Four of the most devastating hacks of the past couple of months – Adult FriendFinder, Cougar Life, Established Men and Ashley Madison – are hacks that are not financially motivated but designed to embarrass, disrupt or hurt the general populace – in a big way. This is a new and unanticipated notion. If you consider the evolution of the world's hacking problems, we have reached a point where anything is possible – an absolute free-for-all.
The current wave of such attacks really started with LulzSec, a group consisting mostly of teenagers who, it seemed, did things for fun, including the 2011 attack on Sony Pictures. Then there is Anonymous, which has carried out a multitude of attacks, mostly for social or political causes.
Next, the cybercriminal organisations went after retailers; the Chinese came after the US government; the US government went after the American people; and now we have hacks against sites that hold people's darkest secrets – OPM, Ashley Madison, Adult FriendFinder, medical and insurance companies, etc. Even automobiles are hacked. It's Hack Anarchy. The security game is being lost – it's late in the 4th quarter, the security industry is down by 20 and we don't even have the ball. How did we get here?
Step one on the road to where we are today was the universal acceptance of smartphones and other mobile devices, without questioning their global impact. Smartphones are used almost universally by corporate employees to access some part of their corporate data – either their email, or a report that was left unfinished during the week, or an important communication from their boss or co-worker. Part of this access requires a password or other critical information needed to gain entry to their corporate environment.
It might surprise you to know that somewhere between 100 million and 150 million smartphones and tablets, most of which are owned by people with jobs, have been infected by completely undetectable spyware.
This spyware, in almost all cases, reports and sends, to someone, every keystroke, every email, every text message, every photograph, every phone call, and, believe it or not, every word that you, and anyone within the microphone's range, speak.
In addition, the camera on the device can be turned on at any time and still photos or videos can be made and sent to the person or persons who are interested in your life.
In my numbers, I'm not including the spying done by government and law enforcement agencies. God knows how much of this is happening; all we know is that it is happening. I'm talking about illegal, nefarious spying for purposes ranging from monetary gain to corporate espionage.
The scariest thing is that this spyware, in almost all cases, does not require physical access to the unsuspecting person's phone or tablet. It is remotely inserted into the device. Can't happen, you say? Wake up. This ad from Award Logger, one of the most popular such software suppliers, says it all:
How did I arrive at the 100 million-plus estimate? Let's start with mSpy, one of the popular mobile spy applications. Ironically, mSpy was itself hacked in May 2015. The hackers, on the dark web, claimed the mSpy database contained in excess of seven million tapped phones. mSpy, on its website, claims merely millions of installations.
mSpy is only one of over 2,000 mobile platform spy manufacturers. A Google search of "Android spy software" (include the quotes) returns 364,000 pages. The same search for "iOS spy software" returns 62,500 pages. A programmed analysis of the results will identify over 2,000 unique software manufacturers. If you include the dark web, the number doubles.
If you add up the claimed installations of the top 25 of these companies, you already have over 100 million tapped phones. Allowing for exaggerated claims (I assumed that only 10% of the numbers were real), then the 2,000-plus companies have installed software on almost 150 million mobile devices.
For the first time in history, there are more mobile devices than humans – 7.2 billion mobile devices. If my conservative numbers are correct, then nearly 2% of the world population is carrying a device that spies on them and nearly everything they do.
This means Walmart, America's largest employer, with a workforce of 2.2 million people, has over 44,000 employees who use mobile devices that contain spyware. Many of them, more than likely, use these devices, at least occasionally, to access some aspect of corporate data. How secure do you think Walmart's data is?
The corporate world has blindly accepted an ancient (by cyberworld standards) security technology to protect itself from cyberattacks. At first, this truth mystified me. Then came clarity.
The men and women in charge of corporate data security have generally worked their way up the corporate ladder over many years. At some point, ambition overrides the urge to keep up with the rapidly changing landscape of cyber security.
These people, like myself, are tired and getting old. The day-to-day demands of their jobs have outweighed their need to understand the new environment that we find ourselves in.
Hackers are winning. No one can doubt this. On Reddit, the website for the young and in-the-know crowd, hacking is an extraordinarily popular topic. In one recent post, a user asks the other members to advise them on how they can do the most hacking damage on the smallest budget. It garnered 4,687 replies.
This is the world we are dealing with. And we will continue to deal with this world until we come to our senses. Technology exists to put an end to all of this nonsense. For smartphones and mobile devices, there are applications available that will close the open gate they created.
On the corporate side, the business world must accept the fact that only closed systems with dynamic encryption (systems in which encryption keys and algorithms change every second or so) will be able to protect them. The cost of doing this, in terms of time and money, is enormous and requires managers with courage and conviction to implement. Until this happens, I will continue to write about the uncountable hacks to come.