The past few years have seen an absurd number of companies getting hacked, from simple passwords to entire databases of email. When we’re affected by these hacks, we look for someone to blame — but we rarely stop to look at our own lives and see what we can learn from these companies’ mistakes.
Pictures: marc falardeau, notoriousxl, Billie Ward, Chad Cooper.
Companies often seem like they’re monolithic titans that can’t be touched. Underneath all the branding, however, they’re made up of people. People who can make mistakes, overlook something, or even get lazy. Whether you’re one of the people who works for a big company, or just an average Jane looking to protect her chat logs, we can all learn a thing or two from these slip-ups.
Don’t Neglect The Basics
To say Sony has been making news lately for its round of hacks would be a bit like saying a few people have heard of The Beatles. The biggest problem with the Sony hack was how low the barrier to entry was for the intruders. Massive documents containing master lists of passwords were not only labelled with names like “Master_Password_Sheet”, they also contained plain text with no encryption or other protection. It’s like hiding your entire keyring under the doormat, and putting a note on the door that says “key under doormat”.
If an attacker gains access to one machine that stores these passwords, they can access everything. At the very least, protecting the spreadsheets themselves with a file-specific password might have prevented some damage (in the same way a password manager can protect regular users). However, these were probably neglected because it was assumed that more elaborate measures would keep them safe. As one security researcher told Gawker:
It’s pretty common, I’ve seen, for large non-progressive organisations (older software dev shops, finance places) to have precariously old ways of thinking – like that “their firewall will save them”.
Often, when we analyse our security threats, we assume that intruders will be shadowy overseas elite hackers who can break through our locks anyway (and, to be fair, in Sony’s case it was probably true). But that’s no excuse for making it easy on them. Encrypting those spreadsheets — or using proper password management software — could have at least slowed down the intruders.
In Sony’s case, even encrypting those specific files could have helped. For most regular users, our online security checklist can help get you started. We also have a guide for the minimum things you should do to protect your Android phone. They may not all keep out North Korea or whoever, but they at least raise the bar.
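An added example, not part of the original article: a small Python audit that a defender could run over their own file share to find files whose names advertise credentials and which are stored as plain text or as Office documents saved without a password. The name patterns, the classification heuristic and the sample files are assumptions constructed for illustration.

```python
import os
import re
import tempfile
from pathlib import Path

# Names that advertise their contents, as "Master_Password_Sheet" did (assumed patterns).
NAME_HINT = re.compile(r"passw(or)?d|credential|secret|login", re.I)
ZIP_MAGIC = b"PK\x03\x04"  # an .xlsx/.docx saved without a password is a plain ZIP archive

def classify(path):
    """Heuristic: 'plaintext', 'unprotected-office' or 'opaque' (empty, binary or encrypted)."""
    with open(path, "rb") as fh:
        head = fh.read(4096)
    ext = os.path.splitext(path)[1].lower()
    if head.startswith(ZIP_MAGIC) and ext in {".xlsx", ".docx"}:
        return "unprotected-office"
    if not head or b"\x00" in head:
        return "opaque"
    text = head.decode("utf-8", errors="replace")
    return "opaque" if text.count("\ufffd") > len(text) // 10 else "plaintext"

def audit(root):
    """Return sorted (relative path, classification) pairs for exposed credential files."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in filter(NAME_HINT.search, files):
            path = os.path.join(dirpath, name)
            kind = classify(path)
            if kind in ("plaintext", "unprotected-office"):
                findings.append((os.path.relpath(path, root), kind))
    return sorted(findings)

def demo():
    """Build a constructed sample share in a temporary directory and audit it."""
    samples = {
        "Master_Password_Sheet.csv": b"system,user,password\nmail,admin,example-only\n",
        "finance/logins.xlsx": ZIP_MAGIC + b"constructed stub, not a real workbook",
        "vault/passwords.kdbx": bytes(range(256)) * 4,  # stand-in for an encrypted vault
        "notes/meeting.txt": b"agenda: budget review\n",  # name carries no hint
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in samples.items():
            target = Path(root, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(body)
        return audit(root)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Files reported as `opaque` are not proven safe; the check only separates content that is readable as-is from content that is not.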
Treat Everything Like It Might Be Hacked One Day
When Gawker Media was hacked back in 2010, it wasn’t a beacon of security strength. However, it would have been easy to say that the team was simply outmatched by someone smarter (after all, there’s always someone smarter).
The commenter account leaks would have been bad enough. However, excerpts from internal chat logs also made their way out. Arguably, these were the more embarrassing part of the attack. While we’ve all said things in private that can be interpreted badly if made public, we often don’t think about it at the time — and neither did the folks at Sony, who have found all their emails released to the public domain. Whether it’s right or not doesn’t matter when the damage is done.
You can’t always watch every single thing you say, and it’s hard to endorse obsessive paranoia as the right approach to security. Nevertheless, it’s good practice to treat everything like it will someday be hacked. While our primary goal should be to improve our security, we should also take precautions to ensure that our skeletons aren’t so easy to find. That doesn’t mean you can’t ever speak your mind. Just be aware that you may have to own up to it someday.
Don’t Ignore Physical Security
Most of us don’t have a very accurate idea of what a “hack” looks like in progress, because we don’t see it happen. As a result, we fall back on the Hollywood image of a skinny person in a dark room typing away on a Linux terminal, breaking through layers and layers of complex virtual security. But it’s not always a virtual firewall that gets breached.
When Target in the US lost millions of customer records to one of the biggest retail security breaches in history, it wasn’t because someone hacked the Gibson. The attackers installed malware on the little box that you swipe your card in. While the hack was technically initiated remotely (using network credentials from an HVAC company of all places), most people don’t focus on the physical locations where data is collected, as it’s assumed the “big hacks” wouldn’t happen there.
To bring the point home even further, our sister site Gizmodo has talked at length about card skimmers, which snag credit card information at the source. While the Target hack was done with software and card skimmers use special hardware, the result is still the same. Data was stolen right where it was collected.
What does this mean for you? For starters, don’t assume that you’re safe just because you use 1048-bit, end-to-end encryption on your files stored in heavily guarded server facilities. While Google or Dropbox may be able to provide reasonable protection from remote hackers, if you don’t protect your desktop, someone can walk right in and see your files. Lock the doors to your office, enable a PIN on your phone, encrypt your Wi-Fi, and don’t let your laptop out of your sight. Just because some hacks happen over the internet doesn’t mean you can forget about the places you physically interact with technology.
Be Mindful of Connected Accounts
Google, Facebook and Twitter have all made efforts to make it easier to access services on the internet. This is a handy way to avoid keeping track of yet more passwords. While Google and Facebook are pretty secure, if you use a smaller service to connect your accounts, and it gets hacked — like bit.ly did — it can introduce new problems.
For those who don’t recall, bit.ly is a URL shortener. It allowed users to connect their social media accounts so it could post for you. When it was hacked, the company warned users that their authentication tokens — the keys that allowed bit.ly to access Facebook or Twitter on your behalf — were stolen as well.
This meant that even though neither Facebook nor Twitter was hacked, people’s accounts were still semi-vulnerable. Hacks of this kind allow the intruders to gain access to whatever information the service itself had, including your name, email address, phone number, timeline activity, or even the ability to post for you.
Previously mentioned security audit service MyPermissions can help you do an audit of your accounts and see what apps you’ve given access to your account. You can also check Facebook, Twitter and Google at these links to revoke permissions directly if necessary. You may not want to do this for applications in active use, but get rid of anything you don’t recognise or use anymore. In Google’s case, you can also see physical devices that still have access to your account, so even if you use MyPermissions, double check with Google.
More importantly, if a company gets hacked, check your accounts, even if you don’t use that service anymore. Similarly, you should be careful of which companies you entrust your accounts to. Don’t just ask “Would I let this company post to my timeline for me?” Ask “Do I trust this company not to get hacked?”
Even Experts Can Be Vulnerable
When you think of companies that are likely to be hacked, a firm that specialises in computer security doesn’t sound like it would top the list. Nonetheless, RSA Security found itself the victim of what it described as “an extremely sophisticated cyber attack”. How did they do it? By sending phishing emails — emails designed to look like they come from a different, trustworthy entity — to a small group of employees.
As regular consumers, most of us don’t tend to familiarise ourselves with the intricacies of enterprise-level corporate security. In fact, most of us get bored reading that phrase. Instead, we fall back on the comfortable notion that “They’re experts. They can handle it.” And, in many cases, that’s true! People who are trained and paid to know more than we do can probably handle things better than we can.
However, nothing is foolproof. Even people who work in information security for a living can be hacked. By a similar token, we can think that because we read Lifehacker, use a password manager and enable two-factor authentication, obviously we could never be hacked.
Neither case is true. We all take risks, of course, but we should never assume that a system is bulletproof just because we (or the people we trust) are smart. There’s always someone smarter out there. Be aware of your vulnerabilities. Patch the holes. Back up your data. And, like we said earlier, assume that you will get hacked at some point, and take the necessary precautions.
When Something Bad Happens, Take Action As Soon As Possible
When something bad happens, it’s natural to want to deny it. It can upset your entire day (or week), throw you off your schedule and put you in a bad mood. However, the longer you wait, the worse it gets. Just ask Monster.com, which waited several days after discovering a hack to disclose it.
Now, this is obviously problematic for a variety of reasons. Monster’s customers were none too pleased that their accounts were vulnerable without their knowledge. During that timeframe, scammers with full access to users’ accounts were sending emails from what appeared to be recruiters to other users, asking for financial information.
This wasn’t just an issue of Monster’s reputation getting damaged. Users were in active danger because the accounts weren’t closed down immediately. When major hacks happen, it’s important that we inform users immediately so that action can be taken to prevent abuse.
Of course, companies that get hacked and news outlets like us can only do so much. If you discover a vulnerability in your accounts or devices, don’t hesitate. Take action immediately to fix the problem. It may suck for a while that your day had to be interrupted with yet another security problem, but it’s far better than letting a hacker run wild with your data.