Posts

By Farhan Subhan.

Throughout our time on planet Earth, there have been major developments in nearly all aspects of life, from the industrial revolution to the events revolving around Y2K. Even with the doubts of the year 2000, and how calendar storage data was going to be affected by the transition into the new generation, technology has undoubtedly grown exponentially into being a very integral part of our personal and business lives. However, in nearly all cases of growth, there are some struggles. In this case, data breaches. Data breaches can be found in many forms, e.g. phishing, loss or theft of hard copy notes, ransomware, and unauthorised access. The extent of a data breach can vary from losing your credit card information to huge multinational corporations with employee and customer data at risk.

The actual data breach does not have to be in a digital form in order to be considered a data breach. But as we have transitioned into a digital society, these breaches have also evolved from classified papers in a briefcase being stolen to online pirates procuring over a million credit card details and selling them on the black market. A breach does not necessarily mean that data is stolen per se, but if said protected data becomes accessible to unauthorised parties then it is considered to be a breach. The question that we ask now is, what do these attackers do with these pieces of data? One answer is: capitalise on the data. Attackers will either want to take advantage of credit card information instantly, or they hold onto it and then start to slowly take advantage of said person's information for many years.

Since the start of the Millennium there have been many, yet unsurprising, data breaches within huge multinational corporations. The nature of the data that was exposed varies amongst these companies; for example, if we look at companies like Yahoo and MySpace we can see that the attackers who were responsible for these breaches were in fact identity thieves. We will now look at examples of the biggest data breaches within multinational corporations since the start of the 21st century:

MyFitnessPal

In February 2018, MyFitnessPal was subject to a data breach where 617 million customers had their accounts leaked and offered for sale on the black market, around the same time that Dubsmash. The company did acknowledge this breach and advised customers to change their passwords to help improve their security. However, it did not share how many were affected, nor did it explain how their data was compromised.

Adobe

In October 2013, Adobe reported that hackers had stolen nearly 3 million customer credit cards as well as login data for an undisclosed number of user accounts. Consequently, later during that month, it mentioned that IDs and encrypted passwords for 38 million users were included in the compromised data. Unfortunately, this amount surpassed 150 million users, resulting in Adobe paying $1.1 million in legal fees and an undisclosed amount to users for violation of the Customer Records Act.

LinkedIn

This major social networking platform for business professionals had become a target for social engineering attacks, but in 2012 the site also had user data leaked. 6.5 million passwords were stolen and posted onto a Russian hacker forum, but it took four years for the full extent of the incident to be revealed. The hacker was then found to be selling the data for 5 bitcoins, which resulted in LinkedIn resetting the passwords of the affected accounts.

As with most errors, these breaches could have been prevented if the companies mentioned above had taken the correct steps beforehand. If the companies had undertaken regular risk assessments, they could have verified that the procedures used to handle data were in fact correct and, where there were any errors, rectified them before the data was leaked. After these leaks, a company can also invest more money in cyber security training for staff, so that employees learn more about data breaches and the common mistakes which can lead to one. Incorporating this into the company's culture will be beneficial for the foreseeable future.

To conclude, data breaches still exist in many forms, ranging from phishing attacks to huge data losses by corporations. These breaches will continue to exist in our society unless people are made aware of what cyber security has to offer and are actually inclined to learn more about it, so that it can be incorporated into their personal and work lives and data breaches can be brought to a minimum.

By Shameer Sabar.

As technology advances, and organisations incorporate more and more IT systems into their business in order to aid and facilitate their functions and processes, it becomes necessary for them to test the safety and security of these IT systems. Small and medium-sized enterprises, also known as SMEs, are especially vulnerable to cyber attacks. According to the Cyber Security Breaches Survey of 2020, 68% of all medium-sized businesses in the United Kingdom found at least one cyber security breach or attack in the past 12 months. This is partly due to many SMEs not considering themselves targets, so many do not do enough to protect themselves, but even those aware of the risks usually do not have sufficient resources to defend themselves. This is not to say large businesses remain unaffected: the survey also highlighted that 75% of large businesses have been affected.

Ethical hacking, or penetration testing, allows organisations to seek out and correct vulnerabilities and flaws in the security and safety of their computer systems, networks and databases. While malicious hackers, or black hat hackers, penetrate the databases and IT systems of an organisation with ill intent and for personal gain, ethical hackers, or white hat hackers, are hired by the owner of the company and given permission to penetrate the network and computer systems using the same tools and knowledge as a criminal hacker, but with the intention of determining vulnerabilities and weaknesses in the security of such systems and networks. Their work is conducted in a lawful and legal manner. By doing so, they can then recommend preventative and corrective countermeasures to the organisation to prevent cyber attacks.

