The Zappos hack this week made national headlines for a number of a reasons.
First, Zappos, a subsidiary of Amazon.com is a major brand recognized as a leading online footwear retailer. You don’t need to be female to know that Zappos sells just about every make and model of sandal, Skecher and pump known to man. And woman. And if you’re a woman there’s at least some chance that Zappos is your browser home page. I’ve seen it happen.
Second, the scale of the breach was massive. E-mail addresses, billing information, names and partial credit card numbers for an estimated 24 million individuals, making it one of the largest databreaches in recent history. The value of this data on the black market, using today’s cybercrime figures is in the tens of millions of dollars.
But in many ways the Zappos databreach isn’t unlike the countless other incidents we’ve witnessed lately. Which makes me wonder if we’re operationalizing information security this year any differently than we did last year. Or the year before that.
Of course history makes a great teacher, and this holds true for security, as well. And while they’re still grinding through the logs and other forensic evidence of this attack, there are some clear lessons to be learned here.
This is what I would do if I were Zappos:
- I would learn to be better at Public Relations – Because they expected a deluge of phone calls related to the hacking, Zappos said that they were temporarily turning off their phones, instead responding to inquiries by e-mail. “If 5% of our customers call, that would be over 1 million phone calls, most of which would not even make it into our phone system in the first place,” the company’s e-mail to employees said. Now I’m no PR expert, but if I just pissed off 24 million of my customers by exposing them to identity theft, disabling their preferred mode of communication might not sound like a bright idea. Perhaps they missed the beating that RSA and Sony took for their PR guffaws.
- I would learn to be better at helping my customers during a crisis – Have you ever tried getting your organization of 150 people to change their password? Exactly. Now multiply that times 160,000. It’s the equivalent of sucking an Olympic size swimming pool through a McDonald’s straw. In this day and age, there should be a way to programmatically reset customer passwords, provide them a means for securely accessing the new password, or simply leaving the account disabled until such time that the customer wants to use the account again. I’m betting that a significant percentage of those 24 million accounts are inactive in the first place.
- I would learn to better protect sensitive information – Zappos was warned daily – possibly more frequently – by The NY Times, The Washington Post, the GreyCastle Security blog and other global media outlets that they were going to be hacked, but they proceeded to store names, billing addresses, e-mail addresses and partial credit card numbers together, in one database, potentially on one server, packaged neatly for the next disgruntled employee, hacker and other miscreant. I’m guessing that Zappos didn’t have the budget, the time or the resources to secure this information appropriately. It wasn’t a priority. Until it was too late.
- I would learn to be a security evangelist – Now that I’ve been owned by hacker(s) unknown, exposed my customers to incalculable risk and started racking up unnecessary Incident Response bills, I would help other companies avoid what just happened to me. “We’ve spent over 12 years building our reputation, brand, and trust with our customers. It’s painful to see us take so many steps back due to a single incident,” the company’s CEO said. The biggest problem in our industry is not a technical one, it’s a psychological one. As long as Company XYZ believes that they have nothing worth protecting, and that this can’t happen to them, we’ll continue to experience these issues.
It’s not fair to single out Zappos. This blog could be written about thousands of other organizations. But so far security hindsight continues to be nearsighted.
Maybe Zappos should start selling eyewear.
On Wednesday, January 11, as the USS John Stennis and three other carrier battlegroups arrived in the Gulf region, two anonymous hitmen rode up alongside the Peugeot 405 being driven by Mostafa Ahmadi-Roshan and “pasted” magnetic shape charges to the cabin exterior. They exploded seconds later, destroying the interior of the vehicle and leaving their surroundings untouched.
This bold, high-tech act comes on the heels of two other attacks, both aimed at disabling or stalling Iran’s nuclear capabilities.
The first is a series of suspicious explosions at Iran’s nuclear facilities, one of which killed another top scientist. These explosions were documented by US satellites which clearly demonstrate the origin and impact of the blasts. These explosions occurred “around the time” that Iran was found to have in its possession an RQ-170 stealth drone.
It is suggested that the Lockheed Martin RQ-170 Sentinel is designed primarily for reconnaissance. Of course it’s 66 feet wide and weighs close to 10,000 pounds. That’s one mighty big camera. Oh and it also has modular bays that can be adapted for “strike missions”.
The second is a high-tech operator that executed missions on the ground. Using covert tactics and the latest intelligence, this foot-soldier infiltrated Iran’s top-secret nuclear facilities and quietly disrupted core processing. Rapidly moving from reactor to reactor, this highly trained assassin combined speed, stealth technology and the latest weapons to sabotage Iran’s nuclear capabilities.
It wasn’t until the damage was done that this assassin was given a name.
We called him Stuxnet.
Now we can speculate whether or not Israel or the United States was behind Stuxnet, but one thing has become alarmingly clear – someone wants to destroy Iran’s ability to produce nuclear assets and weaponized software was a key component of the campaign.
Stuxnet, at its time hailed as the most sophisticated piece of malware ever conceived, dawned a new era. It was not the first time that cyberwar had been waged, but it was the first time that cyber was elevated to that rarefied ether of air, land, sea and space. Even the decompiled code was classified for a time.
Today, nation states are hard at work developing weaponized software that will disable their enemies’ critical infrastructure, destroy military intelligence and render nuclear and other traditional weaponry useless. Cyberwarfare is young, but maturing in dog years. Stuxnet already has one child, and they’re multiplying fast.
In October of 2011, it was made public that the United States Air Force experienced an outbreak of malware on a network associated with assets used to control drones in the Mideast. The origin of the malware was never declassified, nor was the resolution of the incident. Some of us thought that perhaps it was a US Government concoction once again targeting Iran that escaped the labs.
- Step 1: Build Malware
- Step 2: Infect Drone
- Step 3: Crash Flying USB Stick in Iran and Watch From Satellites as it Blows Up Nuclear Plant
Looking forward, it’s clear that software has become part of our military arsenal. We will continue to see more frequent headlines telling stories of cyberattacks on military installations, cyberespionage and weaponized software. Let’s remember that just as China and other countries have stolen our blueprints for drones, tanks and fighter aircraft, they have also built their own cyberweapons.
For now though, I’d turn down that job as an Iranian nuclear scientist.