Introduction

I believe that the law is there to protect ordinary citizens from harm in their day-to-day lives. As our lives become more and more connected to the digital world, the law should of course cover these elements to ensure that we are protected. With the General Data Protection Regulation (GDPR), as well as other protections including the Computer Misuse Act, we have a wealth of options that should deter people from damaging our lives in bad faith. Unfortunately, not everyone plays by the rules, which is why Data Controllers, Data Processors and companies that handle all manner of computer-related tasks are expected to adequately protect their equipment from malice.

(Explicit) Digital Graffiti

So with all of this in mind, how is it that we get situations where attackers can visibly deface public property like billboards?! How are they able to put inappropriate material on company-controlled systems with these safeguards in place? Why would they do this kind of thing in the first place, and what is the end goal?

Asics Apologises for Porn Playing for Hours Above Auckland Store

Pornographic Video Plays on Billboard Along I-75 in Auburn Hills

Are Laws Made to be Broken?

No. You don't need to tell most people not to try and put swinging genitals on public signs that all sorts of people, including children, can see. Many would rather avoid such a visual spectacle when popping out for a pint of milk and a packet of custard creams, and most in our society would respect this and keep this content for their own private time if inclined to do so. The law is in place, and these people will likely obey it to respect people's personal boundaries.

Hacker picking their next billboard to deface!

Criminals however don't obey the law, which is likely why we have the police.
If you access a sign system and alter it in any way, then you've fallen foul of the Computer Misuse Act, which is:

An Act to make provision for securing computer material against unauthorised access or modification, and for connected purposes.

It's probably not a good idea to go poking around in systems that don't belong to you anyway, but going to the extreme and deciding to loop hardcore imagery probably won't win you many fans with the general public! People will likely stop and watch out of curiosity though, so maybe I'm wrong (they did in the ASICS article). Ultimately, there really isn't a justification for defacing someone else's infrastructure other than to cause harm, and the laws exist to bring about justice should this occur.

But Something Must Be Broken?!

As I mentioned earlier, the law (used somewhat like a deterrent) is but one element in all of this. Another factor which (in my honest opinion) is FAR more important is the care and attention of the companies who actually own and/or manage the infrastructure. In the wake of the numerous hacks/breaches/leaks that seemingly are always hitting the news, along with the generally AWFUL responses put out, it seems that many companies aren't adequately doing their bit to keep their architecture safe. They tell us that they "take privacy and security seriously", but do they? I've talked about how many companies act in the event of a breach before, and there is a great article by TechCrunch that shows just how truly valueless this stupid "privacy and security" line is.

The Privacy and Security of Our Data

Stop Saying, 'We Take Your Privacy and Security Seriously'

If you follow enough security researchers for long enough, including reading their detailed reports and watching their fascinating presentations, you'll see that whilst many companies SAY they are doing security properly, their words may not always align with their actions.
In fact, quite a lot of security is what I like to call "security": based solely on theatre, with no basis in the real world. Take the following example, where a security researcher (who I have followed for a long time and who likes to make his own hot sauce 🌶️🌶️🌶️) had a bit of trouble with a billboard company.

Someone Hacked a Billboard in Atlanta to Display Goatse

Back in 2015, Dan Tentler (known as @viss) notified a billboard company ahead of time that their systems were freely accessible TO ANYONE on the internet without authentication. The company at least responded, however with the (unfortunate) "not interested but thank you for the follow up"! Not really grasping the severity of their predicament, they subsequently had their billboard defaced with the infamously disgusting (if you are squeamish, DO NOT Google it) Goatse image. I'll bet THEY WERE INTERESTED after that!

Child performing a facepalm after seeing all the infrastructure getting "hacked" on the internet

After reading that, let me ask you a question. Do you think that the company was actually hacked? To me, hacking implies that something was done (by a hacker) to bypass security measures and break into a system. It requires a certain level of skill and expertise, but in this case the company was warned that their system was FREELY ACCESSIBLE on the internet. So where is the skill? Most people can navigate to a web address in their browser (you made it here, right?), so I don't think the barrier to entry is too high. Alright, so they'd need to know the address, but Shodan, ZoomEye, Censys and Nessus are popular tools for this purpose! They allow you to specify a running service that you are interested in, and then scan all machines on a network (e.g. the internet) for this service whilst you go and make a cup of tea and toast a couple of crumpets!

What happened was the equivalent of someone leaving the front door of their house unlocked and wide open, and a passer-by who just happened to be a thief noticing this and popping in for a quick five-finger discount. Now does that sound like taking privacy and security seriously to you?

This isn't just billboards; this kind of (let's call it) lax security is "protecting" so many of our services at the moment. In these cases hackers are merely scanning the internet for open data sources (which should be locked down) and helping themselves to the contents before making off quietly, or deleting the contents and demanding a ransom. Again, can this particular use case be classed as hacking?

Exposed, Misconfigured Databases Put Patient Data at Risk

MongoDB Leak Exposed Millions of Medical Insurance Records

Unsecured Database Containing 188 Million Personal Records Discovered Online

MongoDB Databases Still Being Held for Ransom, Two Years After Attacks Started

In the future, I ask that you look out for the line "the attacker used sophisticated methods" in breach notices released by companies. If they were hacked/"hacked" (depending on your opinion) because they left their systems freely online without any authentication, was the attack really that sophisticated? I like to ask these questions because much of security is (sometimes purposely) shrouded in mystery by organisations, and I see far fewer notices that give details of the breach and how an attacker was able to penetrate defences (assuming they were actually in place). I would love to live in a world where these organisations all published detailed lessons learned, showing how their processes have changed and allowing everyone else to improve their systems.
One can only dream 😂😴!

So Why is This Happening?

There is a lot of Fear, Uncertainty and Doubt (FUD) being spread, and that isn't the aim of this piece. However, I believe that general company security needs an overall makeover, as attackers are exploiting very simple weaknesses to make off with treasure troves. We need to get the basics right, including locking things down by default and exercising proper password hygiene, whilst also securing ALL of our databases with strong passwords for EVERY account. Unless your service (like a billboard administration dashboard) and/or database holds information and actions that are intended to be publicly accessible, THERE IS NO REASON TO MAKE IT PUBLICLY ACCESSIBLE. Going a step further, we should make it as IMPOSSIBLE as possible to mistakenly put these tools online, and have a strict procedure to enable even public tools to be internet accessible. Where permitted (to get techy for a moment), bind your service to an INTERNAL IP address only, and whitelist the IP addresses that can access it. If you REALLY want to go overboard, use Mutual TLS Authentication and deploy certificates to trusted devices 😉. Finally, when a service is online, please PROPERLY protect the accounts!

Securing our assets with PROPER locks

Criminals are going to commit crimes. That's a fact, and there's not really much we can do about that. We have passed laws, and criminals break them by exploiting weaknesses in organisational infrastructure. They can even create weaknesses in said infrastructure by blackmailing staff, installing malicious software, phishing, spear phishing, vishing etc. We know this, and we need to protect ourselves by securing our perimeters and, most importantly, EDUCATING our people. People are frequently referred to as the weakest link in security, but they don't need to be.
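To make the lock-it-down advice above concrete (internal bind address, explicit approval before anything faces the internet), here is an added example that is not code from the original post: a small Python audit that parses `ss -ltn` output and flags any listener bound to a wildcard or public address whose port is not on an approved list. The `ss` output and the approved-port set below are constructed for the example.

```python
import ipaddress

# Constructed sample of `ss -ltn` output (not captured from a real host).
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       4096    127.0.0.1:27017      0.0.0.0:*
LISTEN  0       4096    *:27017              *:*
LISTEN  0       511     0.0.0.0:443          0.0.0.0:*
LISTEN  0       128     [::]:8080            [::]:*
LISTEN  0       128     10.0.1.5:5432        0.0.0.0:*
LISTEN  0       4096    127.0.0.53%lo:53     0.0.0.0:*
"""

# Address forms ss uses for "every interface".
WILDCARDS = {"0.0.0.0", "*", "::", "[::]"}

def parse_listener(line):
    """Return (address, port) for one LISTEN row of `ss -ltn`, else None."""
    fields = line.split()
    if len(fields) < 5 or fields[0] != "LISTEN":
        return None
    addr, _, port = fields[3].rpartition(":")  # rpartition copes with IPv6 colons
    addr = addr.split("%", 1)[0]                # drop the %iface scope suffix
    return addr, int(port)

def is_internal(addr):
    """True if the bind address cannot be reached from the internet."""
    if addr in WILDCARDS:
        return False
    ip = ipaddress.ip_address(addr.strip("[]"))
    return ip.is_loopback or ip.is_private or ip.is_link_local

def audit_listeners(ss_output, approved_public_ports):
    """List (address, port) pairs exposed beyond the host or private network
    that nobody has explicitly approved for internet access."""
    findings = []
    for line in ss_output.splitlines():
        parsed = parse_listener(line)
        if parsed is None:
            continue
        addr, port = parsed
        if not is_internal(addr) and port not in approved_public_ports:
            findings.append((addr, port))
    return findings

if __name__ == "__main__":
    # Only SSH and HTTPS have been through the "may face the internet" procedure.
    for addr, port in audit_listeners(SAMPLE_SS_OUTPUT, {22, 443}):
        print(f"unapproved public listener: {addr}:{port}")
```

On a real host you would feed it the live output of `ss -ltn` instead of the sample string; the MongoDB listener on `*:27017` is exactly the kind of exposure behind the database stories above.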
With PROPER education initiatives (not just security training that tells people not to click links), the people in an organisation can be turned into the best line of defence against attackers trying to steal from us. They become our eyes and ears, our informants from different backgrounds, each with a different perspective to bring.

Security researchers (like Dan Tentler, mentioned earlier) provide an INTEGRAL service to the internet, and like the bad people out there they will walk by your house and investigate any wide open doors, windows and gates. The difference between them and the bad people is that they won't exploit these weaknesses and rob you; instead they'll leave a handy note detailing what they've found, with maybe a few recommendations, before carrying on their merry way. You can even pay them to do this properly, or set up programmes (known as bug bounties) which formalise the process and give you far greater insights. Many of them just want us to be more secure, and they make a living doing just that. This is why we should be thankful when they take the time to provide this information to us free of charge.

Finally, I'll give a quick mention of the people out there who have stumbled across the open windows and are just having fun, looking to make a name for themselves, or who even believe that the only way to get organisations to act is by embarrassing them. They may not 'break in' using my house analogy, but the moment they perform any defacement they have stepped into criminal territory. Noticing a vulnerability shouldn't be deemed criminal (some companies unfortunately go after those who report issues), but exploiting a vulnerability makes you a criminal, even if it was a bit of fun and nothing was actually stolen. Think of it as spray painting the walls, breaking a few decorative ornaments and putting the PlayStation 4 through the flatscreen TV.
Theft and extortion aren't the only crimes that you can commit when discovering weaknesses.

Billboard Headline

Billboards are just as much a target for attackers as our online data and should be subject to the same protections that we expect. Organisations should exercise proper security controls, as we cannot rely on law and order to keep attackers away. Attackers can cause very real damage through insecure systems for a variety of reasons, notably a huge amount of embarrassment and shame, so we must be vigilant. Taking the privacy and security of our systems seriously involves far more than empty, copy-pasted words; it includes proper education and also listening to people who may know more than we do.

Take care and all the best. Si.