Hacked Screen

grapegeek/iStockphoto

Security


In security and war, you’re only as strong as your weakest link. And in the media industry, we’ve got quite a few weak links.

It should be entirely self-evident by now; over the past year, we’ve seen hacks on some of the biggest media outlets in the world, from the New York Times to the Guardian. And apparently, it’s all our fault.

“In media, security is not a priority,” Tom Cochran, chief technology officer for Atlantic Media, said during a session at the South By Southwest conference in Austin, Texas, this week. It’s something of an afterthought, with employees using duplicate passwords across their various accounts. Or, worse, we’ll use stupidly easy passwords to guess, like “12345” or “password.” (Yes, people actually still do this.)

In a test of his organization’s bad security habits, Cochran sent out an email containing a link that asked employees for their passwords, a popular hacker “phishing” technique. A staggering 30 percent of the people in the company clicked on the link inside the email.

That’s the point at which the Syrian Electronic Army usually comes in and makes its mark. For the past year, the anonymous hacker collective has made a habit of phishing for passwords from media organizations, then breaking into the official Twitter or Facebook accounts and spreading pro-Bashar al-Assad messages while decrying protest groups (as well as U.S. President Barack Obama).

One hack on the Associated Press briefly sent the Dow Jones Industrial Average plummeting about 130 points, after a false tweet claimed Obama had been injured in an attack on the White House.

The takeaway for Cochran here is important: Hackers like the SEA will always be out there, ready to mess with consumers for fun (or “the lulz,” as it were). It’s up to users to keep themselves safe by practicing good password hygiene (by using multiple passwords across accounts) and never clicking on suspect links and giving up their information willy-nilly.

It’s also, in part, up to the organization to update its security practices company-wide. Per Cochran, the Atlantic Media company now mandates two-factor authentication — an extra layer of security — across all of its services.

And after Forbes Magazine was hacked just a few weeks ago, staff writer Parmy Olson said the keys to the various social media accounts for the company were taken away from some of the people who had them across the brand (when I worked for Forbes years ago, even I had the keys to the Twitter account). Forbes, too, implemented two-factor authentication.

Good advice, and in this day in age, I’d call it table stakes. But good luck getting thousands of employees in large media orgs — some of whom are more tech-savvy than others — to get with the program, especially when it’s far more convenient to use one simple, easily memorized password.

In other words, don’t expect the lulz to end any time soon.

More Articles About South By Southwest 2014




4 comments
bobsulli
bobsulli

CTO getting 30% of employees to cough up passwords seems about right. What % of the 30% never took in house I.T. training? If you've never been able to offer in house I.T. training to your staff that 30% should justify the investment.

ShaunC
ShaunC

The result of Cochran's phishing experiment shouldn't be shocking, but it is! While reading this article, I couldn't help but to wonder how we could make internet users more vigilant. Is it through education? Is it through some sort of new technology, like  fingerprint scanners or fancy identity checks?


I don't have the answers, but I'm curious what others think. I keep hearing about how 'something needs to be done' - but the solutions are often more inconvenient and cumbersome than what we have now.


Is there a simple solution out there?

stsk
stsk

The answer is not "good password hygiene". There are perfectly valid reasons people don't use "strong" passwords - they're inconvenient and therefore, useless. The entire concept of security needs a rethink.

Miranda
Miranda

@ShaunC  @ShaunC  I wonder the same thing! The answer is usability. People will not take extra security measures that are annoying, they simply just will not secure their data in the name of convenience. I use LastPass as my password manager and discovered a multi-factor authentication solution called Toopher. It blows any other 2fa solution I have used out of the water in terms of usability. Toopher offers an automation feature that uses the location awareness of your smartphone to authenticate without interrupting the user every time. Nowadays the easier something is to use, the more likely people will use it. Toopher's solution seems to solve this problem. I hope to start seeing it offered in more places. If you have LastPass, you should go check Toopher out!

Follow

Get every new post delivered to your Inbox.

Join 288,939 other followers