You probably already know the Syrians hacked “The Onion” recently. There’s more to the story.
This weekend, I was reading up on the details of how “The Onion” got hacked. On The Onion’s tech blog, they disclosed what happened and how they were phished 3 different ways via employees’ Google Apps accounts.
I am glad The Onion is disclosing this information, as it provides some behind-the-scenes data that others can use to learn from their experiences.
Old Tricks Work on Old Dogs
The attack wasn’t any different from the things we hear about (and warn about) all the time, but it worked:
These emails were sent from strange, outside addresses, and they were sent to few enough employees to appear as just random noise rather than a targeted attack. At least one Onion employee fell for this phase of the phishing attack.
That’s the part that sucks – it only takes one person to let their guard down, and only a moment of (pick one) distraction / weakness / lack of conscious security thinking.
Once one person gives up their credentials, things get easier:
Once the attackers had access to one Onion employee’s account, they used that account to send the same email to more Onion staff at about 2:30 AM on Monday, May 6. Coming from a trusted address, many staff members clicked the link, but most refrained from entering their login credentials. Two staff members did enter their credentials, one of whom had access to all of our social media accounts.
Again, relying on humans’ general willingness to trust — and turning it up a notch by using the identity of someone they know to increase their odds of success.
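The second stage described above, an internal account mailing the same link to many colleagues in the middle of the night, is exactly the kind of burst a mail gateway can flag. As an added example (not code from The Onion or from this post), here is a small detector run over constructed outbound-mail log lines; the log format, the internal domain example.com, the thresholds and the quiet-hours range are all assumptions.

```python
# Added example, not from The Onion's write-up. Flags an internal sender that mails
# one URL to many distinct colleagues within a short window; a burst during quiet
# hours (the 2:30 AM case above) is rated higher. Log format and domain are assumed.
from collections import defaultdict
from datetime import datetime, timedelta

INTERNAL_DOMAIN = "example.com"      # assumed; the real domain is not on the page
RECIPIENT_THRESHOLD = 5              # same link to this many colleagues is suspicious
WINDOW = timedelta(minutes=10)
OFF_HOURS = range(0, 6)              # 00:00-05:59 local, assumed quiet hours

# Constructed sample lines: "<ISO timestamp> from=<addr> to=<addr> url=<link>"
SAMPLE_LOG = """\
2013-05-06T02:30:01 from=alice@example.com to=bob@example.com url=http://bad.example/login
2013-05-06T02:30:03 from=alice@example.com to=carol@example.com url=http://bad.example/login
2013-05-06T02:30:05 from=alice@example.com to=dave@example.com url=http://bad.example/login
2013-05-06T02:30:07 from=alice@example.com to=erin@example.com url=http://bad.example/login
2013-05-06T02:30:09 from=alice@example.com to=frank@example.com url=http://bad.example/login
2013-05-06T09:15:00 from=alice@example.com to=bob@example.com url=http://intranet.example.com/wiki
2013-05-06T09:16:00 from=alice@example.com to=carol@example.com url=http://intranet.example.com/wiki
2013-05-06T14:00:00 from=news@outside.example to=bob@example.com url=http://bad.example/login
"""

def parse_line(line):
    """Split one constructed log line into (timestamp, sender, recipient, url)."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return datetime.fromisoformat(ts), fields["from"], fields["to"], fields["url"]

def find_internal_mass_links(log_text):
    """Return one alert per (internal sender, url) that reached RECIPIENT_THRESHOLD
    distinct internal recipients inside WINDOW; off-hours bursts are 'high'."""
    events = defaultdict(list)               # (sender, url) -> [(time, recipient)]
    for line in log_text.splitlines():
        ts, sender, rcpt, url = parse_line(line)
        if sender.endswith("@" + INTERNAL_DOMAIN) and rcpt.endswith("@" + INTERNAL_DOMAIN):
            events[(sender, url)].append((ts, rcpt))
    alerts = []
    for (sender, url), hits in events.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            burst = {r for t, r in hits[i:] if t - start <= WINDOW}
            if len(burst) >= RECIPIENT_THRESHOLD:
                severity = "high" if start.hour in OFF_HOURS else "medium"
                alerts.append({"sender": sender, "url": url,
                               "recipients": len(burst), "severity": severity})
                break                        # one alert per (sender, url) is enough
    return alerts
```

The outside sender on the last line is deliberately ignored here; that first stage (a few mails from strange external addresses) looks like noise in volume terms, which is why the internal-sender burst is the better signal.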
The folks at The Onion provided some good tips, most of which were familiar to me. There was one that struck me, though – one I think I’ll adopt:
The email addresses for your Twitter accounts should be on a system that is isolated from your organization’s normal email. This will make your Twitter accounts virtually invulnerable to phishing (providing that you’re using unique, strong passwords for every account).
Would You Share Like The Onion?
I am impressed with The Onion’s willingness to share this information. Granted, with the nature of their business, there wasn’t a lot to lose in doing so. However, I was wondering: How many other organizations would be willing to share this kind of information with the world?
We’ve been talking a lot about “information sharing” lately (across many industries), but it has mainly been focused on sharing threat information, and not so much on sharing how our security has failed. I think there is just as much value — perhaps more — in sharing the failures as there is in sharing threat information.
What do you think?
And a big “thank you” to the folks at The Onion for being great examples of trying to improve the state of practice for security on the internet.