No sooner do we pontificate on MumsNet et al on Monday, than they hit the headlines again with a second DDoS attack within a week, which brought the system down on Monday night - Times:
Mumsnet has been hit by a second wave of cyberattacks after a hoax campaign this month led armed police to the home of its founder.
A spokesman for the parenting website said yesterday that it was knocked offline on Monday and Tuesday by attacks that were “double the size” of the first, early on August 11.
From an information security point of view it's an "interesting" problem - the truth is that people with IT skills can create quite a sophisticated digital attack these days at fairly low cost and effort. The big players spend a lot of money on their defences, but how does a "midcap" digital enterprise protect itself without spending all its money on sophisticated technology and an army of skilled techies?
From what has been written so far there seem to be three main areas to look at:
(i) Surviving the DDoS attacks
(ii) Avoiding data theft
(iii) Neutralising the attacks in the first place
(The Swat attacks are reprehensible, but they are not specifically due to system hacking per se - that has a separate risk profile, i.e. the amount of personal data that is publicly available and triangulatable - see a talk we gave on that over here)
Surviving DDoS attacks is non-trivial, but it is the simplest problem to solve, as it is purely technical - in essence one needs a hybrid architecture of a scalable cloud-based infrastructure to be able to deal with the volumes, and an on-site system that keeps the lights on and is watching for the probe hacks that will often come under the cover of the DDoS.
Data theft attacks are more subtle, and hackers often use the confusion created by a DDoS. If a company is hacked, it is highly likely that links will be redirected to false sites in order to phish for more data. This data often comes in droves after a DDoS attack as people try to log in to re-establish contact while there is still systemic confusion. The "worst case" attack is that an internal system has been subverted; typically a careless (or occasionally malicious) employee is the problem. This is exacerbated by modern "bring your own device" policies. In these cases the key is to ramp up secure procedures and discipline, which unfortunately also impacts users.
But ultimately, the cost of maintaining continual high security is, well, high, and no system is 100% secure against determined attack - it is also necessary to try to neutralise both the reasons for being attacked, and/or the attackers. It would appear that it's some posters on MumsNet who say things that these activists don't like, and thus the activists are mounting these attacks. The problem with activists (of all stripes) is that they probably won't go away anytime soon. As yet it's not clear where they are coming from, but it is even harder to manage this process if attacks are coming from other countries.
We think this will be an emerging trend, the use of (fairly low cost & effort) cyber-attacks to stop people one doesn't agree with having their say (or in the case of Ashley Madison, doing things one disagrees with) as it plays to an increasing tendency towards online polarisation and intolerance. Unfortunately the "systemic" endgame solutions will be some time away - which doesn't help the companies being attacked early on. MumsNet has some tough decisions to make on content vs discontents.
We have been reflecting on the data breaches at Mumsnet and Ashley Madison as well as the user revolt over Spotify’s attempt at a data land grab. We are still at the start of the information age and users are still learning the value and power of personal data. We believe that there are some lessons to learn here.
- nothing is secure! We should know this by now! Even the NSA is not secure, as Edward Snowden helpfully demonstrated. Once you have given your information to a third party you have lost control of it, so take care about who you trust and what you tell them. For example, does my cable company need to know my real date of birth? Invent an “Internet Birthday” and only tell banks and governments your real DOB (banks so your credit check works and governments as they get grumpy when citizens don’t co-operate!)
Ashley Madison were bordering on the insane to claim (as reported by the Independent) that their servers were “kind of untouchable”. The only untouchable server is turned off, buried and disconnected!
Even after the data breach, the Ashley Madison website has pictures of padlocks and assurances of discretion. However, if you think about the value of the information to the user and compare it to the funds available to Ashley Madison to keep it secure, it doesn’t add up. The fact that a user’s email is “on the list” has potentially life-changing consequences. At least, it will risk their relationship and family. Some people might say that they deserve that, although for the purposes of this post, we are not making moral judgements and just considering the relative value of information in different contexts. However, most people would be concerned about those users who have listed gay preferences and are therefore exposed to physical danger in the countries where they live (as reported in the same Independent article).
Of course, if you live in the wrong country, there are all sorts of lists that might get you into danger. Political activism in repressive countries is one of the things that the TOR Router was invented for, although it’s better known in the mainstream media for facilitating unsavoury transactions on the “dark web”. Data security is not the same as anonymity and in the case of paid-for services, anonymity is only an option if you can pay by Bitcoin.
