Hacking is getting easier, and any criminal with a cause — or even without one — can now bring down companies’ websites and access users’ personal information. The latest victim is the ABC.
There’s nothing special about yesterday’s hack of an ABC website. But that’s precisely why it heralds a future where any organisation can be a target, along with any individuals connected with it. Things are going to get worse.
What we have here is a routine random hacktivist strike against a target of opportunity vaguely connected with the cause of his or her ire, with the exposure of innocent bystanders’ personal data as collateral damage. It just got more media coverage because it happened on the journalists’ own patch.
The random hacktivist was Phr0zenMyst, who claimed responsibility via Twitter. The cause of Phr0zenMyst’s ire was Lateline’s interview with Dutch ultra-nationalist politician Geert Wilders. While Phr0zenMyst’s tweets use the hashtag #OpWilders, which is Anonymous’ label for its ongoing protest against Wilders, the operators of Twitter accounts usually associated with Anonymous are distancing themselves from this one.
The target was the website for the ABC TV series Making Australia Happy. The hacker stole its core database with information on nearly 50,000 audience members who’d registered to comment, and published it online. The data included user ID, nickname as displayed on the site, a hashed version of passwords, age, gender, email address, postcode and the internet (IP) address of the computer at the time users registered.
One key issue here is the hashed passwords. Password hashing is meant to help prevent the actual password being discovered following data breaches like this. But as Microsoft security researcher Troy Hunt soon discovered, the password hashing was done badly. He was able to crack 53% of the passwords in just 45 seconds. Criminals can and doubtlessly will do the same, and they’ll try using the same password to access any other accounts associated with the same user ID or email address.
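The article says the hashing "was done badly" without naming the scheme, so the following is an added illustration (not code from the article, the ABC, or Troy Hunt) of the general point: a fast, unsalted hash lets one precomputed table be checked against every user at once, while a salted, deliberately slow key-derivation function forces the work to be repeated per user and per guess. The password list, user records and the choice of MD5 versus PBKDF2-HMAC-SHA256 are constructed assumptions for the demonstration.

```python
import hashlib
import os
import secrets
from typing import Dict, Iterable, Optional

# Constructed sample data for this illustration only: a tiny "common passwords"
# list and three made-up users. None of this comes from the breached database.
COMMON_PASSWORDS = ["password", "123456", "qwerty", "letmein", "football", "abc123"]
SAMPLE_USERS = {"alice": "password", "bob": "letmein", "carol": "Tr0ub4dor&3"}


def fast_unsalted_hash(password: str) -> str:
    """The weak scheme assumed here: a bare MD5 digest with no salt and no work factor."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def slow_salted_hash(password: str, salt: Optional[bytes] = None, iterations: int = 200_000) -> str:
    """A sound scheme: PBKDF2-HMAC-SHA256, a random 16-byte salt per user, high iteration count.

    The stored string carries everything needed to verify later (algorithm, cost, salt, digest).
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_slow_salted(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and cost, compare in constant time."""
    _algo, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return secrets.compare_digest(digest.hex(), digest_hex)


def lookup_table_check(stored: Dict[str, str], wordlist: Iterable[str]) -> Dict[str, str]:
    """Model the cheap attack the weak scheme invites: hash each wordlist entry ONCE,
    then match every stored value by dictionary lookup. Cost is len(wordlist) hashes
    regardless of how many users there are (the 50,000 in the article or 5 here)."""
    table = {fast_unsalted_hash(w): w for w in wordlist}
    return {user: table[h] for user, h in stored.items() if h in table}


def recovered_fraction(stored: Dict[str, str], wordlist: Iterable[str]) -> float:
    """Share of accounts whose password the one-pass lookup recovers (0.0 to 1.0)."""
    return len(lookup_table_check(stored, wordlist)) / len(stored)


def demo() -> dict:
    # Simulate a site that stored bare MD5 versus one that stored salted PBKDF2.
    weak_db = {u: fast_unsalted_hash(p) for u, p in SAMPLE_USERS.items()}
    strong_db = {u: slow_salted_hash(p) for u, p in SAMPLE_USERS.items()}

    weak_hits = lookup_table_check(weak_db, COMMON_PASSWORDS)
    # The same lookup against salted values finds nothing: every record has a
    # different salt, so no single precomputed table matches any of them.
    strong_hits = lookup_table_check(strong_db, COMMON_PASSWORDS)

    return {
        "weak_recovered": weak_hits,
        "weak_fraction": recovered_fraction(weak_db, COMMON_PASSWORDS),
        "strong_recovered": strong_hits,
        "strong_verifies_correct": verify_slow_salted("password", strong_db["alice"]),
        "strong_rejects_wrong": verify_slow_salted("letmein", strong_db["alice"]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it shows the weak store giving up two of the three constructed accounts from a six-word list in one pass, while the salted PBKDF2 store gives up none and still verifies the legitimate password. The practical lesson for a site operator is the one the article implies: store passwords with a salted, slow function (PBKDF2, bcrypt, scrypt or Argon2) and assume any dump of fast unsalted hashes is as good as plaintext for most users.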
But again, this is nothing new. So let’s step back.
“The problem with Anonymous is that it’s like a bloke with a hammer forever wandering around looking for nails,” I wrote last July. At the time, Anonymous had hacked random Queensland government websites in protest against the federal government’s plans for ISP data retention.
Since then, things have gotten worse. We’ve got more people like Phr0zenMyst joining the bandwagon without necessarily bothering to understand the subtleties of political activism. Hacking a website is one thing, but immediately dumping the stolen data into a public website to make victims of 50,000 people completely unrelated to your cause is quite another.
The tools used for these hacks are easily obtained, just like anyone can go to a hardware store and buy a crowbar to jemmy open a window, and they’re getting easier to use. Anonymous, with the mystique of secrecy and Guy Fawkes masks — well, Warner Bros Guy Fawkes masks, there’s an irony! — has made hacktivism cool. And web developers don’t seem to be getting any better at security.