Cloud computing and the Internet of Things are a magnificent leap for mankind and are set to be the future of the Internet as more manufacturers, business and enterprises are adopting these technologies.
The ability to be connected and to make our lives easier and faster utilising the Internet of Things, combined with the processing power and the storage capacity of the cloud lends our future a considerable degree of possibility. And with data use and output growing exponentially, daily increases in technology and capacity are changing how businesses operate.
Yet amongst the sunshine and lollipops of these amazing technological advancements comes a dark cloud – that of security and privacy. As the technology evolves, so too do the crafts and attacks of malicious hackers. Your precious data, regardless of your industry or enterprise, is bait for hackers. Whether using it for their own nefarious deeds or selling on the darknet for profit, nothing good can come of having your data – or that of your customers – exposed.
With that in mind, we’ve come up with the five hacks your business needs to know about. Discover how they were perpetrated, what weaknesses were exposed and how your business can learn from them. Ranging from extramarital dating sites to American political parties, this list goes to show that no company or entity is too big or too small to escape the clutches of criminal hack-tivity.
The Ashley Madison 2015 Hack
Kicking off with the ever so saucy Ashley Madison hack of 2015. With a tagline of “Life is short, have an affair…”, this online dating site for those in search of extramarital affairs is certainly polarising. Whatever your personal stance on the spousal cheating site is, its downfall (or exposure) is a brilliant example of ransomware hacking.
Ransomware is a type of malware that is installed on the intended victim’s device, which then typically encrypts their data and holds it hostage for a ransom. The threat being that the hacker/s will either delete, sell or expose that data. What the ransom is depends on the group or hacker holding the data hostage. This can either be a one-off payment, a demand of bitcoins, or in the case of Ashley Madison – an order to cease and desist.
The company was hacked by a group calling themselves The Impact Team and their motives were two-pronged in approach. These hackers clearly had a bee in their bonnet about the ethics of Ashley Madison and their parent company – Avid Life Media.
The demand from Impact Team was that Ashley Madison and a sister site, Established Men (a sugar daddy website), needed to close down, permanently. If Avid didn’t enforce this, Impact Team threatened to expose users/philanderers data. Avid ignored the threat, Impact Team followed through on its promise.
Names, passwords, addresses, the account holders personal sexual preferences and credit card details were released. Over 9.7 gigabytes of data, plastered over the internet for anyone to see.
The really interesting part that largely got lost in the mainstream media’s gosh/shock/horror coverage of the brand stance on extra-marital affairs, was that they had a scheme in place to ‘protect’ their clients’ history and anonymity on the site. By signing up to pay a fee of $19, the user was promised that their data would be erased on the company servers. However, Ashley Madison only deleted this from the public facing server – not the back end servers. Naughty, naughty Ashley Madison.
The would-be philanderers were caught, red cheeked, so to speak. So black hat or white hat hacking? Whatever your stance, this idea of ransomware is very much a real and present threat.
What’s the takeaway?
Whether you handle your own security or outsource to a managed IT service – make sure that they are using the most up-to-date security measures. End-to-end encryption, SSL and various other steps and security measures are crucial for securing your database. Ensuring that your database is not able to be breached via the internet is digital security basics. Also, if you are doing something dodgy, with high secrecy attached, know that it will be an attractive target for hackers. Simple as that.
2016 Democratic Party Email Hack
The 2016 email hack and subsequent leak of the American Democratic party is a story that could come out of a crime-thriller plot. A high stake, international espionage, politically motivated hack that has arguably had a significant impact on current American politics – seems unreal right? How can leaked emails hold the potential to critically injure a political party?
It can if it reveals the inner rifts and workings of the party, as was the case with the leaked emails of the Democratic National Committee. Particularly at a time when Hillary Clinton and Bernie Sanders were fighting for the democratic election for the presidential campaign. A divided political party is not considered a safe bet. Any sign of inner turmoil is hidden behind smiles and firewalls.
That is, until the DNC email was hacked and the cracks within were revealed, thanks to Wikileaks. These included cross-party derision of Bernie Sanders, the fiscal donors and their donations to campaigns, staff social security numbers and off-the-record interactions between Democratic party staffers and members of the press.