- users should consider how damaging a piece of information would be if revealed. This is really a variation on lesson 1, but with an emphasis on risk management. Because we mediate an increasing proportion of our lives via the Internet, there is more and more information that could potentially be taken out of context. This might be a youthful indiscretion posted on social media and picked up by a potential employer. It may be photos intended only for your partner. It may be that you are on a list of activists or a site like Ashley Madison. Most people would not want any of these things shared, but users can be naively trusting. You need to ask if the protection of said information will be given the same priority as you would give it and given the persistent nature of digital information, for how long?
The Mumsnet Data Breach provides an interesting contrast. Although users may have been inconvenienced by the breach, there is nothing on Mumsnet that anyone would be ashamed to own up to, or at least is not in (semi) public view already. From the reports, the only valuable information that seems to have been revealed from Mumsnet are personal details such as user email / password combinations and some postcodes. As Mumsnet have reset all their passwords, this only becomes a problem for users that use the same password for many sites. Unfortunately a depressing number of people do this and are vulnerable to breaches and phishing.
- use a different password for each site. If you can’t remember that many passwords, append some letters from the site name to your password, e.g. “passwordMU” (by the way, “password” should not be used as a password!). This approach will stop automatic bots from reusing your password on other sites. Alternatively, use the browser function to store passwords. I would recommend Firefox as it allows you to share passwords across several systems using a “zero knowledge” protocol, meaning that their servers can never know your passwords (even if hacked).
I haven’t talked about banking or financial websites and apps so far. From a user’s point of view (at least for the time being) the risk is more about inconvenience than loss of funds. The banks are still bearing the loss of data breaches to keep consumers confident in on-line banking. To be fair to the banks, they are also improving on-line security with two-factor authentication as standard for most on-line banking systems.
- Email addresses are not secure identifiers. As email addresses are public, it’s quite easy to “borrow” email addresses. Spammers do this all the time as real email addresses stand more chance of traversing spam filters, especially if they are previously known to the intended recipient. There are reports that some of the email addresses on the Ashley Madison list were not put there by their legitimate owners. Of course, they would say that wouldn’t they! However, I am inclined to be sympathetic to such claims as Ashley Madison did not require emails to be verified and their “freemium” model is likely to attract “spam” profiles. These may be to initiate “Nigerian” scams, build botnets, etc.
- This is well made by Paul Mason in the Guardian and is about the value of aggregated data. The examples of passwords and specific data points (“this user is an adulterer”) are easy to see. What is less obvious is how seemingly innocuous data (location, buying patterns, etc) can be combined to make predictions about users and gather intelligence. On one level this is just creepy. For example, predicting women are pregnant before they know themselves. However, given what we know about the power of loyalty cards, it is more than likely that harvesting such rich data will give huge insight into our behaviour and intentions, conscious and unconscious.
We are moving towards a world of “total information awareness” - in fact, the name of a post-9/11 spying programme but nicely descriptive. Although recent events have highlighted the risks, there could be many positive sides. For example, your doctor could call you to say that you might be ill, rather than the other way around. However, we should go into this brave new world with our eyes open.
that Google now has to cut links to stories talking about the right to be forgotten:
Google has been ordered by the Information Commissioner’s office to remove nine links to current news stories about older reports which themselves were removed from search results under the ‘right to be forgotten’ ruling.
The search engine had previously removed links relating to a 10 year-old criminal offence by an individual after requests made under the right to be forgotten ruling. Removal of those links from Google’s search results for the claimant’s name spurred new news posts detailing the removals, which were then indexed by Google’s search engine.
I wonder if Google will be ordered to remove links to our story about the ‘right to be forgotten’ removal stories' own removal stories. Ah, the curse of recursiveness....
But this is the EU law - so of course, by using a Google browser from another country or Google.com this will not happen, as it does not apply (Yet - the EU is trying to make Google implement Right to be Forgotten across all its assets).
Or just access another browser without assets operant in the UK that need not follow the law - DuckDuckGo, for example.
Quack Est Demonstratum...
I've been looking at research around what can be discerned about organisations and their effectiveness due to various organisation structures, and this paper, Calculating Byzantium, by Johannes Preiser-Kapeller of the Institute for Byzantine Studies, Austrian Academy of Sciences came up. Compared to much of the worthy stuff and (frankly) dross I've been reading, it was fascinating, just the sort of thing Broadstuff readers may enjoy. The other useful thing about networks of the past is that you know what happened next, so they are, to some extent, predictive.
It has a section looking at the social networks of the Byzantine Emperor and the Osman Turk statelet (one day to be the Ottoman Turks) who were eventually to overrun Byzantium (there are also some other interesting sections about calculating ancient social networks, fits nicely into Jared Diamond & Robin Dunbar's work).
