Companies are paying “white hat” hackers to
probe their cybersecurity systems for weaknesses—but some say that so far, they
aren’t paying enough.
The cybersecurity expert Chris Rock is an
unconventional killer. At this year's Defcon hacking conference—one of the
largest conferences of its kind, attracting more than 6,000 hackers and
security experts from around the globe—the Australian information-security
researcher demonstrated how to manipulate online death-certification systems in
order to declare a living person legally dead. Potential motivations for
hackers, he explained, range from plain revenge to financial gain in the form
of life-insurance payouts.
Rock began researching these hacks last year,
after a Melbourne hospital mistakenly issued 200 death certificates instead of discharge notices
for living patients. He also uncovered similar vulnerabilities in online
birth-registration systems. The ability to create both birth and death
certificates, Rock told a packed session at Defcon, meant that hackers could
fabricate new legal identities, which could in turn engender new types of money
laundering and insurance-fraud schemes.
In the hacking world, Rock is known as a
“white hat”: an ethical hacker who exposes vulnerabilities in computer systems
to improve cybersecurity, rather than compromise it. In recent years, white-hat
hacking has become increasingly lucrative, as companies have turned to
professionals like Rock to protect them from the growing threat of cybercrime.
But to combat the sophistication of more malevolent hackers, the ethical-hacking
industry still has a long way to go.
In a threat report published by the U.S. Director of
National Intelligence earlier this year, cyberattacks were listed first among
global threats, above both terrorism and weapons of mass destruction. “We
foresee an ongoing series of low-to-moderate level cyber attacks from a variety
of sources over time, which will impose cumulative costs on U.S. economic
competitiveness and national security,” the report reads. “During 2014, we saw
an increase in the scale and scope of reporting on malevolent cyber activity
that can be measured by the amount of corporate data stolen or deleted,
personally identifiable information (PII) compromised, or remediation costs
incurred by U.S. victims.” According to the security firm Gemalto, an estimated 1 billion records worldwide
were compromised in 2014.
David Burg, the head of global and U.S.
cybersecurity at PricewaterhouseCoopers, says that public data breaches—like
the high-profile hacks of Ashley Madison, the Office of Personnel Management,
and Sony Pictures over the past year—comprise just a small portion of the
hacking activities that take place. Attacks that relate to payment cards, PII,
or protected health information are publicized because of mandatory
breach-disclosure laws, but “most of the cybercrime that occurs, which is of the
economic-espionage variety, is never made public,” he says. “Attack activity is
very big business. You’re talking trillions of dollars in wealth being
transferred globally.”