Ethical hackers use many methods of sourcing vulnerabilities. They use port scanning tools such as Nmap, Wireshark or Nessus to scan a company's systems, analyse open ports, study the vulnerabilities of each port and take corrective measures. They also critically test patch installation processes to make sure that software updates do not introduce new vulnerabilities that an attacker could exploit. Using the right tools, they also perform network traffic analysis and sniffing. Ethical hackers also rely on social engineering techniques to manipulate end users and find information about an organisation's computing environment.

Like black hat hackers, ethical hackers look through activity on social media or GitHub, engage employees in phishing attacks through email, or roam through premises with a clipboard to exploit vulnerabilities in physical security. However, ethical hackers are given limitations and restrictions on their social engineering techniques, such as a ban on making physical threats to employees or other types of attempt to extort access or information, in order to keep their hacking ethical and lawful.

By Aqsa Hussain.

What is ethical hacking?

There are codes of conduct for almost every industry, from the rules of the game in sport to the constitution in law to safety measures in factories. Ethical hacking is no different. It is governed by a code of conduct created by a community who consider themselves to be experts in this line of work. In the formal sense, an ethical hacker is either a company or an individual who identifies and exposes potential threats to a computer system before someone with malicious intentions does so. Upon discovery, these gaps in the system are plugged to ensure the safety of the computers and networks being probed.

Rules of the ethical hacking game

The rules of the game include: asking for explicit consent from the party to be probed, respecting their privacy, ensuring that no open avenues are left for malicious hackers to enter the systems and, finally, alerting the organisation or individual to any vulnerabilities that have been found.

In fact, many companies with an online presence use a Bug Bounty program, a crowdsourcing initiative, to identify vulnerabilities on the company website in exchange for rewards in the form of compensation or recognition. Companies hope that in this way, instead of becoming the victim of cybercrime, they continue to remain a secure environment for their users.

However, there are instances when hackers attack a system under the umbrella of ethics, without adhering to the rules of the game. Can the ethical element of hacking still be present here?

The ethics of Hacktivism

When hackers enter a system without permission and with the purpose of hacking for the 'greater good', they consider themselves 'hacktivists', conducting ethical hacking with a political purpose. Hacktivists attack the systems of organisations they fundamentally disagree with, with the goal of exposing those organisations' activities to the wider public. Although they don't play by the rules, they do not believe that their actions are disruptive or illegal, since they are merely calling attention to issues that matter.

Is hacking to counter controversial morals ethical?

Take the relatively recent 2015 hack of the online dating site Ashley Madison. A group called 'The Impact Team' attacked this website, which enabled married people to engage in extramarital affairs. They obtained the personal information of the entire user base and in mid-August 2015 decided to release over 10 gigabytes of data (real names, addresses, credit card transactions, search history etc.). That amounts to over 30 million people in over 40 countries. The Impact Team had provided the parent company of Ashley Madison, Avid Life Media, with numerous warnings, expecting the site to be shut down on the basis that it was immoral to create a platform allowing people to actively be unfaithful to their partners. Yet the parent company stood by the position that it was merely providing a service in demand and that it was not its role to judge its users' morality. Evidently, the hacktivist team did not think such a response was sufficient. Can this be considered ethical hacking, or is it a form of cyber-terrorism? The cliché that 'one man's terrorist is another man's freedom fighter' is in play here: The Impact Team wholeheartedly believed that releasing all of that private information was right. On the contrary, Ashley Madison believes that the rights of its users were violated, and that the act was nothing short of illegal.

Is hacking to counter terrorism ethical?

On the other hand, you have examples such as the hacktivist group Anonymous, which claims to be 'at war' with the terrorist organisation Islamic State (ISIS). They have been systematically hacking the social media accounts of ISIS members and followers as well as bringing down their propaganda websites. Their aim is to stunt the growth of the terror group. Can this be considered another form of ethical hacking, despite not entirely following the rules of the game?

Needless to say, ethical hacking is a practice in which you can become professionally qualified if you have the drive to seek out vulnerabilities in a legitimate way and report them accordingly. Companies accept this intrusion into their systems as a legal and justifiable act, and reward it as such. Yet hacktivism requires no such qualification, and its legitimacy comes down to a matter of opinion. Many agree with the morality behind the Ashley Madison hack, whilst others claim it was a cybercrime causing immeasurable damage to users. Similarly, when it comes to the ethics of countering IS' online terrorism with a form of cyber-crime itself, can we consider this more ethical than, or equally as ethical as, the Ashley Madison hack?