This particular story could be one of dozens (or even hundreds) of these types of incidents that occur in any given week: “government official gets social media and email accounts hacked” which then leads to highly confidential data being leaked on the internet. Except in this case it was the current US Central Intelligence Agency director John Brennan, and several other highly-ranked government officials, and the data that was leaked was data from nearly 30k Federal Bureau of Investigation and Department of Homeland Security employees. Also unusual was that the hackers charged in this breach aren’t Russian or Chinese or North Korean. Nope, at least one of the responsible parties hails from North Carolina. And the real reason I’m bringing this story to your attention was this most important facet of the attack: Brennan and the other victims in this incident weren’t compromised through sophisticated malware and technology – the attackers fooled people associated with the victims – usually service providers – through simple tools like emails and phone calls, under the guise of providing technical assistance.
What this means for you:
“Social engineering” is the digital-age equivalent of con artistry, and it is becoming trivially easy to perpetrate given our reliance on tools like email and large, impersonal corporations. In the case of the above, one of the cons included the hacker actually posing as a Verizon technician in order to fool another Verizon employee into resetting Brennan’s email password, and they just worked their way inward from there. As you should know by now, once a hacker is in your email, it’s all over but the crying. Sadly, there’s not much you can personally do to improve poor security practices at companies like Verizon, and despite impersonation being one of the oldest cons in the book, people still regularly fall for it.
It’s only a matter of time before anyone gets hacked – we are human after all, and despite what you might want to believe, there is always someone more clever than you out there, and if you are unlucky, that person is out to get you. You can practice something that is well known to outfits like the CIA and FBI: compartmentalization. Since none of us are intelligence agents (that I know of!), for our purposes this means keeping personal and work activities separate. You can execute this concept in a number of different ways:
- Keeping work and personal emails in separate accounts
- Use separate devices for social networking and financial activities like online banking
- Use unique passwords for all your important accounts
- Exchange confidential information through appropriate secure channels
- Store confidential information in properly secured and backed up locations
- Require two-factor security for your most important accounts
The key to proper execution of this practice is discipline and vigilance. It may be inconvenient and seem inefficient, but weighed against the alternatives, it will be worth the effort.
Image courtesy of Stuart Miles at FreeDigitalPhotos.net
The good ship Yahoo is still battling troubled waters on its journey to the safe harbor of a Verizon purchase. Reuters has just released a massive bombshell that may blockade if not outright scuttle the $4.8bln deal: two former employees of the beleagured media company have alleged that Yahoo complied with a classified directive from a government agency to directly surveil the millions of email accounts hosted by Yahoo in 2015. According to the Reuter sources, the decision to open Yahoo Mail’s kimono was made behind closed doors, excluding Yahoo’s then Chief Information Security Officer, who apparently resigned because of this incident.
Whiskey Tango Foxtrot, Yahoo?
Normally, I don’t urge folks to get out the pitchforks and torches, but on reading this I actually used language not normally heard in polite company. Thus far the government agencies named are declining comment. If the allegation proves accurate, I’d say Yahoo customers had their Fourth Amendment rights violated and thoroughly trod upon any trust they might have had left with their still substantial customer base. Coupled with the recent massive breach they experienced in 2014 and the debacle that was their conversion to a new email platform in 2013, it’s no wonder Yahoo has gone from an Internet powerhouse to second-tier media company up for sale. If you are still using Yahoo as a primary email provider for work, you should stop doing so immediately, not only for security issues that they can’t seem to get ahead of, but now for serious breaches of privacy and trust.
Apple made a big splash last week when CEO Tim Cook published an open letter in response to the FBI’s request and subsequent court order to hack the iPhone of the primary assailant in December 2015’s San Bernadino mass shooting. As one might expect, Mr. Cook basically told the government that they would not comply, and fortunately, they might be the one company that could afford to fight this battle in the courts. Though the tech industry has typically maintained a similar stance on device encryption, even the most staunch champions of digital privacy such as Google and Twitter have had suprisingly muted responses to the growing battle. Also revealing is a recent Pew poll that suggests while the tech industry may be largely united on device encryption and government backdoors, the American public isn’t quite sure what to think about this complex issue.
What this means for you:
Late model iPhones ship with encryption enabled by default, and as long as you enable some form of authentication on your device, the data on that device will only be accessible if you unlock it. Law enforcement can’t break the encryption, and Apple, by it’s own admission, cannot decrypt your phone’s contents with out the proper authentication, even if the phone owner asks them to do so. If someone tries too many times to guess your pin, the device will be automatically wiped – no intervention from Apple or your carrier is required. The FBI is demanding Apple create a way for them to unlock the iPhone of the San Bernadino shooter, which if Apple were to actually accomplish such a feat, could theoretically allow anyone with possession of this backdoor to decrypt any iPhone protected by similar technology. Like the atomic bomb, the development of this backdoor cannot be unmade, nor will it remain only in the hands of the “righteous”. While the data on the SB shooter’s phone may prove useful in providing some closure to the incident and may even help further other domestic terror investigations, it’s easy to see that the FBI means for this case to set a precedent that will give them unfettered access to an area that has traditionally been protected, both by law and by technology.
