“Shame Hacking” Liberal Groups — Is It Really Russian Hackers Doing It?

But it’s the Russians!

The ubiquitous Russians are at it again, or so we are being told. You know, the Russian hackers who are everywhere, doing everything nefarious in the world, and victimizing poor little helpless “us” here in the United States . . .

BREAKING!

Wikileaks: CIA ‘Stole’ Russian Malware, Uses It to ‘Misdirect Attribution’ of Cyber Attacks

‘Vault 7’: CIA Catalogues Hack Techniques Used by Other States

Hey, if it makes you feel better, sure, blame it all on the Russians … but are we talking about Russian immigrants, Russian citizens, Russian descendants, or Russian government operatives? Those pesky details always seem to take the fun out of things. But here is something that is not up for debate: shame hacking is on the rise!

YAHOO DATA BREACH – SOME FACTS & QUESTIONS (I.E., WAS IT REALLY THE RUSSIANS?)

What is Shame Hacking?

Shame hacking is the use of hacked data for embarrassing or extorting people by threatening to expose such compromising data if they do not comply with the demands made of them.

Shame hacking is one more way that cyber criminals have learned to monetize the fruits of their criminal actions and represents an increasing trend in how hacked information can and will be used in many ways.

Shame Hacking the Progressives.

According to the recent Bloomberg article, Russian Hackers Said to Seek Hush Money From Liberal Groups, “Russian hackers are targeting U.S. progressive groups in a new wave of attacks, scouring the organizations’ emails for embarrassing details and attempting to extract hush money.” For example, “[i]n one case, a non-profit group and a prominent liberal donor discussed how to use grant money to cover some costs for anti-Trump protesters.” The hackers learned of this information and then threatened to expose this activity if the groups did not pay anywhere from $30,000 to $150,000 in Bitcoin.

Other Cases of Shame Hacking.

Shame hacking is nothing new and first became prominent when the North Koreans hacked Sony and revealed the Sony executives’ embarrassing emails. Over time, this trend has gained more popularity as yet another way for hackers to monetize the fruits of their ill-gotten gains, such as in the following cases:

______________________

Shawn Tuma (@shawnetuma) is a business lawyer with an internationally recognized reputation in cybersecurity, computer fraud, and data privacy law. He is a Cybersecurity & Data Privacy Partner at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, around the world.

David Beckham’s Exposed Emails Exemplify Shame Hacking Threat

Hackers have obtained David Beckham’s embarrassing emails from his advisors in an extortion plot in which the advisors were told “pay up or we’ll release emails,” according to a recent news report. When the advisors refused to pay the £1million demand, the hackers released the emails.

This is yet another example of what I call shame hacking, a topic that I have explained in several other posts and news appearances. Shame hacking is the use of hacked data for embarrassing or extorting people by threatening to expose such compromising data if they do not comply with the demands made of them.

Shame hacking is one more way that cyber criminals have learned to monetize the fruits of their criminal actions and represents an increasing trend in how hacked information can and will be used in many ways.

This is just the beginning folks, hang on for the ride!

Here are the prior posts that I mentioned earlier:


Porn, Politics & Cybersecurity: Are We Seeing Shame Hacking with Texas Elector?

Is the Texas elector who refuses to vote for Trump the first example of shame hacking in politics?

In previous posts, I have written about shame hacking, which is the use of hacked data for embarrassing or extorting people by threatening to expose such compromising data if they do not comply with whatever demands were made of them. I explained this on the CW 33 Eye Opener Morning Show while discussing the recent Adult Friend Finder data breach.

One of the ways I envisioned shame hacking taking place in an earlier post was for someone to use membership information revealed from the Ashley Madison hack in the context of politics:

The hack of Brazzers porn site is similar to the Ashley Madison hack in that the real opportunity for monetization lies not in the intrinsic value of the data itself, but in the opportunity to use the data to embarrass and extort others into paying money to keep it secret.

