Hacks, Hackers and Hacked

Posted    |    Rating: not yet rated

2019 is shaping up to be a really energetic year. Even before January 1st, different events were already set in motion for a colorful round of stories. At the heart of the public’s interest in computing is hacking, the deep and swirling mystery; at the heart of hacking is curiosity: the desire to untangle deep and swirling mysteries. While similar, the two groups couldn’t be farther apart. Any tinker or hacker wonders why common knowledge isn’t so common and common thinkers wonder what all the bother is.

Stuck in the middle are the manufacturers; producers who depend on computer tinkers and hackers to deliver a service or product to the broader market. If you think of it that way, as being two sides to the consumer coin (one full of questions and one full of data), it’s easy to understand why different companies put such distance from one group or another. One German teen recently found a bug in the Mac OS relevant to passwords but won’t tell because Apple’s bug bounty program is lousy. This comes almost days after the mother and son duo who found an exploit in Apple’s FaceTime that turns unanswered calls into eavesdropping spy phones (and Airs and tablets) make the six o’clock news and grant wild numbers of interview requests.WSJ We can infer toward which camp Apple leans. EDIT It’s taken 10 days to fix the flaw. Daily Mail

There is a natural law of distribution at work here where it seems the top 1% of bug bounty hunters are earning 80% of the awards but the details that different organizations say they’ve collected to prove different power law sums are disputed. What’s a nice turn for the times is that many organizations consider the open scrutiny of hundreds of strangers a valuable discovery tool. While in-house security detection and correction is still a better choice for most companies, consider this shift in mentality…

A history of access

Years ago, some web surfers were introduced to the idea that ATM passwords remain as their factory defaults. ATM “operator mode” via a master password allows about any imaginable control over the machine. Today, there’s still online access to the factory passwords and that puts a lot of people in a peculiar moral spot; physical access to physical objects is just as intrusive as virtual access to personal data. These days, however, not enough people are inhibited by feelings of wrong-doing when they get their hands on potential ‘keys.’ So there’s a greater factor of importance today on discovering and repairing bugs or exploits or changing default passwords.

Gambling with security

You’d think producers would recoil at the idea of compromised security considering the “treasure troves” they’re often supposed to be accountable for. One blithe and dramatic oversight is playing out right now. A duo of hacker-tinkers stumbled onto a server passing and storing information without encryption. Even unencrypted data takes a while to figure out and they eventually determined they accidentally backdoored a company responsible for Las Vegas casino rewards program members. Present in the data were photocopied IDs, bank accounts, money, Social Security Numbers and virtually nothing stopping real damage or theft from occurring.

The duo connected with a mentor-type who then connected the duo with FBI and the servers owners. A big party-line call took place and the company that owned the servers ended the call by asking if they could go private with the duo and talk about a bounty or reward. The company now has allegedly strung the duo along, never fixed the problem, gained more customers, offered more services that gather more data including points for facial recognition and then there’s the face to face meeting the company didn’t expect at an expo in London a little while ago that “blew up” on social media. How that attention goes for everyone involved hasn’t finished playing out yet but I framed that story this way, “these days, not enough people are inhibited by feelings of wrong-doing when they get their hands on potential ‘keys,’” and this company may have skated too long on good luck.

More eyes are better

Since locks, master keys have always existed but only recently has the culture of jiggling the lock gone from shameful, dirty-for-even-thinking-it, to misunderstood but possibly-a-necessary-evil. What the idea of hacking should do is align in the public’s imagination with other issues of safety where it’s a given that “it takes a village.” That it might take a village is a phrase used when talking about keeping kids safe. On that note…

When government entities find flaws, no one bats an eye as to how it got done. Smartwatches for kids were another case where data at the backend went unencrypted allowing anyone to alter commands to the kid’s watches, speak through them, track them via GPS, sift through data stored on the account and more. It stands as one of the first cases of tech-toy EU recalls though other tech-toys have been cited as dangerously flawed.

The lede in that story doesn’t have to be the smartwatch or the EU recall or the unencrypted server. People like Christian Bernieri, an Italian data protection expert, added to the alarm. Hackers or pentesters or White Hats can point out other dangers that organizations or governments might not be able to discuss or investigate as freely. What Christian brought attention to was that China seemed more in control of the smartwatch and its app than anyone else.

There’s no magic, just people

The chasm between the tinkers and the general consumer is perceived as being wider than it actually is. Take this humble-pie tweet from a respected hacker (with over 18K followers):

“I don’t know how to hack everything, never will, and neither will any of you. If that makes me a “noob”, a word I think is asinine, OK, then that’s what I am. I am also not a thought-leader, influencer or expert. I just know some stuff about computers and love them, dearly.” -blackroomsec

It’s really up to the corporations to convince the buying public that it’s magic that powers their products; magic of the deep and swirling mysterious sort. The presence of hackers, tinkers, pentesters (‘penetration testers,’ shortened) and InfoSec onlookers should hint to regular users that there’s no magic going on. While this doesn’t mean every technology has an affordable, $35-dollar Raspberry Pi counterpart waiting to be built, it does mean that the knowledge of what’s happening is within the grasp of regular people regardless of the smoke and mirrors. And there’s evidence that some hackers are ready for the audience.

Not long ago I came across a tweet among the White Hat crowd I follow and it said something to the effect of how they were all just wizards trying to impress other wizards. It certainly stuck with me; what hackers will hopefully gain as the days and months go by this 2019 is a good couple PR events: babies saved, gambler’s IDs protected, phone security locked down and coming across as the brainy and strategic class of folk we need who also need us.

Categories ,