The following is a guest post by Silvia Brooks, a contributor for www.homesecurity.org. She keeps readers up-to-date with the latest in home security, technology, and online privacy. Silvia welcomes your comments below the post!
Major corporations, federal agencies, and celebrities are targeted by infamous hacking groups on a regular basis, but a recent hack hit a little closer to home for thousands of private citizens around the world. The popular blog and social media site Tumblr was hacked on December 3, 2012.
A hacker group called GNAA–you don’t want to know what that acronym stands for–unleashed a worm that compromised over 8,000 Tumblr accounts and posted racist and inflammatory messages on users’ blogs, and as a result, on many of the Twitter accounts tied to those blogs. The GNAA claimed responsibility for the hack soon after the blogs were compromised, and the group was identified as being linked to several other trolling messages across the web throughout the past year.
The software, designed to cut through security measures and self-replicate once a post had been made, had the potential to fully erase blog content if users deleted the inflammatory posts. Tumblr is now claiming to have repaired the security holes that allowed the work to bypass the site, but the question remains as to how the site was able to remedy the situation and whether the measures would protect against future attacks.
Tumblr had been notified of the GNAA’s intentions and the existence of the security hole weeks prior to the breach, a point the GNAA told the media after the hack occurred.
While Tumblr’s failure to fix the hole immediately is most likely the result of a consistent stream of threats that hacking groups make to websites that make it difficult to follow up on every tip, this is still a much more serious matter than the general public may be aware. In fact, the GNAA cited Tumblr’s inefficacy in repairing the security hole as one of the primary reasons behind the attack.
What does the Tumblr hack mean for online privacy and security?
Even though threats to the federal government, bank accounts, or major corporations hold more weight, there’s something uniquely sinister about hacks into people’s personal creative or social accounts on a mass scale.
Most of us know that our personal information isn’t safe online, but the most the typical citizen can do is change passwords frequently, conduct private business on secured networks, use privacy and security software, and hope for the best. The problem is that most of the information we share on social media seems innocuous. What could a hacking group really do with our pictures of dinner, party nights with our best friends, blog entries, or event invitations?
If we store and share information in clouds, blogs, or social media sites, how could it affect our personal security?
The first major personal security threat is the cloud. More and more private citizens are uploading information to a cloud network where they can access it from any location. Cloud storage presents a direct pathway to our personal wireless devices, especially phones (which have been notoriously easy to hack). The future of cloud security is undefined, as the service is fairly new and extremely wide-reaching. The threat goes both ways. If a cloud account is hacked, the hacker may have the ability to tie it back to a mobile device. Alternately, if a phone is stolen, the thief will have direct connections through apps to all of the owner’s personal information stored in the cloud.
Less obvious threats lie on social media platforms themselves. Facebook and Twitter are great ways to connect with friends and loved ones, but we’re never completely aware of the ramifications that could come with the information we share. Not only do hackers have a front row seat to the information needed to access even so-called high-security bank accounts (a birthdate, for instance, or an authenticator like your mother’s maiden name), hacks may actually present the least of our worries as Internet use expands.
These online security threats could translate into real world personal security issues. Hackers aren’t the only ones who want your personal information: rapists, con artists, and thieves would love to know what you plan to do on Friday night, where you’ll be, and who you’ll be with. In fact, with apps dedicated to displaying exactly where you are and what you’re doing at any given time, thieves and abusers will know when your family will be away on vacation, when you buy a new TV, and what you’re getting for Christmas. This takes quite a bit of the guesswork out of the equation for criminals.
And probably the scariest threat is the possibility of widespread misinformation. Many people use Twitter and Facebook to report on what’s going on in their lives. Protesters use these accounts to mark their locations and plans, and users post videos of police brutality or deadly weather conditions. A hacker group recently prompted several outlets to report that people were looting after the Hurricane Sandy disaster by posting false sightings of the events.
If the news media can be so affected by a simple social media post, what happens when more serious misinformation is placed online? Not only is this a matter of personal information security, but it could become a public safety issue.
The only real regulation in place to define and regulate online privacy is the Electronic Communications Privacy Act (ECPA). Created in 1986, the document has been revised several times, but it’s overdue for a major update. The act doesn’t contain regulations for some of the new and major social media and communication technologies used online—even email isn’t properly protected.
If we fight for anything when it comes to Internet regulation, personal security and our right to privacy should be at the top of the list.