I’ll have to resist making a “Hackers love Cox” joke.
If you’ve ever heard of PHI, PII, or any other industry-specific term for “customer’s private information”, CPNI shouldn’t be too hard a concept to grasp. Just as PHI refers to your health information held by, for example, your health insurance provider, CPNI (Customer Proprietary Network Information) refers to what your telephone provider knows about your service and how you use it: who you call, which services you subscribe to, how you are billed. Just like PHI and all the rest, CPNI is, under federal law (Section 222 of the Communications Act), considered pretty sacred. So much so that service providers who mishandle CPNI are subject to six-figure fines per violation, per day.
The FCC just handed down such a fine, to the tune of $595,000, after Lizard Squad script kiddie “EvilJordie” (also operating under the alias “GDKJordie”), posing as Cox IT support, socially engineered a Cox customer service representative (and, according to the consent decree, a Cox contractor) into entering their work credentials into a webform he controlled. This allowed the child to log into private Cox systems under the representative’s name, giving him unauthorized access to a large amount of CPNI for a short while until the account was disabled. The consent decree also faulted Cox for not reporting the breach through the FCC’s CPNI breach portal as the rules require.
This fine is a wonderful thing, and we need to start seeing more of them, and for larger amounts.
From a layman’s point of view, it’s very easy to look at Cox as a victim, after all, they were attacked by a well-known hacking group, and hacking groups don’t become well-known for no good reason. Except, this one did. Lizard Squad is pretty well known for their Christmas Day DDoS attacks against Sony’s PlayStation Network and Microsoft’s Xbox Live, but what the layman doesn’t know is that DDoS attacks require very little skill. To reiterate: Lizard Squad, and each of their constituent members, couldn’t hack their way out of a paper bag. They only know how to pick up a phone.
What I’m trying to say is, Cox didn’t succumb to a sophisticated, multi-pronged, Hollywood-style cyber-onslaught. Cox was breached by a phone call, a fake login page, and a customer service representative nobody had prepared for either.
If you look past all of the hype over “hacker gangs” and all the rest, it’s actually pretty easy to explain what happened. Someone called the 1-800 number for Cox customer support, waited for a person, and when one answered, just pretended to be from IT, and told the person who answered the phone to type her username and password into a “special website”. That’s all. Anybody with a convincing voice and a telephone can pull off this “hack”.
It seems we’re hearing more and more about underage children causing thousands of dollars’ worth of damage per event, many times a day. We hear about all the damage caused, and we hear puffery from the breached or DDoS’d entities and from law enforcement about how this will not be tolerated and that “whoever’s responsible” will be brought to justice. That sounds good, but then we hear that “whoever’s responsible” happens to be a minor, and as such walked away with a suspended sentence and no jail time for over 50,000 counts of computer intrusion and fraud.
Yes. It is time to bring “those responsible” to justice, and there are two parties responsible for every security breach: the attackers, and the target, who failed to adequately protect their systems and train their people against such laughably cliché “hacking” methods. Again, the only computer skill needed for this particular breach was enough web design to make a convincing login form. Not technical skill, design skill. The representative’s password stopped being a secret the moment she typed it into his page, and no password-complexity policy changes that.
The problem with targeting the perpetrators of cyberattacks lies in our country’s (and most others’) laws: the people we find carrying out these attacks are often shielded from prosecution by their age. And this isn’t a secret to them. Remember Hack the Planet? Notice how they’re not around anymore? One of their former members gave the simple answer as to why:
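One technical control a support desk could put in front of the “type your password into this website” step, as an added example that is not part of the original post and not anything Cox runs: a check that flags login URLs which are off the corporate SSO allowlist and look like lookalikes of it (homoglyph and IDN spoofs, one- or two-character typo-squats, and the real hostname prepended to an attacker’s domain). The allowed hostnames, the confusables tables and the sample URLs are all constructed for this example.

```python
"""Flag login URLs that are off the corporate SSO allowlist and look like lookalikes.

Added example, not code from the original post or from Cox. The allowed
hostnames and the sample URLs are constructed for illustration.
"""
import unicodedata
from urllib.parse import urlparse

# Hypothetical corporate login origins (constructed for this example).
ALLOWED_LOGIN_HOSTS = {"sso.example-isp.com", "login.example-isp.com"}

# ASCII sequences that read like other letters in a typical UI font.
ASCII_HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}

# A few Cyrillic letters that render identically to Latin ones (not exhaustive).
CYRILLIC_CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0455": "s", "\u0456": "i", "\u0445": "x",
}


def normalize_host(host):
    """Reduce a hostname to a canonical form so visual lookalikes compare equal."""
    host = host.lower().rstrip(".")
    try:
        # Decode punycode labels (xn--...) to the Unicode the user actually sees.
        host = host.encode("ascii").decode("idna")
    except UnicodeError:
        pass  # already Unicode, or not valid punycode: compare it as-is
    # Strip accents: "ssó" -> "sso"
    host = unicodedata.normalize("NFKD", host)
    host = "".join(c for c in host if not unicodedata.combining(c))
    host = "".join(CYRILLIC_CONFUSABLES.get(c, c) for c in host)
    for look, real in ASCII_HOMOGLYPHS.items():
        host = host.replace(look, real)
    return host


def edit_distance(a, b):
    """Levenshtein distance: how many single-character edits turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_login_url(url):
    """Return 'allowed', 'insecure', 'lookalike', 'unknown' or 'invalid'."""
    parts = urlparse(url)
    host = parts.hostname
    if not host:
        return "invalid"
    host = host.rstrip(".")
    if host in ALLOWED_LOGIN_HOSTS:
        return "allowed" if parts.scheme == "https" else "insecure"
    norm = normalize_host(host)
    for good in ALLOWED_LOGIN_HOSTS:
        good_norm = normalize_host(good)
        if norm == good_norm:
            return "lookalike"  # homoglyph / IDN spoof of the real host
        if norm.startswith(good_norm + "."):
            return "lookalike"  # real host used as a subdomain of someone else's domain
        if edit_distance(norm, good_norm) <= 2:
            return "lookalike"  # typo-squat: one or two characters changed
    return "unknown"


if __name__ == "__main__":
    # Constructed sample URLs: the real SSO, three lookalikes, an unrelated site.
    for sample in [
        "https://sso.example-isp.com/login",
        "https://sso.examp1e-isp.com/login",
        "https://login.example-isp.com.it-support-portal.net/reset",
        "https://\u0455\u0455\u043e.example-isp.com/",
        "https://tickets.helpdesk-tools.net/login",
    ]:
        print(classify_login_url(sample), sample)
```

Treat “lookalike” as a warning rather than a verdict: an edit distance of two will also flag a legitimate sibling domain, so the list of allowed hosts has to be kept complete. And the check only catches the page. What actually makes a typed password worthless to the attacker is phishing-resistant MFA, since a FIDO2/WebAuthn credential is bound to the real origin and will not sign for a lookalike at all.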
We just had as much fun as we could before we turned 18. That was the plan. Do it while we’re untouchable and stop when we turn 18.
One “member” (tagalong fits better) of Hack the Planet was a tad younger than all the rest and of course didn’t turn 18 when all the rest did. His name? Julius Kivimaki. The same Julius Kivimaki that proudly took credit for the Christmas Day DDoS attacks against PlayStation Network and Xbox Live. When Hack the Planet died, Julius found a new group of minors.
A promise to bring cybercriminals to justice is an empty one, because we’re finding that an overwhelming number of cybercriminals, due to their age or nationality, carry a “free pass” to commit any crime they want. The current laws protecting children from prosecution are wholly outdated, and need to reflect today’s society. Any network-connected individual, regardless of their age, carries the same capacity to cause obscene amounts of damage to businesses around the world. Our policies need to either hold minors over 13 to the same standard as adults in cybercrime cases, or not allow them to use the Internet at all.
Until then, the solution to our cybercrime problem lies within Cox, Sony, Microsoft, Google, Network Solutions, and every other company targeted by cybercrime. Right now, these entities are putting the bottom line before the security of your data. That’s what these fines are all about, and that’s why they need to be more severe.
Right now, a company you trust with your data can safely bet that any fine it receives for leaking your information is less than what it would cost to secure it properly. So it takes the risk, and if it gets a fine, it pays it, and probably passes the cost along to you as a new line item on your bill. After all, that’s just good business sense: as long as the expected fine is smaller than the cost of the fix, the fine is a budget line, not a deterrent. If the FCC, FTC, and all the rest start coming down with costlier and more frequent fines, the math suddenly changes. Suddenly it becomes cheaper to actually secure your data and train your employees than to pay the egregious government fine.
When people not even old enough to drive are capable of sweet-talking your support representatives into handing over the keys to federally protected data, you’re clearly not paying enough attention to information security. It looks like you forgot to set aside some money in the budget for security. Did you want us to add one for you? No? Start training your people properly.