Example https://en.wikipedia.org/wiki/2014_Sony_Pictures_hack
Maybe I misunderstood what a hacker can do, but why not rob someone’s credit card or bank account if they can do it to Sony?
Most people have little for hackers to gain / exploit by hacking them.
As everyone knows, hackers must wear a ski mask while hacking
It prevents that the bugs flying in their faces. It’s an OSHA requirement.
Why would anyone hack me? I’m poor, I’m boring, I have basically nothing to offer
The best thieves steal from the poor.
If I went to all the trouble of hacking you and I emptied your bank account and savings, I’d get $12.
If I emptied Sony’s accounts, not only would I have potentially millions or more, but I could also get industrial secrets that could be worth even more, or possibly could be used to further my own electronics industry.
One of these isn’t worth the effort.
That does happen, but mainly through automated mass means like phishing and ransomware. Individuals also get targeted by tactics like romance or finance scams. I think you could probably see how a large corporation would be a more lucrative hacking target worth a lot of dedicated time vs. one individual.
Sometimes the victims even pay the attackers money upfront and install the wiretap themselves. looking at my IPTV box suspiciously, while the robotic vacuum hums in the background
Also, one can lead to the other. If you catch the right fish with a scam, they may just unwittingly give you a way in to an institution. Only the latter would make the news, though.
Yeah, there is a whole playbook for it called pig butchering
You have to pay a highly educated individual to spend hours finding any weakness to hack anything.
If you hack a big organization you’ll get more then a few dollars from a bank account. They also have a lot more things that could be vulnerable to hacking.
It’s a question of effort. Sony has a shitload of public presence. For social engineering I can learn many mid level manager names from LinkedIn for example and their infrastructure is necessarily public facing to allow people to work there.
And that’s not talking about their public web presence and services.
And now we’ll switch to … You! If I’d try to target you I would have to first find anything from you to actually target.
Once I have your phone number, public IP or anything that gives me a lead I have to find my way in. And that way in will be because you’ve made a mistake, are lax with your passwords or use an out of date service.
But that’s like 2/3 of the work I had for Sony as well. And now I see that you’re a student with a net fortune of 50$ and a car from 1989.
To out it another way: for companies I aim with s rifle as they are a worthy prey. For individual people I use a shotgun and hope something hits something.
Because they don’t need to. As Zuckerberg himself said: people will voluntarily give all kinds of private information to corporates without being asked or by the gentlest of requests.
Keep in mind, in some cases it’s harder to hack an individual, especially if they are the slightest bit security conscious. Big corporations often use outdated software, sometimes painfully so. It’s not really uncommon to hear about corporations using software that has been abandoned for decades. Meanwhile, your laptop and cell phone automatically update. Meaning, there’s a chance you are a little more secure than your average corporation.
Also your data is meant to be private and accessed by a single person. Basically a big wall around your stuff with a single door.
Corporate data, by design, needs to be accessed by many people inside and outside the company. So they are adding another door for each person, department, or API that needs access. Even if the wall is higher and stronger, it’s still full of doors to try.
The amount of effort necessary doesn’t make it worth it usually
Yeah this is like asking “Why rob a bank when you could just rob a random person on the street”
Sure you can do that, but the comparably tiny amount of money you get is not really worth the effort and risk.
Effort vs Reward vs Ability vs Inital investment
In most cases, think of this kind of thing like a legitimate business. Same concepts. I’ll grade a few scenarios based on what I have seen over the last 20 or so years. (The ratings are arbitrary and just trying to explain my point.)
Do you have the means to rent a botnet and phish a few million people for lots of credit card numbers? Can you manage that kind of data, test all those numbers and maybe end up just selling that data? Low Risk/Moderate Reward (“Selling shovels” analogy is probably a better scheme than actually renting the botnet, IMHO)
Could you setup a “call center” in India and run a scam ring like an 8-5 business? Are there enough people you can hire to do this work? That requires training, infrastructure and time. You also may need to “work with” law enforcement to ensure your scam isn’t busted by legitimate cops. Moderate Risk/Moderate Reward.
Are you part of a small group with an insane amount of skill that has the time to pull off an extortion scheme against a Fortune 500 company for a few million bucks? High risk/High reward
Those are all normal scenarios above and it’s based on profitability and initial investment. Risk/Reward is always a balance.
(Sorry. I pulled a “wHellll aKshUallY” when you said it’s not worth the time for the small targets.)
Not everyone has access to a Gibson.
I think the Sony hack is not a great example because there is a very good chance it was more politically motivated than financially. It’s one of those cases where we might never know but there is a good chance it was orchestrated by North Korea in response to a Sony movie that made Kim III not look very divine. NK is most likely connected to other hacks as well that were really just a way to get hard currency/to evade sanctions.
Effort and reward are like supply and demand. If I want to steal your credit card number to go shopping, it might take me a long time to get to it. And then it turns out there is only $500 left on it. Too much effort for not enough reward. That’s why phishing, Nigerian princes, texted IRS/DMV fines, missed FedEx deliveries, and all that jazz happens. Low effort to throw a net out and then catch the dumbest of the fish. If you are a person of interest to me though the math if different. Maybe I’m a stalker (look behind you, I’m there right now). Or maybe horny me is looking for your (perfectly legal) sexting thread. Or you’re a pedo, a socialist, a cult leader, or all of the above. Private people get hacked. But it rarely makes a splash in the news like the Sony hack.
Also, hacker ≠ hacker. There are good guys who hack stuff to show what needs fixing or to hold people to account. There are bad guys who do it for money or because they like it. There are those with one foot on either side of that fence. Motivations differ wildly.
Sounds like someone hasn’t been a target of fraud or a scam.
I’m Canadian, and when my phone rings with a unfamiliar number, I assume it’s someone trying to trick me to get my money, usually by pretending to be Chinese and having a package for me.
