To Keep Your Network Secure, Use Multi-factor Authentication 100% of the Time
Curious how most cyber-criminal hackers gain access to enterprise networks? It’s simple: they steal or guess usernames and passwords.
In March, the American Bar Association (ABA) noticed unusual activity on its network, revealing the presence of an unauthorized hacker (reference). The hacker had gained access to the ABA network. In the process, they acquired usernames and passwords that members had used to gain access to a previous version of the ABA website.
Let’s look at what we can learn from the ABA attack.
While the older passwords were for a previous site, an investigation found that the usernames may still provide access to the current ABA Career Center and the current member system if members carried forward the same usernames and passwords.
The fallout of the attack caused the ABA to initiate its incident response plan and acquire outside cybersecurity experts to execute a full investigation.
The old ABA membership system used a technique called hashing and salting to protect the stored user passwords.
Hashing is a technique used in database management systems to search for the location of data without using an index structure. It makes it easy to determine whether or not two files in a computer system are the same. Data retrieval and processing can be done very quickly with hash tables.
Hashing is often used to store users’ passwords as hash values rather than as readable text, so they are more secure.
To further protect data, a method called salting adds random data to each password before it is hashed, for greater security.
Curious if your organization is missing out on a helpful new cybersecurity tool? Here are a few common uses of hashing:
While hashing is an innovative cybersecurity practice with wide-reaching applications, like many strategies, it is not a foolproof solution to safety. Cybercriminals can sometimes recover the original passwords from stolen hashes by brute force, particularly when they have access to a large number of them and when some have been left at their initial default values.
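The following is an added example, not code from the original article or from the ABA's system. It shows why salting matters and how a defender can audit a password store for accounts left on an initial default value. PBKDF2 stands in as one slow password-hashing function; the iteration count, sample users and default passwords are constructed assumptions.

```python
import hashlib
import hmac
import os

# Assumed work factor for this example; follow current guidance in production.
PBKDF2_ITERATIONS = 200_000


def unsalted_hash(password):
    """Fast, unsalted hash: identical passwords always give identical values."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password, salt=None):
    """Return (salt, key) using a per-user random salt and a slow KDF."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt for every stored password
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, key


def verify_password(password, salt, expected):
    """Recompute with the stored salt and compare in constant time."""
    _, key = hash_password(password, salt)
    return hmac.compare_digest(key, expected)


def accounts_on_default(store, defaults):
    """Defensive audit: users whose stored hash still matches a known default."""
    return sorted(
        user
        for user, (salt, key) in store.items()
        if any(verify_password(d, salt, key) for d in defaults)
    )


# Constructed sample data: two members were never moved off the initial password.
SAMPLE = {"alice": "Welcome1", "bob": "Welcome1", "carol": "x9!rT-quiet-lamp"}
STORE = {user: hash_password(pw) for user, pw in SAMPLE.items()}

if __name__ == "__main__":
    # Without a salt, equal passwords are visible as equal hashes.
    print(unsalted_hash("Welcome1") == unsalted_hash("Welcome1"))
    # With per-user salts, the same password produces different stored values.
    print(STORE["alice"][1] == STORE["bob"][1])
    # Accounts to force through a password reset.
    print(accounts_on_default(STORE, ["Welcome1", "changeme"]))
```

Salting hides which users share a password, but it does not make a default or reused password strong, which is why the audit still finds both accounts.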
Cybercriminals are constantly learning and evolving. As the ABA attack shows, hashing is not a sure protection. Organizations are advised to put multiple layers of security in place, along with robust incident response plans for when attacks inevitably occur. In the ABA cyberattack, users who had carried forward their usernames and passwords from the old member system had to create new ones. Furthermore, users had to be warned not to use the same username and password on any other system, such as a banking or other financial website.
Whether you are looking to build your cybersecurity plan from ground zero or looking to add innovative measures to an existing framework, PK Tech can support your business and create a proactive security plan for the future. Get in touch with our team of experts here.