epic fail – hackers gonna hack… unless they don’t have to

Earlier this week, an Australian firm providing billing and support services to web hosting companies found that its web site had been destroyed, its Twitter account hijacked, and 1.7 GB of data (including customer information, hashed passwords, and credit card numbers) posted to the Internets for the world to see.

You’d think that the hackers who went on this rampage must have been really clever, exploiting some arcane vulnerability to gain access to all of this valuable data.  Or maybe they used some uber-slick piece of malware to get the information.  You’d be wrong.

What appears to have happened is that the attackers figured out the answers to the “security questions” for the company’s lead developer and used them to con the web host running the company’s site into handing over the administration password.  It appears that the admin password was also the corporate Twitter account password.  Doh!

Lessons we can learn from this:

  • Security questions suck as an authentication mechanism.  Think about the last few times you had to set up security questions – how easy would it be to guess your answers by looking at your Facebook, LinkedIn, or Twitter accounts?  If the information is not there, a quick browse through people-search web sites may yield it.
  • Using the same password for multiple sites is a bad idea.  It appears that the same password was used for both the victim company’s server administration and its corporate Twitter account, so one leaked password handed the attackers both.

What you can do to protect yourself and your company:

  • Build yourself a legend.  Come up with a set of (false) security question answers that cannot be guessed by attackers.   For example, your first car could be a “1931 Bugatti Royale Kellner Coupe,” your first school could be “Harvard,” and the town you grew up in could be “Peoria”    (or if you are really good, one of these places).  Above all, don’t use answers that can be found on your social media profiles or by Googling yourself.
  • Don’t use the same password for multiple sites.  You don’t want the compromise of one password to lead to an attacker getting access to all of your stuff.  Use a password manager like LastPass or KeePass to easily and securely store your (per-site) passwords as well as the fake answers to your security questions.
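As an added example (not from the original post, and not code from the firm involved), here is a Python sketch of the two pieces of advice above put into practice: it flags secrets reused across entries in a vault, flags security-question answers that also appear among facts visible on public profiles, and generates random replacement answers with enough entropy to serve as a second password. The sample vault, the list of public facts, and the word list are all constructed for illustration.

```python
import math
import secrets
from collections import defaultdict

# Constructed word list for the example. A real "legend" generator would draw
# from a large list (e.g. the 7776-word EFF diceware list); the list size is
# what sets the entropy of each answer, so this toy list is deliberately small.
WORDS = [
    "anvil", "badger", "cobalt", "dune", "ember", "falcon", "garnet", "harbor",
    "iris", "juniper", "kestrel", "lantern", "marble", "nimbus", "orchid", "pylon",
    "quartz", "raven", "saffron", "tundra", "umber", "velvet", "walnut", "xenon",
    "yarrow", "zephyr", "argon", "basalt", "cinder", "delta", "elm", "fjord",
]  # 32 words -> 5 bits per word


def make_legend_answer(n_words: int = 4, words=WORDS) -> str:
    """Generate a random 'security question' answer.

    The point of the legend is that the answer is a second password, not a fact
    about you, so it is drawn from a CSPRNG (secrets), never from your biography.
    """
    return " ".join(secrets.choice(words) for _ in range(n_words))


def answer_entropy_bits(n_words: int, words=WORDS) -> float:
    """Entropy, in bits, of an answer built by make_legend_answer."""
    return n_words * math.log2(len(words))


def find_reused_secrets(vault):
    """Flag any secret that is used in more than one place.

    vault: list of (site, field, secret) triples, where field is "password" or
    "q:<question>". Returns {secret: [(site, field), ...]} for each reused value.
    """
    uses = defaultdict(list)
    for site, field, secret in vault:
        uses[secret].append((site, field))
    return {s: where for s, where in uses.items() if len(where) > 1}


def find_guessable_answers(vault, public_facts):
    """Flag security-question answers that match facts visible on public profiles."""
    facts = {f.strip().lower() for f in public_facts}
    return [
        (site, field)
        for site, field, secret in vault
        if field.startswith("q:") and secret.strip().lower() in facts
    ]


# Constructed sample vault mirroring the pattern in the incident: one password
# shared between the hosting account and Twitter, plus a security answer that is
# visible on the owner's public profile. Values are illustrative, not real data.
SAMPLE_VAULT = [
    ("hosting-admin", "password", "Summer2012!"),
    ("twitter", "password", "Summer2012!"),
    ("hosting-admin", "q:first school", "Lincoln High"),
    ("hosting-admin", "q:home town", "Peoria"),
    ("bank", "password", "c0rrect-h0rse-battery"),
]
SAMPLE_PUBLIC_FACTS = ["Lincoln High", "Chicago", "Honda Civic"]


if __name__ == "__main__":
    for secret, where in find_reused_secrets(SAMPLE_VAULT).items():
        print(f"reused secret {secret!r} at {where}")
    for site, field in find_guessable_answers(SAMPLE_VAULT, SAMPLE_PUBLIC_FACTS):
        print(f"guessable answer for {site} / {field}; "
              f"replace with: {make_legend_answer()!r}")
    print(f"each replacement answer carries ~{answer_entropy_bits(4):.0f} bits")
```

Two design points are worth noting. The answers come from `secrets`, not `random`, because a legend is only useful if the help-desk cannot guess it any more easily than a password. And with a 32-word list four words give only 20 bits, which is why a real generator uses a list in the thousands of words; since the result is unmemorable by design, it belongs in the password manager next to the site password, exactly as the bullet above suggests.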


sec breach reporting requirements for publicly traded companies

If you are an information security professional at a publicly traded company, I would strongly suggest reading a recent blog post by Richard Bejtlich about the SEC’s requirements for the disclosure of cybersecurity breaches.   Bejtlich points out that the ramifications of these requirements go well past getting into hot water with the regulators – they also raise other risks, such as whistleblowing by employees or third parties as well as the potential for shareholder lawsuits when companies do not take the proper steps to secure information (or are perceived as not doing so).  Having a conversation about this issue with your General Counsel before an incident occurs makes a lot of sense.  All this being said, kudos to the SEC for recognizing the role of cybersecurity in good corporate governance.


gimme some of that old time religion (and malware)

According to a recent study by security firm Symantec, you are far more likely to encounter malware when visiting religious web sites than when visiting, ahem, adult sites.   In an article describing the finding, Network World had this to say:

Symantec found that the average number of security threats on religious sites was around 115, while adult sites only carried around 25 threats per site–a particularly notable discrepancy considering that there are vastly more pornographic sites than religious ones. Also, only 2.4 percent of adult sites were found to be infected with malware, compared to 20 percent of blogs.

In (related?) news, the University of British Columbia reported a study showing that encouraging people to use their analytic thinking skills causes a reduction in religious belief, even in pious persons.  Unfortunately, the study did not touch on whether the reduction in superstition was tied to increased use of, ahem, adult sites.
