back to article Crooks and kids (not scary spies paid by govt overlords) are behind most breaches

Despite the hype about state-sponsored hackers, most breaches are actually the result of either criminal activity or "kids messing around", according to breach expert Troy Hunt. Hunt, operator of the breach notification service Have I Been Pwned, noted that many of the current spate of breach disclosures actually stem from …

  1. NoneSuch Silver badge
    Big Brother

    The pros seldom leave tracks and don't need to break individual systems when they have access to the networks in-between. Skewed statistics, no doubt.

    1. Destroy All Monsters Silver badge

      ...in particular, if they have access to the sysadmin.

  2. EnviableOne Silver badge

    400k may be a paltry fine but its the biggest they have handed out and 80% of what they are allowed to hand down at the moment, if it had been post may 2018 it probably would have been closer to the 20 million euros.

    1. Oh Homer
      Trollface

      But, but...

      400k ought to be enough for anyone.

  3. Naselus

    "TallkTalk was “negligent”"

    I'm sorry, but if kids are behind a significant portion of breaches, then it's the negligent companies which are actually responsible. I don't think the 15 year old kid using free software is the problem in TalkTalk's case. I think TalkTalk deciding that they didn't want to pay for any serious investment in IT security infrastructure was.

    1. Doctor Syntax Silver badge

      "I don't think the 15 year old kid using free software is the problem in TalkTalk's case. I think TalkTalk deciding that they didn't want to pay for any serious investment in IT security infrastructure was."

      The two are not mutually exclusive. In fact, it was a combination of the two.

    2. Christian Berger

      If it was about paying

      "I think TalkTalk deciding that they didn't want to pay for any serious investment in IT security infrastructure was."

      Problems in IT security don't happen because of a lack of money, but because people decide to do incredibly stupid things.They happen because people choose to go the complex route instead of the simple and elegant one. They happen when someone creates a complex web GUI using multiple highly complex frameworks, just to do something a couple of shell scripts could have done, accessed via ssh.

      1. Alan Brown Silver badge

        Re: If it was about paying

        "Problems in IT security don't happen because of a lack of money, but because people decide to do incredibly stupid things."

        Actually they DO happen because of a lack of money.

        The discussion usually goes along the lines of management asking how much it will cost and what's the benefit - then deciding they won't fund it.

        When the benefit is described as "you don't get to go to jail if we get hacked" they tend to perk up their ears a bit. Keep the interest personal and companies will do the right thing (and if you're ever refused permission to do somehting critical on cost or other grounds, keep the email and reasoning behind it in a safe place where it can't be deleted/removed. It's called covering your arse. Bear in mind that management like this are sociopaths who will happily throw you under a bus to save their own skin.)

        A long time ago in a different country, laws were passed which made management personally culpable for certain activities in addition to criminalising them. The day after, the CEO of the company I worked for circulated a memo which started "Because I have no desire to go to jail because of the actions of an employee, these activities are utterly prohibited..."

  4. a_yank_lurker Silver badge

    The Usual Suspects

    It seems whenever there is a major breach the first accusation is blame the Russians, Chinese, or NORKS without thinking. Government hacking and spying will directed to gain information the government finds useful or wants. This accusation allows the victim to blame shift from their own bungling incompetence that make Colonel Klink look a military genius to they never had a chance against a major spookhaus.

    Criminals are interested in stealing information they can convert into money such as credit card numbers relatively easily. Others are interested in embarrassing public figures and companies for extortion though you can not embarrass low lifes like politicians and most celebrities. Neither is something governments generally care about.

    1. GrumpyKiwi

      Re: The Usual Suspects

      Totally in agreement. You note that as soon as a sacred cow is touched (like the Democratic Party servers for example) then it's all "Chinese/North Korean/Russian hackerz!!!11!!".

      On the other hand when the person is caught and it turns out to be a local then it becomes "oh he has Asperger's and he doesn't know any better".

  5. Aodhhan

    Targeting

    The laugh test for most breaches is all about the data. State sponsored attacks don't hit retail stores or go after money. Think about it for 2 minutes, and you'll get why.

    State actors go after technology, military, large business products for intelligence and to reverse engineer/steal and copy, and huge business assets/powerful individuals to gather inside information for investment. Attacking Google, Yahoo, Target, etc. doesn't provide this.

    1. Version 1.0 Silver badge

      Re: Targeting

      "Attacking Google, Yahoo, Target, etc. doesn't provide this."

      If you collect enough account details then you are in a position to paint a good picture of individual users, you know what they like to do, who they like to talk to, what services they buy from and ... drum roll ... how they like to format and chose their passwords - that is, assuming that they don't use the same password everywhere.

      This is useful information ...

      1. JonP

        Re: Targeting

        This is useful information ...

        To criminals maybe, not nation states. I'd seriously doubt that knowing a bunch of Yahoo passwords is of any interest to North Korea or China or $current_bogeyman.

        1. rh587 Silver badge

          Re: Targeting

          To criminals maybe, not nation states.

          I think you'll find that having control of the personal e-mail of an employee at AWE or BAE systems, or knowing they are on Ashley Madison could be of enormous use if you were hoping to leverage someone to gain access to information on more secure or air-gapped systems.

          This is the reason Enhanced Vetting asks some extremely intimate questions about one's sexual preferences and fetishes (amongst other things). Reduces the risk of blackmail because HR already know your dirty secrets an you won't have any problem walking in and saying "I've been approached by someone threatening to release x about me."

