The power to engage in malicious cyberactivity is becoming increasingly democratized and symmetrical, according to experts. For proof, look no further than a string of high-profile attacks perpetrated by teenagers.
"Even relatively non-technical hackers can carry out sophisticated attacks using 'off the shelf kits' that can easily be purchased on underground forums," Andrew Browne, malware labs director at software company Lavasoft, told the Washington Examiner. "This is especially true for social engineering attacks, which are not aimed at a company, but rather an individual."
Since the beginning of October, social engineering attacks by hackers who are believed to be teenagers have breached personal accounts belonging to Central Intelligence Agency Director John Brennan, Secretary of Homeland Security Jeh Johnson, and Federal Bureau of Investigation Deputy Director Mark Giuliano. Authorities have yet to locate the perpetrators. According to Browne, they may never be able to do so relying on technical means.
"Hackers employ myriad tactics to avoid being discovered, such as proxy chaining, where an attack is mounted from a computer that is many computers and probably several countries removed from the origin," Browne said. "This is only one of very many steps a determined hacker can take to conceal themselves. If the hacker has taken enough steps, it's very possible their identity may never be discovered."
Authorities on the other side of the Atlantic have been slightly more successful this month after arresting several teens for hacking British telecom company TalkTalk. The teens attempted to blackmail the company using stolen data on 157,000 customers. In spite of their capture, TalkTalk estimates that costs resulting from the attack could reach as high as $53 million, and those customers could still be vulnerable to phishing attempts in the future.
For the thousands or even millions who have fallen victim to such breaches this year, Browne has several tips for self-defense. In addition to being suspicious of strange telephone numbers and email addresses, Browne said, consumers should be cautious about what they post online.
"A target may have revealed, via Facebook, that a family member is undergoing treatment for cancer," Browne said. "A hacker could create a PDF about a new cancer treatment that contains a backdoor and send it to the target. They may even try to make it appear that the email came from a family member or friend, to give it more credibility. Once the PDF is executed, the malicious code is installed and the hacker can stage further attack."
The increasing symmetry of threats means that digital consumers must worry about defending against attacks from groups as wide-ranging as criminals, terrorists, nation states and "hacktivists" as young as 13 — the alleged age of the hacker who penetrated the CIA chief's email. As a consequence, Browne said, consumers should be prepared to get hacked.
"As long as there are computer systems, there will be vulnerabilities that can be exploited to bypass their security defenses. As long as there is data that can be stolen and used for profit, attacks will continue. The reality is that organizations can only mitigate cyberattacks. If a hacker or group of hackers want to get in and have the technical skills, eventually they will find a way," he said.