Engineering a far worse attack than Sony, without hacking

To be more precise, this kind of attack would rely on business hacking, rather than computer hacking. Other attacks, some potentially massive enough to turn Google into the worst search engine, are described below.

The Sony attack

I believe that such an attack could be accomplished by an insider (a disgruntled employee, or an employee paid by an external organization) benefiting from poor IT security at Sony, especially the email part, which consists of cross-emailing every employee of interest (including executives) with scary messages, or messages aimed at generating massive lawsuits and firings.

Indeed, in many companies, it is easy for some employees to download the email database (or parts of it), the CRM database (clients with email addresses and associated internal contacts), or the hierarchical database of employees (who reports to whom, email addresses, and job titles). Once this database is acquired by a rogue employee or consultant, it can be sold or used for many nefarious purposes: announcing (fake) layoffs, sending porn to executives with cc to external parties such as clients, exchanging racial insults between executives and clients (using spoofed email addresses) followed by fake apologies, and the list goes on. Before the culprit gets caught, the damage is done: billions of dollars have evaporated, and reputation is destroyed.

So how to protect your company?

Never hire a guy who looks too smart. Never hire a guy like me who posts articles like this one. Identify a dangerous employee as early as possible (using predictive analytics), and use soft-firing to get rid of him. Make it impossible for anyone (employee, contractor, or client) to download vast amounts of HR information. Beware that some rogue employees will accumulate the dangerous data very slowly, over a period of months. Detect and block spoofed email (originating from an IP address not in your white-list of addresses authorized to send internal email), and detect employees with infected computers (which can be used to send fake emails that appear legitimate, since they are not spoofed).
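The point about slow accumulation is why a per-day download threshold alone is not enough. The sketch below is an added example, not code from the original article: it runs a daily threshold and a rolling count of distinct HR records per user over the same constructed access log. The user names, thresholds, and log format are all assumptions made for illustration.

```python
from collections import defaultdict
from datetime import date, timedelta

# Assumed policy values (illustrative, tune to your own baseline).
DAILY_LIMIT = 50     # distinct HR records per user per day
WINDOW_DAYS = 90     # look-back window for slow accumulation
WINDOW_LIMIT = 500   # distinct HR records per user per window

def build_sample_log():
    """Constructed access log of (day, user, record_id) tuples."""
    start = date(2015, 1, 1)
    log = []
    for d in range(80):
        day = start + timedelta(days=d)
        # 'alice' (hypothetical HR clerk) re-reads the same 30 records daily.
        log += [(day, "alice", r) for r in range(30)]
        # 'mallory' (hypothetical) reads 10 *new* records per day.
        log += [(day, "mallory", 10 * d + r) for r in range(10)]
    # 'bob' (hypothetical) bulk-downloads 200 records in one day.
    log += [(start + timedelta(days=5), "bob", r) for r in range(200)]
    return log

def daily_alerts(log):
    """Users who touched more than DAILY_LIMIT distinct records in one day."""
    per_day = defaultdict(set)
    for day, user, rec in log:
        per_day[(user, day)].add(rec)
    return {user for (user, _), recs in per_day.items()
            if len(recs) > DAILY_LIMIT}

def slow_accumulation_alerts(log, as_of):
    """Users whose distinct-record count over the window exceeds WINDOW_LIMIT.

    Counting *distinct* records keeps routine re-reads of the same files
    (alice) from looking like accumulation.
    """
    cutoff = as_of - timedelta(days=WINDOW_DAYS)
    seen = defaultdict(set)
    for day, user, rec in log:
        if cutoff < day <= as_of:
            seen[user].add(rec)
    return {u: len(r) for u, r in seen.items() if len(r) > WINDOW_LIMIT}

if __name__ == "__main__":
    log = build_sample_log()
    print("daily threshold flags:", daily_alerts(log))
    print("90-day window flags:", slow_accumulation_alerts(log, date(2015, 3, 21)))
```

On this sample the daily rule flags only the one-day bulk download, while the windowed distinct-record count flags the user who never exceeded 10 records a day.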

The Sony attack is the tip of the iceberg

Plenty of silent, smaller attacks happen daily as part of normal business activities. These attacks are aimed at killing business competitors. Sometimes these attacks are a reaction to what is perceived as unfair treatment by big companies or government. Combined together, these attacks result in far more damage than the Sony or Target hacks. These attacks might not even be illegal, unlike the Sony attack.

Examples of silent attacks

A digital company gets banned or penalized on Google, and the victim perceives the punishment as unfair. Typically, the wrong punishment is the result of an algorithm defect. Algorithms have no feelings, and in the case of a big company like Google, there's nothing you can do about it: no customer support, no phone number to call, and anyway they deliver free traffic to your website. So they can pull the plug at any time for no reason, and make you lose all your revenue (too bad if you rely entirely on Google organic traffic for your revenue, not a smart business strategy). Occasionally, Google will have to face a tech-savvy victim that can and will kill all other competitors on Google, as a last resort to recoup losses and regain market share. There are techniques to succeed in such attacks, such as:

  • Black-hat SEO that you would do for (indeed against) your competitors - the kind of stuff that would get you banned if used for you. You might enroll a snake oil SEO company, a rogue newsletter marketing company, or link farm vendor for this purpose, pretending that you want to promote ... your competitors' websites!
  • Or generating manufactured traffic via a Botnet (you can use a third party Botnet operator), essentially traffic that never converts, making it appear to Google's algorithms that your competitors have irrelevant websites for the keywords you are interested in, and that you are targeting in the attack.
  • Posting bad reviews against your competitors, on blogs that show up in Google search results. Manipulate Google's relevancy algorithms so that only the bad stuff shows up. This is accomplished by creating an artificial higher click-through rate for the bad stuff, and requires the bad stuff to be published in trusted publications (LinkedIn etc.). Not easy to do unless you are a true SEO guru.

You can go one level further and over time, corrupt massive amounts of Google search results. Especially if you are a kid (maybe one rejected after a Google job interview), and want to prove to the world that you are one of the greatest data scientists. You would need to target the top 100,000 keywords with the right amount of fake but statistically well-distributed traffic. How to find these keywords? On Google itself, or just ask me. Such an attack could be called a data science attack. It does not involve hacking into anyone's server, but rather algorithmic intelligence and external data collection and processing.

Other companies such as Amazon or Yelp, extensively relying on user reviews, have made a lot of businesses very unhappy, due to undetected fake reviews. Rather than fixing their faulty algorithms, their policy is to further attack those few tech-savvy companies that they inadvertently (but unsuccessfully) tried to kill, once these little guys retaliate. These counter-attacks (e.g. by Amazon) are laughable, and make you think that they underestimate their enemies. I will provide an example in a future article. In the case of Amazon, attacks targeted at authors and publishers are starting to backfire, as articles against Amazon are getting a lot of traction recently.

Note that all these companies have stellar data scientists and other great employees. The problem is with some top decision makers, still acting as if we small people (their customers) are idiots that can easily be crushed on demand. That might be true for 99.999% of their users, but once you hit the 0.001% resilient ones - which will eventually happen when you make thousands of users furious every day - that's when you get an attack like the Sony one.

So even if you - the big company - are swamped by millions of customer messages every week, and can only provide automated answers, at least use an NLP-based algorithm to detect potential big trouble-makers. Do not just automatically browse what people write on your blog or to your mailboxes, but also what they write on social networks about your company. Follow thought leaders; they might be the first ones to detect a new trend, or new risks. Always be nice, even when your algorithms randomly turn bad and mean against someone. Listen to what people say about your company, but learn how to filter out the vast amount of noise from these conversations, using both algorithms and analyses performed by human beings. The most dangerous hackers might be those who never say anything, so having well-behaved, human-friendly (as opposed to computer-friendly) algorithms to deal with your users is always the best strategy.

Note: This type of attack could also be used to manipulate the stock price of the target company, especially to short the stock before the attack and buy back after the collapse, to finance the operations of hacking or terrorist groups.


Comment by Nancy Grady on January 2, 2015 at 7:11am

Very interesting article. It does take "cyber" security to a whole new level! We all deal with bad or just messy data, but your description of a 'data' attack chain is an interesting one, and it would certainly work given sufficient resources.
