Germany's Mega-Leak Takeaway: Noisy Young Hacker Got CaughtBut Quiet Nation-State Hackers and Cybercrime Gangs Can Exploit the Same Flaws
Police in Germany say a 20-year-old student has confessed to leaking personal details - including private mobile phone numbers, children's pictures and chat discussions - stolen from 1,000 German politicians, celebrities and journalists, including Chancellor Angela Merkel (see: German Police Identify Suspect Behind Massive Data Leak).
But any senior executives breathing easier or planning to slash their cybersecurity budget - because they see this case as a sign that all hackers wear hoodies and live in their parents' basement, committing relatively minor infractions by gaming people's bad password choices - need to think again.
"My concern is that the less informed ... will use such examples to downplay the threat from organized crime gangs and nation-states."
"This [case] plays to so many stereotypes, I fear it will simply reinforce the public's view that nation-states are not a threat, but instead we should be worried about youths closeted in their parents' basement," says Alan Woodward, a professor of computer science at the University of Surrey.
"My concern is that the less informed, who don't want to spend money on what they see as ethereal defense, will use such examples to downplay the threat from organized crime gangs and nation-states," Woodward tells me. "The point is that this one got caught - the others tend not to. It's a case of real news contributing to confirmation bias for decision makers and legislators who do not really understand the threat landscape that is evolving."
Indeed, more advanced attackers - as in, ones who work to avoid detection by practicing better operational security - can exploit the same types of flaws allegedly targeted by the 20-year-old suspect for more malicious ends.
Young Hacker Problem: OPSEC Deficit
Compared to nation-state attackers or organized crime gangs operating online, security experts say young hackers are more likely to get caught.
In this case, a 20-year-old German national who's being tried in juvenile court and who has not been named by police confessed to the crime on Monday, saying he leaked the data via accounts using the handles "G0d" and "0rbit."
Police are being assisted by a 19-year-old German witness to whom the suspect reportedly bragged about his data leaks via the encrypted messaging app Telegram. Some news reports have said the suspect had used his own phone number to register for Telegram, making it child's play for police to identify him.
At a Tuesday press conference, Holger Münch, chief of Germany's Federal Criminal Police Office, the BKA, said the attacker had principally targeted victims' "bad passwords," German weekly news magazine Stern reported.
The suspect said he was self-taught and working alone, police say. They have also noted that he was a suspect in another data theft case two years ago, for which he was never charged.
Think of this case as a litmus case for being able to stop what is often the least advanced type of attacker on the planet: a teenager who has sufficient time, inclination and sometimes, lack of moral judgment, to hammer away at an online target until they succeed.
Where young attackers are concerned, no matter how many get arrested, there will always be more (see: Teen Hacker Sentenced Over 'Titanium Stresser' Attacks).
But teens aren't unique: All attackers typically pursue the path of least resistance, whether they're stealing personal data out of alleged anger at politicians and public figures, conducting corporate espionage, gathering dirt on rivals or engaging in nation-state intelligence-gathering.
For criminals, time is money. So they typically opt for the simplest tool that will get the job done. And for intelligence services, using commonly seen attacks provides better untraceability and deniability (see: Nation-State Spear Phishing Attacks Remain Alive and Well).
Advanced Attackers Make Less Noise
How bad is the cybercrime problem? Last year, McAfee and the Center for Strategic and International Studies estimated "that cybercrime may now cost the world almost $600 billion, or 0.8 percent of global GDP."
Trying to quantify computer crime, however, suffers from this paradox: No one knows just how bad it is. Authorities say only a fraction of victims - individuals or businesses - report such crime to authorities (see: FBI to DDoS Victims: Please Come Forward).
Hence online crime defies easy quantification. While the FBI can count the number of bank robberies, likely very accurately, it relies on U.S. businesses that lose data or money due to hack attacks to self-report many such incidents, including the particulars of the crime. And that assumes that the business in question has even spotted the crime.
Lessons to Learn
Individuals and organizations would do well to treat the German personal data mega-leak as a cautionary tale (see: Ransomware School: Learn Lessons From How Others Fail).
Here's the right question for all public figures, politicians or celebrities to be asking right now: "Could I fall victim to any attacker who used the same tactics, and how do I protect myself?"
If so, the obvious next question is: "What should I do now to solve it?"
Authorities in Germany say they're crafting guidelines for their country's politicians in the wake of last month's mega-leaks.
Arguably, Germany's cybersecurity agency is already well behind the curve. "Why are standards agencies only now telling politicians and others how to protect their ID?" Woodward asks, noting that in the U.K., the National Cyber Security Center has long provided information security advice to lawmakers.
On the other hand, "I'm not entirely sure politicians listen to that advice, or even read it," he says.
But it should be brutally obvious to everyone that all types of attackers may come gunning for any and all online accounts used by politicians (see: British Parliament Targeted by Brute-Force Email Hackers).
Likewise, the 2014 dump of celebrities' nude photos, stolen from iOS device backups to iCloud should have served as a wake-up call to anyone with a public profile that any and all information they store in the cloud is at risk.
This plays to so many stereotypes I fear it will simply reinforce the public's view that nation states are not a threat but instead we should be worried about youths closeted in their parents' basement https://t.co/fCRdE2nof7— Alan Woodward (@ProfWoodward) January 9, 2019
At least for politicians, "maybe the time has come to enforce 2FA," Woodward says, referring to two-factor authentication, which can block outright many types of account takeovers - even if users pick weak passwords - regardless of whether the attacker might be wearing a hoodie.
Because at the end of the day, it's never about your attacker's age, motivation or sartorial choices, but rather the strength of your defenses.