Few universities boast as much anti-hacking cred as UCSB, where the Computer Security Group (which we featured in this December 2010 cover story) studies the exact sort of hacking that’s making plenty of headaches for Sony Pictures, not to mention healthy glops of geopolitical intrigue for everyone else.
One of the UCSB Computer Security Group’s main visionaries is Italian-born professor Giovanni Vigna, who also is CTO of LastLine, Inc., a digital security start-up based in Goleta and Redwood City.
He broke away from hosting his extended Italian family during this Christmas week to discuss the Sony hack, why he thinks North Korea is probably innocent, and why complete digital privacy will forever remain elusive. What follows is a streamlined version of our conversation.
Were you surprised at all by the Sony hack?
I don’t think it’s very surprising. Oftentimes, it just takes one mistake or flaw to open up a network completely. One example is JP Morgan Chase. I’m sure they put a lot of effort into protecting their network, and still they were attacked and successfully compromised.
Do you think North Korea did it?
This doesn’t look like a nation state. I don’t see the motivation of a nation state to damage Sony because of the movie. I don’t know if anybody has seen Team America: World Police, but it was much more offensive toward North Korea, and there was not even a comment about it. I don’t think they care, and these are not guys who would shy away from admitting it. If they could damage the United States, they would be writing all over the place about it. It’s not like they’re gonna lose popularity in the country.
So who did?
It’s probably more of a hacking group that’s upset with Sony because the company very aggressively pursues anti-piracy. Hackers will illegally exchange content that gets crushed by Sony, so maybe it was payback, or maybe it was extortion.
And you don’t think this is being done by so-called hacktivists, right?
Hacktivism is more like Anonymous, and they usually have some sort of concrete agenda. The demands here were very vague, so it’s really difficult to call it hacktivism. This is maybe more retaliation or extortion. After the initial moves, they sent messages to the FBI calling them idiots. Why would North Korea go after the FBI with ad hominem attacks? It looks more like hackers, guys who got caught by Sony pirating some software, got slapped on the wrist, are upset, and said, “Hey, let’s get back at them.” That’s a more likely scenario.
Do you think there was anyone inside Sony that helped?
That’s difficult to say. Sony is a gigantic corporation. It could be somebody inside, but this type of hack doesn’t require an insider.
Do you think North Korea’s ongoing web problems are a sign of the United States’ retaliation, or is that some small band of hackers, too?
I think it could be either. These guys have a very, very undeveloped infrastructure, so a small denial of service attack would take them down very fast because they don’t have a lot of resources. It would take four or five kids with a lot of machines to cause enough problems that North Korea would appear to be down.
Should anyone think their digital data is safe anymore?
No, I don’t think you can. It’s a brave new world. You have to always understand that your digital information can be taken, probably will be taken, and the only thing you can do is secure and monitor your assets — and try not to write things in an email that you don’t want the whole world to see. Finally Sony got it. It will take years, years to get back on track with certain celebrities.
What could the U.S. government and/or companies do better to prepare?
There’s a certain level of investment that must be done in security. ‘Til now, we see way too much of a reactive approach where companies get hacked, their data gets stolen and put somewhere on the internet or black market, and then they say, “Oh, we should have had better security.” Unfortunately, security is difficult to invest in because you don’t see an immediate return on investment. You think, “I just bought a $4 million burglar alarm, but I’ve never been robbed. Am I investing too much or enough?” If they’ve experienced a break-in, they can understand why it’s important. But before that event, it takes serious paranoia to invest millions of dollars in order to protect yourself.
Should the government be encouraging more security?
It already does. The FBI does education, the government people have protected themselves, and there are even regulations and standards. If you process credit cards, for example, you have to be certified and audited and have certain countermeasures. But a lot of these evaluations are checklists as to whether you have the tools required. But is the tool being used right? That’s not very easy to determine. The best security teams are the ones you don’t ever hear about because their companies don’t get breached.
Every security measure has different goals. There is a level to protect enough so that hackers will be dissuaded and go to the next target. Then there is a level of security to protect against people who really want to break into your company. And then there is the level of security you need if there’s a government that wants to break into you. These are all levels that are really different.
What level of attack was this?
This particular attack doesn’t require a lot of resources. If you have three people that are super smart and very well trained and well motivated, they could pull it off. You could do it with one, but people have to sleep every once in a while. This doesn’t require a large infrastructure. It’s a moot argument about that. But you do need large infrastructures to monitor large amounts of traffic, to fight freedom of expression.
So if you find a target and you are in a country where you know it’s safe and the government won’t come to get you, you can do a serious amount of damage without the need for a manufacturing industry that will build cannons. Just get a PC from Costco, and you’re in business.
How savvy is the United States government when it comes to hacking?
Everybody knows that the United States has made substantial investments in cyber warfare capability. They’re really, really good. It’s always unconfirmed, but the most sophisticated malware we see comes from the United States, usually in collaboration with Israel. They also have a very strong program, and it makes sense. This is a new game, and you have to be ready for both attacks and defense. You have to develop a good program so you don’t get caught unprotected and don’t find yourself unable to counterattack.
Is anyone protecting themselves properly?
The two fields that have the most investment are the financial and health sectors. Companies in the health sector are very concerned about this because of the sensitive information that they handle and because there is the possibility for even greater disaster there than in stealing someone’s credit card. If they steal a credit card, you can fix it — you can change the credit card, you can give a refund. But if they steal your personal health data and put it on the web that you have a critical condition, like diabetes or AIDS or cancer, that stuff can destroy lives, and there is no way to fix that problem. That’s gonna hurt a lot of people if and, I say, when that happens.
Should we all go back to pushing papers then?
That’s not an option anymore. We should use papers and pencils for voting, but for everything else, it would increase enormously the costs of doing business for many, many people. So we have to be very, very careful, and we need innovation. We need to find better and better ways to protect this information. In the next five years, the security industry is going to boom. People have started realizing that it’s too important, so we see continuous and incredible interest in all of this stuff. Companies that would never have thought about anti-malware solutions are saying, “Where should I buy?” The problem is finally understood and felt, so we are going to see a lot of big investments in this area.
So maybe it was you doing the hacking as a marketing stunt?
That would be a very myopic growth market strategy, because if you get caught, your company is over and you spend a few years in jail with an orange jumpsuit and not very nice people. So that’s probably not a very good idea. We are in an environment where there are more important issues that need to be solved. It’s a great field to be in.