Does the name Syrian Electronic Army mean anything to you? It certainly does to Microsoft, eBay, PayPal, Facebook, Twitter, Obama’s website “Organizing for Action”, and dozens of others targeted by the organisation in the past few years. Their most financially damaging assault was the infiltration of the Associated Press’ Twitter account in April 2013. The false tweet
“Breaking: Two Explosions in the White House and Barack Obama is injured”
caused major panic and briefly wiped out $136bn of the S&P index’s value.
The group support the government of Syria’s president, and appear to target organisations or individuals they perceive to be undermining their cause. In January 2014 Microsoft were hit by a successful phishing attack, and later released a statement on their TechNet blog saying:
“We have learned that there was unauthorized access to certain employee email accounts, and information contained in those accounts could be disclosed. It appears that documents associated with law enforcement inquiries were stolen.”
Documents fitting this description have been released online by the hackers, and purport to show interactions between Microsoft’s Global Criminal Compliance team and the FBI’s Digital Intercept Technology Unit (DITU). They appear to suggest Microsoft have been charging the FBI hundreds of thousands of dollars for user information, at around $200 per individual (as of August 2013). If this were the case, and assuming these documents are not in fact forgeries, Microsoft would be acting legally according to US law, which states that, when required to release such information to the FBI and similar agencies, the provider may be compensated for expenses. Whether or not this practice is legal, however, it raises some major questions about online security.
The Daily Dot, a website hacked by the Syrian Electronic Army, disclosed details of their ordeal, explaining that a sophisticated phishing attempt was made by the organisation. Emails manipulated to look like they were sent by a colleague were directed to members of the site management team, encouraging them to click on an enclosed link. When they did so they were asked to enter their username and password, which were then used by the activists to infiltrate the organisation. In their article describing the incident, the Dot labels the method a “weakest link” approach: all it takes is one person to slip up and the entire system is compromised.
It’s no secret that companies are working all the time to improve online security. Only a few days ago, on the 20th of March, Google announced they had made changes to their email services and are now encrypting 100% of messages sent internally, claiming:
“Today’s change means that no one can listen in on your messages as they go back and forth between you and Gmail’s servers—no matter if you’re using public WiFi or logging in from your computer, phone or tablet.”
Whilst some (the Mail Online, for example) have charmingly interpreted the move as an attempt to stop snooping from the US National Security Agency in the interests of user security, the fact remains that these agencies can and do request information from Google, Microsoft and the like on a regular basis. With regard to the interaction between these companies and government agencies, the only effect of this increased security may therefore be that Google could force the NSA to pay for the privilege of viewing user information. So whilst the knowledge of this increased security may seem comforting, if recent events involving Microsoft and the Syrian Electronic Army have shown anything, it is that we still cannot put our complete trust in online security. Even if the hackers can’t access our personal information, there seems to be little stopping our governments, for a price, of course.