The last week of tech headlines reads like some sort of cybersecurity end-of-days scenario.
The New York Times hacked.
The Wall Street Journal hacked.
The Washington Post hacked.
And finally on Friday, Twitter — one of the world’s largest Internet communication services — also hacked.
“Who’s next?” you may be thinking. But the question to ask isn’t “Who’s next?” The question is, “Who will admit itnext?”
You only need to look back on Twitter’s blog post from Friday afternoon, which stops just short of directly naming other companies, although it all but confirms this problem isn’t just affecting Twitter alone.
“This attack was not the work of amateurs, and we do not believe it was an isolated incident,” Director of Information Security Bob Lord wrote in the company blog post. “The attackers were extremely sophisticated, and we believe other companies and organizations have also been recently similarly attacked.”
This shouldn’t be surprising to anyone.
Of the many members of the security community I’ve spoken to over the last 24 hours, all have said the same thing: Companies large and small all over the world face cyberattacksall the time. Sometimes these attacks are potentially connected — as in the case of the Times, Journal (which, full disclosure, is owned by News Corp., which also owns All Things Digital) and Post. But many attacks occur in isolation or at random, from groups or collectives, different nations (especially from Iran, Syria or Russia) and even solo hackers.
The point is that “high value targets,” such as prominent Web companies, hold massive troves of interesting data, making them obvious and constant targets for outsider attack. It’s simply that we, the public, rarely hear about it.
But right now, during a week-long spree of hacking disclosures kicked off by the Times, we’re more apt to hear about other companies getting hacked than ever before.
“There’s a herd mentality when it comes to disclosure,” independent security researcher Ashkan Soltani told AllThingsD. “Having other companies disclose their breaches makes it easier for your company to as you’re less likely to get singled out in the press and public eye.”
In that vein, notice the timing of the hacking announcements last week. The Times kicked off the week of announcements on Tuesday evening. The Journal followed shortly thereafter. Then the Post. And finally Twitter.
So who will fess up next? Experts said now is the best time to come out with it, whether it’s connected to other hacks or entirely separate.
To be fair, there are often reasons that may keep hacked companies from coming out with a disclosure of their own. For one, the company may be working on an ongoing investigation with law enforcement to monitor hackers who may have infiltrated their systems in the past. Tipping the hackers off by “coming out” may jeopardize existing surveillance.
Or even scarier: Perhaps these companies aren’t aware they’ve been hacked in the first place.
“I truly believe we’re going to see quite a bit more of these annoucements as companies start to get smarter and look more closely at their systems,” Soltani said. “It’s not a matter of whether or not you’ve been compromised. It’s whether you have the expertise to tell.”
Even the New York Times wasn’t aware of hacks that had occurred on its network for months on end; the company’s security software, provided by Symantec, failed to identify all but one of 45 separate pieces of custom malicious software over a period of three months.
“Perhaps the press coverage might push them to take a deeper look inside their network,” said Soltani. Indeed, all three of the major papers that were hacked went to outside security firms for aid, and Twitter is currently working with the federal government to track down the hackers responsible for its own network breach (my guess is that Twitter is paired up with the Department of Homeland Security).
But here’s the truth: No system is 100 percent safe. No matter how secure a company tries to make its network, there’s still one giant, glaring point of access that hackers will always go after — you, the user.
“Humans are the weakest link in any security strategy,” said Soltani