high clifftop station 300 miles away to the other, who was in a packed London lecture hall. Before the duo could begin their presentation, a number of facetious messages came through, mocking the presenters. In this moment, one of history’s first hacks was committed by another wireless enthusiast named Nevil Maskelyne. Maskelyne was a magician who had been using Morse code in mind-reading magic tricks, but had ambitions to build and sell wireless technology. Maskelyne infiltrated the demo out of frustration. The broad patents held by the two presenters prevented him from realizing his ambitions.
Hacking is as old as technology itself. The final lesson is that we must always be vigilant, stay apprised of the latest trends in information security, and work diligently to prevent attacks now and forever. Whether their motivations are political, financial, or even just for fun, there will always be people looking for ways to steal data, disrupt systems, and wreak havoc online. Only by staying one step ahead can you stop them.