The Real Consequences of an Anonymous Data Leak

Wednesday, August 17, 2011

Rafal Los

0a8cae998f9c51e3b3c0ccbaddf521aa

I checked out the information leak that the now-infamous Anonymous collective released from their hacking into the BART system over the weekend in retaliation for what they perceived was a breach of civil rights by BART during a protest last Friday. 

I don't need to give you details since you can look those up, or an opinion on whether BART violated civil rights or not... but I will give you an idea of the consequences of one of these little stunts.

As you can see, the site was released middle of the night day, Sunday night (see image below).

BART_Release_Site.jpg

Shortly thereafter, one of the people who had their information leaked, and just so happens to work here at HP, got this email:

phishing.jpg

Yes, this is your typical USPS delivery notification phishing email, and if you look closely at the link you'll realize it points to some site that's obviously not the USPS... but I digress.

Interestingly enough, I'm happy to put Karen into the "gets it" class of user.  She's security aware, and does a good job of being paranoid.  When I sent her an email about the fact that her information as exposed she was already well on top of the situation. 

In fact, she forwarded me the phishing email she was suspicious of so I can investigate it.  First off, way to go Karen... second off, I think this makes several interesting points.

What groups like Anonymous fail to see is the very real consequence of their actions. 

You've probably heard me say "Never let a valid cause get in the way of reckless actions"... and this is a perfect example of that.  In this data breach ...ask yourself who was hurt more. 

Was is BART?  Or was it the end-users who were almost immediately phished and attemptively compromised?  Now ask yourself, how you can in good conscience support that kind of activity... honestly.

I know many of my colleagues in Information Security sympathize with the Anonymous cause, because it's not too difficult to do so.  While I won't comment personally on how I feel about that - I can tell you I absolutely do not condone the reckless actions, and short-sighted activity that leads to more harm than good.

In the end, this does raise awareness for end-user education and that we should always be vigilant about what shows up in our mailbox.  Users are the weakest link, and will continue to be... So how do you factor that into your IT Security and risk mitigation policy or framework? 

Are you prepared for your users to be phished of their corporate credentials?  What about your customers?  Keep in mind as hacktivism continues on its rampage of corporations and governments... you are the collateral damage

Stay vigilant, ever more so now that the war is on.

If you're like to go check to see if your information was leaked, go here: http://www.djmash.at/release/users.html

Cross-posted from Following the White Rabbit

Possibly Related Articles:
7811
Security Awareness
Information Security
Phishing Data Leakage Security Awareness Anonymous Hacktivist AntiSec BART
Post Rating I Like this!
Default-avatar
Jake Rosenbaum So the collateral damage was an unanswered phishing email? what was the collateral damage of turning off the phones? Hardly parity I would say.
1313699693
0a8cae998f9c51e3b3c0ccbaddf521aa
Rafal Los @Jake - the collateral damage was my co-worker's phone number being released and her being repeatedly harassed by these kids. That's an offense that I'd like to see the perpetrators behind bars for.
1315500223
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.