Adobe Flash can’t seem to catch a break. Their most current black eye has arrived in the form of yet another zero-day exploit of a vulnerability in the latest versions (19.0.0.185 and 19.0.0.207) of the browser plug-in. According to Trend Micro’s blog, the hacking group Pawn Storm is targeting government workers via spear-phishing emails that contain links to news about current events. Instead of taking them to a legitimate news story, the links lead to compromised websites that can install malware onto the victim’s computer via the aforementioned exploit. Rather than the usual identity theft, this group seems to have a more politicized agenda and bears similarities to attacks on NATO from last year.
What this means for you:
If you are new to this blog, you may not have been briefed on the #1 Rule of Personal Technology Security: “Don’t click strange email links.” Even clients who have weathered years of me saying this sometimes let their guard down, so Rule #2 is “Be prepared for the worst,” which you should interpret as (1) having a strong firewall, (2) trusted anti-malware installed, and (3) a contingency straegy that includes backups and plans for operating without core infrastructure when things do go wrong. The sad matter of fact is that cyberattacks will get past anyone’s mental guard – we are only human after all – at which point properly installed and configured technology can act as a safety net. Note the emphasis – poorly implemented security is worse than nothing at all in some cases. When you have nothing, at least you aren’t lulled into a false sense of security. And don’t count on the (perhaps prematurely reported) death of Flash as means to improve everyone’s overall security profile. We haven’t quite seen the end of Flash just yet, and there are plenty of other platforms (Java anyone?) that could easily take its place if and when Adobe finally puts this software out to pasture for good.http://arstechnica.com/security/2015/10/new-zero-day-exploit-hits-fully-patched-adobe-flash/
Today’s headline alludes to a concept perhaps as old as civilization itself. Plato expressed it as, “Quis custodiet ipsos custodes?” Who will watch the watchers? In a spectacular demonstration of what a well-executed hack can do, an unknown hacker has virtually imploded the operations of a digital surveillance company known (ironically now) as Hacking Team. Despite the rather colorful name, this Italian security company has contracts with dozens of government agencies from all over the world, including the United States. Their product? Essentially spyware for conducting remote surveillance and other covert digital operations. The unknown hacker taunted the company and its employees by taking over Hacking Team’s Twitter account and began sharing extremely sensitive internal files through tweets purportedly coming from the company itself. Once the breach was discovered, Hacking Team contacted its clients and strongly recommended they cease using any of the company’s software. Given the general public distaste for Hacking Team’s type of software and the amount of daylight this shines on its customers, its highly likely that very few contracts will be renewed, leaving the company’s future in very uncertain terms.
What this means for you:
Unless you happened to be on the list of Hacking Team customers, there’s not a lot you need to worry from your own organization’s perspective. However, as a citizen of a supposedly democratic nation, you should be concerned about how our government agencies conduct themselves. Should law enforcement agencies be allowed to break the law in order to do their jobs? Who will watch the watchers? Are those people (I’m talking about Congress now) qualified to make proper decisions when they barely understand how the Internet works? To translate this into more relatable (and actionable) terms, do you understand enough about your own organization’s security and technology to make informed decisions on what to buy, what to use, and who to hire? In the case of Hacking Team, it appears that the hacker breached the company through the personal computers of its own system administrators, an irony within an irony. Are you adhering to the security standards to which you hold your own employees accountable?
As is the case with many government screw-ups, the Office of Personnel Management (OPM) hack reported last week has now been revealed to be much more worse than originally thought. Instead of four million civilian federal employees having their PII exposed, investigators now believe as many as 14 million prospective, current and former employees have been exposed. In addition to the usual PII (name, address, Social Security #, DOB, etc) the information also included background investigations which are known to include things like arrest records, financial history, medical problems, as well as information about colleagues, friends, neighbors and relatives.
What this means for you:
Given the large number of current and former government workers, it’s highly probable you or someone you know falls into the 14 million compromised in this attack. There are things you or they should be doing, not the least of which are the following:
- Set up credit monitoring for you and your family – take advantage of the free services offered, or set up something independently.
- Freeze your credit file – Krebs on Security has an excellent explanation of how to accomplish this.
- Review the Federal Trade Commission’s recommended actions.
- Watch your important online accounts like a hawk and investigate any suspicious activity immediately.
In 1986, Ronald Reagan is quoted as saying, “The nine most terrifying words in the English language are, ‘I’m from the government. I’m here to help you.'” As relevant as that sentiment was in his day, it’s still ringing true, this time with at least three government websites that are doing you no favors in terms of protecting your identity. Krebs on Security has an alarming report of identity theft and fraud via the IRS.gov website wherein he shares the story of a taxpayer who discovers someone has already filed a fake tax return under his name, for the purposes of stealing his tax refund. At fault is a identity authentication standard known as KBA, or “knowledge-based authentication” which is pretty widely used in the credit reporting and finance industries. Basically, you prove you are you by answering questions that supposedly only you would know, including former addresses, loan amounts or payments, and other personal data that is – surprise, surprise – readily found on the internet. By anyone.
