The other day the Associated Press (AP) twitter feed was hacked through a spear-phishing attack against AP employees. It was apparently instigated by the Syrian Electronic Army (SEA) — a Syrian government aligned hacking group. The SEA has either taken credit for or has been blamed for attacks recently against news organizations like CBS, NPR, and the BBC, as well as international organizations like FIFA.
Clearly, We’re now in an era where cyber terrorism or cyber warfare is becoming more common. In some cases these acts may be perpetrated by sovereign states, as was the case with Stuxnet and its attack on Iran’s nuclear program and very specifically targeting the centrifuges that they were using to enrich uranium to weapons-grade level. In other cases there may be pseudo government aligned entities like the SEA lashing out against organizations that aren’t aligning with their political agenda. Two other common perpetrators in these attacks can be groups like Anonymous who push a variety of political, legal, and anarchical agendas or the unknown black hat agent who may be just doing something because they can.
During the news frenzy of the Boston attacks last week the news, link aggregation, social media, and internet naval gazing site reddit was attacked. As part of their post mortem they stated, regarding who perpetrated the attack, under the call out of “conjecture:”
“I’d say the most likely explanation is that someone decided to take us down for shits and giggles. There was a lot of focus on reddit at the time, so we were an especially juicy target for anyone looking to show off. DDoS attacks we’ve received in the past have proven to be motivated as such, although those attacks were of a much smaller scale. Of course, without any clear evidence from the attack itself we can’t say anything for certain.”
Regardless companies must take a more aggressive stance on security.
One of the key areas of focus in making security better is by helping to better secure accounts. Federation technologies like SAML have been around for a while but have only become common in enterprise scenarios as they require tight integration between two entities and are complex to implement and manage. Other technologies like OpenID have shown promise, but flaws in the protocol and wavering interest in key organizations and with individuals that were pushing this initiative have made it so that the technology isn’t widely enough adopted to be useful.
The latest approach seems to be around the FIDO alliance. FIDO is an alliance of several organizations and companies that are trying to align to “support the international standardization of OSTP by a recognized standards body.” Although this seems like a great goal, I guess, OSTP isn’t a published standard today and the only implementation of this “standard” is by a private company. The goals of the FDIO alliance are lofty but they are at a nascent stage, and given that they are currently bypassing standards bodies, it’s difficult to understand how much of FIDO is marketing vs reality.
I’m a big believer in using what we have today, in our hands right now, and using that to make the world a better place. Mobile based (either voice, SMS or app based) two factor authentication (2F) is here today and organizations such as Google, Apple, and Microsoft have all implemented this in some way, shape or form in their products. Google and Microsoft have made broad statements about rolling this technology across their platforms to their users. Although 2FA isn’t going to stop Anonymous, it will make the gigantic releases of username and passwords to sites like Pastebin.com irrelevant since a password won’t be sufficient to log into a site.
I like the approach that Gabe Newell the founder of Valve Software, publisher of the Half-Life series of games among other hugely popular games, took. Gable when he implemented 2FA in their Steam online store published his username and password in public saying that with 2FA it didn’t matter if it was stolen his account would still be secure.
Here it is:
Good luck in cracking into there.