On February 21, the customer service software provider Zendesk learned that it had been hacked. Three of its customers were compromised: Twitter, Pinterest, and Tumblr. In Zendesk’s official blog, Mikkel Svane wrote:
We’ve become aware that a hacker accessed our system this week. As soon as we learned of the attack, we patched the vulnerability and closed the access that the hacker had. Our ongoing investigation indicates that the hacker had access to the support information that three of our customers store on our system. We believe that the hacker downloaded email addresses of users who contacted those three customers for support, as well as support email subject lines. We notified our affected customers immediately and are working with them to assist in their response.
At Wired’s “Threat Desk” blog, Matt Honan noted that Wired’s source “claims some customers also may have had their phone numbers revealed, but no passwords, password hashes, or even encrypted passwords were revealed.” Although the potential that phone numbers were revealed isn’t good, the news could have been much worse—the hacker could have gotten passwords.
That’s not to say that this security breach is no big deal—it is. The concern, of course, is that the email addresses and subject lines will enable the hacker to conduct successful phishing campaigns. The subject lines of previous emails could provide the perfect camouflage, making the phishing emails seem like just another exchange in an ongoing conversation.
Honan cited the warnings that Pinterest, Twitter, and Tumblr sent to their users. Pinterest told its users:
Don’t share your password. We will never send you an email asking for your password. If you get an email like this, please let us know right away. Beware of suspicious emails. If you get any emails that look like they’re from Pinterest but don’t feel right, please let us know—especially if they include details about your support request.
Tumblr likewise warned:
Tumblr will never ask you for your password by email. Emails are easy to fake, and you should be suspicious of unexpected emails you receive.
Both warned users about phishing; Twitter did not.
Twitter issued a statement regarding a “significant security breach” at Zendesk, and closed by saying “We do not believe you need to take any action at this time but wanted to ensure that you were notified of this incident.”
Unfortunately, many people throw caution to the wind when they believe they are dealing with email from a known source—disregarding the warning signs that would alert them to a phishing attempt if the same email had obviously come from an unknown source.
A recent study conducted at the University of North Carolina at Chapel Hill, the Millennial Cybersecurity Project, examined the behaviors of millennials on the internet. Because millennials are the first “always-connected” generation, there is a very real concern that they will bring risky behaviors and unprotected devices into their workplaces, exposing those workplaces to security vulnerabilities. “Millennials have a greater degree of trust in the virtual world that is not shared by older generations—especially the baby boomers,” the authors note (p. 2).
The study found that millennials
1) lack a comprehensive and consistent methodology for password usage;
2) have difficulty identifying emails with social engineering attacks such as phishing and scam emails; and
3) show a general lack of awareness of certain best practices necessary to assure a safe experience in cyberspace. (p. 8)
Part of the reason that millennials were unable to identify the phishing emails in these experiments is that some of them were masquerading as legitimate emails from Facebook and LinkedIn. All of the experimental phishing emails had spelling and grammar errors, broken links, out-of-date forms, and other indicators; but because millennials “have strong social connections” to these companies, they seemed to perceive them as “more trustworthy” (p. 11). The millennials involved in the study indicated that they were more likely to spot fraudulent emails if they didn’t know or trust the email’s source (p. 14). Millennials identified 52% of the experimental phishing emails that appeared to come from financial institutions (including Bank of America and PayPal); they identified only 48% of the experimental phishing emails that appeared to come from Facebook and LinkedIn (p. 13).
The good news is that these experiments indicate that positive reinforcement and education about best practices can encourage safer behavior and increase awareness online. In most cases, millennials who received emails about their success or failure in identifying phishing emails improved their performance in subsequent experiments (p. 24). The exception was email from a trusted source: while only 29% of subjects had opened a phishing email from an untrusted source in a previous experiment, 57% of subjects opened phishing emails from trusted sources (p. 26).
