There must be some hand-wringing going on at Public Broadcasting Corporation (PBS) tonight.
On the heels of a PBS server breach earlier this year that revealed the passwords of journalists from numerous media outlets, they have now had to endure the defilement of their signature children’s program, Sesame Street.
If you grew up watching Oscar the Grouch trading one-liners with Bert and Ernie, you will be horrified to know that for about twenty minutes today X-rated video content was substituted for G-rated content.
It is shocking that anyone would think that putting X-rated content in front of the Sesame Street audience could be justified.
At this time, we don’t know the entry point for this breach. It does make one wonder what might have happened to cause this incident.
An attacker might have been able to learn the username and password that allows Sesame Street producers to upload new content. As we saw in the breach of the PBS server in May of this year, once an attacker controls one critical system, it is often easy to discover the usernames and passwords of its users. Often the passwords are trivial to guess, or easy to “crack.”
And often staff members reuse the same username/password pair to access multiple systems. It is possible that some sort of password-stealing trojan was used against the staff of Sesame Street. Once the attacker has one or more of those passwords, he might have found it trivial to impersonate a Sesame Street producer and upload whatever content he wished.
Even after so many attacks in the news (and more that don’t make the headlines), non-technical managers still look at information security as an expense, rather than a strategic investment. They often think that they are not a target since they are not a bank, or the Pentagon, or the FBI, and that they have nothing of value to take. Many non-technical decision makers downplay the risks, and once the risk is lowered, there is no need, in their minds, to take measures to protect the organization’s information assets.
What is disturbing in this case is that, AFTER a breach earlier this year at PBS, it appears that Sesame Street did not take information security measures to protect the most vulnerable members of the PBS audience.
There is a bigger message here for all organizations: passwords alone are no longer effective in protecting information assets. Users have too many systems to log into to remember a long, complex password for each one. And with modern attacks, even THOSE passwords can be cracked or stolen with relative ease.
What’s a solution? Non-technical decision makers need to look at so-called multi-factor authentication. Something you know (a username/password) is one factor, and something you have can be another factor. The best systems use multi-factor authentication with one-time passwords, so that each time a user authenticates, a new one-time password is used. If an attacker steals that password, it is useless.
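To show why a stolen one-time password is useless, here is an added example (not code from the original post or from PBS) of the counter-based HOTP scheme from RFC 4226, with a server-side verifier that refuses to accept a code a second time. The secret is the RFC’s published test-vector key, used here only as a constructed demo value; the look-ahead window size and the class name are my own choices.

```python
import hmac
import hashlib
import struct

# Constructed demo secret: the RFC 4226 test-vector key, not a real credential.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP per RFC 4226: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    ) % (10 ** digits)
    return str(code).zfill(digits)


class OtpVerifier:
    """Server side: remembers the last accepted counter so a captured code cannot be replayed."""

    def __init__(self, secret: bytes, look_ahead: int = 5):
        self.secret = secret
        self.look_ahead = look_ahead  # tolerate a few unused presses on the token
        self.last_counter = -1        # no code accepted yet

    def verify(self, submitted: str) -> bool:
        # Only counters strictly after the last accepted one are candidates.
        start = self.last_counter + 1
        for c in range(start, start + self.look_ahead):
            if hmac.compare_digest(hotp(self.secret, c), submitted):
                self.last_counter = c  # this code and every earlier one are now dead
                return True
        return False


def replay_demo():
    """Legitimate login, an attacker replaying the captured code, then the next fresh code."""
    verifier = OtpVerifier(DEMO_SECRET)
    captured = hotp(DEMO_SECRET, 0)                 # what a keylogger would see on login
    first = verifier.verify(captured)               # True: the producer logs in
    replay = verifier.verify(captured)              # False: same code, already consumed
    fresh = verifier.verify(hotp(DEMO_SECRET, 1))   # True: the token's next code still works
    return first, replay, fresh


if __name__ == "__main__":
    print(replay_demo())  # (True, False, True)
```

A static password would have passed all three checks; the one-time code passes only once, which is the property the paragraph above relies on.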
Of course we can’t overlook another strong possibility. Research shows us repeatedly that disgruntled employees are often at the root of cyber breaches. I hasten to add that I have no information aside from what I have read in the press. There are also several types of technologies that would alert management when an insider engages in unauthorized activity.
Technology provides the answers, but sometimes management has to get stung before they become curious enough to look into them.
By: Ira Victor, G2700, GCFA, GPCI, GSEC, CGEIT, CRISC, Member: HTCIA; Ira Victor is an information security and forensics analyst, and Co-Host of CyberJungle Radio