The GhostShell hacktivist group has been at it again. It has dumped 1.6 million records – mainly database tables – which it claims it took from NASA, ESA, the FBI, Interpol, various defence and aerospace industry firms, the Credit Union National Association (CUNA) and others.
You can read more details at The Register and Information Week.
The data dump is accompanied by the usual preening on Pastebin (and wasn’t Pastebin supposed to be taking steps to stop this sort of thing?). It’s the kind of posturing and taunting of law enforcement and the security industry we’re familiar with from the likes of LulzSec – you know, right up to the point where they were arrested.
But there’s no getting away from the fact that these dumps, if they’re genuine, will cause major embarrassment for the organisations concerned.
GhostShell seems to specialise in these massive data dumps. It previously leaked a million records from businesses, back in August, student records from 100 universities and 2.5 million records from Russian government organisations and businesses.
Why?
There’s a lot of rather self-important blather about fighting oppressive regimes in China and the Middle East, cyberwar against governments and the like. Most of it grossly exaggerates the significance or effectiveness of what GhostShell has done.
However, there’s also a clear desire to shame organisations with poor information security, and in that, at least, they’ve had some success. But for all the grand idealism, what are they actually achieving?
These databases were poorly secured, yes. But the organisations concerned – for all that they should be held culpable for their ineptitude – weren’t the ones to leak the information. There, the blame lies squarely with GhostShell.
In its Pastebin screed, GhostShell notes, “over 85 mil. people at risk. (we’ve keep [sic] the leak to as little as possible)”. Maybe so, but it’s GhostShell that is exposing individual people to attack through the leaking of this data. Is there really no other way to embarrass these organisations without actually dumping the data? After all, these dumps are going to be pure treasure for spammers, phishers and other cyber-criminals.
This is the problem when people who cast themselves as freedom fighters attempt to achieve their goals by making vulnerable the very people they claim are at risk from the targets’ poor security.