
The Onion hack brings tears to my eyes

By Mike Rothman

Onion saute FTW...OK, not really. But as Rich pointed out in last week’s Incite (Truth is stranger than satire), The Onion getting hacked, and then the hackers posting stuff that seemed very Onion-like, was one step short of crossing the streams.

In less than true Onion form – honest and satire-free – they go through exactly what happened in a recent blog post, and it was very unsophisticated phishing. Phase 1 seemed random, and only one Onion staffer fell for the ruse. Leveraging that initial compromised account, the attackers sent another wave of phishing messages. A few recipients clicked the link, but only two actually provided credentials. At that point the Onion folks realized they had compromised accounts and forced a company-wide password reset.

But the attackers weren’t done. They were able to send a duplicate password reset email (through yet another compromised account), and with it they got control of another 2 email accounts, one of which had access to the corporate Twitter account. Yikes!

Hats off to The Onion – these posts are helpful for everyone to learn from the misfortune of others. They have some decent tips in the post as well, including using a dedicated application to access the corporate Twitter account (where you could apply more granular access control) and having email addresses associated with the corporate accounts on a totally separate system to provide account segregation. Rich talked about some other tactics to protect corporate Twitter accounts as well, with two-factor authentication topping the list.
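Two of the patterns in The Onion's write-up are visible in outbound mail metadata alone: a compromised staff mailbox blasting the same link to many colleagues in a few minutes, and a "password reset" message that comes from a staff mailbox rather than from the system that actually issues resets. The script below is an added illustration, not code from The Onion or Securosis; the log format, the corporate domain, the sanctioned reset sender and the thresholds are all assumptions, and the log lines are constructed.

```python
"""Flag second-wave internal phishing and reset-email impersonation in mail logs.

Added example (not from the original post). Domain, sender allow-list,
thresholds and log lines are constructed assumptions for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple

# Assumed environment values.
INTERNAL_DOMAIN = "example.com"
LEGIT_RESET_SENDERS = {"it-helpdesk@example.com"}   # the only sanctioned reset sender
RESET_SUBJECT = re.compile(r"password|reset|verify your account", re.IGNORECASE)
BURST_WINDOW = timedelta(minutes=10)                  # how fast is "a wave"
BURST_MIN_RECIPIENTS = 5                              # distinct recipients to count as a wave


class MailEvent(NamedTuple):
    ts: datetime
    sender: str
    recipient: str
    subject: str
    has_link: bool


# Constructed outbound-mail log: timestamp|sender|recipient|subject|has_link
SAMPLE_LOG = """\
2013-05-06T09:00:00|it-helpdesk@example.com|alice@example.com|Password reset for your account|1
2013-05-06T09:20:00|staffer1@example.com|bob@example.com|Interesting article, take a look|1
2013-05-06T09:21:00|staffer1@example.com|carol@example.com|Interesting article, take a look|1
2013-05-06T09:22:00|staffer1@example.com|dave@example.com|Interesting article, take a look|1
2013-05-06T09:23:00|staffer1@example.com|erin@example.com|Interesting article, take a look|1
2013-05-06T09:24:00|staffer1@example.com|frank@example.com|Interesting article, take a look|1
2013-05-06T11:00:00|staffer2@example.com|gina@example.com|Lunch on Friday?|0
2013-05-06T11:05:00|staffer2@example.com|hank@example.com|Lunch on Friday?|0
2013-05-06T13:40:00|staffer3@example.com|ivan@example.com|Password reset required - act now|1
"""


def parse_log(text: str) -> List[MailEvent]:
    """Parse the pipe-delimited log into events sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sender, rcpt, subject, has_link = line.split("|")
        events.append(MailEvent(datetime.fromisoformat(ts), sender.lower(),
                                rcpt.lower(), subject, has_link == "1"))
    return sorted(events, key=lambda e: e.ts)


def is_internal(addr: str) -> bool:
    return addr.endswith("@" + INTERNAL_DOMAIN)


def find_reset_impersonation(events: List[MailEvent]) -> List[MailEvent]:
    """Reset-themed mail sent from an internal mailbox that is not the sanctioned sender."""
    return [e for e in events
            if is_internal(e.sender)
            and e.sender not in LEGIT_RESET_SENDERS
            and RESET_SUBJECT.search(e.subject)]


def find_phishing_bursts(events: List[MailEvent]) -> Dict[str, int]:
    """Internal senders that push a link to many distinct recipients inside BURST_WINDOW.

    Returns {sender: max distinct recipients seen in any window} for flagged senders.
    """
    by_sender: Dict[str, List[MailEvent]] = defaultdict(list)
    for e in events:
        if is_internal(e.sender) and e.has_link:
            by_sender[e.sender].append(e)

    flagged: Dict[str, int] = {}
    for sender, evs in by_sender.items():
        best = 0
        for i, start in enumerate(evs):          # evs is already time-ordered
            window = {x.recipient for x in evs[i:] if x.ts - start.ts <= BURST_WINDOW}
            best = max(best, len(window))
        if best >= BURST_MIN_RECIPIENTS:
            flagged[sender] = best
    return flagged


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for e in find_reset_impersonation(evs):
        print(f"reset impersonation: {e.ts} {e.sender} -> {e.recipient}: {e.subject!r}")
    for sender, n in find_phishing_bursts(evs).items():
        print(f"link burst: {sender} reached {n} distinct recipients within {BURST_WINDOW}")
```

The second check is only meaningful if resets really do come from one place, which is exactly the account-segregation point above: if the mailboxes tied to corporate accounts live on a separate system, a reset notice arriving from an ordinary staff address has no legitimate explanation and can be alerted on without tuning.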

Photo credit: “Never again Mr. Onion” originally uploaded by dollen

From the New York Post, of all places:

Goldman later learned that Bloomberg staffers could determine not only which of its employees had logged into Bloomberg’s proprietary terminals but how many times they had used particular functions, insiders said.

The matter raised serious concerns for the firm about how secure information exchanged through the terminals within the firm actually was – and if the privacy of their business strategy had been compromised.

Oops. Imagine if AWS or Salesforce did something like this? They won’t because it is a kiss-of-death type mistake if there are viable alternatives, but Bloomberg is too entrenched for this to damage them materially.
