海角大神


Netflix hack: White hats, or digital robber barons?

OurMine claims to hack large organizations in order to help improve their network security. But is this collective rooted in benevolence or profit?

By Joseph Dussault, Staff

Netflix and Marvel became the latest targets of OurMine, a shadowy hacker group that took over both companies' Twitter accounts Wednesday to post self-promotional tweets.

The breaches may seem familiar to tech impresarios such as Facebook chief executive officer Mark Zuckerberg and Twitter CEO Jack Dorsey, whose Twitter credentials were obtained by the group earlier this year.

The collective claims that it isn't breaking into the accounts for nefarious purposes, but instead to make a point. OurMine says it wants to help large organizations improve network security by proving how vulnerable tech companies, executives, and celebrities are to hackers.

But just who is OurMine, and is their brand of hacking rooted in benevolence or profit?

While OurMine calls itself a "white hat" hacking group - a term that applies to ethical hackers - some cybersecurity experts say the group is misappropriating that description.

"A true white hat hacker should never use malicious approaches to make their points," Zaiyong Tang, a professor of networks and security at Salem State University, tells 海角大神 in an email. "The hacking of those Twitter accounts makes OurMine not much different from black hat hackers seeking notoriety."

In addition to hacking Mr. Zuckerberg, OurMine also obtained the Twitter credentials for Google CEO Sundar Pichai, Wikipedia founder Jimmy Wales, and Yahoo CEO Marissa Mayer.

In October, Buzzfeed ran a story identifying one OurMine member as a Saudi teen who goes by the name Ahmad Makki. The group denied the accusation and later hacked Buzzfeed in retaliation.

In most cases, OurMine claims to have obtained passwords through network vulnerabilities. But many of the affected sites, such as Twitter and Quora, have denied those claims. Instead, they say, the hackers likely reused passwords from previous data breaches.

"These types of attacks are basically password guessing," Jibey Asthappan, director of the University of New Haven's national security program, tells the Monitor in a phone interview. "They might use some social engineering, or it could be a brute force attack. This is probably not a very sophisticated attack."

After gaining access to an account, the group typically fires off a series of Tweets using the hashtag "#ourmine." The breaches rarely last more than a few hours, and the group maintains that it doesn't use the accounts for nefarious purposes. In each case, the compromised account posts a common message: "Don't worry, we are just testing your security," along with a link back to the group's website.

"It's a concerning precedent, but one reason [OurMine] may be doing this is that it's potentially the easiest way to get an organization to pay attention to a vulnerability," Derek Ruths, a professor of computer science at McGill University, tells the Monitor in a phone interview. "A random email that comes in and says, 'Hey Netflix, you have a network vulnerability' probably isn't going to make it very far."

It's also possible that the hacks are just free advertising for OurMine's security services, which range from $10 email scans to $5,000 consultations for corporate networks. In an email to The Guardian, the group claimed to earn $20,000 to $40,000 every month from consultations.

At best, that would be morally questionable guerrilla marketing for the Digital Age. At worst, it's an exploitative business model predicated on fear. By targeting highly visible tech influencers, groups like OurMine can exploit the security fears of the average user. Though dealing with hackers is almost never a sound practice, some users may feel compelled to do so in the interest of security.

"This is the only place where it's still the Wild West, and these are the types of things you can get away with," Mr. Asthappan says. "It's a unique way of trying to bring themselves a bit of business. I think it moves the industry a bit forward. It's effective, but is it ethical?"

According to Leonid Reyzin, a professor of computer science at Boston University, "that depends on whether you adopt the utilitarian or deontological position on ethics. If you are a utilitarian, then you would have to weigh the pros and cons [of the hack.] If you are a deontologist, then most certainly not."

The issue also wanders into legal gray areas. What does it mean to "attack"? Certainly hacking into a bank account qualifies, but what about a social media breach? Couldn't both potentially cause harm?

"The definition of an attack often comes down to whether there was damage done," Mr. Ruths says. "I think Netflix could probably make a strong argument that damage was done to their brand."

Ethics and legality aside, there may be some value yet in OurMine's vigilante behavior. By making examples out of Silicon Valley elites, the hacking group has called attention to the limitations of password protection.

"They're calling for something that many in the industry have also called for, which is greater sophistication in the infrastructure," Asthappan says.

Today, even complex passwords can be cracked with advanced brute force software. Many experts recommend using two-factor authentication, which requires users to enter two separate codes to access an account - something that OurMine's victims, including Zuckerberg, chose not to use.

In the early days of the internet, when the first cybersecurity protocols were put to use, a user's entire experience was limited to email and web browsing. Simply put, the foundation of security did not and could not have accounted for the degree of connectivity to which many of us are accustomed. Though the digital infrastructure has grown and improved, the basic foundation has yet to be replaced.

"It's kind of like driving a Prius on a cobblestone road - it'll work, but it's not going to be pretty," Asthappan says.