The Future Of Hacks May Lead You To Debt Or Prison
It seems like almost every week we hear about some company or government agency getting hacked. It's mostly lots of data being stolen, with the attackers sitting inside the network for months or years. That's not too surprising, since the average time for discovering an attack is usually a year… that's really sad. It's also sad that most attacks that happen today don't require the attacker to use anything advanced; they don't need to take advantage of any 0dayz or anything like that. For the most part they just need to use social engineering.
You as a security professional can throw up all the security software and physical security you want; however, the wrong person clicking on a phishing e-mail and sending their credentials can be game over. Even if that person doesn't have access to the social security database, they have access to inside company knowledge or e-mail lists (aka future targets), possibly compromising OpSec. An attacker can use that e-mail to get other users. A lot of users question e-mails that come from outside, but when it's from someone inside the company they tend not to question it. It's even worse because you don't even need to hack an account to send e-mails; spoofing e-mails is really easy.
A lot of hacks are discovered because the IT/Security team sees lots of data leaving the company, because an outside company or government agency has alerted the company to a possible attack after finding data belonging to that company on the Internet (maybe for sale), or because a ransom note was sent. Attackers like these are loud, and bring attention to themselves. They tend to break the Availability and Confidentiality parts of the CIA triad that security professionals try to uphold; that is, Confidentiality, Integrity and Availability. But what if the attackers didn't want to take anything, and didn't extract huge amounts of data from a company or government network? What if the attacker didn't want to sell the information? They could make money by altering data, not extracting it.
Future hacks may just affect the Integrity of data. Let's say a hacker was hired not to steal company data, but to alter it. Let's say they wanted to take a company down, or at the least make it lose lots of money. What if an attacker was hired to take a competing peanut butter company down? Leaking data doesn't seem to be the best way, as most people are numb to this news now, but what if you could affect the company's finances in a big way… the trust of the customers.
A hacker is hired to take down a peanut butter company. Instead of extracting data from the company and selling it to the competition, they get into the machinery that prints the labels on the peanut butter bottles. They change one small thing that most people wouldn't even question or notice: the expiration date. They could set the printed date to a year past the actual expiration, causing hundreds if not thousands of people to get sick and destroying the trust in the company. Now this would be a slow takedown.
That may not be the best example, but it can be horrible for people if the attacker was paid to take someone down. It wouldn't be the first time a police station was hacked into. The attacker could replace fingerprint information with yours. Let's say you had an Android phone, specifically a Samsung phone; there was a vulnerability in the Samsung phones not too long ago that allowed an attacker to extract fingerprints from the phone. Now they could replace the fingerprint on a case with yours. The attackers could then put in an anonymous call to the cops with a lead on the case, and wham, they have you. It would be VERY difficult for you to prove those aren't your prints. And if you don't have a solid alibi proving you weren't at the scene.
Those might not be the best examples, but I think you get the picture. Changing data will be the future of some hacks. It won't replace all hacks; some people still want to make money selling stolen credit card information. But you can affect lives by changing the integrity of data. This isn't completely new; it's no different than changing your grade. WarGames was one of my favorite movies, and he changed the integrity of his grade.
Let me know what you think of this article on Twitter @martinoj2009!