Tag Archives: vulnerability

A Hat of a Different Color

Dapper man in white fedora, face partially obscured.It used to be that computer hackers came in two shades, black hat and white hat. Black hat refers to the nefarious hacker illegally trying to exploit network and computer security holes for gain or simple malice. White hat refers to hackers trying to highlight security lapses in order to warn others and work to patch vulnerabilities. With the recent hack of Ashley Madison, it appears that there is a third type of hacker trying to right moral or political wrongs instead of or in addition to potential economic gain.

History

In the early days of hacking I read about the exploits of Kevin Mitnick. As a teenager, he hacked into the networks and systems of technology and telecommunications companies and spent over five years in prison on two different occasions after being sentenced on federal wire fraud charges. Much of his success he attributes to social engineering, or the ability to charm passwords out of unsuspecting people. Now he is an information security consultant. He is a case of a black hat turned into a white hat.

I also enjoyed the 1989 book “The Cuckoo’s Egg,” by astrophysicist Clifford Stoll, which relates the tale of tracking a hacker who broke into Lawrence Berkeley National Laboratory and used it as a jumping off point to burrow into military and defense systems. The hacker was eventually caught, with Stoll’s help, and it was discovered that he was selling stolen information to the KGB.

Computer hacking has existed since computers were connected together in a network and people sought vulnerabilities in the technology. As computer code becomes ever more complicated, it raises the possibility of errors that can and will be exploited by either the black hats for monetary gain or malice or the white hats trying to highlight the vulnerability.

Ashley Madison

The Ashley Madison hack seems at first blush to be a hack of a different color. AshleyMadison.com is a website that matches people seeking adulterous affairs. Hackers identifying themselves as The Impact Team took over the site and announced they had stolen identity information of 33 million subscribers and threatened to publish that information unless the parent company, Avid Life Media (ALM), agreed to shut down the site. It appears the hackers were angry over the content and purpose of the site but in their manifesto they also blasted the practice of ALM charging $19 to have a profile removed from the site. To prove that a profile was not completely removed from databases, they released the names of two members who had paid to be eliminated from the site.

Whether the hackers were incensed with the moral foundation of the site or the economical injustice against members, this seems to be a different type of exploit. The Impact Team could still demand ransom for the stolen information, in which case I would put them squarely in the black hat camp, or they could use this hack as a platform for their cause, whatever that may be. Either way, this will no doubt be a topic of conversation at the upcoming information security conference sponsored by the likes of Microsoft and Cisco, which is oddly named the Black Hat Conference.

Thoughts

What do you think? While hacks of this type are still clearly illegal, their aim seems to be to prove a point instead of seeking monetary gain or notoriety. I wonder what’s next? Other dating websites? Perhaps gambling sites? Let me know your thoughts.

Author Kelly BrownAbout Kelly Brown

Kelly Brown is an IT professional and assistant professor of practice for the UO Applied Information Management Master’s Degree Program. He writes about IT and business topics that keep him up at night.

How Safe is the Cloud?

padlocked cloudA lot of attention lately has been paid to the security of the cloud, particularly Apple’s iCloud service. There have been recent high profile celebrity hacks resulting in the sharing of photos that were thought to be private. The question I have been reading in the last couple of weeks, even in my local newspaper, is this: Is the cloud safe? The answer, maddeningly, is yes and no. This blog post will cover the definition of the cloud and how you can make the answer to that question “yes.”

Defining the Cloud

The cloud is really just a term for offsite storage. It is a convenient place to store files, whether they are photos, contact lists, or e-mails, so that you can access them from multiple devices in multiple locations. Say, for example, you take a picture from your smartphone and wish to view those same pictures from your tablet or your laptop or share them with friends. Rather than carrying those pictures around on a hard drive to view them on different devices or show friends, those pictures are stored in a common place, in the cloud storage. The cloud goes by different names such as iCloud, Google Drive, Google+, and Microsoft OneDrive. It also goes by names such as Pinterest, Tumblr, Facebook, and Twitter. Basically it is a common place to store, retrieve, and manipulate your files. The question then becomes: What if you want to take a picture but NOT store it in the cloud?

It’s All in the Sync

The key is to understand when your device is synchronizing with the cloud or with another device. In Android, for example, there is a Google Drive app that is an interface to help you download and sync files between your Android device and the cloud. You can also swap files between Android and your Google+ account or between Android and your Dropbox or Box account using a simple app.

Developers have done their best to make these apps intuitive and user friendly, but they have also masked the complexity of moving files back and forth to the cloud or to another device. As a result, some smartphone users just push the “sync all” button, which duplicates all files to the cloud. This is great for backup, but it also means that your files are now in a less secure area than just your phone. As recent events show, there are still some vulnerabilities in the cloud, and occasionally a cloud service is breached and personal data is compromised. One answer to this is to employ an application such as Encdroid for the Android OS, which encrypts your files and makes them more difficult to hack. Another solution is to understand where your files are and how they are getting there.

Thoughts

My challenge to you this week is to review your files and take an inventory of where you are storing everything. You may have signed up for a Google+ account and forgotten about it. When you get that new Android phone, however, you can bet the good folks at Google have a record of that account and would be happy to send all of your files to be backed up there. Be a savvy technology user and make sure you understand whether you are vulnerable and in what areas. In the end, that knowledge will make you and your data safer.

Author Kelly BrownAbout Kelly Brown

Kelly Brown is an IT professional, adjunct faculty for the University of Oregon, and academic director of the UO Applied Information Management Master’s Degree Program. He writes about IT and business topics that keep him up at night.