Tag Archives: Sony

Cybersecurity: After Ashley, Sony, and Target

There have been several high-profile cyber attacks over the last two years, some for financial gain, some out of malice, and some from hacktivists trying to right what they see as moral wrongs. Has anything changed since these security breaches? Do we take security more seriously now? Do company leaders pay more attention to technology and security?

Grey Hat Hacktivism

I wrote about grey hat hacktivism after the breach of the Ashley Madison website. Hackers threatened to publish the names of Ashley Madison members unless the site was taken down. They did this under the guise of moral outrage that the website was encouraging and enabling adultery by matching members. The hackers later published a few of the names, and then the full list. Whether the full list was published purposefully or accidentally is still unclear.

While the hack and the revelation of member names have interrupted many lives, Ashley Madison and its parent company, Avid Life Media, are still operating as usual. The CEO resigned last year after the breach, but the company states it “continues to have strong fundamentals with tens of thousands of new members joining AshleyMadison.com every week.” If the company's claims are true, then the hackers did not succeed in their objective. Hopefully it has caused people to be more careful about their own security and dealings on the internet. There is no evidence that Ashley Madison has changed its security policy to prevent future hacks.

Right on Target

In December 2013, Target was breached and 40 million debit and credit card accounts were exposed. In the aftermath, Target hired cybersecurity experts to probe the network and they found that once inside, hackers had access to every single cash register in every store. Target has taken steps to ensure this particular breach will not be repeated. It is thought that the initial entry came through a heating and air conditioning contractor who had a virtual private network (VPN) tunnel into Verizon for the purposes of exchanging contracts and work orders. Once the contractor was breached, the hackers had access to Verizon through the VPN and once in Verizon, they could go out to the point of sales systems to collect customer information. Even one weak link can cause incredible damage.

It is not clear how much customer information was actually used or sold but Target suffered, at least temporarily. Short-term earnings were down after customers lost confidence in the company. The CEO and CIO both resigned over the incident and Target has since worked to examine every aspect of their network for possible security holes. In short, security is serious business now, even at the highest levels.

Sony Hack

In November 2014, hackers breached the Sony Studios network and made public information about personnel, including salaries, unreleased films, and e-mail correspondence between Sony employees. They demanded that the upcoming movie, “The Interview,” not be released. The movie was a spoof about North Korea, which led to the conjecture that the North Koreans were behind the hack. I will go on record as saying that I believe that the hack was an inside job, either by disgruntled employees or perhaps even orchestrated by the company to create publicity around a potentially bad movie. In any case, the movie was not released to theaters right away and Sony Pictures chief Amy Pascal was fired. It is not clear what Sony has done to shore up their defenses from further attacks, but this is a case where limited and targeted inside information was exposed instead of customer information.

Thoughts

These are just three of the recent high-profile attacks perpetrated for financial gain, moral outrage or embarrassment. High-level executives lost their positions and organizations lost credibility in the eyes of customers. Here are three takeaway messages for me:

  1. Security does matter and it should matter in the highest levels of an organization. In the old days, the shop proprietor locked the front door when she went home at night, but it is not that simple anymore. With the increase in cloud computing and storage, there are a lot more doors to secure. It is complex and it is important.
  2. Organizations need to evaluate their security threats from both the outside and the inside. Employees know the systems and networks better than hackers. Are they with you or against you? How do you know?
  3. Security matters to each individual. We need to be diligent about our own digital presence and tracks on the Internet. Are your transactions secure? Are you using solid passwords? Are you encrypting your personal information when necessary? We all have a personal responsibility in that regard.

Those are my thoughts. Let me know what you think.

About Kelly Brown

Kelly Brown is an IT professional and assistant professor of practice for the UO Applied Information Management Master’s Degree Program. He writes about IT and business topics that keep him up at night.

Hacktivism: Is it a Forgivable Crime?

A hacktivist is defined as one who breaks into a computer or network for political or social motives. The more I read about hacktivists, the more I wonder if they are hackers cloaked in the ideals of activism, or activists borrowing a page from the hacker playbook to further their cause. In this post, I will highlight a few recent incidents of hacktivism and let you decide.

Sony Hack

The Sony hack tops the list, both for its recency and its impact. A group of hackers called The Guardians of Peace broke into Sony’s internal computers and released sensitive documents and e-mail exchanges, some of which involved Sony partners. Five movies were released to download sites, four of which had not yet been released in theaters. They blocked the release of the movie The Interview by threatening to bomb theaters that showed the film. The Interview is a comedy about a plot to assassinate North Korean dictator Kim Jong-un. Ironically, or maybe not, as of this writing the FBI is claiming the hack originated from North Korea. Was this an attempt to expose Sony’s inadequate defenses, a case of defending a country’s honor from a fictitious film, or was it plain and simple malice? Whatever the motives, The Guardians of Peace crossed the line from hacktivism to terrorism when they threatened to bomb theaters.

Africa

The hacktivist group Anonymous Africa attacked and closed down fifty websites during the 2013 Zimbabwean election, including those associated with the ruling Zanu PF party and those of the newspaper The Herald. The group claimed President Robert Mugabe’s regime dominated the Internet and airwaves and did not allow access to the opposing party. Was their attack successful? Ninety-year-old Mugabe is still in power, but the oppression in Zimbabwe was exposed, if only briefly.

Arab Spring

The Arab Spring was sparked in January 2011 by an uprising against the ruling party in Tunisia. The hacktivist group Anonymous stole Tunisian government documents and funneled them to the website Wikileaks, which published them. The documents showed a pattern of abuse by the government against the citizens. In Egypt, when citizens tried to expose government oppression and the government responded by trying to shut down the Internet, various hacktivists provided alternative methods for citizens to expose the actions taking place in their country. In these instances hacktivism was a weapon, just like bombs or guns, and hacktivists tried to win the hearts of the people and expose activities deemed to be unfair and oppressive. The same method is being used in Syria today.

Thoughts

So is hacktivism good or bad? That depends. There are definitely economic losses in politically motivated hacks, so it is not a zero-sum activity. There can be embarrassment and expense for those who are hacked. I think that these hacks may have started out with reasonable and objective motives, but more often than not they cross the line into cyber-terrorism. I believe that there are better ways to further a cause than breaking into electronic files and exposing them, preventing them from being seen, or outright stealing them.

Hacktivism is criminal, but is it justified? Let me know what you think.

About Kelly Brown

Kelly Brown is an IT professional, adjunct faculty for the University of Oregon, and academic director of the UO Applied Information Management Master’s Degree Program. He writes about IT and business topics that keep him up at night.