Tuesday, September 17, 2013

Choose Your Vendors Wisely

Just a couple weeks ago, the New York Times and Twitter domains were hacked—and not through a DoS (Denial-of-Service) attack or network port sniffing.

The Syrian Electronic Army (SEA) is taking credit for the attack, which they carried out through targeted phishing emails. They obtained usernames and passwords from employees of Melbourne IT, the registrar for NYTimes.com and Twitter.com, and used that information to access the registrar system and make fraudulent changes to the DNS for NYT and Twitter, pointing their sites to another server. And then, just to rub salt in the wound, they taunted everyone with their Syrian logo and a pretty sarcastic message – “Hacked by SEA, Your servers security is very weak.”

Now, in this case, it looks like nothing was stolen. Whatever their motive, the culprits seem more interested in belittling the company than in damaging the company or stealing identities (so far). But the lesson here is the same: be very aware of who you trust with your private information. Even if you secure your local data well, you may store information on servers or cloud services that are managed by untrustworthy people. 

You cannot trust your secure information to companies that do not take security very seriously. If hackers can infiltrate your hosting company or your online cloud storage company or your domain registrar or even your photo storage service, then your information is just as exposed as if you personally used poor security methods.