What do an infidelity web site, the U.S. appellate court system and millions of hacked personal data records have in common? Together they could help fuel the next evolution of digital security.
We've seen that public shaming, severe legal remedies, and privacy invasions can be powerful motivators. Can these three fates give Internet users (and companies) the drive to alter hacking's acerbic drama, in which they often star as the biggest losers?
For most, security and privacy are afterthoughts. At best, these variables factor into personal risk equations. But if we've learned one thing, it's that most people aren't very good at equations. Habits will need to change, and awareness of rights (and risks) will have to rise.
To wit, Ashley Madison's own limits on liability, written in the small type, bound the user to agree the company wouldn't be liable for any damages, including "unauthorized access to a user's content." That's a big flashing warning sign from a company that guarantees, in big type, a 100% discreet service.
This week we've seen courts and regulators challenge status quo rulings in order to protect individuals or companies. Whether you're a cheater, a government employee, a financial services customer, an online application or a Fortune 500 company, it's becoming clear that digitized personal data, in any hands, trusted or not, can instantly unload real and damning consequences.
Is this just a fact of digital life? Or are an Internet population numb to handing over personal data, and corporations numb to unprecedented data collection, on the verge of forcing a correction? It's time for something to happen.
Perceptions have been challenged in the past weeks as we've been exposed again to criminal hacking minds in new, known, and slow-moving ways, and to court decisions that are challenging precedent.
Overshadowed in the Ashley Madison news was a story that federal prosecutors and Securities and Exchange Commission regulators had busted hackers and rogue traders who teamed up in a new and criminally innovative way to fuel insider trading and steal $100 million over a five-year span. The hackers pilfered press releases on the earnings reports of publicly traded companies from the servers of Business Wire, PR Newswire and Marketwired before those releases were published. The rogue traders would then execute trades based on that yet-to-be-public data. Over the course of the crime, 150,000 press releases were stolen.
Paul Fishman, the United States attorney for the district of New Jersey, said at a news conference in Newark, "The hackers were relentless and patient." The Impact Team's hackers showed the same patience. They told Motherboard magazine they had been inside Ashley Madison's network for years.
In a more familiar incident this week, the Louisiana Better Business Bureau shut down a rogue website that looked like Dropbox but was part of a phishing scam. The scam involved a fake email from the FBI, a URL, a link to a bogus Dropbox site and malware masquerading as a document. Hackers harvested the victim's Dropbox credentials, likely as fodder for another hack like one launched at the service in 2014.
In that incident, Dropbox was attacked by hackers re-using passwords stolen in a separate attack. In response, the file storage service added a smartphone-based two-factor authentication (2FA) option for users. Such services, however, are showing weakness, as evidenced by Iranian hackers this week who attacked a Google 2FA system based on codes delivered via smartphones.
Earlier this month, however, Dropbox proactively upped the ante by adding support for hardware-based, public-key cryptographic 2FA built on the Universal Second Factor (U2F) protocol developed by the FIDO Alliance. Google adopted the same scheme last October. This 2FA support means that even if a user's password were stolen, hackers would also need to have stolen the hardware device.
Major online services and applications are trending toward 2FA options, but the rub, as always, remains user adoption. The website twofactorauth.org maintains a list of sites and the types of two-factor authentication they support, giving users a starting point for improving account security. The site also calls out sites that have not yet added 2FA.
More online services need to turn away from passwords and to stronger methods of two-factor and multi-factor authentication. And more users need to adopt those technologies.
Will 2FA solve the hacking problem for generations to come? That would be a bold prediction. But today it allows end users to protect themselves from themselves (the most popular Internet password is still 123456) by eliminating the password as the sole security boundary, which is arguably the weakest security principle in networking today. At best, it triggers an upgrade trend that extends to tightening security at other network soft spots.
Meanwhile, companies and organizations are finding motivation to improve their systems in perhaps a harsher environment as legal and regulatory systems more closely scrutinize computer and data security. Some recent rulings and legal judgments are beginning to outline responsibilities, liabilities and potential penalties.
Last week, the Federal Trade Commission closed its investigation into last year's Morgan Stanley hack that exposed customer records, saying that although it found improperly configured access controls, the company did respond quickly after the hack was discovered and had adequate internal security policies in place.
On the flip side, a U.S. appellate court this week ruled the FTC can sue Wyndham Hotels over computer system hacks that exposed 600,000 customer records in 2008 and 2009. The ruling validates the FTC's power to pursue legal remedies from companies it deems to have inadequately invested in computer security, as judged against the claims made in their privacy policies.
"This is a huge victory for the FTC, but also for American consumers," Electronic Privacy Information Center attorney Alan Butler told Wired magazine.
The hope is that these recent events fuel the evolution of a new standard for security, a modern version that factors in accountability and liability, and emphasizes protection.
That applies not only to individuals, but also to companies, which need to take responsibility for their actions instead of using privacy policies to write themselves out of the risk equation.