Tag Archives: Ashley Madison

Cybersecurity: After Ashley, Sony, and Target

Abstract image of padlock against blue tech background.There have been several high profile cyber attacks over the last two years, some for financial gain, some out of malice, and some from hacktivists trying to right what they see as moral wrongs. Has anything changed since these security breaches? Do we take security more seriously now? Do company leaders pay more attention to technology and security?

Grey Hat Hacktivism

I wrote about grey hat hacktivism after the breach of the Ashley Madison website. Hackers threatened to publish the names of Ashley Madison members unless the site was taken down. They did this under the guise of moral outrage that the website was encouraging and enabling adultery by matching members. The hackers later published a few of the names, and then the full list. Whether the full list was published purposefully or accidentally is still unclear.

While the hack and the revelation of member names has interrupted many lives, Ashley Madison and its parent company, Avid Life Media, are still operating as usual. The CEO resigned last year after the breach, but the company states it “continues to have strong fundamentals with tens of thousands of new members joining AshleyMadison.com every week.” If the company claims are true then the hackers did not succeed in their objective. Hopefully it has caused people to be more careful about their own security and dealings on the internet. There is no evidence that Ashley Madison has changed its security policy to prevent future hacks.

Right on Target

In December 2013, Target was breached and 40 million debit and credit card accounts were exposed. In the aftermath, Target hired cybersecurity experts to probe the network and they found that once inside, hackers had access to every single cash register in every store. Target has taken steps to ensure this particular breach will not be repeated. It is thought that the initial entry came through a heating and air conditioning contractor who had a virtual private network (VPN) tunnel into Verizon for the purposes of exchanging contracts and work orders. Once the contractor was breached, the hackers had access to Verizon through the VPN and once in Verizon, they could go out to the point of sales systems to collect customer information. Even one weak link can cause incredible damage.

It is not clear how much customer information was actually used or sold but Target suffered, at least temporarily. Short-term earnings were down after customers lost confidence in the company. The CEO and CIO both resigned over the incident and Target has since worked to examine every aspect of their network for possible security holes. In short, security is serious business now, even at the highest levels.

Sony Hack

In November 2014, hackers breached the Sony Studios network and made public information about personnel, including salaries, unreleased films, and e-mail correspondence between Sony employees. They demanded that the upcoming movie, “The Interview” not be released. The movie was a spoof about North Korea, which led to the conjecture that the North Koreans were behind the hack. I will go on record as saying that I believe that the hack was an inside job, either by disgruntled employees or perhaps even orchestrated by the company to create publicity around a potentially bad movie. In any case, the movie was not released to theaters right away and Sony Pictures chief Amy Pascal was fired. It is not clear what Sony has done to shore up their defenses from further attacks but this is a case where limited and targeted inside information was exposed instead of customer information.

Thoughts

These are just three of the recent high profile attacks perpetrated for financial gain, moral outrage or embarrassment. High-level executives lost their positions and organizations lost credibility in the eyes of customers. Here are three take away messages for me:

  1. Security does matter and it should matter in the highest levels of an organization. In the old days, the shop proprietor locked the front door when she went home at night, but it is not that simple anymore. With the increase in cloud computing and storage, there are a lot more doors to secure. It is complex and it is important.
  2. Organizations need to evaluate their security threats from both the outside and the inside. Employees know the systems and networks better than hackers. Are they with you or against you? How do you know?
  3. Security matters to each individual. We need to be diligent about our own digital presence and tracks on the Internet. Are your transactions secure? Are you using solid passwords? Are you encrypting your personal information when necessary? We all have a personal responsibility in that regard.

Those are my thoughts. Let me know what you think.

Author Kelly BrownAbout Kelly Brown

Kelly Brown is an IT professional and assistant professor of practice for the UO Applied Information Management Master’s Degree Program. He writes about IT and business topics that keep him up at night.

The Double Edged Sword of Information Availability

Photo of man using a smart phone in front of a computer.I recently came across the Harvard Genome Project. For the project, a team of Harvard researchers are collecting personal genome information to share with researchers who hope to create breakthroughs in disease eradication and prevention. It struck me that with our ability to share information and make it available to different groups, either intentionally or unintentionally, we have created a double-edged sword. On the one hand, with technology we have greatly expanded research opportunities and created the infrastructure to track down long lost relatives. On the other hand, our privacy may be jeopardized if that research information falls into the wrong hands or if a long lost relative prefers to stay lost. Is the genie out of the bottle, or are we still in control of the exabytes of information in the cloud, some of it personal?

Research for a Brighter Tomorrow

The Internet that we know today was born as the ARPANET under a contract to the United States Advanced Research Projects Agency. Its original intent was to connect research facilities to share information. In December 1969, Stanford University, University of California Santa Barbara, University of California Los Angeles, and the University of Utah were connected to collaborate and advance research. By 1971, several other prominent universities, private research firms, and government agencies had joined ARPANET, extending the geographical reach well beyond the southwestern U.S. The original Internet was intended to further scientific research, not to share cat videos. In that vein, the Harvard project exemplifies the positive aspects of information sharing.

