There are so many reports of this nature that I literally can’t even. My vacation can’t come soon enough, but in reality I’m just going to be worrying about all of you staying safe in the face of widespread negligence and malfeasance. Read on if you dare:
AT&T employees took bribes to plant malware on the company’s network
TLDR: Pakastani hackers bribe ATT employees $1M+ over the course of 5 years to unlock phones and install malware and rogue devices on ATT networks.
More N.S.A. Call Data Problems Surface as Law’s Expiration Approaches
TLDR: Remember all that secret data collection the NSA got caught doing a few years back? They were supposed to delete that data, but Oops! they didn’t.
Yelp is Screwing Over Restaurants By Quietly Replacing Their Phone Numbers
TLDR: Yelp set up a shady deal with GrubHub to redirect customer calls through their hub instead of dialing the restaurant direct. Restaurants get charged a marketing fee for this sleight-of-hand.
Twitter may have shared your data with ad partners without consent
TLDR: Twitter may have inadvertently shared data on your viewing habits that it collected without authorization. And then used that data to show you more ads. “Oops.”
Democratic Senate campaign group exposed 6.2 million Americans’ emails
TLDR: Dumb campaign staffer puts unsecured spreadsheet online in 2010. Emails have been exposed for nearly 10 years.
Image courtesy of TAW4 at FreeDigitalPhotos.net
Today’s headline alludes to a concept perhaps as old as civilization itself. Plato expressed it as, “Quis custodiet ipsos custodes?” Who will watch the watchers? In a spectacular demonstration of what a well-executed hack can do, an unknown hacker has virtually imploded the operations of a digital surveillance company known (ironically now) as Hacking Team. Despite the rather colorful name, this Italian security company has contracts with dozens of government agencies from all over the world, including the United States. Their product? Essentially spyware for conducting remote surveillance and other covert digital operations. The unknown hacker taunted the company and its employees by taking over Hacking Team’s Twitter account and began sharing extremely sensitive internal files through tweets purportedly coming from the company itself. Once the breach was discovered, Hacking Team contacted its clients and strongly recommended they cease using any of the company’s software. Given the general public distaste for Hacking Team’s type of software and the amount of daylight this shines on its customers, its highly likely that very few contracts will be renewed, leaving the company’s future in very uncertain terms.
What this means for you:
Unless you happened to be on the list of Hacking Team customers, there’s not a lot you need to worry from your own organization’s perspective. However, as a citizen of a supposedly democratic nation, you should be concerned about how our government agencies conduct themselves. Should law enforcement agencies be allowed to break the law in order to do their jobs? Who will watch the watchers? Are those people (I’m talking about Congress now) qualified to make proper decisions when they barely understand how the Internet works? To translate this into more relatable (and actionable) terms, do you understand enough about your own organization’s security and technology to make informed decisions on what to buy, what to use, and who to hire? In the case of Hacking Team, it appears that the hacker breached the company through the personal computers of its own system administrators, an irony within an irony. Are you adhering to the security standards to which you hold your own employees accountable?
Confirming something that many of us already suspected, Twitter has revealed in its most recent SEC filing that almost 9% of all Twitter accounts aren’t used by actual humans. Given the social media’s 271 million accounts, that’s nearly 23 million Tweeters posting content at the behest of some form of automation or algorithm.
It’s an unfortunate but not unexpected state of affairs that hackers continue to take advantage of our voracious appetite for news. As has been happening with hot news stories for at least a year or more, malware links are cropping up to exploit the media frenzy surrounding missing Malaysian Flight MH370. Taking advantage of the viral nature of sharing prevalent on Facebook and Twitter, fake links promise “shocking video” revealing the fate of the missing flight. Clicking them takes you to a counterfeit survey designed to look like the Facebook surveys many app-makers use to gather info on users before granting access to their app or content. Instead of course, you are giving your info to hackers on a fake website which will undoubtedly be used to annoying, or worse, nefarious ends.
What this means for you:
If I’ve said it once, I’ve said it 1000 times: don’t click links in Twitter, Facebook or email, doubly so if the source isn’t someone you trust or recognize, and you can’t clearly see the destination URL. Most links shared on Twitter use a URL shortener which obscures the final destination, a technology designed originally to compress long URLs into tiny ones and now used as a trick by spammers and hackers to lure you to a fake website. All it takes is a simple page load (no typing or filling in forms required) for an out-of-date browser or OS to be compromised, and once they have a toe in the door, it’s all down hill from there.
From this point forward, you should expect hackers will exploit hot news items to take advantage of our natural curiousity. If part of your online brand-building, either professionally or personally, includes re-sharing or retweeting internet links, be careful you don’t inadvertently share a fake news item to your friends and followers.
