3 Cases of InfoSec Hubris That Led to Big Breaches
Hacks happen. But sometimes organizations seem to make themselves targets with behavior that is a bit too boastful, judgmental or egotistical.
Every few months, a newly discovered hack on a high-profile organization is in the headlines. Retailers, restaurants, banks, health care organizations, government agencies; no one is immune. All breached, all compromised and all facing the costs of data loss.
But do some of the organizations deserve it, in a karmic way?
Tragedy -- classic, Aristotelian tragedy -- requires that the central character suffer "a fall from a great height" caused by a tragic flaw. Traditionally, the tragic flaw in question is hubris (i.e., excessive pride and excessive egotism). Examples include Agamemnon's steps on a purple carpet reserved for the feet of the Gods, Oedipus' attempts to avoid the Oracle of Delphi's prophecy and Macbeth's murderous ambition to be king.
In the world of infosec, there are lots of examples of boastful yet less-than-secure organizations getting pwned. Here are three notable ones.
The Democratic National Committee
In May, a BuzzFeed article featured quotes from information security pundits criticizing the cybersecurity postures of both the Republican National Committee (RNC) and the Democratic National Committee (DNC). Among their offenses, both had handed out thumb drives at conventions. As the technologically savvy know, plugging a freebie thumb drive of unknown provenance into a computer is a well-known cybersecurity no-no.
"It is borderline stupidity to give them out to people, or for people to even think of using them," BuzzFeed quoted Ajay Arora, CEO of cybersecurity firm VERA, as saying. "These politicians [who] are saying they want to decide what to encrypt, … regulate and give back doors to are these same people who are turning around and saying 'here, take this piece of hardware which is proven to be the worst thing security wise, and put it into your computer,' ... which shows just how unqualified they are being able to talk about security and cybersecurity, let alone legislate on it."
Fast forward to earlier this summer, when a hacker calling himself (or herself) Guccifer 2.0 took credit for breaching the DNC and Democratic Congressional Campaign Committee (DCCC) in a major way -- purportedly stealing and releasing a plethora of passwords, phone numbers, communications and other documents.
While far from the worst cybersecurity faux pas (even big companies with highly qualified cybersecurity consultants like PwC give out thumb drives at conferences), the DNC's wanton thumb-drive giveaways may have been symptomatic of larger problems in organizational thinking on cybersecurity. According to Guccifer 2.0, some of the most common DNC/DCCC passwords included such gems as "democrat" and "welcome."
"The complexity of the passwords leaves much to be desired," opined Guccifer 2.0.
In a twist of irony -- and, arguably, perversely poetic justice -- one of the compromised and leaked emails was a note from Eric Walker, deputy communications director for the DNC, calling the BuzzFeed story criticizing the DNC on cybersecurity "the dumbest thing I've ever read."
BuzzFeed, for its part, gleefully pointed this out and linked to the email in a July follow-up piece.
TJX Companies, Inc.
In December 2006, TJX Companies discovered that it had suffered a data breach exposing 45.6 million credit and debit card numbers (among other customer credentials). The hackers had reportedly engaged in wardriving -- driving around in search of insufficiently protected Wi-Fi networks -- to attack retail stores' systems. Two Marshalls stores whose Wi-Fi access points were weakly encrypted with WEP, a technology already outdated in 2005, gave the hackers access to more than 94 million credit- and debit-card transactions.
In a recent presentation at the MIT Chief Data Officer and Information Quality Symposium, Stuart Madnick, an MIT professor and director of the MIT Sloan School of Management's Interdisciplinary Consortium for Improving Critical Infrastructure Cybersecurity, insisted that this could have been avoided if TJX had been PCI-DSS compliant by, among other things, upgrading its WEP technology to WPA. (Visa had cited TJX several times for non-compliance with PCI-DSS since at least 2004.)
PCI-DSS did not explicitly mandate WPA at the time, but given TJX's overall weak security posture and its inexperience with Wi-Fi, WPA was in TJX's case necessary for both good security and holistic PCI-DSS compliance, according to Madnick.
"TJX was one of the first retail [companies] to go heavily into Wi-Fi," Madnick told Symposium attendees, "except it turns out it was new to them, and they hadn't thought about the fact that it may provide an open door … to their organization."
Consequently, per Madnick, presumptuousness and penny-pinching led to TJX's downfall. To illustrate his point, Madnick cited this pointedly worded email sent in November 2005 by TJX's then-CIO, Paul Butka:
"My understanding [is that] we can be PCI-compliant without the planned FY07 upgrade to WPA technology because most of our stores do not have WPA capability without some changes. WPA is clearly best practice and may ultimately become a requirement for PCI compliance sometime in the future. I think we have an opportunity to defer some spending from FY07's budget by removing the money for the WPA upgrade, but would want us all to agree that the risks are small or negligible."
"This is called a question where the answer is embedded in the question," observed Madnick.
Still, a handful of staffers spoke out against Butka's position -- but only a handful.
"The absence of rotating keys in WEP means that we truly are not in compliance with the requirements of PCI," wrote Richard Ferraioli, TJX's then-vice president of IT Operations, in response to Butka's position. "This becomes an issue if this fact becomes known and potentially exacerbates any findings should a breach be revealed."
Ferraioli and his like-minded brethren, however, were drowned out by Butka's coerced democracy of yes-men and yes-women. The result? The overconfident leadership of TJX caused the company to suffer what was, at the time, the largest data breach in history.
Black & Berg Cybersecurity Consulting
Five years ago, LulzSec represented the hot new kids on the block when it came to malicious hacking. The group, known for a fondness for both hacktivism and pure mischief making (i.e., "Lulz"), gained tremendous notoriety by compromising high-profile targets, leaking their data and defacing their websites.
In June 2011, Joseph Black, senior cybersecurity advisor of Black & Berg Cybersecurity Consulting, apparently decided it would be a good idea to get into a Twitter taunting match with LulzSec and offer, as a publicity stunt, $10,000 and a job at his company to any hacker who could change the picture on Black & Berg Cybersecurity Consulting's home page.
LulzSec promptly responded. Soon enough, the Black & Berg Cybersecurity Consulting homepage featured the group's mascot, Mr. Lulz, superimposed over the original homepage picture.
The newly defaced page also had a message for Black in response to his offer: "DONE. THAT WAS EASY. KEEP YOUR MONEY WE DO IT FOR THE LULZ." Eventually, Black was compelled to plead, "Please unf**k our website."
Joe Stanganelli, principal of Beacon Hill Law, is a Boston-based attorney, corporate communications and data privacy consultant, writer, speaker and bridge player. Follow him on Twitter at @JoeStanganelli.
(Disclaimer: This article is provided for informational, educational and/or entertainment purposes only. Neither this nor other articles here constitute legal advice or the creation, implication or confirmation of an attorney-client relationship. For actual legal advice, personally consult with an attorney licensed to practice in your jurisdiction.)