In celebration of Guy Fawkes Day, November 5th saw a slew of hacker activity perpetrated by some familiar names. As an Information Week article reported, Anonymous had planned to commemorate the dubious holiday by taking down several large websites, such as Facebook and Zynga. Instead, however, the group only found success on separate fronts.
According to InformationWeek, the security company Symantec and ImageShack were among two of Anonymous's targets. Symantec data, including the email addresses and passwords for nearly 3,200 employees, was posted to online forums. The information stolen from ImageShack included lists of file permissions and source code. Hackers also claim to have obtained internal files from the Organization for Security and Cooperation in Europe, which purportedly show evidence of election tampering in Ukraine.
In a tweet, Annoymous claimed to have hacked PayPal as well, though these claims were ultimately refuted by the company. Though the news spread quickly across social media, after some investigation it was determined that no proprietary data or systems had been breached.
“It appears that the exploit was not directed at PayPal after all,” a PayPal spokesperson told TechNewsWorld.
A New York Times blog post noted that the 28,000 PayPal customer passwords that Anonymous allegedly stole actually belonged to a free open source hosting site called ZPanel. InformationWeek also said that the Pastebin post of hacked ZPanel data included zero-day exploit code, which would allow hackers to remotely reset the system without authentication. When contacted for comment, a ZPanel developer said that the flaw had been patched months ago.
With so many available avenues for cybercriminals to explore within large multinational organizations, it seems clear that strictly focusing on perimeter-based defenses is a fool's errand. As networks expand to accomodate more users and devices, it can be quite a challenge to retain a complete perspective of one's digital assets.
“What [enterprises] forget is they have multiple development servers which are extremely vulnerable, and can be used as gateway systems, as many [of these] share accounts and passwords with their key systems,” Ken Baylor of NSS Labs told TechNewsWorld.
As hacker motives evolve from amusement and diversion toward targeted industrial espionage, such oversights could be particularly costly. With cybercriminals more interested in obtaining corporate intellectual property than online celebrity, these threats could become silent killers of market success.
Data Security News from SimplySecurity.com by Trend Micro