Poor cyber hygiene – even the experts are susceptible
We often talk about the need for good cyber hygiene for ensuring that credentials aren’t stolen and used for nefarious purposes across one or many accounts. This warning is often given to average end users who are afraid of getting hacked. Unfortunately, the average end user appears not to be the only group that needs a gentle reminder about the importance of good security practices.
Last week, the Hacking Team had its Twitter account and networks hacked. Although the damage to the Twitter account was easily rectified, the information exposed about the company was not. According to an article in Help Net Security, the perpetrators used the compromised Twitter account and “tweeted a link to a 400GB+ torrent file containing the company’s internal emails, files and source code.”
Why would anyone be interested in hacking the Hacking Team? Aside from the potential to damage the company’s reputation through the distribution of corporate emails (think about what a few leaked emails did to Sony!), there may have been a bit of hacktivism involved as well.
The Hacking Team is a provider of digital surveillance solutions. These solutions enable law enforcement, intelligence and homeland security organizations to literally spy on every online move and communication made by their targets. The solutions work by being installed on the device that they’re monitoring and then discreetly transmitting the information back. In addition to being a tool that would draw the ire of many end users, hacktivists and individuals against government spying and overreach, the company has also been fingered (they claim wrongfully) for worse offenses – including the sale of their technology to totalitarian regimes that use it to closely watch their critics and political opponents.
Regardless of what the Hacking Team does or why someone chose to attack them, there are lessons learned from the attack that can serve as a warning for all end users about the importance of cyber hygiene.
Many of the documents and data exposed in the torrent file revealed passwords and login credentials for different Hacking Team employees, many of which were simple and used across many accounts. Although that’s not enough information to know for sure, this poor cyber hygiene makes it easy to see how something like a brute force attack could have been used to perpetrate the attack.
Although lacking a hardened password is a minor issue for one account, it is a major issue for many accounts. Unfortunately, too many end users suffer from password fatigue and fall into the bad habit of embracing what is convenient and easy instead of utilizing disparate, complex passwords across multiple accounts. This is something that employees at security companies should know and take to heart. Unfortunately for the Hacking Team, these practices weren’t being followed.
Although stronger, more varied passwords may have been all that was really needed to prevent – or at least delay – this attack against the Hacking Team, another tool that could have helped mitigate the attack is out-of-band, multifactor authentication.
With multifactor authentication, simple passwords would not have been enough to authenticate the hackers and enable them to gain access to sensitive information. Instead, other authentication factors would have been needed that simply wouldn’t have been available to the perpetrators.
Also, by utilizing an out-of-band process for authentication, the Hacking Team could have further protected itself by minimizing the danger from other types of attacks, such as man-in-the-middle attacks and keystroke loggers.
And that brings up another interesting point about this breach. One of the things stolen was the source code to a tool that is sold to government agencies for the surveillance of online activity. That tool can now be in the arsenal of bad actors who could use it against corporations, government agencies and even consumers to steal data. That’s a pretty scary thought.
With a tool like that in the hands of the wrong type of individual, it’s more important than ever for end users and corporations to think about who’s looking over their shoulders as they type in their passwords. In this environment, taking the authentication process for their online accounts out-of-band may be the best – and only – way to protect credentials and sensitive data.
The Hacking Team is just one of many high-profile breaches that have been exposed in the past year. The Access Granted editorial team will be conducting a webinar on July 22, 2015 entitled “Anatomy of a Breach,” where they’ll dissect five recent breaches, analyze how they happened and discuss who was affected.