Friday, 27 May 2016

Indicting Hackers and Known Vulnerabilities

In March, the Justice Department unsealed an indictment against seven Iranians for hacking the U.S. financial sector and a dam in New York. Debate ensued between supporters and skeptics of using indictments to hold hackers accountable. Supporters like FBI Director James Comey believe they can discourage hackers with the message that “The FBI will find those behind cyber intrusions and hold them accountable — wherever they are, and whoever they are.” Skeptics, like Fred Kagan, argue that unless the U.S. imposes more meaningful consequences, “just naming them gives them street cred in Tehran.”

Lost in this debate, however, is what we can learn from this episode of Iranian hacking to protect ourselves in the future. Fortunately, the indictment reveals a clue for how to do so. In 2012 and 2013, several Iranian hackers overloaded the websites of major U.S. banks with extra traffic from the Internet. To accomplish this, these hackers scanned the Internet and identified computers and servers running “software that had not been updated to address certain known security vulnerabilities.” With this line, the Justice Department clarified what information security officials have argued for years: that the vast majority of hacks exploit known vulnerabilities. (We know less about how one of the hackers gained access to a SCADA system that operated a dam in Rye, New York.) For the full article click here 



from hacker samurai http://ift.tt/1UiiK9i
via IFTTT

No comments:

Post a Comment