news
Society | DOI: 10.1145/2018396.2018404
Leah Hoffmann
Risky Business
Governments, companies, and individuals have suffered
an unusual number of highly publicized data breaches this year.
Is there a solution?
News about data breaches has been everywhere this year, with each new incident seemingly worse than the previous one. An attack on direct marketer Epsilon put an estimated 60 million records at risk. An intrusion into International Monetary Fund servers may have exposed confidential data about national economies. Attacks from Jinan, China sought to compromise the Gmail accounts of senior U.S. government officials and others, while Lockheed Martin suffered “a significant and tenacious attack” of an as-yet unspecified scope. And then there’s Sony. One million passwords were stolen from Sony Pictures, 77 million accounts were compromised at the company’s PlayStation network, and 25 million records were breached at Sony Online Entertainment. Taken together, it is the largest data breach on record. Although the annual number of breaches has fallen over the past few years, according to the Open Security Foundation’s DataLossDB, the stakes are higher than ever—and there is a lot of work to be done to protect our sensitive data.
Attacks vary widely in scope and motivation. Some hackers work for their own disruptive pleasure, or “for the lulz,” as one prominent group would have it. (Lulz Security, or LulzSec, has claimed responsibility for a number of prominent attacks this year and regaled the world with statements like “You find it funny to watch havoc unfold, and we find it funny to cause it.”) Others are politically driven. However, most attackers are in it for the money.
“Revenge is a powerful motivator, but you need a return on your investment,” explains Scott Ksander, chief information security officer at Purdue University, whose networks are tested with, by his estimate, an average of 300–500 incidents each week. “Some people develop and sell tool kits for exploits, and the current estimate holds that this industry is worth $100 million a year. Others mine and sell personal information. The more I know about you, the more effectively I can masquerade as you. It’s the same concept that marketers use.”

[Figure caption] Data breaches are most often motivated by financial or political gain, but some hackers, like Lulz Security, attack companies for their own enjoyment or “for the lulz.”
Attack methods are changing, too. A June report by Cisco Systems notes a steep decline in the number of mass attacks, such as self-propagating worms, DDoS attacks, and spam. Instead, attackers are turning to small, highly focused campaigns that are customized to specific user groups or even specific users. Spear phishers, for example, use data about the places people bank or shop to more effectively trick them into clicking on malware-infested email attachments or logging onto fraudulent Web sites.
The cost of mounting such attacks is not trivial—perpetrators must acquire quality victim lists, conduct background research, and generate sophisticated-looking email messages and Web sites—but conversion rates are high. Also, the payoff per victim—an average of $80,000, by Cisco’s estimate—is up to 40 times greater than it is for mass attacks. Spear phishing is what victims of the Epsilon breach were warned against; ironically, it is also what caused the breach.