CSO — Blackmail rising from Ashley Madison breach

Posted on Sep 8, 2015 in Quoted by Press |


Ashley Madison

Blackmail rising from Ashley Madison breach

In an article for CSO, Taylor Armerding reports how the Ashley Madison breach demonstrates how blackmail can be the motivation for hackers. Protegrity CEO Suni Munshani is quoted.


 

Cybercriminals are maddeningly adaptable.

If a Dark Web illicit marketplace gets shut down, others spring up almost immediately to take its place. If credit cards get tougher to hack, there is always spear phishing, poorly protected electronic health records or the unending variety of devices that make up the Internet of Things (IoT), most of which have little to no security built in.

All of which offer opportunities for blackmail.

Not that the concept is new. But criminal threats demanding ransoms have tended to lean more toward extortion than blackmail. As in: “Your computer is locked, and if you ever want access to your files again, here’s where to send $1,000 in Bitcoin.” Or: “We have penetrated your network, and unless you pay us, or do what we want you to do (a la the Sony hack, where the demand was to cancel the release of a movie deemed derogatory to North Korea’s Supreme Leader), we will expose not only business information, but the personal information of your employees.”

More recently, with the hack of Ashley Madison, the adultery website, which led to exposure of everything from personal information to nude pictures and sexual fantasies of 37 million users, some of the fallout has included offers to scrub the information – for a fee, of course. Or, threats to expose it, unless a “ransom” is paid.

In other words, it’s less about your business and more about you – information that could be embarrassing, socially damaging and/or cause major trouble in the most important relationships in your life.

Encrypt the data, control access and monitor for exfiltration attempts.

. . .

Impact Team, the group that claimed responsibility for hacking Ashley Madison, professed to be doing so to damage or destroy a company it considered immoral. But Suni Munshani, CEO of Protegrity, noted that, “the consequences of a breach can go well beyond the intentions of the original hacker once the data are released.”

 

“One thing we know for sure it’s that criminals will always find new targets and new ways to exploit information about those targets for their own advantage,” he said.

Indeed, an estimated 15,000 U.S. government and military emails were on the Ashley Madison list of customers. Combine that with the breach discovered this past June of the federal Office of Personnel Management (OPM), which reportedly compromised the personal information of an estimated 21 million current and former federal employees, and the blackmail possibilities are enormous.

The consequences of a breach can go well beyond the intentions of the original hacker once the data are released.

That kind of “rich data,” Munshani said, means, “the personal and professional blackmail opportunities against individuals whose data were included in both incidents, as well as the organizations they work for, increases exponentially.”

It is hard to know how pervasive cyber blackmail is, experts say, because it doesn’t always get reported. “It’s not the kind of thing individuals publicize,” Delmar said.

Munshani agreed. “Successful blackmailing – when companies meet the demands of the blackmailers – flies under the radar of public exposure,” he said.

But there is general agreement that it is a growth industry for cyber criminals.

As usual, there is no way to guarantee 100% protection from such crime – the well-established cliché is that there are two types of organizations – those that know they have been breached, and those that have, but don’t know it. Still, organizations can make it less likely that they will be damaged from a breach.

Munshani said one way to do that is to protect the data with limited access and strong encryption, so that when hackers inevitably breach firewalls and other defenses, “all they would see is meaningless gobbledygook.”

Please find the complete article here.