Lessons from a hack

Lessons from a hack

David Gee relives the day he became the victim of a spear phishing attack

About a year ago, I noticed that I was receiving an increasing number of phishing emails in my work inbox. It was about the time I was travelling to Japan for a holiday and I casually noticed that someone had accessed my email address from Estonia.

Estonia? I’ve never been there; I know someone who was born there but they certainly wouldn’t be logging into my email account.

I had been the target of a spear phishing exercise. The logic is that the offending person was trying to access me through either my corporate or personal address. This is assuming that I perhaps use the same password on these different accounts (which of course, I don’t.)

The phishing approach is all about law of numbers and eventually they will find a weak link. Some statistics that I have seen show that phishers have a 5 per cent success rate.

It really is quite common, as most people have to try to remember 20 to 30 passwords that all have different requirements around strength, length, upper and lower case as well as numbers and special characters. No doubt that leads to sloppiness of just having the same password or one with variations.

Malware paranoia stage

It was somewhat disturbing to find someone had accessed my account. I had to find out the source of this entry. My hypothesis was that some malware had found a way onto my computer and to confirm this, I needed to install three different pieces of anti-malware software.

I found it more concerning that not all software solutions are effective and according to two of these packages, I was safe. It was the third that removed the culprit malware. This only made me more concerned about being re-infected.

Password heaven

I’ve always believed that whatever is man-made can be vulnerable. Some recent studies reveal that ‘1234’ is the password 10.7 per cent of the time. Then there is the use of ‘123456’ or ‘password’, which tend to be in the top 5 passwords used.

I’m happy to report that none of these simple or obvious ones were my password, and I had established that a key-stroke logger had found a way onto my home PC.

These are actually not hard to find, just do a Google Search and you will see at least three that are advertised, so I assume that there are legitimate uses for such software.

The weakest link

Most corporate systems have added restrictions around repeat passwords, sequences etc. Such measures don’t apply at home and your greatest fear may be that you have used the same password more than once on different sites.

In my case, I did a self-audit and found that I had indeed been guilty of using the same password on two personal websites. However, the weakest link in the office environment is that staff write down these secret combinations and leave it in their desk drawers.

Even the personally entered ‘challenge response’ questions around your first pet’s name can be disclosed where social media is mined for this data. These efforts are often referred to as ‘social engineering’ attacks and an innocent call to the helpdesk is to try to gain access to a set of security credentials.

Hacker’s treasure

The ultimate treasure for a hacker is ‘data’, and it’s funny that this is also the holy grail for the new age web companies – Facebook, Google, Amazon.

In my instance, the hacker had over a period of time left a key logger, which often is just initially watching and then observing before taking action to gain further access.

The hacker can then gain additional access for remote login, or perhaps to create an additional login account. Unfortunately, my Estonian friend did both of these actions.

While I felt somewhat violated, my first concern was what personal information was it that had been copied or read? I have since taken additional vigilance to watch our credit card statements for a number of months, just to ensure that nothing adverse occurs.

My friendly hacker sent me a picture of his buttocks and private parts, perhaps as a parting gift. Not sure if this was forensic evidence that I really wanted to keep, so it was deleted fairly quickly.

Identity theft?

There was no evidence of any loss or damage but I did receive an email that my online loan application had been declined. Hmmm, I don’t recall applying for a loan in London?

While alarmed, I calmly wrote back to explain that my account had been hacked and this was not the real ‘David’ who had applied.

The loan company said it could not share any further details with me, and then it didn’t want to tell me any details about my so-called loan.

Later, I received a different email, this time from a truck repair company regarding my scheduled service. I tried a different tack and asked for a copy of my last invoice, to see if I could 'Sherlock Holmes' an address. The repair company then got suspicious and said that they had emailed the wrong address.

On guard

When one is at work, it is more natural to be ‘on guard’ and avoid clicking on any link or message that looks suspicious. Let me stress though, once you have had such an experience personally, it really does make you look at the world differently.

I’ve also noticed some funny connections on Linkedin, (yes these are the random requests that you get) and I recall seeing this name with ‘Harvard MBA’ and ‘General in the USA’ credentials. It got better and better, or should I say more and more unbelievable.

Then there was a Linkedin connection request again from a person who logically wouldn’t be sending out a random invitation. She was on the board of a large bank in Asia. My initial suspicion was correct and I noticed that there were three or four other individuals with the same name and photo on Linkedin.

Bring your own data?

Most people want to be environmentally-responsible and the same duty of care that I exercise in disposing of old personal PCs will need ongoing attention.

Yes, I want to be ‘green’ and see items recycled, however I don’t want my hard disks shipped to a third-world country to be diagnosed for sensitive data.

I suspect that cybersecurity will become a bigger risk for each of us in the future and my unfortunate story will be more commonplace for many people.

We live in a world where trust is a valuable asset, and we are heading down the path where we all have to exercise much more care.

What information we share online will need to be more judicially considered. The ‘right to forget’, will be what we all expect to be able to exercise control.

Perhaps bring-your-own-data initiatives will be the way forward. We may have our personal data (personally) secured, then directly grant or revoke access to a social media site. In this way, the data is controlled by you, and there are no fragments kept on sites.

Just think of all the places that you have once visited and left information – MySpace, Zoominfo, Spock and many other organisations that may not now be trading but somewhere there is information that you just wouldn’t want to be disclosed.

BYO data is really an interesting concept that I think will gain some traction, particularly if there are some large scale abuses of data or perhaps another similar data breach to the one that we saw with Target in the United States.

Identity theft is now an area of concern for me after falling victim to this spear phishing attack.

It made me reflect on a quote from Frank Abagnale, the infamous counterfeiter who was portrayed by Leonardo Di Caprio in the 2002 biographical film Catch Me If You Can. Abagnale said he doesn’t use Facebook or Twitter as the bad guys would use this information against you.

I’ve always been somewhat of a power user with social media – trying and using multiple tools then measuring on Klout what is my score. Now, another voice in my head is ‘hey, don’t share too much’, perhaps be a lurker – it may be safer.

David Gee is the former CIO of CUA where he recently completed a core banking transformation. He has more than 18 years' experience as a CIO, and was also previously director at KPMG Consulting. Connect with David on LinkedIn.

Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.

Join the CIO newsletter!

Error: Please check your email address.

Tags amazoncybersecurityMySpaceLinkedInZoominfoDavid Geehackeranti-malwareFrank Abagnalebring your own dataFacebookBYODCatch Me If You CanCUAgoogle searchGoogleestoniaSpockLeonardo Di Caprio

More about FacebookGoogleindeedKPMG

Show Comments