Reaching beyond the infosec community, one of the most publicized incidents of the past decade was the 2014 doxxing of Sony Pictures. Ostensibly, the attack was ordered by North Korean leader Kim Jong-un to dissuade Sony from releasing “The Interview,” a film that poked fun at Mr. Kim and the North Korean regime.
Unlike ransomware, a topic about which the general public has a modicum of awareness, doxxing remains far less well known, outside of high-profile incidents such as the Sony Pictures attack. Unfortunately, as cybersecurity professionals, we do not have the luxury of the general public’s blissful unawareness of doxxing.
Nonetheless, doxxing is not a widely discussed topic in our industry. That isn’t because it doesn’t happen – more likely, it is because those who fall victim to extortion are loath to discuss it.
Off the record, law enforcement officials will admit that doxxing happens all the time but remains rarely reported in an official context.
While a treasure trove of personally identifiable information was exposed in the Sony hack (e.g., Brad Pitt’s phone number, Tom Hanks’s pseudonym, Johnny Madrid, and employee Social Security numbers), there was something the news outlets didn’t highlight. Among the more than one terabyte of data that was exposed, the most embarrassing item of all was a small folder of 140 files containing thousands upon thousands of passwords, for everything from all of Sony’s social media channels to employees’ own accounts, stored in plaintext without protection. The hacker group responsible for the Sony hack used a variant of the Shamoon Wiper malware to execute their attack, and then demanded that the premiere of “The Interview” be withdrawn.
Doxxing attacks (sometimes referred to as doxware and often considered a subclass of ransomware) are far more insidious than the classic variety of ransomware discussed in the media. More akin to blackmail or extortion, doxxing involves stealing non-public sensitive files and threatening to publicize them unless the ransom is paid. If you don’t pay the ransom, you’re not just locked out of your systems, as you would be with ransomware. Instead, you “pay the price” with your sensitive data exposed to the world. And because the files are never actually “returned” to the company, even if you pay, there is a good chance the thieves continue to extort the company indefinitely.
The threat of employee information, client files, product roadmaps, and company secrets ending up exposed in a public forum can be catastrophic for any organization. In November 2019, Allied Universal was breached by the Maze ransomware (Maze was referred to as ransomware, but in actuality, it was a doxxing attack). When they refused to pay the ransom, the “Maze Crew” published almost 700 megabytes of leaked files, including termination agreements, contracts, medical records, and signing certificates.
If that isn’t enough for an organization to deal with, any initial embarrassment over the exposed data will be compounded by the numerous regulatory compliance violations that follow, not to mention the hefty fines, reputational hits, and litigation.
Doxxing has, in some respects, become a greater concern for organizations than traditional ransomware, and the threat extends beyond your four walls. In addition to targeting the organization, clever criminals are targeting the organization’s service providers. Take, for example, the recent attack against several law firms in which the attackers posted client files online when the ransom was not paid.
Even with the right security controls in place, you can inadvertently dox your organization. Many of the data breach headlines have been due to the same thing: misconfigurations. In late 2019, a database of 267 million Facebook user IDs (now 309 million after the discovery of a second server), phone numbers, and names was exposed online for two weeks due to a misconfigured Elasticsearch cluster. The Entertainment Software Association, which runs the E3 Expo, accidentally doxxed over 2,000 journalists, YouTubers, and streamers through an unprotected web page that contained phone numbers and addresses.
Another way that organizations dox themselves is through discarding old or refurbished devices. Research from Rapid7 shows that many businesses do not follow through on their guarantee to wipe data from the devices brought to them. An analysis of 85 devices found over 366K files, including social security numbers and other sensitive information. Put these devices in the wrong hands, and your organization can be easily compromised.
The strongest possible protection against doxxing is encryption of data at rest. In theory, encrypting each sensitive file with a password would work nicely, but figuring out which files to encrypt and dealing with granular access controls for each file can pose an unrealistic management burden on users and systems.
While traditional encryption solutions, like Windows BitLocker, Symantec Endpoint, and Sophos SafeGuard, can serve as a precautionary baseline measure, they’re not without their shortcomings. These legacy encryption tools provide only the weakest protection against an attack, as they rely on the user’s credentials for decryption. As soon as a user authenticates, everything is effectively decrypted, enabling the user to interact freely with their files. So, we are right back where we started: an attacker – likely with either user or admin credentials – has open access to every file.
What is needed is file-level, granular encryption that is wholly decoupled from other authentication processes, yet doesn’t pose a barrier to usability. It is a tall order.
Atakama’s approach makes it impractical for an unauthorized user to attempt to open an encrypted file. Unlike traditional encryption solutions that rely on pre-existing user authentication systems or bulk-encrypt with a single key, Atakama’s approach disconnects authentication from encryption. Using AES-256, Atakama encrypts each file with a unique key that is split into pieces that are distributed and saved to the authorized user’s devices (e.g., computer and smartphone). Without traditional passwords that can be easily compromised, files protected by Atakama cannot be hacked or compromised without having both physical and digital access to the trusted devices.
Crucially, Atakama completely decouples authentication from encryption. It relies neither on bulk encryption nor central key storage. It is as if your users uniquely password-encrypt each file, but without the use of passwords.
Need to open an encrypted file? Just tap the “Approve” button in the Atakama mobile app. Atakama will immediately and securely transmit the piece of the requested file’s key stored on that device back to the computer, recombine the key from its distributed pieces, decrypt, and open the file.
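The per-file, split-key model described above, as an added illustration that is not Atakama’s code or protocol: each file gets its own random AES-256 key, the key is split into two shares (one for the workstation, one for the phone), the assembled key is erased, and the file can be opened only once both shares are brought back together. The two-of-two XOR split, the use of GCM mode, and the device names are assumptions made for this example; the page names only AES-256 and does not describe how the key is split. The sample plaintext is constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/subtle"
	"errors"
	"fmt"
)

// Share is one piece of a per-file key, held by a single trusted device. Assumed
// scheme for this example: a two-of-two XOR split, so either share alone is
// uniformly random and says nothing about the key.
type Share []byte

// SplitKey returns a random share a and b = key XOR a; a XOR b gives key back.
func SplitKey(key []byte) (a, b Share, err error) {
	a = make(Share, len(key))
	if _, err = rand.Read(a); err != nil {
		return nil, nil, err
	}
	b = make(Share, len(key))
	subtle.XORBytes(b, key, a)
	return a, b, nil
}

// CombineKey rebuilds the key from both shares; a wrong or missing share yields
// an unrelated key, never a partially correct one.
func CombineKey(a, b Share) []byte {
	key := make([]byte, len(a))
	subtle.XORBytes(key, a, b)
	return key
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptFile encrypts one file under a fresh random AES-256 key (GCM is an
// assumed mode; the text names only AES-256). It returns nonce||ciphertext||tag
// and the key, which the caller splits across devices and then erases.
func EncryptFile(plaintext []byte) (blob, key []byte, err error) {
	key = make([]byte, 32) // 256-bit key, unique to this file
	if _, err = rand.Read(key); err != nil {
		return nil, nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err = rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), key, nil
}

// DecryptFile opens a blob from EncryptFile. The GCM tag makes a wrong key (such
// as a lone share) or a tampered blob fail closed rather than return garbage.
func DecryptFile(blob, key []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

// ProtectAndRecover models the workflow in the text: encrypt, hand one share to
// the workstation and one to the phone, erase the assembled key, then decrypt only
// once the phone releases its share. It also reports whether the workstation's
// share by itself could open the file (it never should).
func ProtectAndRecover(plaintext []byte) (recovered []byte, aloneWorked bool, err error) {
	blob, key, err := EncryptFile(plaintext)
	if err != nil {
		return nil, false, err
	}
	workstation, phone, err := SplitKey(key)
	if err != nil {
		return nil, false, err
	}
	copy(key, make([]byte, len(key)))       // the whole key never sits at rest anywhere
	_, err = DecryptFile(blob, workstation) // attacker holding only the workstation
	aloneWorked = err == nil
	full := CombineKey(workstation, phone) // user tapped "Approve" on the phone
	recovered, err = DecryptFile(blob, full)
	return recovered, aloneWorked, err
}

func main() {
	out, alone, err := ProtectAndRecover([]byte("constructed sample: Q3 product roadmap"))
	fmt.Printf("recovered=%q workstation-share-alone-opened=%v err=%v\n", out, alone, err)
}
```

The point for a defender is the contrast with the credential-bound tools discussed earlier: an attacker who has a user’s login and the workstation obtains only one share, which is a uniformly random string, and the GCM authentication tag means that trying it as a key fails outright instead of producing corrupted plaintext. Recovery depends on the second device, not on the credentials the attacker already holds. `subtle.XORBytes` requires Go 1.20 or later; on older toolchains replace it with a byte-wise XOR loop.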
With Atakama, you can:
Request a demo and see how Atakama can help you protect your organization from sophisticated and damaging doxware attacks.