Netflix and Marvel became the latest targets of OurMine, a shadowy hacker group that took over both companies’ Twitter accounts Wednesday to post self-promotional tweets.
The breaches may seem familiarto tech impresarios such as Facebook chief executive officer Mark Zuckerberg and Twitter CEO Jack Dorsey, whose Twitter credentials were obtained by the group earlier this year.
The collective claims that it isn't breaking into the accounts for nefarious purposes, but instead to make a point. OurMine says it wants to help large organizations improve network security by proving how vulnerable tech companies, executives, and celebrities are to hackers.
But just who is OurMine, and is their brand of hacking rooted in benevolence or profit?
While OurMine calls itself a “white hat” hacking group – a term that applies to ethical hackers – some cybersecurity experts say the group is misappropriating that description.
“A true white hat hacker should never use malicious approaches to make their points,” Zaiyong Tang, a professor of networks and security at Salem State University, tells The Christian Science Monitor in an email. “The hacking of those Twitter accounts makes OurMine not much different from black hat hackers seeking notoriety.”
In addition to hacking Mr. Zuckerberg, OneMine also obtained the Twitter credentials for Google CEO Sundar Pichai, Wikipedia founder Jimmy Wales, and Yahoo CEO Marissa Mayer.
In October, Buzzfeed ran a story identifying one OurMine member as Saudi teen who goes by the name Ahmad Makki. The group denied the accusation and later hacked Buzzfeed in retaliation.
In most cases, OurMine claims to have obtained passwords through network vulnerabilities. But many of the affected sites, such as Twitter and Quora, have denied those claims. Instead, they say, the hackers likely reused passwords from previous data breaches.
“These types of attacks are basically password guessing,” Jibey Asthappan, director of the University of New Haven’s national security program, tells the Monitor in a phone interview. “They might use some social engineering, or it could be a brute force attack. This is probably not a very sophisticated attack.”
After gaining access to an account, the group typically fires off a series of Tweets using the hashtag “#ourmine.” The breaches rarely last more than a few hours, and the group maintains that it doesn’t use the accounts for nefarious purposes. In each case, the compromised account posts a common message: “Don't worry, we are just testing your security,” along with a link back to the group’s website.
“It’s a concerning precedent, but one reason [OurMine] may be doing this is that it’s potentially the easiest way to get an organization to pay attention to a vulnerability,” Derek Ruths, a professor of computer science at McGill University, tells the Monitor in a phone interview. “A random email that comes in and says, 'Hey Netflix, you have a network vulnerability' probably isn’t going to make it very far.”
It’s also possible that the hacks are just free advertising for OurMine’s security services, which range from $10 email scans to $5,000 consultations for corporate networks. In an email to The Guardian, the group claimed to earn $20,000 to $40,000 every month from consultations.
At best, that would be morally questionable guerrilla marketing for the Digital Age. At worst, it’s an exploitative business model predicated on fear. By targeting highly visible tech influencers, groups like OurMine can exploit the security fears of the average user. Though dealing with hackers is almost never a sound practice, some users may feel compelled to do so in the interest of security.
“This is the only place where it’s still the Wild West, and these are the types of things you can get away with,” Mr. Asthappan says. “It’s a unique way of trying to bring themselves a bit of business. I think it moves the industry a bit forward. It’s effective, but is it ethical?”
According to Leonid Reyzin, a professor of computer science at Boston University, “that depends on whether you adopt the utilitarian or deontological position on ethics. If you are a utilitarian, then you would have to weigh the pros and cons [of the hack.] If you are a deontologist, then most certainly not.”
The issue also wanders into legal gray areas. What does it mean to “attack”? Certainly hacking into a bank account qualifies, but what about a social media breach? Couldn’t both potentially cause harm?
“The definition of an attack often comes down to whether there was damage done,” Mr. Ruths says. “I think Netflix could probably make a strong argument that damage was done to their brand.”
Ethics and legality aside, there may be some value yet in OurMine’s vigilante behavior. By making examples out of Silicon Valley elites, the hacking group has called attention to the limitations of password protection.
“They’re calling for something that many in the industry have also called for, which is greater sophistication in the infrastructure,” Asthappan says.
Today, even complex passwords can be cracked with advanced brute force software. Many experts recommend using two-factor authentication, which requires users to enter two separate codes to access an account something that OurMine's victims, including Zuckerberg, chose not to use.
In the early days of the internet, when the first cybersecurity protocols were put to use, a user’s entire experience was limited to email and web browsing. Simply put, the foundation of security did not and could not have accounted for the degree of connectivity to which many of us are accustomed. Though the digital infrastructure has grown and improved, the basic foundation has yet to be replaced.
“It’s kind of like driving a Prius on a cobblestone road – it’ll work, but it’s not going to be pretty,” Asthappan says.