This is what you should know to stay safe in our increasingly compromised cyber world
The OurMine hacker group appears to have struck again, this time taking over the Twitter accounts of National Geographic and Sony. This is far from the first time OurMine has hit a high-profile target: in the past few months alone we have seen the Business Insider hack, the takeover of Google CEO Sundar Pichai's Twitter and Quora accounts, and, most famously, Mark Zuckerberg's Twitter account. OurMine describes itself as a 'Security Group' that sells personal, enterprise, and complete company security audits, and it seems to hack companies without doing lasting damage in order to draw attention to poor security practices.
As the Netflix and Marvel Twitter hacks showed, the group uses the compromised accounts to advertise its own services and, mostly, to brag about having hacked such major companies. What is troubling, however, is not the prank-style hacking OurMine engages in. It is how the group is getting into these accounts that should raise flags for other enterprises and major companies.
OurMine is known for leveraging the usernames, email addresses, and passwords circulating from the mega breaches of 2016. These include the LinkedIn, Dropbox, and multiple Yahoo data breaches, which together account for over 2 billion compromised accounts.
Leaked password hashes are usually not an immediate problem if the breached company stored them with a proper password-hashing scheme (salted and deliberately slow to compute), because that makes cracking a dump at scale impractical. In most of these cases, however, the passwords were not hashed properly: many were stored with fast, unsalted hashes. A salt is a random per-user string mixed into the password before it is hashed, so that identical passwords produce different hashes and an attacker cannot crack an entire dump with a single precomputed table. Because the breached companies skipped that step, anyone who wants to crack the leaked passwords can do so.
The sheer size of these breaches also guarantees that a percentage of the passwords are still valid long after the disclosures are published. Less than 1% of those affected by password breaches change their passwords, even when they know they have been affected. This gap creates perfect conditions for attackers to exploit password reuse in order to compromise enterprise accounts. Password reuse, and the use of common passwords such as '12345', 'password' or, in Zuckerberg's case, 'dadada', lets attackers replay one email address and password pair against many services (a technique known as credential stuffing). OurMine demonstrates this over and over, against individuals as well as major organizations: the group simply tries leaked credentials against social media and other accounts, with considerably more success than one would expect.
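The two points above, that unsalted hashes make a dump cheap to crack and that reused passwords can be spotted across services, are easy to see in code. The following is an added example written for this article, not code from OurMine or from any of the breached companies; all of the "breach" records in it are constructed, and PBKDF2-SHA256 stands in for whatever proper, salted, slow hash a company should use. (LinkedIn's 2012 dump, for comparison, turned out to contain unsalted SHA-1.)

```python
"""Why unsalted password hashes make breach dumps so useful to attackers.

Added example, not code from the original article. Every "breach" record
here is constructed for illustration; none are real accounts or real hashes.
"""
import hashlib
import hmac
import os

# Constructed wordlist of the kind of passwords the article mentions.
COMMON_PASSWORDS = ["123456", "password", "dadada", "qwerty", "letmein", "12345"]

# Work factor for the salted scheme. Kept low so the example runs quickly;
# a production deployment should use a much higher iteration count.
PBKDF2_ITERATIONS = 20_000


def unsalted_sha1(password: str) -> str:
    """One fast hash, no salt: the scheme found in the LinkedIn 2012 dump."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def salted_pbkdf2(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, slow hash: a random per-user salt is mixed in before hashing."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations).hex()


def new_salt() -> bytes:
    """A fresh random salt per stored password (assumed 16 bytes here)."""
    return os.urandom(16)


def crack_unsalted(leaked: dict, wordlist) -> dict:
    """Unsalted dump: hash each candidate ONCE, then look every leaked hash up.
    Cost grows with the wordlist only, not with the number of victims."""
    table = {unsalted_sha1(w): w for w in wordlist}
    return {email: table[h] for email, h in leaked.items() if h in table}


def crack_salted(leaked: dict, wordlist) -> dict:
    """Salted dump: no shared table; every candidate is re-hashed per user,
    and each hash is deliberately slow. Weak passwords still fall, but the
    attacker pays for every user separately."""
    found = {}
    for email, (salt, digest) in leaked.items():
        for candidate in wordlist:
            if hmac.compare_digest(salted_pbkdf2(candidate, salt), digest):
                found[email] = candidate
                break
    return found


def reuse_without_cracking(dump_a: dict, dump_b: dict) -> set:
    """Two unsalted dumps: an identical hash for the same email on both
    services reveals password reuse before a single password is cracked."""
    return {e for e in dump_a.keys() & dump_b.keys() if dump_a[e] == dump_b[e]}


def build_demo():
    """Constructed users; two of them reuse a weak password on both services."""
    users = {
        "alice@example.com": "dadada",
        "bob@example.com": "Tr0ub4dor&3!x",   # not in the wordlist, survives the dictionary attack
        "carol@example.com": "password",
    }
    # Service A and service B both stored unsalted SHA-1; carol used a
    # different password on service B.
    service_a = {e: unsalted_sha1(p) for e, p in users.items()}
    service_b = dict(service_a)
    service_b["carol@example.com"] = unsalted_sha1("correct horse")
    # The same users on a service that salted and stretched its hashes.
    salted_store = {}
    for e, p in users.items():
        salt = new_salt()
        salted_store[e] = (salt, salted_pbkdf2(p, salt))
    return service_a, service_b, salted_store


if __name__ == "__main__":
    a, b, salted = build_demo()
    print("cracked from unsalted dump:", crack_unsalted(a, COMMON_PASSWORDS))
    print("reuse visible without cracking:", reuse_without_cracking(a, b))
    print("cracked from salted store:", crack_salted(salted, COMMON_PASSWORDS))
```

Note what the salted store does and does not buy: `crack_salted` still recovers 'dadada' and 'password', because a salt cannot rescue a password that is in every wordlist. What it removes is the one-table-fits-all shortcut, and it hides which users (and which services) share a password, which is exactly the signal `reuse_without_cracking` pulls out of two unsalted dumps.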
Enterprises are exposed even by consumer-focused breaches such as Last.fm's, because employees routinely sign up for all kinds of services with their corporate email address, and each of those services becomes a place where a corporate credential can leak. Security awareness training should therefore cover the risk of associating a corporate email address with any non-essential service or product, as well as the risk of password reuse.
An organization should also stay vigilant and learn of new data breaches as soon as possible. Smaller breaches may hit one of the organization's third parties, or a subcontractor of that third party (a fourth party), and these interconnected business relationships carry significant risk when a third or fourth party is breached. When a significant breach is disclosed, affected employees should change the breached password immediately, and also change it on every other account that shared it, since an attacker will almost certainly try the leaked password against other services.
Fortunately, OurMine does not appear to have malicious intent. Other groups with far worse intentions, however, are using the same techniques and keeping quiet about their successes.
The views expressed are the author's own.
Geektime invites global tech and startup professionals to share their opinions and expertise with our readers. If you would like to share your point of view, please contact us at [email protected]