Organisations and artists who speak out against piracy can (and often do) feel the full force of the hacker community, with their websites becoming very public and symbolic targets. These may be the extremes but anyone with a site is technically at risk for a variety of reasons – such as hoovering up user data, credit card fraud or merely to cause merry hell. What can be done to prevent such hacks? And what is the best course of action if you’ve been hacked? Music Ally spoke to those on the receiving end as well as the new breed of companies promising solutions.
The music industry’s history of pursuing illegal downloaders and services through the courts has made it one of the most unpopular businesses among the hacker community. As such, it is no surprise that the websites of the BPI and the IFPI have come under attack from hackers. In 2009 supporters of The Pirate Bay hacked the Swedish IFPI’s website, leaving it temporarily bearing a scathing attack on anti-piracy outfits, while in 2010 Ryan Cleary, a teenager from Essex, was arrested for his alleged involvement in Distributed Denial Of Service (DDoS) attacks against the BPI and the IFPI. Record labels and other music companies, then, should be aware that they are vulnerable to hackers. But what can they do to defend themselves? And what should they do in case they are hacked?
“A lot of the time it comes down to having a plan, especially before it happens, and acting with common sense,” explains Jordi Giménez, a former security consultant, now developer at Mobile Jazz. “There is a lot of common sense involved but you have to think it through. Often when you are in a crisis you can act without thinking. That is why it is better to have a policy set up, something written down, to refer to.”
Lowering the risk
First things first, though. There are several fairly simple steps that music companies – and even artists themselves – can take to cut down the risk of being hacked. Employing a security consultant on a permanent or occasional basis is an obvious start, with the International Council of E-Commerce Consultants offering a professional certificate in ethical hacking (that is, for people employed to hack into systems for companies to show where weaknesses lie) that gives some degree of security.
Another important point is to keep your software up to date, everywhere. “Most servers are set up once and left,” Giménez explains. “But most software and hardware have vulnerabilities.” Hackers can then, naturally, exploit these vulnerabilities. This is less of a problem for your desktop computer, which you look at every day: most software companies are very quick to patch any flaws that come to their attention. But for a server, set up once and left to sit glumly by itself in the corner, this can be a real problem, particularly as every patch that is released effectively signposts security flaws to hackers in the outdated software.
One piece of practical and free advice to guard against hacking is simply to make sure everyone in the company has a strong password. This might sound easy but in practice it can be difficult to get highly placed executives to fall in line, meaning those with the most important information in the company can be the easiest to hack. Artists, too, would be advised to follow this advice and to look after their passwords a bit more closely. There have recently been several cases of hackers targeting stars’ email accounts and social media to obtain personal information as well as pre-release tracks, with two German men last year being given prison sentences for hacking into the accounts of artists including Lady Gaga and Dr Dre.
Giménez says you should be careful too about creating and testing new websites and online systems, particularly if they are dealing with money, like a retail site. “Have one company to do the software then a different company to check that it is not malicious,” he warns. “Developers often feel underpaid, so they often add vulnerabilities to the software and sell the information, so they have double the income.”
“Pre-release leaks have always been a damaging problem for record labels and artists, threatening to sabotage months of work,” says IFPI director of anti-piracy, Jeremy Banks. “In the last couple of years we have seen such piracy take a new and sinister form as hackers compromise people’s privacy to get hold of commercially valuable pre-release music. This is being addressed through cooperation between artists, labels, anti-piracy experts and law enforcement.”
Responding to attacks
These steps are all fairly straightforward and easy to follow. Fighting off a DDoS attack of the kind favoured by Anonymous, however, is considerably more complex. These attacks essentially try to overload the target website with external requests, either forcing it offline or creating instability in the system that can allow hackers to gain entry.
Giménez says there are three basic approaches that companies facing a DDoS attack can take. The simplest, if not the most effective, is to try to limit the damage of an attack – accepting, in other words, that you don’t have the resources to fight it off and, if attacked, you will be without a website for a while. This may sound impractical but attempting to ward off an attack can be an expensive, time-consuming business, which only has a moderate chance of success, so you might be better off cutting your losses.
Somewhat more practical is to ensure that you always have a backup – setting up a secondary website with more or less the same information as your main site, albeit with less functionality. “Most probably, if people attack your primary site, they won’t attack your secondary site,” says Giménez.
Alternatively, you can make your site as attack resistant as possible. “A DDoS attack is just a lot of people asking your website to do things,” says Giménez. “So you can prepare your website to do a lot of things.” DDoS attacks typically hit the front page of a website so one trick is to make your front page very simple – and therefore resistant to attack – while more complicated functionality is on another page that you have to click through to access.
It is also a good idea to increase your number of servers so that they can handle more traffic, even putting some of them in the cloud. This may be expensive but will also protect you in case your server crashes under everyday heavy traffic, for example if you decide to offer an exclusive free download or new video. “The cloud is usually good here because you can rent new servers on the go, allowing you to pay only for the resources actually used,” says Giménez. “This option tends to be very expensive under a heavy attack because you will need to rent a lot of servers at once.”
