Corporate Security

Ashley Madison & Hacked Jeeps – Morality, Safety and Security Awareness

Oh my goodness me. Isn’t big bang security news just like busses (only two so far, but what’s the betting another one will be along in a minute).

My reaction to the former…

Gossip‘Cheaters R Us’ site Ashley Madison gets user data stolen by hackers apparently motivated by unfair and insecure conduct by the company. Only a sample of data was in the wild, but more is promised if they don’t shut up shop

…was very simple. A very long intake of breath through pursed lips. You know what I mean…in the world of tradesmen it’s usually followed by a slow shake of the head and the words “That’s gonna cost you”.

The mainstream media first focused on ‘flexibly committed’ members of Ashley Madison who can be personally identified by leaked information. They’re mainly saying

BE AFRAID…BE VERY AFRAID

and

SERVES YOU RIGHT

BUT (and this isn’t a popular perspective right now) morality, when you break this down, is irrelevant. It was irrelevant to the hack (the reported reason for hacking was AM charging for secure deletion of confidential data, then apparently not following through) and it is irrelevant to the question of personal privacy and online security risks:

The data – whether payment cards, names, addresses, dates of birth, or sexual fantasies – is confidential. A subset of users who are savvy about online risks would have checked AM statements about site confidentiality and security and managed their risks accordingly. Another subset might have been ignorant of the risks and used insecure credentials and unnecessarily revealed real personal details in exchanges.

Whether they were active or just curious members, should what you deem questionable social conduct cost them their online, financial and potentially physical safety? My answer is no and wouldn’t differ if my partner was registered. Yes I would take fantastic delight in him being digitally screwed over and ‘vigorously discuss’ what the heck he thought he was playing at, but my core takeaway from the specifics of the incident would still be:

If a business built on the necessity for secrecy and security (AM called themselves the last truly secure space on the internet) didn’t keep information safe, what does that tell us about other companies?

My reaction to the latter…

magoo1Security researchers demonstrating software vulnerabilities in a Jeep Cherokee by turning off it’s engine while Ken Westin was driving it at 70mph (check out the video if you don’t believe me).

…was all together different. It began with morbid fascination and culminated in a bona fide shudder of horror. The only sane reaction from a parent who drives her kids anywhere.

For the Jeep Cherokee horror story, the immediate and headline advice is simple:

FIX IT…NOW!

There’s absolutely no need for me to talk about consequences here, but the question of both auto-industry and driver awareness and treatment of risks is a big one. There is a patch out now, but challenges about this need to be issued by car industry regulators and consumer groups. Cars must be safe by design…not by retrospective patch. But to balance online rage at car manufacturers, many have been collaborating with security specialists to make fundamental changes to the way they approach and practically implement security. That kind of shift isn’t simple or quick, so blanket judgements can be unhelpful.

So why write about both at once? Because they’re both going to resonate with everyone. Anyone who drives and anyone who has been or who has considered being unfaithful to their partner.

Could this be a security awareness tipping point?

For all the furore about root cause, method of exploitation and the effect on the businesses involved (Ashley Madison’s planned IPO is a notable victim), it’s the users of their services and products I’m most concerned about. Ironically, in AM’s case, they were the victims of both corporate lack of diligence AND hackers trying to raise awareness about it.

Hackers leaked customer data knowing it would grab most headlines, but many companies considering security before this were more than likely solely focused on their bottom line. Yes a big media splash can hurt sales and share prices, but it’s a relatively short-lived effect (see the share prices of Sony and Target for details).

That prioritisation bias is getting brutally adjusted and will result in some hiring, firing and rapid security spending activity, but in many firms it will settle back down to pounds and pence, rather than the question of user privacy and security. If future assessments highlight risks for consumers that don’t look likely to raise flags with regulators, or make the news, they’ll likely not be a priority to mitigate.

How does this change?

Speaking to users: You change it! Vote with your feet. Ask more questions. Complain to regulatory and oversight bodies and publicise the impact on you.

Not motivated to do those things? Do what you can as an individual to keep your information safe. A couple of links to posts here and elsewhere to help you do that:

And, wherever it is that you work, apply the same principles. The Ashley Madison hack looks likely to have been an inside job (intentionally or unintentionally), so worth thinking about it. Imagine the call from your manager to tell you a hack originated from your PC.

You might be asked to look at security risks to do with change projects, you might contribute to strategic security spending decisions. If so ask about and consider implications as if you were the one personally impacted. On the other hand you definitely will:

  • Hold doors open for others to come in the building
  • Spot a new person sitting at a desk nearby and not ask who they are
  • Click on links in emails without doing a sense check to see if the content and links look kosher
  • Chat on the train about work without thinking about other people listening.
  • Stick a USB drive into a computer without being 100% sure its free of malware
  • Send files into work from or out of work to your webmail account.

Again think about fallout before doing these things next time. Consider the possibility that clicked link could allow an attacker to get into and camp on your machine. Scooping files and contents of correspondence and jumping off onto other devices you connect to. Perhaps they harvest your details and use them to try and access other sites your browsing history tells them you’ve visited both at home and at work. Perhaps sites like Ashley Madison…

A bit on the business perspective – IT WASN’T A TERRORIST ACT!

To close, a little on what’s usually the most popular debate in the security media-verse: Cause and ways to avoid this being your firm. Yes Ashley Madison was cyber crime and exploitation, but it’s not, as one senior staff member at Ashley Madison said, a terrorist act. Rather than repeating reams written before there’s stuff almost guaranteed to be pertinent in these past posts. The wearying truth is that causes are bound NOT to be a huge surprise:

Ohhh P M

Sony, Sensationalism and Cybersecurity Solutions

How much security is enough

Security Awareness is for life, not just for compliance.

We’ll see just how unsurprising and pertinent, when the avalanches of commentary come to some coherentish conclusions.

Want to add to the discussion?

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s