Lessons Not Learned? Porn Gets Uploaded To Sesame Street Site

There must be some hand wringing going on at Public Broadcasting Corporation (PBS) tonight.

On the heels of a PBS server breach earlier this year that revealed the passwords of journalists from numerous media outlets, they have now had to endure the defilement of their signature children’s program, Sesame Street.

If you grew up watching Oscar the Grouch trading one-liners with Bert and Ernie, you will be horrified to know that for about twenty minutes today X-rated video content was substituted for G-rated content.

It is shocking that anyone would think that putting X-rated content in front of the Sesame Street audience could be justified.

At this time, we don’t know the entry-point for this breach. It does make one wonder what might have happened to cause this incident.

An attacker might have been able to learn the username and password that allows Sesame Street producers to upload new content. As we saw in the breach of the PBS server in May of this year, once an attacker controls one critical system, it is often easy to discover the usernames and passwords of its users. Often the passwords are trivial to guess, or easy to “crack.”

And, often staff members use the same username/password pair to access multiple systems. It is possible that some sort of password-stealing trojan was used against the staff of Sesame Street. Once the attacker has one or more passwords, it might be trivial to impersonate a Sesame Street producer and upload whatever content he wishes.

Even after so many attacks in the news (and more that don’t make the headlines), non-technical managers still look at information security as an expense, rather than a strategic investment. They often think that they are not a target since they are not a bank, or the Pentagon, or the FBI, and that they have nothing of value to take. Many non-technical decision makers downplay the risks, and once the risk is lowered, there is no need, in their minds, to take measures to protect the organization’s information assets.

What is disturbing in this case is that, AFTER a breach earlier this year at PBS, it appears that Sesame Street did not take information security measures to protect the most vulnerable members of the PBS audience.

There is a bigger message here for all organizations: Passwords alone are no longer effective in protecting information assets. Users have too many systems to log into to remember long, complex passwords for each system. And, with modern attacks, even THOSE passwords can be cracked or stolen with relative ease.

What’s a solution? Non-technical decision makers need to look at so-called multi-factor authentication. Something you know is one factor (a username/password) and something you have can be another factor. The best systems use multi-factor authentication with one-time passwords, so that each time a user authenticates, a new one-time password is used. If an attacker steals that password, it is useless.

Of course we can’t overlook another strong possibility. Research shows us repeatedly that disgruntled employees are often at the root of cyber breaches. I hasten to add that I have no information, aside from what I have read in the press. There are also several types of technologies that would alert management when an employee engages in unauthorized activity.

Technology provides the answers, but sometimes management has to get stung before they become curious enough to look into them.

By: Ira Victor, G2700, GCFA, GPCI, GSEC, CGEIT, CRISC, Member: HTCIA. Ira Victor is an information security and forensics analyst, and Co-Host of CyberJungle Radio.