The two commanders' network diagrams are shown in the picture above, and what is clear is that the Turkish command system is smaller and - looking at the stats (see below) - has many advantages. The paper notes that:
The network of the then significantly smaller incipient Ottoman state is of course also smaller than the Byzantine one and consists of 43 nodes. As the comparison of some key figures demonstrates (see table below), this smaller size results in a lower average distance between the actors and a higher average potential speed for the flow of information, resources etc.
The network of the dynatoi (two co-reigning Emperors) is significantly more stratified (11 network levels vs. 3 network levels); but although the Ottoman network is more than four times smaller, the Clustering Coefficient of the Byzantine network is higher, which ... indicates the high “cliquishness” within the Byzantine aristocracy. That the network of Osman Bey in contrast is more centralized with regard to the potential flow of influence, resources etc. is indicated by the higher centralization values for closeness (which measures the average distance between one node and all other nodes) and degree (cf. also the degree distribution of the Osman Bey-network), whereas the higher betweenness centralization of the dynatoi-network hints again at a higher de-centralisation of cliques and influence which gave actors the opportunity to establish themselves as brokers.
Thus, our analysis shows a highly stratified, more de-centralised network of the Byzantine “powerful” confronted with a smaller, flexible Ottoman network, in which the potential flows of power and resources are more centralised in the hand of the ruler.
It's easy to jump into the assumption that the Turks are far more integrated, clearly far more information can be moved fast, and thus the Turkish system is more flexible, more responsive, more effective, and the inevitable Fall of Byzantium is merely a matter of time (took c 100 years from this period to get parity, mind you, and another 100 to finally take Byzantium out - a lesson that big old dinosaurs are still no pushover for fast moving startups).
But there are a few caveats:
Firstly, Byzantium at this time was a bigger, far more complex state than Osman's Turkish statelet so needed more people to run it and - very unusually - was running with 2 Emperors (older one + nephew) and broke into a ruinous civil war in 1328 (half way through this map's timespan) so the network would be massively bi-modal, with 2 opposing camps, by definition.
Secondly, the Byzantine system had been relatively stable for 800 years (just how they managed that would really be worth studying) so it's not a slam dunk that Osman's system was "better"; Byzantium had seen the likes of Osman (and far worse) come and go many times over the centuries. Arguably he got lucky, being around just at the time the Empire was busy tearing itself apart (and Andronikus II was by all accounts one of the crappest Emperors they ever had) and other challengers - the Venetians, Bulgarians and various Latins - were also attacking it at the same time.
Thirdly, as the paper notes, in Osman's network "the potential flows of power and resources are more centralised in the hand of the ruler". This works if the leader is able, and can keep on top of the decision flow. Not so good a system if the leader is not so able, and/or the system becomes more complex.
If there was a modern lesson for the "flexible structured, small and nimble giant killer startup school" it's that it's not enough to be just that to succeed; your large and ossified dinosaur opponent also needs to be in total disarray internally, and probably beset on a number of other fronts simultaneously. That the Ottoman state system started to look more and more like the Byzantine as it grew is a salutary lesson.
Or, to rephrase, that the [Insert your favourite Unicorn] system started to look more and more like the [insert your most hated Corporate Dinosaur] as it grew is a salutary lesson.
It would appear Facebook's Messenger service not only knows your location, but packages it in the data stream when polled. The fate of the prospective Facebook Intern, Aran Khanna, who found this out and built an App on the back of it, however, is more interesting - Boston.com:
The app also showed the locations, which were accurate to within three feet, in a group chat with people he barely knew. That meant complete strangers could hypothetically see that he had messaged them from a Starbucks around the corner, while he could see that they had messaged from their dorms.
The app capitalized on a privacy flaw that Facebook had been aware of for about three years: the Facebook Messenger app automatically shared users’ locations with anyone who they messaged.
Within three days, Facebook asked Khanna to disable the app. The company also deactivated location sharing from desktops, which meant Khanna’s app wouldn’t work even if he hadn’t taken it down. And the company that Mark Zuckerberg famously launched from his Harvard dorm room withdrew its internship offer from this Harvard student, who apparently made the mistake of...launching an app from his dorm room.
And, in classic Facebook one step back, two steps forward mode, after Shooting the Messenger (App Maker) they then...
...released a Messenger app update trumpeted as follows in a news release: “With this update, you have full control over when and how you share your location information.”
The description didn’t mention the previous default settings. Nor did it point out that users who didn’t activate the update would continue to share their locations by default unless they manually altered their privacy settings.
The lesson, should you wish to learn it - again - is that Facebook's view on your privacy is to exploit it until caught at it, and even then to try everything to keep it ongoing.
The other lesson, of course, is that Social Media SNAFUs must always be blamed on the Intern