Technology and Democracy

Before we were all connected by technology, there was radio and television, which are “one to many” media. One broadcast, such as the nightly news or a presidential fireside chat, went out to those who chose to listen or watch. There was no way to give feedback or to refute what might be misinformation. Now people around the world can share real time information on developing stories; we no longer have to wait until the five o’clock news or place complete trust in the newscaster.

We can also take on the role of broadcaster. We can participate more deeply in the democratic process by speaking out on issues of the day and join with others to have an impact on legislation that affects our lives. Whether we live in the safety of the U.S. or in a war ravaged country, we have a voice and it can be heard, thanks to technology.

The downside is the ability to spread misinformation. It is important that we choose carefully the news sources that we trust. The Onion has made a sport of parodying trending news but their articles are sometimes quoted as facts. It is up to each one of us to distinguish truth from fiction.

The Privacy Issue

I wrote a blog in July highlighting the breach of private information submitted to the website Ashley Madison. Users expected their personal information to remain private, but hackers who broke into the site published that information. This is where I wonder if the genie is out of the bottle and any information we choose to share, be it our genome data, private photos, our current location, or politically sensitive information, should be considered potentially public. Would we conduct ourselves online differently if we expected our information to go public? Would we be more careful?

Thoughts

Technology advances have allowed us to share research, information, product reviews, political news, or even to find each other. I believe though that with this new power and connectivity comes responsibility that we sometimes take lightly. We need to approach this new world with eyes wide open. Let me know your thoughts.

Author Kelly BrownAbout Kelly Brown

Kelly Brown is an IT professional and assistant professor of practice for the UO Applied Information Management Master’s Degree Program. He writes about IT and business topics that keep him up at night.

A Hat of a Different Color

Dapper man in white fedora, face partially obscured.It used to be that computer hackers came in two shades, black hat and white hat. Black hat refers to the nefarious hacker illegally trying to exploit network and computer security holes for gain or simple malice. White hat refers to hackers trying to highlight security lapses in order to warn others and work to patch vulnerabilities. With the recent hack of Ashley Madison, it appears that there is a third type of hacker trying to right moral or political wrongs instead of or in addition to potential economic gain.

History

In the early days of hacking I read about the exploits of Kevin Mitnick. As a teenager, he hacked into the networks and systems of technology and telecommunications companies and spent over five years in prison on two different occasions after being sentenced on federal wire fraud charges. Much of his success he attributes to social engineering, or the ability to charm passwords out of unsuspecting people. Now he is an information security consultant. He is a case of a black hat turned into a white hat.

I also enjoyed the 1989 book “The Cuckoo’s Egg,” by astrophysicist Clifford Stoll, which relates the tale of tracking a hacker who broke into Lawrence Berkeley National Laboratory and used it as a jumping off point to burrow into military and defense systems. The hacker was eventually caught, with Stoll’s help, and it was discovered that he was selling stolen information to the KGB.

Computer hacking has existed since computers were connected together in a network and people sought vulnerabilities in the technology. As computer code becomes ever more complicated, it raises the possibility of errors that can and will be exploited by either the black hats for monetary gain or malice or the white hats trying to highlight the vulnerability.

Ashley Madison

The Ashley Madison hack seems at first blush to be a hack of a different color. AshleyMadison.com is a website that matches people seeking adulterous affairs. Hackers identifying themselves as The Impact Team took over the site and announced they had stolen identity information of 33 million subscribers and threatened to publish that information unless the parent company, Avid Life Media (ALM), agreed to shut down the site. It appears the hackers were angry over the content and purpose of the site but in their manifesto they also blasted the practice of ALM charging $19 to have a profile removed from the site. To prove that a profile was not completely removed from databases, they released the names of two members who had paid to be eliminated from the site.

Whether the hackers were incensed with the moral foundation of the site or the economical injustice against members, this seems to be a different type of exploit. The Impact Team could still demand ransom for the stolen information, in which case I would put them squarely in the black hat camp, or they could use this hack as a platform for their cause, whatever that may be. Either way, this will no doubt be a topic of conversation at the upcoming information security conference sponsored by the likes of Microsoft and Cisco, which is oddly named the Black Hat Conference.

Thoughts

What do you think? While hacks of this type are still clearly illegal, their aim seems to be to prove a point instead of seeking monetary gain or notoriety. I wonder what’s next? Other dating websites? Perhaps gambling sites? Let me know your thoughts.

Author Kelly BrownAbout Kelly Brown

Kelly Brown is an IT professional and assistant professor of practice for the UO Applied Information Management Master’s Degree Program. He writes about IT and business topics that keep him up at night.