Image courtesy of Stuart Miles / FreeDigitalPhotos.net
In case you are feeling like the only one under constant cyber attack, Microsoft has recently admitted that the Syrian Electronic Army has successfully hacked some of its employee email accounts, apparently in pursuit of documents pertaining to ongoing law enforcement surveillance requests. As is typical with these types of breaches, Microsoft has yet to determine if any customer data was exposed, and so far is saying very little in that regard. This comes on the heels of it’s the Microsoft Office blog being defaced only days prior, as well as successful attacks on high-profile Twitter accounts and blogs used by other Microsoft divisions.
What this means for you:
The Microsoft employees who were hacked were compromised through nothing more sophisticated than the ole “phishing” tactic. In case you still don’t know what that is, I’ll describe it in brief:
- You receive a legitimate-looking email, warning that your account at a popular service has been compromised, or your password has been reset, or that some other urgent action is required. Other popular phishing tactics include packages (or money) awaiting delivery, important faxes being held, etc.
- The email directs the recipient to a website that may be designed to look legitimate, but is not. The hacker owns that website, and any data typed into it.
- In all cases, the hacker is trying to get the recipient to volunteer specific information about themselves, usually things like user IDs, passwords, Social Security numbers, addresses, anything that could be used to compromise and possibly steal your ID.
- On top of tricking you into entering your important data, the website will often attempt to install other malware on your computer, resulting in severe infections and further data theft if it’s not caught quickly. This can even happen if don’t enter any information on the website. Visiting that first page is often all it takes to get a bad malware infection.
If you haven’t figured out why it’s called “phishing”, the hackers are the fishermen, the email is the bait (and hook), and you are the fish. “Spear phishing” is when specific groups of recipients are targeted (as was probaby the case with the Microsoft incident above), and “whaling” is when high-profile executives or critical employees are specifically targeted with carefully crafted emails tailored for the individual coupled with other social engineering tactics to lend legitimacy to the attack. And don’t think that you are immune to whaling attacks just because you aren’t a high-powered executive. Analysts are even now investigating possible AI-generated whaling attacks that being generated based upon information gathered on the internet from sites like Facebook and Linkedin, making it harder and harder to spot the fakes in your email.
An Islamist hacktivist going by the moniker “Mauritania Attacker” claims to have hacked and accessed the entire database of Twitter accounts. As proof of this exploit, he has published details on 15,000 accounts that included access tokens users have generated for other applications that use Twitter either as an authentication source, or as a means to publish data from or to the microblogging service. According to representatives from Twitter, no accounts have been compromised, and the account details released by the hacker did not contain passwords (hashed, encrypted or otherwise). Security analysts suspect that it may be possible to use the exposed security tokens to gain limited access to publish through the associated Twitter account via third party app (which is what the tokens are for in the first place) if a hacker could ascertain for which app a specific token was created.
What this means for you:
If you use Twitter, you should do two things:
- Enable login verification by going to your Twitter settings -> Account -> Login Verification. This basically sends out a confirmation to your mobile device that must be entered in order to log into your Twitter account.
- Revoke permissions to Twitter-enabled apps. You can do this by going to your Twitter settings -> Apps and clicking “Revoke Access” next to every app on the list, even the ones you might use frequently. Then, you can go back to your favorite apps and reauthenticate. This way, you can recreate the access tokens, and not have to worry about the possibility that your access tokens were among the ones shared by the Mauritania Attacker.
In a rare public admission, Apple has indicated that some of its own internal Macintoshes have been compromised in a cyberattack that security researchers believe similar to the one that breached Facebook last week. Announcements from Apple of this type are very rare, as Apple has long touted one of the strengths of its platform was how “unhackable” it was compared to Windows. In this particular case, Apple has little to lose, as it’s pointing the finger of blame for the hack at Java and a vulnerability that was taken advantage of to gain access to Apple employee computers.
What this means for you:
Apple’s recent breach is just one more notch in cybercrime’s belt that includes a long list of illustrious companies like the Wall Street Journal, Twitter, Facebook, Jeep, and Burger King, not to mention the numerous intrusions of government agencies and countless hacks of businesses that go unnoticed and un-reported. In the case of the Apple and Facebook breaches, the source has been tied to a mobile development website that both company’s employees accessed, and according to both companies, there appeared to be no evidence that customer data was compromised in the attacks. As I’ve maintained all along, the business world is now entering a new age of security unknowns as serious criminals continue to exploit technology to serve their needs, and are able to outspend and outgun the average small and medium size business. Before the age of computers and the internet, your odds of being targeted by a criminal organization were minute compared to today, where organized crime can now “crowd-source” affiliate-based networks that pay anonymous hackers in any number of a dozen untraceable ways to rent out zombified computers and webservers by the hour for a handful of dollars, and use pre-scripted attacks to launch massive, shot-gun targeted campaigns that only need to snag a small percentage of victims in order to be profitable. This is not some imaginative, cyberpunk movie plot – it’s happening right now, as you read this article. Moving forward, the only way to combat this growing threat will be a combination of vigilance and smart investments in security technology, policy and training.