One 2015 cyber threat trend was not widespread, but deserves attention because of a pair of high-profile security breaches: Hacking Team and Ashley Madison. In both cases the perpetrators of the breach not only stole confidential information, they published it to the world. This combination of criminal data theft via hacking and public exposure of internal secrets represents an emerging threat, which ESET has dubbed haxposure.
In this article we discuss how haxposure differs from other threats, why it may be on the rise and what organisations should be doing to protect against it.
Haxposed: damaging company secrets and innocent customers
In July of 2015, some 400 gigabytes of information were stolen from Italian security company, Hacking Team and published. In an unconnected incident later that month, a group calling itself Impact Team published a subset of account data stolen from Canadian firm, Avid Life Media, that operates the Ashley Madison website which promises to connect men and women who want to have an affair. The hackers demanded the website be shut down. When that did not happen, they released gigabytes of internal data in August, causing embarrassment to some individuals, and providing evidence for lawsuits against the company.
What the Hacking Team and Ashley Madison Incidents have in common is that a security breach led to exposure of secrets that were damaging to the reputation and business model of the organisation. In the case of Hacking Team, the exposed data appeared to prove that the company had been selling its digital surveillance tools to repressive regimes, despite the company’s past claims to the contrary.
In the case of Ashley Madison, the exposed data appeared to prove claims that the company did not remove customers from its database, despite charging them money to do so. The exposed data also supported allegations that a lot of female participation was fabricated, seriously undermining the company’s credibility and its claim to facilitate affairs.
In both cases, it would appear that the people behind the attacks were unhappy with the business models of the targeted companies.
The Implications of haxposure
Whether or not the Hacking Team and Ashley Madison attacks qualify as hacktivism, the strategy of haxposure represents a potentially more damaging threat to an organisation than data being looted and sold to people who secretly exploit them. The damage potential is a function of the sensitivity of the data you are trying to secure, where secure = keep secret.
Consider a scenario in which you are a food company and hackers steal your secret recipe for baked beans. If they sell it to one of your competitors or publish it on the internet that is bad news, but it probably won’t sink your company. Unless your secret recipe contains a harmful secret. Suppose one of your secret ingredients is a banned carcinogenic. Exposure of that kind of secret can seriously damage reputation, revenue and valuation.
Several factors have combined in recent years to increase the risk of companies keeping harmful secrets:
1. Access to hacking:
Anyone can hire a hacker. Gone are the days when only a few technically skilled persons were capable of performing acts of digital disruption, and when the only disgruntled employees capable of digital revenge were in the IT department. Nowadays, hacking attacks are an option for anyone who has a beef with your organisation, regardless of their technical knowledge and hacking skills.
2. Access to open source intelligence:
When you use the internet to advertise your business you expose your business to the world. The full implications of the reality continue to elude some business folk. To be clear: you cannot use the World Wide Web to promote controversial goods and services to a select group of people - that is not how the Web works. Whether you are selling furs or rhinoceros horn powder or surveillance tools that can be abused by repressive regimes, trying to do so discreetly via the Web is not possible; history and logic clearly show that when you try this, your business will be discovered by critics, explored, and possibly exposed.
3. Publication tools abound
Sites like Wikileaks and Pastebin enable anonymous publication of stolen information, reducing risks for those who engage in haxposure.
4. Appetite for anger
The global reach of social media, which can act as an amplifier for outrage – sometimes in the absence of supporting data – can be an attractive platform for the crusading hacker, increasing the spread and impact of published secrets.
5. Complexity is the enemy of security and secrecy
It is clear that keeping secrets is hard when they are kept in digital form. Complex systems typically contain multiple unpatched vulnerabilities that are known and can be exploited, plus some number of zero-day exploits that are not known, much less patched. Furthermore, digital secrets are much easier to exfiltrate, potentially a mere blip in outbound network traffic, or a tiny bit of physical media.
What are the implications of these factors? First and foremost they underline the need to get the security basics right.
You are definitely going to need, at a minimum:
- Strong authentication, anti-malware and encryption (these could have limited damage for both Hacking Team and Ashley Madison).
- Backup and disaster recovery plans and capabilities
- An incident response plan (lack thereof was apparent at Sony Pictures)
- Insider threat monitoring (one trusted party with privileged access can cause way more trouble than thousands of external attackers – see Snowden vs NSA)
Beyond these basic security techniques there are strategic factors that need to be adjusted to address the threat of haxposure:
- Risk assessment: Do your security policies and controls reflect awareness of the haxposure threat?
- Operational awareness: Is the organisation mindful of the potential to invite haxposure attacks in the way it conducts its organisation?
- Organisational transparency: Is the organisation being unnecessarily secretive in its operations? And are decisions to keep secrets with a full awareness of the potential for leaks and associated blowback?
Will we see more cases of haxposure in 2016? The answer depends on several factors including the extent to which organisations educate themselves about this threat and take appropriate countermeasures.
If a few high profile companies succeed in heading off such attacks and work with law enforcement to bring perpetrators to justice that may act as a deterrent. Unfortunately, it is also possible that haxposure will be encouraged by risky corporate secrecy.
Hackers who feel that they have right on their side and a right to act as arbiters of justice may feel inclined to seek out further secrets and expose them, potentially damaging innocent victims in the process.