‘The Chaos Machine’ author on celebrity hacks and how social media threatens IT security

In Max Fisher’s new book The Chaos Machine, the New York Times reporter delves into the history of social media companies and how they are affecting our lives.

He talked with IT Brew last week about how social media can present threats to cybersecurity—and what IT professionals need to understand about the online ecosystem. Here’s some of that conversation.

This interview has been edited and condensed for clarity.

In your book, you write about the celebrity hacks of 2014. Do companies share responsibility for disseminating this material? Where’s the line between people’s right to free expression and a social media company’s responsibility?

The major social media companies have gotten more proactive about removing hacked materials, especially stolen materials that are used to embarrass or humiliate a target. But at the same time, their promotional systems have become only more aggressive at surfacing and pushing out…things that are getting a lot of attention, things that promote outrage, things that are seen as really salacious or scandalous, and that just happens to include hacked materials.

So, in some ways, it’s gotten better because the companies don’t outwardly take this view anymore of, “Well, it's your problem if material got hacked and leaked on our website and our website is promoting it.” But in the ways that matter, it’s gotten significantly worse, because the systems are so effective at pushing that out.

What are the social engineering implications of social media when it comes to security—revealing personal information and the like—and how can IT teams protect against that?

There are three trends that are coming together to create a different sort of IT security threat than the ones that we’ve traditionally thought about, like threats from Blackhat groups, or from hackers who are in it to make a buck for profit, or nation states.

The first one, and this is the one that I obviously spend the most time on in the book, is that the social platforms…have really geared their systems increasingly over the last several years towards the promotion of mass outrage.

And that means not just that you log on and you get angry at something that’s happening online, but that it is designed to galvanize large numbers of people communally in anger towards some target that’s perceived as transgressing the group.

This touches on the second big trend, which is a norm that has emerged…of lashing out at targets of the community’s ire [and] outrage through hacks meant to embarrass the target. That might mean taking some information from them, that might mean hacking an individual who happens to work for whatever the target is, if it’s a company, a celebrity, an individual—whoever happens to be the target of rage that day.

[There is] a norm of folks…going out of their way to execute a hack on the target, to get materials, and then to distribute them through the platform, which allows it to ride the outrage that is already generated…to spread hacked materials or falsified information…Sometimes, it’s just done for mischief, it’s just done for fun.

This is relevant for folks who work in IT security because it means that either you as an individual, or your employer, or whoever you’re thinking about trying to protect, could suddenly become the source of an overwhelming attack meant to embarrass [someone] for no good reason.

The third big trend is [that] there’s been a real democratization of tools for hacking, and for the mass distribution of stolen materials…It’s now much easier for basically anyone to download these kinds of pre-made packages that are pieces of software that will do the hacking for them. What that means is that the world of potential threats has grown from just groups or individuals who are going to be sophisticated enough to execute a hack like this, to anyone who exists on the seedier corners of the internet and might have some free time. They might be a 14, 15-year-old kid [who] is going to be galvanized by the outrage that is promoted through their social platforms.

In practical terms, if you are thinking about security as someone who is living on the internet or someone who is thinking about a client or an employer who’s on the internet, something that you have to pay a lot more attention to that you didn’t in the past…is sentiment on the major platforms, which can snowball very quickly, thanks to the design of these platforms, from someone being mad to 1,000 people trying to selectively hack and humiliate a target as a fun way to kill an afternoon.—EH

Do you work in IT or have information about your IT department you want to share? Email [email protected] or DM @EoinHiggins_ on Twitter.