Saturday, June 11, 2011

We're all cracked

Citibank got cracked. The breakin, for so we must consider it even though no physical building was penetrated, resulted in the theft of over 200,000 customers' card numbers and contact information. Citibank is getting well-deserved flak for its failure to notify its customers; one wonders if they would ever have found out had the Financial Times not broken the story and ruined Citibank's cone of silence.

I was all set to be outraged until I searched for information about the breach. Here are some of the pieces I found:
The breach is certainly not unique, nor is Citibank's failure to report it. Too bad on both counts.

It's also too bad that the political response is unsurprising, as some of the listed pieces report. The FDIC wants "some banks to strengthen their authentication when a customer signs onto online accounts." Well, that would be nice. I have a low opinion of the quality of authentication methods I am allowed to choose from in the case of several large organizations with which I have an online relationship. However, is that really the, or even a, leading cause of breaches like Citibank's?

Nowhere have I seen any details about how the crackers actually broke into Citi's systems. I'd be surprised, though, if they got in by compromising a customer account. Cracking a customer account shouldn't give you access to the entire backing database that includes other customers' information. If it does, I'd argue that the real problem lies in how the customer-facing software is allowed to access that database. After all, that means that any of the company's legitimate customers could crack the system, too.
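To make the point about how the customer-facing tier reaches the database concrete, here is an added example (written for this post; it is not Citi's software and reflects nothing reported about the actual breach). It uses a constructed in-memory SQLite table of hypothetical accounts and compares two data-access patterns: one that looks up whatever account id the request names, and one that binds every query to the authenticated customer. The `blast_radius` helper counts how many rows one logged-in session can reach under each pattern.

```python
import sqlite3

# Constructed sample data: hypothetical accounts, not from the post or any bank.
# (account_id, owning customer_id, masked card number, contact e-mail)
ACCOUNTS = [
    (101, 1, "4111 xxxx xxxx 1111", "alice@example.invalid"),
    (102, 2, "4222 xxxx xxxx 2222", "bob@example.invalid"),
    (103, 3, "4333 xxxx xxxx 3333", "carol@example.invalid"),
    (104, 1, "4444 xxxx xxxx 4444", "alice@example.invalid"),  # Alice's second card
]


def build_db():
    """In-memory SQLite table standing in for the customer database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts ("
        "account_id INTEGER PRIMARY KEY, customer_id INTEGER, card TEXT, email TEXT)"
    )
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?, ?)", ACCOUNTS)
    conn.commit()
    return conn


def fetch_account_unscoped(conn, session_customer_id, requested_account_id):
    """Over-privileged pattern: the web tier queries by whatever account id the
    request names and never ties it to the authenticated session. One cracked
    login, or one tampered id parameter, can walk the whole table."""
    return conn.execute(
        "SELECT account_id, customer_id, card, email FROM accounts WHERE account_id = ?",
        (requested_account_id,),
    ).fetchone()


def fetch_account_scoped(conn, session_customer_id, requested_account_id):
    """Least-privilege pattern: the authenticated customer id is part of every
    query's WHERE clause, so a request for someone else's account returns
    nothing even though the application holds a connection to the full table."""
    return conn.execute(
        "SELECT account_id, customer_id, card, email FROM accounts "
        "WHERE account_id = ? AND customer_id = ?",
        (requested_account_id, session_customer_id),
    ).fetchone()


def blast_radius(fetch, conn, session_customer_id):
    """Audit helper: how many rows can a single session reach by asking for
    every account id that exists? This is the number of customers exposed by
    one compromised login under the given access pattern."""
    all_ids = [row[0] for row in conn.execute("SELECT account_id FROM accounts")]
    reachable = [aid for aid in all_ids if fetch(conn, session_customer_id, aid) is not None]
    return len(reachable)


if __name__ == "__main__":
    db = build_db()
    print("unscoped, logged in as customer 1:", blast_radius(fetch_account_unscoped, db, 1))
    print("scoped,   logged in as customer 1:", blast_radius(fetch_account_scoped, db, 1))
```

Under the unscoped pattern a session for customer 1 reaches all four rows; under the scoped pattern it reaches only the two accounts customer 1 owns. In practice the same constraint is usually enforced at the database as well (per-customer views or row-level security, with the application's database login unable to select from the raw table), so that a bug in the application layer cannot quietly widen the radius back out.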

A more serious breach occurred in March, when crackers broke into RSA Security "and made off with information about its SecurID products." RSA didn't think the matter was too serious until it determined that information from that breach was used in an attack on Lockheed Martin, an RSA customer, in May.

Why does the RSA breakin matter? Well, RSA Security is a respected security solutions vendor, one that has provided hardware and software solutions to others for years. If RSA can't guarantee the security of its servers, who can?

Nobody, says Bruce Schneier.
"Everyone is probably equally sucky," he said of network security in general. "Some may be better than others.

"Unfortunately, the moral here is that you give your information to a third-party, blindly trusting them, a bank, a credit card company, a phone company, Amazon, J. Crew, or Sony. You are blindly trusting that they will use the information wisely and secure it. And you have no say how they do that and you have no recourse if they fuck up."
Other observers agree. Regarding the group responsible for the recent breaches of, among others, Sony's Playstation Network:
LulzSec is running around pummelling some of the world's most powerful organisations into the ground... for laughs! For lulz! For shits and giggles! Surely that tells you what you need to know about computer security: there isn't any.
Some even think the U.S. government likes it that way.
To this point most data security systems have been proprietary and secret. If an algorithm appears in public it escaped, was stolen, or reverse-engineered. Why should such architectural secrecy even be required if those 1024- or 2048-bit codes really would take a thousand years to crack? Isn’t the encryption, combined with a hard limit on login attempts, good enough?

Good question.

Alas, the answer is “no.” There are several reasons for this but the largest by far is that the U.S. government does not want us to have really secure networks. The government is more interested in snooping in on the rest of the world’s insecure networks. The U.S. consumer can take the occasional security hit, our spy chiefs rationalize, if it means our government can snoop global traffic.
Cringely thinks that truly good encryption isn't on the market because the N.S.A. is quick to squash any business that looks like it is marketing a high-security product the N.S.A. can't crack. All the existing solutions have been made vulnerable, in his opinion, so as to allow the N.S.A. to decrypt and to monitor supposedly secure communications. Most governments, though, already suspect the N.S.A. of such capabilities, so they roll their own secure communications protocols -- again, according to Cringely.

My take is slightly different:
Even if the United States put surveillance-friendly technologies in place, what on earth would induce the rest of the world to follow suit? And if the rest of the world is doing something else, or more likely a lot of something elses, how useful is the ability to conduct domestic surveillance? The targets of interest aren't domestic, remember?
Ah well, it's late, and I'm discouraged. I'll give Schneier the last word:
"You're doing OK, I'm doing OK. I buy stuff online all of the time. I bank online. And what other option is there?"
We're all fu--I mean, cracked.
