David Gee relives the day he became the victim of a spear phishing attack
CIO Magazine 28 August, 2014
About a year ago, I noticed that I was receiving an increasing number of phishing emails in my work inbox. It was about the time I was travelling to Japan for a holiday and I casually noticed that someone had accessed my email address from Estonia.
Estonia? I’ve never been there; I know someone who was born there but they certainly wouldn’t be logging into my email account.
I had been the target of a spear phishing exercise. The logic is that the offending person was trying to access me through either my corporate or personal address. This assumes that I perhaps use the same password on these different accounts (which, of course, I don’t).
The phishing approach is all about the law of numbers, and eventually they will find a weak link. Some statistics that I have seen show that phishers have a 5 per cent success rate.
It really is quite common, as most people have to try to remember 20 to 30 passwords that all have different requirements around strength, length, upper and lower case as well as numbers and special characters. No doubt that leads to the sloppiness of just using the same password, or one with variations.
Malware paranoia stage
It was somewhat disturbing to find someone had accessed my account. I had to find out the source of this entry. My hypothesis was that some malware had found a way onto my computer and, to confirm this, I needed to install three different pieces of anti-malware software.
I found it more concerning that not all software solutions are effective: according to two of these packages, I was safe. It was the third that removed the culprit malware. This only made me more concerned about being re-infected.
Password heaven
I’ve always believed that whatever is man-made can be vulnerable. Some recent studies reveal that ‘1234’ is the password 10.7 per cent of the time. Then there is the use of ‘123456’ or ‘password’, which tend to be in the top 5 passwords used.
I’m happy to report that none of these simple or obvious ones were my password, and I had established that a key-stroke logger had found a way onto my home PC.
These are actually not hard to find; just do a Google search and you will see at least three that are advertised, so I assume that there are legitimate uses for such software.
The weakest link
Most corporate systems have added restrictions around repeat passwords, sequences etc. Such measures don’t apply at home, and your greatest fear may be that you have used the same password more than once on different sites.
In my case, I did a self-audit and found that I had indeed been guilty of using the same password on two personal websites. However, the weakest link in the office environment is that staff write down these secret combinations and leave them in their desk drawers.
Even the personally entered ‘challenge response’ questions around your first pet’s name can be disclosed where social media is mined for this data. These efforts are often referred to as ‘social engineering’ attacks, and an innocent-sounding call to the helpdesk may be an attempt to gain access to a set of security credentials.
Hacker’s treasure
The ultimate treasure for a hacker is ‘data’, and it’s funny that this is also the holy grail for the new age web companies – Facebook, Google, Amazon.
In my instance, the hacker had, over a period of time, left a key logger, which often is just initially watching and observing before taking action to gain further access.
The hacker can then gain additional access for remote login, or perhaps create an additional login account. Unfortunately, my Estonian friend did both of these things.
While I felt somewhat violated, my first concern was: what personal information had been copied or read? I have since taken additional vigilance to watch our credit card statements for a number of months, just to ensure that nothing adverse occurs.
My friendly hacker sent me a picture of his buttocks and private parts, perhaps as a parting gift. Not sure if this was forensic evidence that I really wanted to keep, so it was deleted fairly quickly.
Identity theft?
There was no evidence of any loss or damage, but I did receive an email that my online loan application had been declined. Hmmm, I don’t recall applying for a loan in London?
While alarmed, I calmly wrote back to explain that my account had been hacked and this was not the real ‘David’ who had applied.
The loan company said it could not share any further details with me, and then it didn’t want to tell me any details about my so-called loan.
Later, I received a different email, this time from a truck repair company regarding my scheduled service. I tried a different tack and asked for a copy of my last invoice, to see if I could ‘Sherlock Holmes’ an address. The repair company then got suspicious and said that they had emailed the wrong address.
On guard
When one is at work, it is more natural to be ‘on guard’ and avoid clicking on any link or message that looks suspicious. Let me stress though, once you have had such an experience personally, it really does make you look at the world differently.
I’ve also noticed some funny connections on LinkedIn (yes, these are the random requests that you get), and I recall seeing one name with ‘Harvard MBA’ and ‘General in the USA’ credentials. It got better and better, or should I say more and more unbelievable.
Then there was a LinkedIn connection request, again from a person who logically wouldn’t be sending out a random invitation. She was on the board of a large bank in Asia. My initial suspicion was correct, and I noticed that there were three or four other individuals with the same name and photo on LinkedIn.
Bring your own data?
Most people want to be environmentally responsible, and the same duty of care that I exercise in disposing of old personal PCs will need ongoing attention.
Yes, I want to be ‘green’ and see items recycled; however, I don’t want my hard disks shipped to a third-world country to be diagnosed for sensitive data.
I suspect that cybersecurity will become a bigger risk for each of us in the future, and my unfortunate story will be more commonplace for many people.
We live in a world where trust is a valuable asset, and we are heading down the path where we all have to exercise much more care.
What information we share online will need to be more judiciously considered. The ‘right to forget’ will be something we all expect to be able to exercise control over.
Perhaps bring-your-own-data initiatives will be the way forward. We may have our personal data (personally) secured, then directly grant or revoke access to a social media site. In this way, the data is controlled by you, and there are no fragments kept on sites.
Just think of all the places that you have once visited and left information – MySpace, Zoominfo, Spock and many other organisations that may not now be trading, but somewhere there is information that you just wouldn’t want to be disclosed.
BYO data is really an interesting concept that I think will gain some traction, particularly if there are some large scale abuses of data or perhaps another data breach similar to the one that we saw with Target in the United States.
Identity theft is now an area of concern for me after falling victim to this spear phishing attack.
It made me reflect on a quote from Frank Abagnale, the infamous counterfeiter who was portrayed by Leonardo DiCaprio in the 2002 biographical film Catch Me If You Can. Abagnale said he doesn’t use Facebook or Twitter, as the bad guys would use this information against you.
I’ve always been somewhat of a power user with social media – trying and using multiple tools, then measuring my score on Klout. Now, another voice in my head says ‘hey, don’t share too much’; perhaps be a lurker – it may be safer.
David Gee is the former CIO of CUA, where he recently completed a core banking transformation. He has more than 18 years' experience as a CIO, and was also previously director at KPMG Consulting. Connect with David on LinkedIn.
http://www.cio.com.au/article/553464/lessons_from_hack/