Criminal Elements Continue to Access Private Customer Information
Nothing is more upsetting to customers than to learn that hackers have accessed their private online information.
This month, AT&T sent out emails to millions of past and present customers telling them that their personal information (potentially including Social Security numbers) had been compromised, making them ripe targets for identity theft.
Hacking is not only costly to companies (casinos in Las Vegas reportedly paid millions of dollars in ransomware demands to recover customer data); security breaches can also result in a loss of customer trust and hefty penalties, particularly for organizations that fall under the EU’s strict GDPR privacy rules, which allow fines of up to 4% of a company’s worldwide annual revenue.
Hacking can also be a matter of life and death.
Back in February 2024, millions of Americans were unable to fill their prescriptions at their local pharmacies for weeks due to a cyberattack, purportedly launched by the ‘Blackcat’ ransomware gang against Change Healthcare, a prescription insurance payment clearinghouse owned by UnitedHealth.
Malicious attacks against the nation’s infrastructure could also put lives at risk. In early 2024, Russian hackers allegedly began probing the IT systems of several small Texas water utilities near the New Mexico border. In one case, the hackers purportedly took control of the water tower pump in Muleshoe, Texas, causing it to overflow. Officials are concerned that these might be dry runs before attacks commence on larger utility systems.
Is Training the User Base to be Security Aware Enough to Prevent Privacy Breaches?
Many programming teams get frustrated with their user base when they can’t seem to follow what programmers consider to be common sense security hygiene procedures.
In many cases, this is a valid concern.
Naïve users can be fooled by sophisticated phishing schemes or fall victim to hackers by not using available security measures, such as two-factor authentication (2FA). As we wrote in a recent article, corporate management needs to step up efforts to train users to be cyber security aware.
Yet even sophisticated users, such as the senior executive team at Microsoft, can fall victim to attacks by not following best security practices. In this case, Russian hackers used a so-called “password spraying” attack, which tries the same passwords against many different usernames until one matches, letting them into highly sensitive online areas.
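The distinguishing shape of a spray (one source, many accounts, one or two failures each, as opposed to brute force hammering a single account) is something a defender can look for in authentication logs. The following is an added example written for this article, not code from the page or from any of the organizations it mentions; the log format, the sample lines, and the thresholds are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (assumed format, not from any real system).
# 203.0.113.7 touches five accounts once each, then succeeds on a sixth: a spray.
# 198.51.100.4 fails six times on one account: classic brute force, not a spray.
SAMPLE_LOG = """\
2024-04-01T09:00:01 auth: FAILED login user=alice src=203.0.113.7
2024-04-01T09:00:03 auth: FAILED login user=bob src=203.0.113.7
2024-04-01T09:00:05 auth: FAILED login user=carol src=203.0.113.7
2024-04-01T09:00:07 auth: FAILED login user=dave src=203.0.113.7
2024-04-01T09:00:09 auth: FAILED login user=erin src=203.0.113.7
2024-04-01T09:00:11 auth: SUCCESS login user=frank src=203.0.113.7
2024-04-01T09:01:00 auth: FAILED login user=alice src=198.51.100.4
2024-04-01T09:01:02 auth: FAILED login user=alice src=198.51.100.4
2024-04-01T09:01:04 auth: FAILED login user=alice src=198.51.100.4
2024-04-01T09:01:06 auth: FAILED login user=alice src=198.51.100.4
2024-04-01T09:01:08 auth: FAILED login user=alice src=198.51.100.4
2024-04-01T09:01:10 auth: FAILED login user=alice src=198.51.100.4
2024-04-01T10:30:00 auth: FAILED login user=gina src=192.0.2.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth: (?P<result>FAILED|SUCCESS) login user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_events(text):
    """Turn raw log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "result": m["result"],
            "user": m["user"],
            "src": m["src"],
        })
    return events


def detect_password_spray(events, min_users=5, max_fails_per_user=2,
                          window=timedelta(minutes=10)):
    """Return {src: sorted usernames} for sources whose failures inside `window`
    hit at least `min_users` distinct accounts with at most `max_fails_per_user`
    attempts on any one of them. Thresholds are illustrative."""
    by_src = defaultdict(list)
    for e in events:
        if e["result"] == "FAILED":
            by_src[e["src"]].append(e)

    findings = {}
    for src, fails in by_src.items():
        fails.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(fails)):
            # Slide the window so it never spans more than `window` of time.
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            per_user = defaultdict(int)
            for e in fails[start:end + 1]:
                per_user[e["user"]] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_fails_per_user:
                findings[src] = sorted(per_user)
                break
    return findings


def successes_from_spraying_sources(events, findings):
    """Accounts that a spraying source eventually logged into: reset these first."""
    return sorted((e["src"], e["user"]) for e in events
                  if e["result"] == "SUCCESS" and e["src"] in findings)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    hits = detect_password_spray(evs)
    print("spraying sources:", hits)
    print("compromised accounts:", successes_from_spraying_sources(evs, hits))
```

The per-account cap is what separates this rule from a plain failed-login counter: a brute-force source trips a lockout, but a sprayer deliberately stays under it on every account, so the signal is the breadth of accounts, not the depth on any one.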
Ongoing Security Problems in Software Libraries Can Let Hackers Inside
Software developers need to do more to protect users from their lax security habits.
But the reality is most developer teams already have their hands full, trying to keep their code and data assets secure from cyber attackers.
In some egregious cases, development teams have left companies open to attack through obvious software implementation and data management errors, such as not using two-factor authentication internally, or storing passwords, credit card information, or Social Security numbers in the database in the clear (rather than hashing them).
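To make the "in the clear versus hashed" point concrete, here is an added example (written for this article, not taken from the page) that puts the careless pattern next to the hardened one. It uses Python's standard-library scrypt; the cost parameters, record format, and sample credentials are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

# --- The pattern the article warns about: the password itself is what gets stored. ---
def store_plaintext(db, username, password):
    db[username] = password          # anyone who can read the table has every password


def check_plaintext(db, username, password):
    return db.get(username) == password


# --- Hardened form: per-user random salt plus a deliberately slow, memory-hard KDF. ---
# Cost parameters are illustrative; raise them as hardware allows.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def hash_password(password, salt=None):
    """Return a self-describing record: algorithm, parameters, salt, digest."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    # Storing the parameters with the record lets them be raised later
    # without invalidating existing users.
    return "scrypt${}${}${}${}${}".format(SCRYPT_N, SCRYPT_R, SCRYPT_P,
                                          salt.hex(), digest.hex())


def store_hashed(db, username, password):
    db[username] = hash_password(password)


def verify_hashed(db, username, password):
    record = db.get(username)
    if record is None:
        # Do the same amount of work for an unknown user so response time
        # does not reveal which usernames exist.
        hash_password(password, salt=b"\x00" * 16)
        return False
    _algo, n, r, p, salt_hex, digest_hex = record.split("$")
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                               n=int(n), r=int(r), p=int(p), dklen=32)
    # Constant-time comparison: a plain == could leak how many bytes matched.
    return hmac.compare_digest(candidate.hex(), digest_hex)


if __name__ == "__main__":
    users = {}
    store_hashed(users, "alice", "correct horse battery staple")   # constructed sample
    print(users["alice"])                                          # no password visible
    print(verify_hashed(users, "alice", "correct horse battery staple"))  # True
    print(verify_hashed(users, "alice", "wrong"))                         # False
```

The point of the per-user salt is visible in the test below: hashing the same password twice yields two different records, so a leaked table cannot be attacked with one precomputed lookup for everybody.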
However, the larger issue seems to be today’s software development process, which relies heavily on assembling different software component libraries together to create functional products.
Choosing the right combination of component layers, known as the technology stack, is a critical business decision that can have many downstream implications. In the past, Enterprise Java, Windows, and LAMP (Linux, Apache, MySQL, PHP) were among the most common choices, but today, developers may choose to incorporate newer language implementations, such as Python or Ruby for web development, Nginx for web servers, or Rust for systems programming.
Unfortunately for software developers and cyber security analysts, security problems often lurk in seemingly insignificant support libraries, accessory system management support tools, networking firmware, or IoT devices attached to the network.
Such was the case with SolarWinds’s Orion, a network systems operator (sysop) control panel used by thousands of different companies and government agencies, including the US Department of Defense, Department of Homeland Security, the US Treasury Department, Intel, Cisco, and Microsoft. This breach, attributed to Russian intelligence service hackers, began in 2019 and went undiscovered for months and may still be ongoing in unpatched systems.
Is the Argument that Open-Source Software is More Secure Still Valid?
Advocates for open-source software, such as the Electronic Frontier Foundation, maintain that open-source software (as opposed to closed, proprietary systems) is the better choice for keeping online systems safe.
They argue that by making the source code available for everyone to review, security problems that crop up can be found and fixed quickly.
On the other hand, open-source software can also be manipulated by hackers.
Such was the case with a commonly used Linux compression utility called XZ.
Recently, Andres Freund, an open-source contributor to the XZ project who also happens to be a Microsoft employee, became curious when he noticed that a development version of XZ ran milliseconds slower than expected; upon inspection, he discovered a clever, well-hidden back door had been inserted months earlier by another contributor.
The moral to this story is that companies who depend on open-source software should be generous with their contributions to open-source projects to enable more code reviews, which could prevent possible hacking intrusions down the road.
Company management also needs to train software engineers to practice better security hygiene when working with open-source repositories. Recently, Mercedes Benz suffered a potentially devastating exposure of its internal self-driving vehicle IP when a GitHub repository token (password) was left exposed.
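A leaked repository token is the kind of mistake that a scan run before each commit can catch. The block below is an added example for this article, not code from the page or from Mercedes-Benz or GitHub. It combines fixed patterns for two widely documented credential formats (the `ghp_` prefix GitHub uses for classic personal access tokens and the `AKIA` prefix of AWS access key IDs, both taken from those vendors' public documentation) with an entropy heuristic for generic `secret = "..."` assignments. The file contents and every credential-looking string in them are constructed and fake.

```python
import math
import re
from collections import Counter

# Known credential formats (prefixes from public vendor documentation; lengths assumed).
PATTERNS = {
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

# Generic `token = "..."` style assignment; flagged only if the value looks random.
ASSIGN_RE = re.compile(r"(?i)\b(token|secret|password|api_key)\s*[:=]\s*['\"]([^'\"]{16,})['\"]")


def shannon_entropy(s):
    """Bits per character; random tokens score high, words and phrases score low."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def scan_text(path, text, entropy_threshold=3.5):
    """Return (path, line number, finding type) for each suspected secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, pat in PATTERNS.items():
            if pat.search(line):
                findings.append((path, lineno, name))
        for m in ASSIGN_RE.finditer(line):
            if shannon_entropy(m.group(2)) >= entropy_threshold:
                findings.append((path, lineno, "high_entropy_" + m.group(1).lower()))
    return findings


def scan_files(files):
    """files: {path: contents}. Returns all findings across the set."""
    out = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out


def has_secrets(files):
    """Pre-commit style verdict: True means block the commit."""
    return bool(scan_files(files))


# Constructed staged files; all credential-looking values are fake.
CONSTRUCTED_FILES = {
    "deploy.sh": 'export GITHUB_TOKEN="ghp_A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6Q7r8"\n',
    "config.py": 'api_key = "q8Zr2Lx0Vt7Mk3Pn9Wb4Hc6J"\npassword = "changeme-changeme"\n',
    "README.md": "aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n",
    "notes.txt": "-----BEGIN RSA PRIVATE KEY-----\n(constructed placeholder, no real key)\n",
}

if __name__ == "__main__":
    for finding in scan_files(CONSTRUCTED_FILES):
        print(*finding)
    print("block commit:", has_secrets(CONSTRUCTED_FILES))
```

The entropy check deliberately lets `changeme-changeme` through (a placeholder, not a credential) while catching the random-looking API key; in practice the fixed patterns carry most of the weight and the heuristic is a backstop for formats the pattern list does not know.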
Caveat Programmator!
CISA and NIST Recommendations for Secure Software Development
Programming is hard. And the scope of the work goes far beyond simply writing an application. As @marianaconsultancy recently wrote on Threads:
Developing software is crazy…
- You write code to solve a problem
- You write code to test your code that solves the problem
- You write code to deploy your code
- You write code to test that your deployment works
- You write code to monitor your solution
Developing a security mindset is critical for programming teams to keep intruders away.
Many IT teams are now implementing so-called Zero Trust Architecture (ZTA) systems (also called the Zero Trust Model), which, unlike most systems, assumes that every user (even company employees inside the firewall) is a potential bad actor and, therefore, must continuously prove their identity as they traverse different sensitive areas of the system. For more information, see CISA’s Zero Trust Maturity Model or the Zero Trust documents from NIST.
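The core mechanic of that model, that every request to a sensitive area is re-evaluated on its own merits rather than trusted because of where it came from, can be shown in a few dozen lines. This is an added example written for this article, not code from CISA, NIST, or the page; the token format, the resource policies, the user roles, and the device inventory are all constructed assumptions.

```python
import base64
import binascii
import hashlib
import hmac
import json

# Constructed demo signing key; a real deployment would use a managed key.
SIGNING_KEY = b"constructed-demo-key-not-for-real-use"

# Assumed inventory: who has which roles, which devices are compliant.
ROLES = {"alice": {"staff", "finance"}, "bob": {"staff"}}
DEVICES = {"laptop-17": {"compliant": True}, "byod-3": {"compliant": False}}

# Assumed per-resource policy; anything not listed is denied by default.
POLICY = {
    "/wiki":    {"roles": {"staff", "admin"},   "mfa": False, "compliant_device": False},
    "/payroll": {"roles": {"finance", "admin"}, "mfa": True,  "compliant_device": True},
}


def issue_token(user, mfa, issued_at, ttl=300):
    """Short-lived HMAC-signed session assertion (constructed format, not a standard)."""
    claims = {"sub": user, "mfa": bool(mfa), "iat": issued_at, "exp": issued_at + ttl}
    payload = json.dumps(claims, sort_keys=True).encode("utf-8")
    sig = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(payload).decode() + "."
            + base64.urlsafe_b64encode(sig).decode())


def verify_token(token, now):
    """Return the claims if signature is valid and the token has not expired, else None."""
    try:
        p, s = token.split(".")
        payload = base64.urlsafe_b64decode(p)
        sig = base64.urlsafe_b64decode(s)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    claims = json.loads(payload)
    if now >= claims["exp"]:
        return None
    return claims


def authorize(request, now):
    """Decide one request. Returns (allowed, reason).
    Network origin is deliberately not an input: an internal address earns nothing."""
    claims = verify_token(request.get("token", ""), now)
    if claims is None:
        return False, "invalid or expired token"
    rule = POLICY.get(request.get("resource"))
    if rule is None:
        return False, "no policy for resource: deny by default"
    if not rule["roles"] & ROLES.get(claims["sub"], set()):
        return False, "role not permitted"
    if rule["mfa"] and not claims["mfa"]:
        return False, "mfa required"
    device = DEVICES.get(request.get("device"), {})
    if rule["compliant_device"] and not device.get("compliant", False):
        return False, "device not compliant"
    return True, "ok"


if __name__ == "__main__":
    t0 = 1_700_000_000
    tok = issue_token("alice", mfa=True, issued_at=t0)
    print(authorize({"token": tok, "resource": "/payroll", "device": "laptop-17"}, t0 + 10))
    print(authorize({"token": tok, "resource": "/payroll", "device": "byod-3"}, t0 + 10))
```

Two design choices carry the model: the decision function has no notion of "inside" or "outside", and each check fails closed (unknown resource, unknown device, missing claim all deny), so moving from `/wiki` to `/payroll` really does require proving more, exactly as the paragraph above describes.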
OWASP also maintains a “top ten” list of the most common web application vulnerabilities, a resource that front-end programmers in particular need to familiarize themselves with.
Advances in AI and Quantum Computing Technology Put More Pressure on Cybersecurity Professionals Seeking to Keep Our Private Data Secure
Advances in AI tools, such as the introduction of ChatGPT, add new wrinkles to the cybersecurity challenge mix.
On the one hand, AI chatbots can help programmers by providing sample code solutions, potentially speeding up development times. However, security experts caution that code written by AI may not be secure, particularly if the developer is not experienced or unaware of the larger security principles at work.
Critics also point out that hackers may also benefit from using AI chatbots and use these new tools to uncover and exploit new system vulnerabilities.
Advanced generative AI-based video and audio tools also pose another security threat. Imagine getting a video or phone call from your boss requesting access to a secure database or other secure system. Given the advances in AI technology, entire conversations can be spoofed with fake audio (or video) impersonating people you know, creating another threat vector that corporate security officers need to address before it’s too late.
Other technology advances could pose existential threats to long-held security assumptions, such as the security of AES and PGP 256-bit encryption. Security researchers have long fretted that advances in quantum computing systems could break these encryption keys, essentially rendering the entire password-protected internet exposed.
Unfortunately, we’ll have to burn that bridge when we get to it.
Formaspace is Your Laboratory Research Partner
Evolving Workspaces. It’s in our DNA.
Talk to your Formaspace Sales Representative or Strategic Dealer Partner today to learn more about how we can work together to make your next construction project or remodel a success.