The fallout from this is still occurring, but in the aftermath, five prominent DNC members resigned. It’s a dubious claim to make that Hillary Clinton lost the presidential race thanks to these emails, but they certainly played a part. No doubt music to the ears of Wikileaks founder Julian Assange, who spoke of his desire to bring harm to Hillary Clinton’s presidential campaign, as one of his reasons for releasing the information.
But who passed it to Wikileaks? Obviously, they’re not telling. It is a convoluted story, with many twists and turns which have still not concluded in 2017. Purportedly a command and control type of malware was used, which entails the use of botnets and zombie computers. The emails and information were then hacked and passed onto Wikileaks to disseminate. Was it Russian hackers, was it Republican influencers, was it an internal job?
Was it the self-proclaimed lone-wolf hacker Guccifer 2.0? Fingers are pointing towards Russian influence in this instance – allegedly. But those fingers come from top cyber security firms called in to investigate. It’s worth noting that nothing has been proven and this hack is still being investigated.
What’s the takeaway?
No single company is too big to fail. If a presidential campaign can be unhinged, so can your business. If you are operating in a delicate industry or field that could provide bait to hackers, you need to employ some serious security. Don’t be cheap in that area. Don’t be complacent with the livelihood of your business or your client information. The risk is too high.
The Sony Pictures 2014 Hack
The infamous Sony Pictures Hack of 2014 was an absolute treat for many. The near mythical inner workings of a massive Hollywood Studio were exposed for all to see. The public found out that the studio execs considered Angelina Jolie to be “a minimally talented brat”. It also found out what many had long speculated, that female movie stars were paid considerably less than their male counterparts. Some might credit this exposé as a good deed, revealing the dark and seedy underbelly of the Hollywood film industry.
This seems innocuous enough, but much like the democratic and presidential leaks, this was a political move from malicious parties. Allegedly the North Koreans, to be exact.
Why might you ask?
In answer to the dark comedy film, The Interview, set to be released by Sony Pictures. Starring actors Seth Rogen and James Franco, the film was based on the premise of an assassination of North Korean leader Kim Jong-un. It transpires that North Korea does not have much of a sense of humour.
A group calling themselves ‘The Guardians of Peace’, made a targeted attack on Sony Pictures, using a form of wiper malware. It is alleged that the hackers used a phishing technique, which involves sending an email with an attachment that contained the malware. An innocent individual within the company could have clicked on this and unwittingly unleashed the seeds.
Once in the system, hidden, the hackers were able to find key passwords, and key internal users, referred to as escalated privileges. They then were able to implant the malware, which first stole Sony’s data and then deleted and destroyed it on their way out of the system. Salting the earth, so to speak. In the process, discovering other passwords and essentially exposing databases, internal emails, film releases and schedules. This cost Sony many monies. The hacked emails, confidential employee information and data were then leaked, losing the company millions while causing mass embarrassment and revealing top studio execs inner workings. Which included slamming prominent celebrities and racist banter about then president Barack Obama.
Sony was sent emailed warnings from the hacker group that they would be attacked and serious damage done if the studio did not stop the release of the film. Unfortunately for Sony, these emails were either lost in the systems or completely ignored. So GOP followed through on their threat, in spectacular fashion.
At the very least, the public learned that George Clooney is actually deep down, charmingly insecure. At the very worst end of the spectrum, North Korea (allegedly) took a rather large potshot at freedom of speech. Either way, Sony Pictures very public shaming leaves us with some interesting lessons to be learned.
What’s the takeaway?
Aside from don’t annoy North Korea, the key takeaway from the Sony Pictures hack is that you should never underestimate the security or importance of your employees’ or customers’ private data and security. Having databases offline from the internet is not the end line in securing them, they also need to be encrypted. You need to do your basic, household, locked key and coded security measures too. That and to take threats seriously and quickly, if they do emerge.
NB: It’s important to remember that it can often be very hard to pin down definitively who is behind individual hacks. There are many prominent hackers and security experts who have cast doubt on the North Korean blame game. So everything is alleged until proven.
2016 Red Cross Blood Donation Service Data Leak
According to the 2016 IBM Cyber Security Intelligence Index, the healthcare industry was one of the most cyber-attacked industries of 2015. It may seem unusual, however when you think about the private and personal medical information that healthcare companies store, it adds up. That is information which the average person would desperately like to keep private.
For example, when you sign up to the Red Cross Blood Service, many personal details are needed. These include any recent risqué sexual behaviour, your blood type, date of birth and various addresses – plus much more extremely personal information. The kind of information that you really don’t want getting out into the public domain.
