« Memory hole | Main | Software is forever »


"Your printer is probably full of vulnerabilities," an interviewee said to me cheerfully this week. His company sells network security scanning software he thought I should test on my home network. I wouldn't be at all surprised, although he thought I would be.

This is the current normal: everyone's network is full of vulnerabilities: even if you patch everything and tie up the network so effectively that none of the computers can communicate with each other you still have all those human weak links.

A certain amount of the coverage of this week's announcement of the eBay data breach has focused on the length of time it took the company to realize its systems had been breached - they're talking intrusion in February or March, discovery in May. The 2014 Trustwave Global Security Report, also released this week, suggests that eBay's time to discovery was about average (ouch). In the 691 investigations Trustwave conducted in 2013, the median number of days it took companies to detect intrusions was 87. The good news is that the time lag has substantially decreased since 2012. The bad news is that an attacker can bed in very thoroughly and steal massive amounts of information in two months. At least eBay detected the intrusion itself; 71 percent of compromises were discovered by a third party - and in those cases both detection and containment took longer. The 2014 Verizon Data Breach Investigations Report, released a few weeks back, points out a more depressing disparity: the time to intrusion is measured in minutes; the time to detection is measured in days.

That's to go with all the other disparities. Attackers are better funded and are better at sharing information - and only have to find one hole. Experience, as shown by the breach at eBay, one of the first handful of all ecommerce sites, doesn't count if you don't keep up. Which eBay clearly hadn't: reports say that customer information such as names, addresses, phone numbers, and date of birth were all stored unencrypted, and The Register also questions its methods of protecting passwords. The affected 145 million of eBay's 233 million customers now need to change passwords (or delete their accounts) and wait to see how the rest of their information is misused. The one bit of entertainment really isn't worth the trouble: for a modest 1.45 bitcoin ($770) you can buy a fake copy of the customer database. Somewhere else, doubtless the real thing is being sold and parceled into other services and profiles in a shadowy imitation of the legal advertising and profiling industry.

The fallout from this breach will be long-running as the stolen information radiates outwards and is matched to databases copied in other breaches and used to craft better and more persuasive scams. It is a massive resource for those who want to perpetrate identity theft, and there is nothing any of eBay's customers could have done to protect themselves: we have no right to audit the company's security arrangements. Our only option would have been to use an old-style accommodation address for all transactions and lie about everything else. The truly outrageous thing is that eBay still has not officially notified its customers.

Target's CEO resigned - but will eBay's? Lawmakers are not helping as much as they should. The state of European data protection reform is still uncertain. Yesterday, the House of Congress passed a weakened version of the Freedom Act - so weak that its original sponsors were disappointed, and tech-savvy civil society organizations that originally supported it such as CDT, EFF, and Access Now all disclaimed it - passed 303 to 121. It now goes to the Senate, where we can only hope it gets fixed. And even if it does, there will be no reprieve for non-Americans.

This is also the current normal: the vast majority of us are being extensively profiled and surveilled by three separate sectors, all extremely well-funded: the commercial advertising and marketing industry; official state-sponsored security agencies; and criminal enterprises. From the last 11 months of revelations from the Snowden documents we know that the first of those - advertising - provides opportunities for the second to exploit. The NSA has been found exploiting advertiser-placed cookies and availing itself of user data collected by companies such as Facebook and Google. Despite the lack - one hopes - of formal agreements to collaborate, these three sectors magnify each other's efforts. Both security services and criminals exploit the vulnerabilities in computer systems; in some cases we know the NSA has acted to create them.

Most of these sectors' surveillance is not active or targeted at us as individuals. Instead, it's what the STRINT workshop in March was trying to fix: passive pervasive monitoring that leaves each of us randomly vulnerable in ways we can't predict. To understand your security risk, first you have to understand the threat model: who are your attackers, and what do they want? George Orwell posited the state as Big Brother. At CFP 2000, Neal Stephenson posited commercial companies as Little Brothers. Here in 2014, the risk we face is all of those - and more.

Wendy M. Grossman is the 2013 winner of the Enigma Award. Her Web site has an extensive archive of her books, articles, and music, and an archive of earlier columns in this series. Stories about the border wars between cyberspace and real life are posted occasionally during the week at the net.wars Pinboard - or follow on Twitter.


TrackBack URL for this entry:

Post a comment

(If you haven't left a comment here before, you may need to be approved by the site owner before your comment will appear. Until then, it won't appear on the entry. Thanks for waiting.)