Monday

Another example of Black PR



In What is Black PR? A tour of the black arts, we had an introduction in this topic. The example in the previous post was British Airways against Virgin. Guestblogger Sam Aldis over at Spinhunters.org describes some methods that may be used to send a targeted company into liquidation:

Attacking The Stocks

You don’t have to break into a stock market website because the security can be very high. The best way to send your target company into liquidation is to get access to their news server (i.e. be able to post news) with access to this and the right to post news the attack can then effect the stocks by posting bad news about the company or predictions about what’s going to happen. That will be followed by a mass selling of stocks and the company will loose money and eventually be forced into liquidation. This will work even better if news items are posted to a RSS feed which is checked by people who own stocks or shares of the targeted company.

Attacking the Internals

If you are able to gain access to the Intranet or internal network of the company you might be able to change important information such as inflow and outflow sheets as well as cash flow forcasts in such a way that the company will use them to make decisions that will eventually force it into liquidation.

You may also be able to gain access to a list of current customers and send emails/snail mail to them with bad/incorrect information about the company which will make them choose to use a different company. This will also eventually close the company down. Finally, if you are able to get access to the password for a Skype or other VoIP service then you might be able to place a phone call to a local news paper with some incorrect information that will be damaging to the company when published.

Attacking the Cloud

If none of the above methods are possible then it is possible to leak false information into the cloud (the Tnternet). This can be done in several ways. The following list contains some of them:

  • Sending an email pretending an employee of the company and give information that will discredit the company.
  • Posting information about the company to your own blog/website if it has a good PR (page rank)
  • Spread rumors on social networks and other communication media on the Internet.

All of them can be done in an automatic manner.

So, will your security policy or firewall protect you against this? I think that this can have far much more impact then a security incident. Dataloss and brand damage is a disputed topic.

Posted by Security4all at 19.5.08

Labels: ,

0 comments:

Post a Comment

Subscribe to: Post Comments (Atom)