• United States



Today’s security hacks are after more than bank info

News Analysis
Sep 16, 20145 mins
Data and Information SecurityData BreachSecurity

Customers cringe every time they hear about a bank, retail or healthcare hack that puts personal or financial data at risk. Today's hackers are after much more that credit card numbers, though -- and most firms are powerless to stop them.


The beat goes on. In recent weeks, both JP Morgan Chase and Home Depot have been identified as the latest victims of large-scale cyberattacks.

JP Morgan Chase was among a handful of U.S. banks hit by hackers in a series of attacks in August. A few days later, Krebs on Security released details about a spring attack on Home Depot. The scope of the attack has not yet been determined, but it could be bigger than last year’s Target breach. Oh, and investigators found another hack in July, too.

This is bad news for consumers – but such attacks carry potentially heavier weight than just stealing John Doe’s bank login or credit card information. When the hackers behind the Home Depot attack posted credit card information on the black market, for example, they labeled it “American Sanctions.”

“It’s political hactivism,” says Charles Tendell, founder and CEO of Azorian Cyber Security, a white hat hacker with a background of cybersecurity work for the federal government. “In a lot of cases, they’ve got a statement they want to make.”

McAfee estimates that the annual cost to the global economy from cybercrime is somewhere between $375 billion to $575 billion. “Even the smallest of these figures is more than the national income of most countries and governments,” the firm said in a cybercrime report released in June. They also predicted that the cost of cybercrime and losses from theft of intellectual property will continue to rise.

Hackers Making Political Statements

In the case of the Home Depot attack, hackers very clearly stated the purpose of their work. Hacks can also be statements about corruption and power.

“While there’s no huge political implications for them, the statement is that the U.S. can’t even protect [its] own computers,” Tendell says. The hackers are saying of the U.S., “They’re weak and we’re going to continue to attack them.”

Larry Ponemon, chairman and founder of the Ponemon Institute, calls these “calling card attacks,” not just because hackers leave a literal calling card on the label of that credit card information, but because they show their skills – not to mention how much further they could go. He also cites the August attack on Community Health Systems, which stole information on 4.5 million patients, as a calling card attack.

“They’re bringing down a company, but they could bring down critical infrastructure,” he says. “They have excellent expertise and would have the ability to do some serious damage.”

[ More: Community Health Breach Highlights Healthcare Security Vulnerabilities ]

Larry Ponemon, chairman and founder of the Ponemon Institute

What’s more, Ponemon says, attacks have differed, making them difficult to detect. The JP Morgan Chase hack focused in part on SQL injection, which is relatively low-tech and preys on website weaknesses. Home Depot, however, appears to have been a persistent attack, where multiple pieces of information infiltrated the network but didn’t activate until they were all together.

“It’s a little scary, these nation-sponsored attacks,” he says. “In the last several years, it was a hypothetical – until now.”

Espionage Troublingly Easy

Smaller, but possibly more troubling, hacks come in the form of espionage, whether for political or corporate reasons. “It only costs a couple thousand dollars for me to hire one of these hackers overseas,” says Tendell. “There’s good money to be made for the hacker who sells his service to be able to hack into other companies and spy on other companies.”

That could be done at the behest of a company trying to get an edge over a competitor, or of another government.

[ Analyses: Why You Should Care About Cyberespionage ]

Some of this espionage is extremely low-tech, Ponemon says. Using an insider to stick a USB into computer, for example, can be the only way to install malware on a computer that contains information so sensitive that it’s not on a network.

“They’re going to get in by joining a paper-shredding company or becoming an employee working in the cafeteria,” he says. “It’s low-tech but very dangerous.” Ponemon says he has seen this used to try to hack into defense contractors and steal things such as designs for a new weapons system or changes to aircraft design.

High-tech espionage, on the other hand, looks for small pieces of information. However, it’s information that’s extremely valuable – one document with a top-secret number on it – and it’s information that could come from something as simple as a memo.

[ Feature: 10 Security Nightmares Revealed at Black Hat, Def Con ]

That information can be much more valuable to someone than selling a few million credit card numbers on the black market. It doesn’t help that the government looks for patterns of stolen data such as Social Security numbers and not individual memos, Ponemon says.

Fighting Losing Battle Against Foreign Hackers

Right now, the prognosis of fighting these kinds of attacks isn’t rosy. “Hands down, flat out, the U.S. is losing,” Tendell says. He doesn’t have high hopes on this being figured out any time soon, either. “[Companies are] going to try to augment security in places where the old-school type of hacks were – but hackers aren’t attacking that way.”

[ Tips: How to Do Security Training Better ]

One way to a solution, he says, is consumer pressure. “The only way we’re going to solve the security issue is awareness and training and, for lack of a better term, just consumer information in general,” he says. Pressure from consumers will increase as they perceive their information to be unsafe in a business’ hands.

Poneman is a bit more positive, saying that a lot of very smart people are working on the issue. “The good news is that companies and security experts are on top of it,” he says. “The bad news is that we can’t stop it.”