The data dump from the hackers includes email addresses, user names and passwords spelled out in plain text, which can certainly lead to embarrassment for those who would not want their spouses, significant others, co-workers, employers, employees, parents, children, pastors, congregation, or constituents to know they are members of such a site. (Brazzers Porn Hack: More than Just Account Holders Exposed)

With the public announcement by the Texas elector that he will not vote for Donald Trump, quite a kerfuffle has ensued. In the wake of this, one website is accusing the elector of having been a member of the Ashley Madison dating website and looks to information purportedly obtained through the Ashley Madison data breach to support its allegations.

Regardless of whether the allegations are true or false or the information purportedly obtained from the Ashley Madison data breach is real or not (and, I do not know either), this illustrates the point that information obtained from data breaches such as Ashley Madison, Brazzers, or Adult Friend Finder — or allegations of the existence of such information even if false — can and will be used in many ways, including in politics.

This is just the beginning folks, hang on for the ride!

Here are the prior posts that I mentioned earlier:


Yahoo Data Breach – Some Facts & Questions (i.e., was it really the Russians?)

The Basic Facts

Yahoo announced that it had a data breach in late 2014 and 500 million users’ account information was stolen. The account information may include names, email addresses, telephone numbers, date of birth, passwords (most encrypted with bcrypt, but apparently not all), security questions, and security question answers.

People who have Yahoo-based services should immediately change their passwords, change their security questions and answers, not use the same password on multiple accounts, and implement dual factor authentication where available.

The Message in the Message

In its notification message, Yahoo subtly invokes the “it’s not our fault, we were the victim of a state-sponsored actor attacking us” defense. I do not blame Yahoo, it works. It uses the words “state-sponsored actor” twice in the first paragraph and twice in the fourth paragraph:

You Could See This One Coming: Vibrator Company Sued for Tracking Usage

SETTLEMENT UPDATE: A Canadian sex-toy manufacturer, We-Vibe, has been ordered to pay out almost $3 million to customers who bought a “smart vibrator” that tracked owners’ usage without their knowledge. Each customer who used the associated app will be paid $7,433, and customers who bought the vibrator but never used the app can claim up to $147.

___________________

For many years this blog has been raising awareness of the intimate nature of vulnerabilities that are created by connected devices on the Internet of Things (IoT) (hacking a toilet, hacking other devices). This latest about the We-Vibe sex toy is no surprise but, as explained below, the concern over shame hacking is no laughing matter.

Today’s Law 360 leads with an article about a recently filed privacy lawsuit: Vibrator Gets Too Intimate By Tracking Usage Info, Suit Says (paywall). According to the article,

Brazzers porn hack: more than just account holders exposed–what does this mean for your company?

We have been observing an evolution in hackers’ tactics from going after data that could be directly monetized, such as payment card data, to going after data that can be monetized indirectly through extortion, such as the Ashley Madison data. The hack of Brazzers porn site is similar to the Ashley Madison hack in that the real opportunity for monetization lies not in the intrinsic value of the data itself, but in the opportunity to use the data to embarrass and extort others into paying money to keep it secret.

The data dump from the hackers includes email addresses, user names and passwords spelled out in plain text, which can certainly

#SonyHack: Will Executives’ Embarrassing Emails Better Motivate Cybersecurity Change?

Sitting in the Miami airport at 5:00 am I am reading news updates on the #SonyHack and a thought just occurred to me:

Previously, many of us preaching the “you better take your company’s security seriously” message to the C-Suites have been wondering if it would take a court decision finding C-Levels or Board members personally liable before they would fully appreciate the significance of cybersecurity risk to their companies.

In reading the articles about how the Sony Hackers are releasing Sony Executives’ entire email folders and all of the personally and professionally embarrassing email conversations they have exchanged, it makes me wonder if this will not do more damage to their professional reputations and careers than anything. And, if it does, does that mean that this may ultimately exert as much or more pressure on them (and other executives who are watching) to put more emphasis on cybersecurity in their companies when the “risk to company” message has not been working?

If there is one thing we know about human nature, it is that self-interest always prevails … will it here as well?