Now, although not technically a targeted attack, the 2016 data leak from Red Cross Blood Donation services proved to be, at the time, the biggest security breach in Australia’s history. Around 555,000 individuals were affected, with over 1.3 million records leaked online. This was discovered by a neutral party, who informed Australian security expert Troy Hunt, who in turn informed the organisation and cyber emergency response company AusCERT.
How did this happen? Once again, lax security measures saw that the database was stored on a publicly-facing website – meaning that it was an insecure online environment. Additionally, according to Hunt, directory browsing was enabled on the server. Meaning that any ill-intentioned hacker could easily find the database simply by scanning for publicly-facing servers. Potentially a massive disaster in the making, only saved by the goodwill of the anonymous informant. The mitigator in this mess? It was actually not directly the fault of the organisation, it was their service provider.
What’s the takeaway?
Just like Ashley Madison, this leak was down to not having properly secured the database on a backend server. In this instance, human error, rather than a targeted attack or malware caused the breach. The leaks also illustrate just how vulnerable business can be – whether large, small, a crucial service or a seedy hookup site.
The Yahoo breach was stunning in its proportions and reach. With nearly 1 billion victims, this hack was astonishing in its length and breadth. Interestingly, it wasn’t just the general public affected. High-profile names in the Australian government, federal police, defense and military industries were also victims.
Politicians, ministers of both main political parties, diplomats and defense personnel amongst others, had their passwords, recovery addresses and other data stolen. These were allegedly sold by the Eastern European group responsible for the hack for upwards of $300,000 each.
Not only to cybercriminals but also to foreign espionage firms. More terrifying still? The breach reportedly dated back to 2013, yet was only discovered and reported in 2016. So access to government, political and federal police accounts has been compromised for at least three years before notice or action was taken.
How did the hackers make this happen? Group E, the hacker group allegedly behind the attack had an easy time of it thanks to a critical weakness on behalf of Yahoo. Once a contender with Google, Yahoo haven’t been on the same playing field since the 90s. And this is perhaps when their security methods were last updated. Yahoo were using ‘obsolete encryption methods’. Meaning that it was very easy for the hackers to access their database. D’oh!
What’s the takeaway?
UPDATE. UPDATE. UPDATE. Sorry for the shouty caps, but seriously, this could have been avoided if the company had updated security and kept in line with modern cybercrime trends. This is an over simplification of what is no doubt a many layered onion, but at its core lies the simple truth: it was a lax security effort.
So what are the lessons to be learned from these five, rather spectacular company hacks?
Steps to protect yourself against Ransomwar
1. BACK IT UP
Back it up. This applies across the board, but back up your data and files on your server on a physical hard drive and keep it in a separate and secure location. This way you have your own form of insurance against a more typical ransomware ransom note. That would be “pay this fee or we will delete your data”.
2. Don’t forget the update
Many individuals and businesses are guilty of this. It’s so easy to forget (or ignore) to update your software. However, this is a loophole that could be easily exploited by hackers and it’s an easy fix for you to eliminate a vulnerability. Set a time and date on your calendar to update each week and stick to it.
3. Two Factor Verification
Ensure your employees are using two factor verification of their mobile devices as a mandatory. That way any logins are doubly protected and your network and fleet of devices are much harder to be hacked.
4. Use Protection
In life and business, protection could save you a lot of hassle and pain later down the track. If your business is operating out of a PC, then keeping your security software up to date is incredibly important. It’s those firewalls that are the secondary protection that could make the difference between detection and infection.
5. Don’t Panic
Take those big, comforting and friendly letters courtesy of Douglas Adams to heart. If the enormity and severity of IT security are overwhelming, you need not panic or stick your head in the sand. First of all, do your research, know the level of security you will require and define whether you have the time or resources to manage it yourself. Don’t know where to begin?
Book an appointment with a reputable ICT firm or get in contact and ask for an ICT Security Assessment. It’s a brave new world. Full of tantalising glimpses of the future of interconnectivity. It’s an exciting time, an era that has the potential to leap forward monumentally in the way we do, think and act in the world, day to day and of course – on the internet.
Don’t shy away from that, embrace it. Just ensure you are embracing it with the most up to date and adequate protections you can muster. That’s smart living, without the sacrifice for you or your business. What have you got to lose? Quite a lot, as it turns out.