Wednesday, March 21, 2012

What Happens to Companies that Get Hacked?

As our world continues to grow more connected and more of our services move online, a host of new problems has developed. One such problem is hacking, or compromising otherwise secure networks. Interestingly, hacking can take several forms. It may have a criminal element, such as attempting to gain access to financial records, or hacking to disrupt essential computer systems. It may be designed to embarrass and humiliate, such as hacking social networks for private photos or to send inappropriate messages from a user's account. It may also be used as a form of guerrilla protest, or as an attempt to vandalise.

Hacking now receives significant media coverage, as mainstream networks have covered the "lulzsec" and "anon" activities. The Sony PlayStation Network scandal was also well publicized, even though it was contained within the PS3 network. The coverage drops, however, once the system has been restored, but what actually happens to the users who are hacked?

One possible remedy is an FTC case. According to the stipulated facts, on January 4, 2009, a brute force password guessing program was able to break into a Twitter user's administrative account. Once accomplished, the hacker had access to every Twitter user's profile, account settings, and both protected and public Tweets. The hacker, among other things, sent messages from Barack Obama's account offering free gasoline cards.

Disabling webcams doesn't have the same criminal panache as a good ol' fashioned ski mask.

On April 27, 2009, it happened again, when a hacker was able to break into a Twitter user's personal email account (Twitter had a policy of not providing employees with work email accounts, and instead encouraged them to use a personal one). This time, the hacker went on to reset the passwords of several users and accessed private accounts.

The FTC challenged Twitter on two counts: the first, that Twitter represented that it had taken reasonable security steps to protect information when it had in fact not; and the second, that it represented to users that it would honor the privacy of a user's settings.

The FTC entered into a consent order with Twitter to resolve the case (as expected). The settlement included several very specific steps Twitter must take to ensure compliance.

The first was to designate an employee or employees to be responsible for Twitter's information security plan.

The second was to identify reasonably foreseeable risks, both internal and external, that could create risk of intrusion. These risks included the areas of employee training and management, information systems including network and software design, and prevention, detection, and response to attacks. Twitter was also required to design and implement a plan to address these risks.

There was also a separate subparagraph directing Twitter to maintain the privacy of user information, not just from outside sources but also internally. The FTC gave an outline of possible sources of verification and testing of the security and correctness of these implementations.

This agreement gave Twitter 60 days to implement the agreement, which was slated to last for 20 years.

There are a few takeaways from this case. First, you clearly do not want the FTC to have reason to issue such a complaint against your company. As a part of this agreement, Twitter does have some strict and onerous requirements. However, the order also makes it clear that Twitter had incredibly lax security policies. The cracked password was a short, all-lowercase dictionary word, guessed by a brute force program that simply took basic words one at a time, submitted each, and tried again on failure. The FTC also noted that Twitter did not have a policy of expiring passwords, of assessing password strength, or even of locking out users who repeatedly guessed wrong.
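The three controls the FTC faulted Twitter for lacking (password strength assessment, a lockout after repeated wrong guesses, and no way for a word-at-a-time guesser to run unchecked) can be shown in a few dozen lines. The following is an added example written for this post, not Twitter's code or anything from the FTC order; the dictionary word list, minimum length, failure threshold and lockout window are constructed values.

```python
"""Password policy and lockout checks of the kind the FTC order faulted Twitter for lacking."""
import hashlib
import hmac
import os
import time

# Constructed stand-in for a real dictionary word list.
DICTIONARY = {"password", "letmein", "happiness", "twitter", "admin"}
MIN_LENGTH = 12           # constructed policy value
MAX_FAILURES = 5          # consecutive failures before the account locks
LOCKOUT_SECONDS = 900     # how long a lockout lasts (15 minutes, constructed)
PBKDF2_ROUNDS = 100_000

def password_policy_violations(pw: str) -> list:
    """Return the reasons a candidate password is rejected; an empty list means it passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("too short")
    if pw.islower():
        problems.append("all lowercase")
    if pw.lower() in DICTIONARY:
        problems.append("dictionary word")
    return problems

def _hash(pw: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS)

class AccountStore:
    def __init__(self):
        self._users = {}      # name -> (salt, pbkdf2 hash)
        self._failures = {}   # name -> (consecutive failure count, time of last failure)

    def register(self, name: str, pw: str) -> None:
        problems = password_policy_violations(pw)
        if problems:
            raise ValueError("weak password: " + ", ".join(problems))
        salt = os.urandom(16)
        self._users[name] = (salt, _hash(pw, salt))

    def login(self, name: str, pw: str, now: float = None) -> str:
        """Return 'ok', 'denied' or 'locked'. A locked account rejects even the right password."""
        now = time.time() if now is None else now
        count, last = self._failures.get(name, (0, 0.0))
        if count >= MAX_FAILURES:
            if now - last < LOCKOUT_SECONDS:
                return "locked"
            count = 0                       # lockout window has expired; start counting again
        salt, stored = self._users.get(name, (b"\0" * 16, b"\0" * 32))  # unknown user still costs a hash
        if name in self._users and hmac.compare_digest(_hash(pw, salt), stored):
            self._failures.pop(name, None)  # success clears the failure counter
            return "ok"
        self._failures[name] = (count + 1, now)
        return "denied"
```

Running a word list against `login` produces five "denied" results and then "locked" for the rest of the window, which is the behaviour the order required and the guessing program in the complaint never met.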

Secondly, it appears that Twitter opened itself up to some liability in the realm of privacy. The FTC noted that Twitter repeatedly asserted that direct messages and protected tweets were private, when in fact every single Twitter employee had access to them. Although not explicitly stated, it does appear that if Twitter had disclosed that employees could access private user content, there would not have been a case.
