Is There a Muscovite Hiding in Your Mailbox?

How Vulnerable Are You and What Can You Do About It?

Think the Russian-DNC-hacking incident has little to do with you? Hillary Clinton, Bernie Sanders and Donald Trump aside, if this incident, in which thousands of e-mails were copied and then leaked to WikiNews, should remind us of anything, it’s how vulnerable we all are in the vast, ever-shifting expanse of cyberspace. Think about it. If the Democratic National Convention, with its pile of money and uber-wealthy politicians, couldn’t prevent their secrets from being exposed, what about normal folks like thee and me? And what about the companies and non-profits that have some of our private information? Here’s another aspect: As an IT pro on a much more limited budget than the DNC, how can you protect the organization from which you earn your livelihood? There is an answer, and it doesn’t start with expensive technology. In fact, some of the best protections cost almost nothing at all.

Something Worse Than Phishing

You’ve probably received an e-mail or two that seemed to come from a person or business you knew, and that included personal information about you, but was in fact from a scammer or hacker of some sort. The technical term for these is “spear phishing”. A spear phishing attack will appear to come from a trusted source. However, unlike a traditional phishing attack, a spear phishing attack will be highly targeted. The message will be sent only to one person or a few, carefully selected individuals. Not only does it seemingly come from someone you know, but often the salutation is directly to you, and sometimes the e-mail contains a piece of knowledge that seems to be about you specifically. The spear phisher can get this information by looking at your e-mails to and from the friend they’re pretending to be, or by looking at recent purchases you’ve made online, and especially by looking at information you’ve revealed at social media sites. Often they’ll try to trick you into divulging something you shouldn’t, a log-in password for instance. They pose as reputable companies and ask you to re-set your password “for increased security”. And sometimes they’ll send an innocent-looking web link that as soon as you click on it, installs malicious malware on your computer. Here’s a not very convincing one I received last week: Spear phishing may or may not be news to you, but what is interesting is that according to Crowdstrike, the cyber-security company who investigated the incident with the Democratic National Convention, the Russian government used spear phishing in this attack. And since they were able to do so for nearly a year, it seems that spear phishing may have become more sophisticated.

Protection Protocols

The following covers some actions you personally can take to be more secure, as well as what you as an IT Manager can do to help protect your company or organization. This could be used as a checklist for self and user protection.

Social Media

The first thing is take a look at how much you’re revealing about yourself at social media sites, and never reveal anything that you wouldn’t want a scammer to know, or anything that could be pieced together with other data to create a profile of knowledge about you and your friends. Obviously this covers a lot of potential posting ground, and you don’t want to end up being scared to post anything. So the knowledge that a hacker may be monitoring what you write has to be used with judgement. This knowledge can also be used by you to look at what you posted and then compare it with information mentioned in spear phishing emails that you get. Does this mean you should give up Facebook? While that would obviously increase your overall cyberspace security, you may not want to sacrifice that much. But you can use Facebook’s security features. And you can take prudent actions such as resisting the invitations to share your recent purchases with your friends.

Passwords

Way too many people use the same password for numerous sites across the web. This is like advertising, “Hack me!” Use a secure password aggregator like LastPass, Dashlane or RoboForm to store all your passwords, but don’t let it auto-login to your more sensitive sites such as online bank accounts, online retailers, PayPal, eBay etc. Also, make its master password completely unique and impossible to guess. Betterbuys.com has a free tool where you can enter a proposed password and see how long it would take a hacker to crack it in 2016, and in future years when cracking tools get faster. Additionally, make your passwords very, very different for each of your online sites, and preferably passwords that don’t include any recognizable words in them. Because of the sophistication of password cracker software, these days it is now recommended to use 12 characters or more in your passwords. According to BetterBuys, 12-character passwords, given current cracking speeds, are estimated to take 200 years to crack, whereas 9 character passwords typically take only five days to crack. Many people still use simple passwords, like birthdays or pet’s names and all the other things that a hacker would usually check first (and that he could easily find from your social media sites).

Dadada

Reportedly, Mark Zuckerberg’s stolen Linkedin password was “dadada” and he also used it on several sites. Don’t be like Mark. Don’t have a simple password like “dadada”.