      2. Alan Brown Silver badge

        Re: Targeting

        "If you collect enough account details then you are in a position to paint a good picture of individual users"

        This is exactly why Bletchley Park kept everything - and the intelligence they deduced from this stuff was often more useful than directly decoded strategic commands (much of the more sensitive stuff wasn't able to be intercepted because it was on landlines or face-to-face meetings, but could be deduced from intercepts showing ABC person ordered to XYZ site, based on known past activity, locations and affiliations)

        That's why this kind of activity is still done, but it's worrying on several levels that intelligence agencies are hoovering up every possible bit of information about everyone they can, "just in case", instead of concentrating on known problems and the circles they move in.

  6. VinceH

    “Blaming state hackers has become like a ‘dog ate my homework’ excuse,” he added.

    Quite. Like I said two weeks ago, claiming hacks are state-sponsored is the new black.

  7. John Smith 19 Gold badge
    Unhappy

    "Dropbox" ".. halfway through moving from the ageing SHA1 technology.."

    And how long has that technology been obsolete for?

    Remind me what is Dropbox's core business.

    Something about the backing up data that people and businesses feel are personally critical to the, isn't it?

    1. Adam 1

      Re: "Dropbox" ".. halfway through moving from the ageing SHA1 technology.."

      It's actual difficult to change password algorithms when your user base is casual and you are using a hash because you have no way of determining the hashed password other than brute force, dictionary or rainbow attack, you have to passively wait for the user to authenticate again and force them through the change password roundabout.

    2. Doctor Syntax Silver badge

      Re: "Dropbox" ".. halfway through moving from the ageing SHA1 technology.."

      "Remind me what is Dropbox's core business."

      Never mind about their core business, remind me who's on their board.

      1. Anonymous Coward
        Anonymous Coward

        Re: "Dropbox" ".. halfway through moving from the ageing SHA1 technology.."

        "Never mind about their core business, remind me who's on their board"

        The NSA.

  8. Anonymous Coward
    Holmes

    Yes, I believe that crooks and kids are behind most attacks

    But I am under no illusions that crooks and kids are supposed to A) behave responsibly and B) work for us.

    Plus crooks and kids don't really have the power to subvert standards, infrastructure and even logistics systems to insert vulnerabilities into the system for their own selfish reasons, and that leaves doors open for the crooks and kids to come streaming into your network.

    1. Doctor Syntax Silver badge

      Re: Yes, I believe that crooks and kids are behind most attacks

      "Plus crooks and kids don't really have the power to subvert standards, infrastructure and even logistics systems to insert vulnerabilities into the system for their own selfish reasons"

      All too often we're not talking about standards. We're talking about badly configured installs that should have been secured and weren't. The kids attacking TT were using one such known exploit that was older than they were.

  9. Version 1.0 Silver badge

    Blaming the aspergers generation

    You have to wonder how good your security wall is when a script kiddy breaks in. I'm not knocking the kiddies - they provide a useful service, trying all the doors and knocking on the windows - but let's face it, they should not be able to break in if you've actually secured the place.

    Virtually every "attack" that succeeds is because someone left a "door" open - that's NOT the kiddies fault - that's YOUR fault.

    1. Cook942

      Re: Blaming the aspergers generation

      I'm sorry but no, you hold a portion of the blame granted but someone committing criminal acts is still committing criminal acts regardless of the difficulty they had doing it

  10. Mikel

    Nothing new

    Almost nobody employed in technology understands security. As it has ever been, as it ever shall be.

    1. Naselus

      Re: Nothing new

      The problem is more that despite extremely few qualified infosec professionals being out there, there's even fewer unqualified IT guys who realise they're not qualified to be security guys.

  11. John Savard

    Don't Minimize Anything

    Of course most breaches are by crooks and kids. However, state-sponsored attacks are still an additional item of concern; for one thing, since such attacks are more sophisticated, they remain a threat to those (few!) who have taken the necessary precautions to mitigate most of the threat from the lesser actors.

    Plus, of course, the zero-days of yesterday get into the hands of the script kiddies of tomorrow, as we've recently seen, and so the state-sponsored hackers, especially since they are starting to get caught once in a while (which is actually good news, not bad news, at least in some respects, from a security viewpoint) are adding to the "real" threat from "crooks and kids" too.

    No, the sky is not falling, but given that our operating systems and software are notoriously insecure, heightened awareness of security just might stimulate some progress in the right direction.

  12. Pete 2 Silver badge

    Talk big, do nothing.

    > most breaches are actually the result of either criminal activity or "kids messing around"

    But it is in nobody's interest to admit this.

    The police look stupid if they have to admit they are unable to detect the majority of reported hacks - when they are merely the work of children "messing around". The targets (are they really victims when their security is so lax?) will lose the confidence of their users / customers and suppliers if they are found to be hacked so easily.

    So, just like a cage fighter would be embarrassed by getting beaten up by a 7-stone weakling, it is in the interests of all concerned (including the hackers) to big-up the skills and luck of the hackers. That absolves all parties of blame and of the need to put in place even basic security measures (measure #1 - sack your security manager, if you get hacked again: sack the CEO).

    However, this does rather assume that the same outfit isn't hacked again a short time later, when the questions about why start to be asked of the higher echelons.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like

Biting the hand that feeds IT © 1998–2022