So, who really hacked Sony?
How much should we fear high-profile hacks of retail stores and government computers?
What, if anything can we do to secure our smart phones?
Today, we explore the technology behind the news with a top expert on the subject, Dr. Richard Ford, Head of the growing Computer Sciences and Cybersecurity Department at the Florida Institute of Technology in Melbourne.
Question: You told me a year ago that foreign powers “own” our systems to a degree the public and news media could not yet imagine. Had you just predicted the Sony hack that embarrassed Hollywood and delayed release of “The Interview?”
Ford: The really surprising thing about Sony is that we’re surprised it happened.
The last few years, you see big target after big target â€” no pun intended â€” getting knocked over with cyberattacks. Sony is the most public, but it may not be the worst.
Email never goes away. When you pull people’s email out and release them out of context, they can be extremely costly. Some of the estimates we’ve seen of damages to Sony are pretty staggering.
Everything now goes through our digital devices, and often through a single point.
The whole username-and-password thing is starting to creak under the stress.
Q: What is your department at Florida Tech developing in response?
Ford: We’re doing a lot. One or our newer faculty members, Dr. Heather Crawford, does interesting work on how password authentication might change.
With cell phones, you can do things like two-factor authentication where if you log in from a new device, the system sends you a text with an extra piece of security information you have to provide. That’s effective at the consumer level.
We’re doing (defense) research on whether computers can attack other computers and also defend themselves without a person in the loop.
Q: So, who really hacked Sony?
Ford: We don’t really know. Looking at that evidence, you would say some of the people involved were Korean. When you compile a piece of code â€¦ it leaves some fingerprints like the language pack for the machine that compiled it. And that was Korean.
On the other hand. If you’re a hacker and you’re not stupid â€¦ I could set my language to French, and now you have a different set of fingerprints.
In the public world, you look at the modus operandi of the criminal and say, “This is how they got in, these are the tools they used â€¦ this fits the M.O. of a particular group of people.”
Then you’ve got the classified world. If I have your phone tapped, I might know exactly whether you did it or not, because I know what you did that day. But I’m not going to tell anyone I had your phone tapped.
It’s difficult to draw the line between a nation-state and a rogue group of hackers. Nation-states leverage these people all the time to do their dirty work.
Q: Which of these recent storylines is scarier? The mass theft of credit-card information from big-box stores like Target and Home Depot? Or the succession of Chinese hacks of our national weather system, Postal Service, information on dams and other federal data.
Ford: They’re both equally terrifying because it’s not even clear they’re separate people. If you’re a hacker working for the Chinese government, you might be tempted to do some extracurricular activities â€” scam 16 million credit cards in your spare time.
These people are not well-behaved. They’re hackers, right?
Q: New smart phones come out every year, almost all connected to the Internet. What precautions can consumers take?
Ford: It depends on the type of cell phone. Apple has this walled-garden, making it a little safer. In the free-wheeling world of Android, you can install pretty much anything you want on your phone, including bad things.
So, with Android, think carefully before you install things from other places. If you install a free game, it’s probably not free. You’re the product, and someone’s making money somewhere. It could be a little ad, which is fair, or it could be asking for permissions to look at your contacts and data, which is tricky.
We don’t realize the value of what we’re sharing. Any one point doesn’t tell you much. But when you see all the points linked together, you can see a trajectory that tells me exactly what I want to know about you.