What this means for you:
Ironically, people avoid creating accounts on websites because they are afraid of their data being leaked. And now you get to be afraid of NOT creating an account on a website for fear of someone else creating it for you, with the added “bonus” of this fake account further decreasing the probability of you being able to prove you are actually who you say you are. “Invasion of the Body Snatchers” anyone? What makes this situation alternately terrifying and ludicrous is that it’s our own government creating this mess in an effort to provide better reporting, accountability, and accessibility. The other two sites that are also potentially weak to this “account snatching”? How about the Congress-created AnnualCreditReport.com and another federal behemoth: the Social Security Administration website. Brian Krebs’ recommendation is to make sure you get an account established for these three website pronto, if only to prevent someone else from pretending to be you and creating accounts that will be used to commit fraud and money laundering. Unfortunately for most of us, the surge of interest created by this article (and blogs like this one) have essentially paralyzed (are you surprised?) the account creation process of these websites, but keep trying, if only to let them know we actually care about our identities enough to want properly secured government websites.
Despite what US mainstream media might be conveying with their breathless coverage of celebrity accounts being hacked for their lewd selfies, not all hacking activity is for titillation or criminal exploitation. A duo of hackers, self-dubbed LulzSecPeru, have penetrated multiple Peruvian government websites and servers, defacing webpages and stealing confidential data as a demonstration of their hacking abilities and purportedly to shake things up politically. Among the data stolen were several thousand emails from the former Prime Minister, which revealed the presence of possible undue influence by Peruvian industry lobbies. The sudden transparency nearly forced the resignation of the entire cabinet in a Congressional vote of no confidence which only missed passing by one vote.
What this means for you:
Once again, hackers prove that if it touches the internet (and sometimes even when it doesn’t), privacy breaches are just around the corner, especially when what is hidden is likely to be highly valuable to someone. Though this particular feat was slightly less salacious than the celebrity breaches, the only rule of thumb that can be followed is this: if you don’t want your “dirty little secrets” spread all over the internet, don’t put it on an internet-facing computer, cloud server or mobile device. Information, especially confidential data, is the new currency of the world economy, and as with all currencies, most folks will go to great lengths to amass it, especially if it has the potential to undermine authority or generate wealth. Complete isolation from the internet is impossible for most businesses, but you should review very carefully what information is stored where, and the potential damage it can cause your company if it were stolen or exposed in a security breach.
I often encourage my clients to be paranoid about security, but never to the point of throwing the baby out with the bathwater, which is exactly what the Economic Development Agency did two years ago when responding to a report that some of its computers were infected with malware. Due to a mixture of clerical error, poor communication and straight-up inexperience (in a government agency? Imagine that!), the top brass at the EDA received a report that stated over a hundred devices on its network were infected. Believing the technology to be unrecoverable, they proceeded to physically destroy all of it, including mice, keyboards, monitors, printers and other devices that couldn’t be infected with malware, rather than risk the spread of infection, to the tune of nearly $3 million.
What this means for you:
If you’ve ever had a really bad malware infection, you sometimes might hear the technician say, “It’s probably best if we nuke this thing from orbit,” referring to a favorite scene from the movie Aliens. Obviously, your computer is going to be just fine, as he’s actually just talking about wiping out the contents of your hard drive and starting with a fresh install of your operating system. Unless he’s a contractor who lists the EDA as a former client, in which case you might want to show him the door and call someone else.
In all seriousness, a situation like this can easily happen if your organization’s leadership has an incomplete understanding of technology and security. In the above case, a little knowledge and a pinch of common sense could have saved the EDA a lot of money and embarrassment. Continue to be paranoid about security, but only “nuke from orbit” when your company is completely overrun by man-eating aliens. A malware infection, or even a serious security breach, can be handled without slaughtering all those helpless keyboards and mice.
With results that will probably surprise no one (and warming the hearts of black-hat hackers everywhere), the US Government Accountability Office has published its findings on a recent security audit of the Internal Revenue Service. The summary reads like the report card every good parent dreads, “Needs improvement.” Despite having a comprehensive security plan (the development of which was funded by your dollars!) the GAO has found that the IRS has failed to follow through in many areas of implementing and enforcing that plan in various parts of its operation, and these failures have severely compromised the overall security of the very important data the IRS collects on all American citizens.
What this means for you:
As you might expect, the 31-page GAO report is not the most exciting of page-turners. I’ll save you the dry read with the “moral” of the story: having a security policy is only as good as how well it is enforced and maintained. It does your company no good to say that “All employees must use strong passwords that are changed every 60 days” if no one is checking to see if they are actually adhering to the policy. It’s actually much worse for your company if you do have a security policy, experience a breach, and then discover that the breach was due to lack of enforcement.
Don’t get me wrong – I’m not recommending against having a security policy. You should have a security policy, especially if you handle sensitive data of any sort, and you should be making every effort to enforce, update and maintain that policy on a regular basis. A simple security breach could cause untold damage to your company’s reputation, and even more so if you have to admit that it happened because you failed to follow through on your own company’s policies.
- 1
- 2