A few hours ago, I read a story posted on the Guardian's website about the arrest of Raynaldo Rivera -- a 20-year-old hacker with the hacking group LulzSec, an offshoot of the hacktivist group Anonymous -- in connection with the Sony network security breach that compromised data belonging to nearly 77 million users in April 2011. Looking back at that attack, the actual network breach itself was perpetrated using a SQL injection attack, which saw the attackers bypass Sony's security systems and gain access to its application servers. Once the attackers were in, though, they were only able to obtain sensitive user information because the database tables storing the data were left unencrypted.

For many (myself included), the Sony security breach only reinforced the need for encryption of data on networks and computer systems. Encrypting data makes it much more difficult -- in some cases impossible -- for an attacker to successfully decipher data, even if they manage to gain access to it. Information threats and attacks are getting more (and more) sophisticated, and while it may not always be possible to prevent unauthorized access to computer systems, steps can be taken to render data "unreadable" in the unfortunate event that it does fall into the hands of an attacker.

This line of reasoning does not only apply to databases; websites, web/database/email servers, and gateways need to be encrypted as well, because an attacker could successfully intercept sensitive data while it is in transit across these systems. The same goes for wireless networks and connections, and even files saved on a local PC hard drive -- with those files encrypted, if your computer is lost or stolen, you need not worry about sensitive data getting into the 'wrong' hands.

I regularly come across websites that require users to enter sensitive information over an unencrypted connection. This is a (very) dangerous practice because a skilled hacker could easily intercept such data as it is being sent from the user's PC to the web server serving the website. Even scarier is the fact that most users maintain the same passwords for multiple systems, which means that aside from gaining access to the user's account on your website, the attacker could potentially have access to all of the user's data on other websites -- from social networks, to email and even financial records. At the very least, an SSL certificate should be installed to provide encryption for web pages that require users to enter sensitive information. This minimizes the risk of sensitive data being intercepted by an attacker.

Another dangerous trend I see (especially around my neighborhood) is the use of the outdated Wired Equivalent Privacy (WEP) security algorithm on some wireless networks. The sad thing is that some of these networks belong to reputable organizations who, I imagine, stand to lose a lot -- in terms of productivity, integrity, and probably revenue -- in the event of an attack on these network systems. It's often quite scary trying to imagine the outcome of an attack on such inadequately protected systems. A knowledgeable attacker, using attack techniques such as a man-in-the-middle attack, could ultimately gain complete control of the entire network and ALL computers connected to the network. It gets scarier because all that is needed, in most cases, is a WiFi-enabled laptop computer. An attacker could utilize "war driving" -- a technique where the attacker searches for Wi-Fi wireless networks from a moving vehicle, using a portable computer, smartphone or personal digital assistant (PDA) -- to identify potential targets with vulnerabilities and then proceed to launch an attack on such networks.

Data encryption is vital in ensuring the security of important data and can often be the last line of defense against network-based attacks. Network intrusion systems, firewalls, etc. can be bypassed, and in most cases -- as with the Sony case -- the security breach may not be detected until after vital data has been compromised.
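For site owners who want to check their own pages for the unencrypted form problem described above, here is a small audit helper. It is an added example, not code from the original post; the `shop.example` host, the function names and the field-name heuristic are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Heuristic (assumption): name/autocomplete hints that suggest sensitive input.
SENSITIVE_HINT = re.compile(r"pass|pwd|card|cvv|cvc|ssn|iban", re.I)

class _FormCollector(HTMLParser):
    """Collects each <form> with its action and any sensitive-looking inputs."""
    def __init__(self):
        super().__init__()
        self.forms, self._current = [], None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._current = {"action": a.get("action", ""), "fields": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            hint = a.get("name", "") + " " + a.get("autocomplete", "")
            if a.get("type", "").lower() == "password" or SENSITIVE_HINT.search(hint):
                self._current["fields"].append(a.get("name") or a.get("type", "input"))

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

def find_insecure_sensitive_forms(page_url, html):
    """Return findings for forms whose sensitive fields travel unencrypted."""
    collector = _FormCollector()
    collector.feed(html)
    findings = []
    for form in collector.forms:
        if not form["fields"]:
            continue  # this form collects nothing that looks sensitive
        target = urljoin(page_url, form["action"])  # empty action posts back to the page
        checks = [(page_url, "form page served over http"), (target, "form submits to http")]
        reasons = [why for url, why in checks if urlparse(url).scheme == "http"]
        if reasons:
            findings.append({"target": target, "fields": form["fields"], "reasons": reasons})
    return findings

# Constructed sample: an HTTPS page whose login form posts to an http:// endpoint.
SAMPLE_HTML = ('<form action="http://shop.example/do_login"><input name="user">'
               '<input type="password" name="pw"></form>')
if __name__ == "__main__":
    print(find_insecure_sensitive_forms("https://shop.example/account", SAMPLE_HTML))
```

A page served over plain HTTP is flagged even when its form posts to HTTPS, because the form itself can be altered in transit before the user ever types into it.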