These steps will help your company to reduce the risk of being hacked. But the sad reality is that a determined number of hackers will most likely still be able to penetrate your defences – after all, if Anonymous were able to hack the European Parliament website, as they did in January, then it’s a good bet that your label website will always be vulnerable in one way or another.
As a result, it is vital to set up monitoring systems to see if your site is being attacked. Of course, a DDoS attack that takes down your website will be pretty obvious; but there have been several examples of hackers stealing data without the affected company even being aware of the attack until it was too late. Monitoring systems include Tripwire, which will monitor the integrity of your system and Nagios for monitoring your traffic, while companies should also consider an intrusion detection system and an intrusion prevention system.
Monitoring can also include simply keeping an eye on the press and social media to see when your company might be vulnerable to attack. Has your CEO recently said something scathing about Anonymous? Or is there an important court case coming up? By keeping an eye out for events that may motivate hackers, companies can prepare themselves for an attack. “Look at significant events coming up, either related to the IFPI or related to the industry or that could provoke a reaction,” says the IFPI’s Banks. “If you learn of an event that could bring greater attention to you, then it is good to be on heightened awareness.” It is also worth getting someone to simulate an attack on your website – an ethical hacker, for example – to get some idea of what may happen in a real attack and to identify any weaknesses in your system.
In the end, though, you may still be attacked. And if your website does go down or hackers make off with your customers’ personal details then it is vitally important to have a contingency plan to call on. This could serve if you are hacked but also if your website goes down for any other reason. The plan should include details of any backup servers, how to get your site up and running again and also how to communicate the problem to the press and public.
Go public after an attack or not?
“You should always tell the truth to people,” says Giménez. “People will understand that you have a problem, although they won’t like it. When you communicate it is important not to panic; to tell people what is happening, not to worry, that you are doing something; and what you are doing. For example, you can say you are restoring backups.”
GoDaddy took most of these steps when it suffered a massive outage earlier this month. The company’s CEO Scott Wagner released a statement the day after the event, explaining that service had been fully restored and that the outage was not due to a hack – as had been widely reported – but due to “a series of internal network events that corrupted router data tables”. Wagner went on to apologise for the outage, explaining that no customer data had been at risk, and offered customers one month’s free credit.
As such, the response seemed to tick many of the necessary boxes. However, the fact that the statement was released the following day seems far too slow, allowing news stories about the site being hacked to spread far and wide and permitting one member of Anonymous to claim responsibility for the outage. Of course, there are also cases when publicising a hack is not such a good idea. Giménez says banks rarely tell the public when they have been hacked, while IFPI communications manager Alex Jacob explains that his organisation treats such attacks on a case-by-case basis.
“We don’t have a fixed protocol,” he says. “Our www.ifpi.org website has never been hacked, although it has suffered denial of service attacks, which means people can’t access it easily. In those circumstances, one of the aims of the perpetrators is, presumably, publicity, so we wouldn’t help them by proactively going out and making an announcement, though, of course, we’d honestly answer any questions we received about the situation.”
As well as preparing what to say to the media and the public, companies should think about what to say to the hackers themselves should they make contact. As unlikely as it may seem, many hackers actually get in touch with companies to warn them that they are about to attack, as the attack may be intended to show off flaws in the company’s systems rather than to cause damage. If this does happen, Giménez says that companies should always respond politely, thanking the hacker for getting in touch to point out this flaw in their system. Not all hackers are quite so charitable, though, and if they do ask for money Giménez says you should go to the police rather than risk a payout. “If you pay once then you are always vulnerable,” he notes.
But what should you actually do during the attack, to keep your business up and running? The answer will depend on the specifics of your website, what your business does and what preparations you have made in advance, as well as a simple cost/benefit analysis of how much the attack will harm your business and how much you are willing to spend. With this in mind there are several options: firstly you can do little and wait for the attack to end, on the grounds that your website is not so important to your business and you don’t want to spend money on internet security.
Secondly, if you have separated the critical and non-critical parts of your website in advance you can degrade your service, keeping the most important parts of your website running and not worrying about the less important parts. Alternatively, if you have a backup service – a secondary website or, in the case of a shop, a call centre for processing orders by telephone – you can switch to that while the attack is in progress. Or you can rent new servers.
Finally, you could just shut down your website and wait for the attack to pass. This could be the best option if, say, you fear for customer security but don’t want to pay a heavy bill for renting cloud servers. Whichever option you choose, though, you should decide on a course of action before the attack starts, rather than in the heat of the moment, and this should be included in your contingency plan. It is also worth thinking of different approaches to take in the face of differing attacks.
During the attack, Giménez recommends finding out which vulnerability in your system is being exploited (for example, a flaw in your software) and fixing this as soon as possible. He also suggests collecting as much information as possible during the attack. Once the attack is over, you can then analyse what damage occurred and why it happened, putting in place a better plan for the next time. “Sometimes hackers combine several attacks at the same time, leading to the tech guys maybe not focusing on the right systems. So maybe during the analysis phase you discover more damage than expected,” Giménez concludes.
While attacks are rare, they do still happen. Preparing for the worst puts you in a stronger position should that worst-case scenario actually happen. To be forewarned, as the saying goes, is to be forearmed.