Is It Time To Worry About Cybercrime?

For the past decade, the bulk of unlawful web-based activities have been profit-motivated: phishing, spam, "Nigerian" money scams, and hacking to get credit cards. This year has seen a rise in politically motivated crimes, most widely exemplified by the loosely knit group of hackers known as "Anonymous". Anonymous hackers attack the websites of organizations, be they government, corporate or otherwise, that they deem to be repressive or unethical. In addition to defacing the sites, they've also routinely exposed confidential user information, such as login names, passwords and addresses. If we are now entering an age where political cybercrime is commonplace, what does that mean for nonprofits? How can we defend ourselves when we already struggle with basic security on tight budgets and limited resources?

Two high profile victims were Sony, the gigantic electronics and entertainment conglomerate, and BART, the Bay Area Rapid Transit commuter service.

  • Sony was initially a target for Anonymous after they took legal action against a computer geek named George Hotz, who figured out how to reprogram a PlayStation game device in order to play blocked third-party games on it. This violated the Sony license, but the hacking and gaming communities felt that the license restriction wasn't very fair in the first place. They considered the action against Hotz unwarranted and severe. Sony also, famously, installed a hacker's rootkit, themselves, on a number of music CDs with interactive computer features, and were sued for that. Could it be that the hackers were particularly annoyed that this mega-corporation will stoop to their tactics, but sue them for similar actions?
  • BART was targeted for more visceral actions.  Their internal police force shot Oscar Grant, an unarmed youth, in the back a few years ago, and then, again, recently, fired on a homeless man holding a knife, killing him. These actions drew the attention of the community and resulted in protests, some violent.  But BART only drew the attention of Anonymous when they took the step of blocking cell phone service at their four downtown San Francisco stations in order to quell communication about a planned protest.  This action is under investigation by the FCC and has been decried by the ACLU; it was quite likely illegal. Then it was revealed that, at a press conference to discuss the protests, they seeded the audience with BART proponents coached in what to ask and say.  

Anonymous hacked a dozen or more Sony Websites and three BART websites in protest/retaliation for what they consider to be corporate crime. Here's how easy it was for them: one of the Sony servers containing hundreds of thousands of user account records was running on an old, unpatched version of Apache with no encryption. The initial attack was simply accomplished using a hack (SQL Injection) that is ridiculously easy to block (by updating to a current software version, in most cases). The Administrator password to get into the BART police site was "admin123".  The "hacker" who broke into that site reported that she'd never hacked a web site in her life, she just did a bit of googling and got right in.

These were corporate web sites, run by companies that take in vast amounts of consumer dollars every day, and they couldn't be bothered to do even the minimum amount of safeguarding of their customers' data. They might not be the criminals, but is it wild to suggest that they were criminally negligent? This isn't a matter of them not having the money, resources or available expertise to protect our data. It was a matter of them not taking the responsibility to protect it.

What can nonprofit organizations, that aren't obsessed with bottom lines, do to avoid the problems that BART and Sony have faced?

  • First and foremost, we need to protect constituent data. If your NPO doesn't have the wherewithal to do that internally, then your online data should be hosted with companies that have strong commitments to the security and privacy of customer data.
  • Second, should breaches occur (and they do), your primary goal should be timely, open communication with the victims of the data breach. We're getting past the point where our constituents are naive about all of this (Sony has done a great job of prepping them for us). So your first response to exposed constituent data should be to tell the constituents exactly what was exposed.
  • One uncomfortable situation like this won't kill your credibility, but a history of bad or callous relationships will amplify the damage. This is one of the reasons why good social media policies are critical -- the people who can support or sink you when something like a data breach occurs are on Twitter and Facebook, and they'll feed the media stream with support or slander, depending on how well you relate to them.
  • We promote causes online, but we admit faults there, too.  We don't engage customers by lying to them, hiding things that impact them, or dictating the terms of our relationships with them.
  • Our supporters are people, and they have their motivations for supporting us (or not) and their ideas about how they should be doing it.  Their motivations and reasoning might be quite different from what we assume. Accordingly, we should be basing our assumptions -- and campaigns -- on the best feedback that we can coax out of them.  Long-held industry assumptions are suspect simply because they're long-held, in a world where technology, and how we interact with it, is constantly changing.


If we ever needed reverse primers in how to manage constituent relationships, the Sony and BART fiascos are prime ones. They are victims of illegal and unethical behaviour. But by viewing their customers and constituents as threats, with callous regard for the people who keep them in business in the first place, they've created a public relationship that did nothing to stem the attacks. Sony has put far more money and effort into attacking and dehumanizing their customers with lawsuits and invasive, annoying copyright protection schemes than they have into listening, or trying to understand the needs and desires of their constituents. BART has tried to block their ears so tightly to shut out public criticism of their violent, shoot-first police force that they've crossed constitutional lines of conduct. We -- nonprofits -- know better. It's a two-way relationship, not a dictatorial relationship with our supporters, that will serve as our most effective firewall.

Comments

Our relationships are our firewall...

The last part of your blog post sums things up nicely. As nonprofits (small nonprofits in particular) we have to cultivate our relationship with our constituents on a daily basis. With any luck (and some skill) we can hope to maintain a positive rapport with society and avoid becoming a target for those who intend to do harm to our virtual worlds.

Right on! Nonprofits need to understand they are at risk.

Peter -

As a whole, nonprofits and a lot of small businesses do not take computer security seriously, which makes me very sad. This indifference allows the people behind cybercrime to use their ill-gotten gains to support activities that most nonprofits would find very offensive, such as identity theft, human trafficking, and child pornography.

What's most concerning to me is how many nonprofit organizations still think of technology as a nice-to-have instead of a requirement to get their work done. I really would like to see more organizations recognize that when the technology isn't cared for, the organization can't meet its mission. It is no longer optional to include technology and computer security in an organization's budget. Resources must be dedicated toward updating systems, tracking new threats, and learning how to protect the organization against them.

It seems that organizations do not understand why computer security is important. During the past two months, I spent time trying to connect nonprofit organizations in the Baltimore area with an opportunity to receive free computer security help from a graduate-level computer security class. Not one of the organizations I contacted was interested in the free help, and most of these organizations were public-interest law firms or other organizations with higher-than-normal computer security needs. (To the credit of one of the organizations, they were not interested in participating because they recently had paid to have a security audit done.)  While there are many reasons that this opportunity would not be a good fit for an organization, it saddens me that I couldn't find one organization willing to take advantage of it.

Nonprofit organizations are very much at risk, both of large-scale and small-scale hacks. Many people don't realize that most "hacks" can be purchased online and used by people with very few technical skills. Recently, I was reviewing which content management systems legal aid organizations are using. Of the 263 sites that I reviewed, three of the websites had been hacked such that I could tell simply from reviewing the page source code. These were not complicated attacks and simply exploited a flaw in the systems the organizations used. Research suggested that the hacks were readily available for purchase. But nonprofit organizations are also at risk from non-standard attacks.

But larger attacks are also possible. The Aurora incident, which involved Google being hacked by a larger actor--potentially China--also involved several law firms that were involved in human rights work. And there is nothing to stop Anonymous from attacking a nonprofit they disagree with. Anonymous is a great, but terrifying, example of crowdsourcing. Anyone can decide to be a part of Anonymous, target an organization, and then credit the attack back to Anonymous.

As a community, we need to start taking this threat seriously, report incidents where systems have been hacked, and clean up the attacks promptly. - K