Don’t be alarmed or tempted to immediately discard your cavalcade of connected devices, but I need to report that another company had its security breached, got “hacked” as the word has now solidly come into vogue. You might think that you are next, and that very well could be. Know, however, that while any person and any thing that gets online is forever vulnerable …. What are the odds? It’s rhetorical.
The fact is that because I only barge into your eyeline once weekly I’m limited to reporting on less than one-seventh of the cybersecurity incidents. That is to say that one day’s report within any given week can never address even one-seventh of cyberattacks. Even if on that one day, being today, I was given umpteen of these columns—I know, a nightmare for us all—I still could not cover the most meaningful security breaches of that day.
We’ve collectively become somewhat numb to these occurrences. I purposely wrote “occurrence” instead of “attack” or even “incident.” The omnipresence of the hackers has diluted their effects. I say that as someone who cares, on a daily basis, about information security and privacy. If I were a wordsmith, I would find a laxer descriptor than “occurrence” for most layfolk. Seeing that a company got hacked, at this point in history, results in nonplussed responses such that even weather reports provoke more emotion for most of us. Big deal. A company got hacked again.
Acer is one of these companies. You may know Acer, the Taiwanese computer-making powerhouse that’s been around, formally, since the 1970s. Its North American headquarters are in San Jose, not surprisingly. Acer manufactures computers, laptops, tons of IT solutions for business and government, and scads of other SKUs in the tech arena. Nearly 20 years ago while I was struggling to earn good marks in college, I was too focused on Acer, and many of its competitors, while I sold most households in the area their first personal computers. Acer was a bread-and-butter option; never too pricey, always good quality, and customer support like the others: nearly nil. Today, it nets almost $8 billion in annual revenues.
Acer is a company that doesn’t regularly run in the ranks of Microsoft, Amazon, or Google, but it deserves to be in that category within many technology or business discussions. It’s a powerhouse, and like all but the most pillar-esque of the industry—think IBM—what firm could be more resourceful or knowledgeable about information security and defense solutions? If it’s not bullet-proof, who is?
Those are also meant to be rhetorical. First, they’re dishonest questions because within past weeks I’ve shared that Microsoft and its Exchange Servers got smacked by similar bad guys. Secondly, they’re answerable only in the negative because I’d already asked (and, had answered by the circumstances) an even more grandiose rhetorical question after even more grandiose targets succumbed. Why would anyone question whether big companies can defend against hackers when we see that entire governments get snookered time and again? That, too … rhetorical.
When I saw that Acer was victimized I was impressed. Acer’s an age-long player in tech with global reach and shared intellectual resources matched by few others. I’m impressed that again the lesson is that no person, organization, or device is peerless. Impressed because hackers exert the energy, perseverance, and creativity to circumvent the highest levels of security defense. And, impressed that the Acer attack was another in the category of ransomware, a strategy that the most savvy in security have recently relegated to “commodity” status, implying that as an offensive attack, it’s unsophisticated and relies on volumes of application to be lucrative. In the context of annually reporting about the state of information security, ransomware as compared to more traditional malware, trojan horses, and denial-of-service attacks, is simple and somewhat of a flash-in-the-pan soon to be supplanted by something newer that would again devolve into a commodity.
Essentially, a ransomware attack goes like this, and I hope to be consistent since I’ve explained the bullet-points before. A hacker becomes familiarized with an organization and its processes, and its potential assets, not unlike military reconnaissance. He (sometimes, but seldomly, “or she”) figures out a way to sneak in a phony-baloney email message that looks official. Where I teach, we get these so-called phishing emails:
From: President’s Office.
Re: Campus-wide password resets.
Beginning today, all students, faculty, and administrators must create new passwords with the following characteristics…. Click the following link to activate your new password.
Lo! and behold, by clicking the malicious link something bad happens, sometimes without even noticing—i.e., the link actually works, but also delivers some nasty payload.
In ransomware cases, that payload is a program that encrypts the information on the targeted systems. Then, just like a kidnapper’s ransom, the hacker reaches out and claims that upon payment he will decrypt the data and you can get along with your day. Honor among thieves being what it is, only a proportion of payers get their expected relief.
In the Acer case last week, the word “commodity” could never be used. The hackers demanded ransom of $100 million, only $50 million if they pay quickly. What a steal! After eight days, no more discounts. The criminal enterprise goes by Sodinokibi, which is godawful marketing in my opinion, and its catchier name, REvil (much better). They’re believed to be Russian. I know. Shocking. Some of their other targets included other companies, the former president, or law firms. They’re pop music fans, or the contrary, since going after Madonna and Lady Gaga. They were also implicated in the aforementioned Microsoft hack, so Acer seems in good company.
Should you worry about REvil? What can you do? Will you be next? These, as rhetorical as the others, but at least be aware (re-plussed?) of the unending threat.
Ed is a professor of cybersecurity, an attorney, and a trained ethicist. Reach him at email@example.com.