The authors conclude that the best approach is to
- Explore, employ and exploit digital messaging that is short in length, iconic, and actionable. (p. 38)
- Personalize communications based on the audience’s profile. (p. 39)
- Develop cybersecurity tools that are technology-mediated, more interactive and capable of providing a user experience of high value. (p. 39)
Bruce Schneier, who is described by The Economist—and most geeks—as a “security guru,” writes about cryptography, computer and network security, the many failings of the Transportation Security Administration (“security theater” is a regular topic of his blog), personal safety, crime, and corporate and national security. In a recent article (cross-posted to his blog on February 12, 2013), he writes about how technology “continually upsets” the balance between “the honest and the dishonest.” New forms of technology lead to new forms of crime:
Online banking results in new types of cyberfraud. Facebook posts become evidence in employment and legal disputes. Cell phone location tracking can be used to round up political dissidents. Random blogs and websites become trusted sources, abetting propaganda.
This represents a “security gap” in which criminals exploit new weaknesses while law enforcement tries to figure out how to stop them. The security gap is larger when there are rapid technological changes, and it grows larger still when rapid social changes occur as a result of that technology.
Twenty years ago, parents had to worry about television commercials encouraging their kids to buy cereal with sugar as the first three ingredients and ugly dolls in neon-colored ninja costumes. Now they have to worry about websites that encourage their children to reveal personal information so that they can be marketed to more effectively—and that’s just legitimate businesses! That doesn’t include the seedier places on the internet that are not geared towards children, or apps that kids purchase that track their movements and actions or install other forms of malware.
These are some massive social changes that we’re going through now, and we don’t really know yet what the results are going to be. Schneier points out that “[w]e don’t know *how* the proliferation of networked, mobile devices will affect the systems we have in place to enable trust, but we do know it *will* affect them.” The solution isn’t legislation or technology alone—people are the main factor in the success or failure of any security system. “Much of our security comes from the informal mechanisms we’ve evolved over the millennia: systems of morals and reputation,” Schneier reminds us. It’s time, he concludes, for these systems of trust to evolve:
It’s time for us to deliberately think about how trust works in the information age, and use legal, social, and technological tools to enable this trust. We might get it right by accident, but it’ll be a long and ugly iterative process getting there if we do.
We can’t simply trust that Facebook or Tumblr or Twitter or Pinterest or anyone else has our best interests at heart. We need to be informed, cautious, and sensible. (As Ronald Reagan famously said, “Trust but verify.”) We need to be aware of terms of service, privacy policies, and security breaches. We need to be aware of the dangers posed by social engineering, poor security practices, hacking, and electronic surveillance. We need to be familiar with resources like Wired’s Threat Level blog, the Millennial Cybersecurity Project, Bruce Schneier, danah boyd, and the Electronic Frontier Foundation. These resources are all accessible to the layman—you don’t have to be a white-hat hacker or code monkey to understand and apply them.
We need to do these things as future librarians not only to protect libraries and other information organizations navigating the Web 2.0 world, but also to educate patrons so that they can protect themselves.
Greis, N.P.; Nogueira, M.L.; and Kellogg, S. (2012). The Millennial Cybersecurity Project: Improving awareness of and modifying risky behavior in cyberspace. Final Report. Institute for Homeland Security Solutions. Retrieved from http://sites.duke.edu/ihss/files/2011/12/IHSS_FinalReport_MillenialCybersecurity_Greis.pdf on February 24, 2013.
Honan, Matt. (2013, Feb. 21). Zendesk security breach affects Twitter, Tumblr and Pinterest. Wired. Retrieved from http://www.wired.com/threatlevel/?p=54338 on February 24, 2013.
Schneier, Bruce. (2013). Our new regimes of trust. The SciTech Lawyer, 9(3), 16-17.
Svane, Mikkel. (2013, Feb. 21). We’ve been hacked. Zendesk Nation [blog]. Retrieved from http://www.zendesk.com/blog/weve-been-hacked on February 24, 2013.