The Matthew Keys debacle reminds us all why two-factor authentication REALLY matters

A journalist facing heavy jail time for his part in the Anonymous hack of the LA Times is a strong reminder for organisations to review and improve their security postures.

On Wednesday, journalist Matthew Keys was found guilty of illegally leaking a username and password to Anonymous. The credentials were used to make unauthorised changes to the website of the Los Angeles Times, which is owned by Tribune Company, a large multimedia corporation headquartered in Chicago.
 
Keys, 28, who was seemingly disgruntled after a dispute with his supervisor, contacted Anonymous and handed over the login credentials to Tribune Company’s server, according to several media outlets.

Keys “specified that he wanted Los Angeles Times ‘demolished,’” reported Tripwire.
 
Anonymous hackers reportedly used the username and password supplied by Keys to access a Tribune Company server and alter the web version of a Los Angeles Times article about tax policy.
 
Keys admitted to his part in the hack way back in 2012, and earlier this week he was found guilty for his involvement. He now faces a jail sentence of up to 25 years. His sentencing hearing has been set for January 20 next year.

A spokesman for Tribune Media Corporation, Gary Weitman, said: “We are pleased that the justice system worked. We will let today’s verdict speak for itself.” 
 
I have little doubt that we all have views on what we consider to be an appropriate punishment for Keys' part in this debacle.

Lessons learned...

While this is a fascinating story, there is a valuable security lesson buried in it for us all: the vital importance of implementing two-factor authentication.
 
No business can be a hundred percent confident that usernames and passwords won’t be passed on to unauthorised third parties. This can happen with intent, as in the case of Mr Keys, or occur innocently. No doubt you have heard of employees receiving a seemingly innocuous call from someone purporting to be another employee - perhaps from the IT department - claiming there is a problem and requesting the user’s credentials to rectify it. 
 
Security guru Graham Cluley of grahamcluley.com has this advice: 

“It is essential that when an individual leaves your company you change the passwords on any systems they may have had access to. Furthermore, add additional layers of security on your systems - such as two-factor authentication - which can help reduce the threat even if still-current passwords are shared with unauthorised individuals.”

While regular and mandatory education on the importance of creating strong passwords and keeping them safe is vital, it is not foolproof. Combining education with technologies such as two-factor authentication, however, provides a much stronger barrier against unauthorised access to the network.
 

 
==
Carole Theriault - Tick Tock Social 
AKJ Associates' consultant

 