More Tips

When a site requests that you use two-factor authentication — pain in the behind that it may be — use it! This is where a site ties one piece of information, such as your password, to something that you physically have, such as your cellphone, and the account can’t be accessed via one without the other. Some of the services that use this are Gmail, Facebook, Twitter, Instagram and Amazon. When you get an e-mail from a “friend” asking you for something that just doesn’t feel quite right to reveal, or there’s something about the tone of how they’re writing that doesn’t quite gel with the person you know, e-mail them from another account or call or text them and ask them if it really came from them or not. The same is true for banks and other businesses. No legitimate business would ask for your password or account number via e-mail. Many banks have an e-mail address to which you can forward suspicious emails for verification. Here’s another tip: Never open an e-mail attachment that you were not specifically expecting from the sender. If you get an attachment that you are not 100% sure was attached by the sender personally, call, text or e-mail the person and ask him/her whether or not he/she attached it and if he/she has opened it (versus just forwarding it from someone else with no knowledge about it). The bottom line is don’t give out too much personal information online, because you don’t know who might eventually use it against you, or how it might end up being used. In 2016, there are now more and more ways you can be hacked, and you can actually check if you already have been. More specifically, you can find out if your data is among data that was hacked, by going to https://haveibeenpwned.com/ and entering your e-mail address or a username that you use. I entered my e-mail address and found that it was among data hacked from a well-known forum. The site also has a list of the top ten breaches. In addition to the above, of course all the traditional anti-hack caveats still apply. Here’s a short list of some that the UK Daily Telegraph newspaper recommends:

• Keep your operating system and software up to date on all your devices as these often included patches for security vulnerabilities. And of course, use and keep updated, good anti-virus and anti-malware software.
• Before downloading an app or program, do some online research into what exactly it is. Check it’s rating, check into the site it’s being downloaded from, check if it asks for unwarranted access to your system, and especially make sure you’re downloading the official version from the official site.
• Check the privacy settings on all your social media accounts to ensure that only the people you want to see your data can. You can use a browser extension like Ghostery to see who is tracking you and to block any unwanted trackers.
• When using online services where security is important, such as e-mail, online shopping, banking, and social media, always check for the padlock symbol before the URL, and make sure the site address begins with https://.
• Make sure your home wi-fi is protected by a very strong password, and when out never use an unsecured hotspot for doing anything that may be personal or private.
• Don’t do anything personal or private while charging your phone via USB in a public place, as it’s possible to hack into your phone while doing so.
• If using messaging apps, use end-to-end encrypted ones like WhatsApp, iMessage and Telegram.
• If you’re asked to click on a link, type out the full URL yourself and put that in your browser instead.
• When done, always log out of any accounts that you logged into.
• If you get a message on your desktop saying you have some kind of system error or infection and asking you to call a number (often claiming to be Microsoft) for help, don’t do it!

And lastly, use common sense; if what you’re being offered seems too good to be true, it usually is! And if you’re an IT Manager with users, bear in mind that according to IBM, human error is responsible for 95 percent of all security issues, and train your staff and other users how and why to be alert for spear phishing and other attacks. Or send them this article as a starting point.

Last Words

According to Steve Morgan, CEO and founder of Cybersecurity ventures, “Human error is in fact simply a lack of security awareness training when it comes to hacks and data breaches. Users are careless and make mistakes because they have no idea what to be on guard for.” And Alexander Garcia-Tobar, the CEO of email security company ValiMail, says that companies can block e-mails from phishy sources by using e-mail authentication. Per Garcia-Tobar, “With email authentication properly in place these spoofed emails are blocked before end users ever see them. Therefore, no clever con artist has the opportunity to trick well-meaning employees into giving away the company’s money or secrets.” Keep yourself and your users safe!  

Sources:

https://mashable.com/ https://www.reuters.com/article/us-usa-election-russia-theory-idUSKCN10801S https://www.washingtonpost.com/posteverything/wp/2016/07/27/by-november-russian-hackers-could-target-voting-machines/ https://www.nbcnews.com/politics/politics-news/democratic-national-committee-breached-russian-hackers-n592061 https://us.norton.com/spear-phishing-scam-not-sport/article https://www.betterbuys.com/estimating-password-cracking-times/ https://haveibeenpwned.com/

Photo credits:

Cortana scripting language via photopin (license) Stuck on You via photopin (license)   Locked via photopin (license)