30 July 2016

How not to get hacked by Russians (or anyone else)


Russian President Vladimir Putin's government has been implicated by CrowdStrike in the DNC hacking scandal.

There's been a lot of talk about Russian hackers infiltrating the Democratic National Committee's servers and then leaking sensitive emails via WikiLeaks. 

The breach, which happened in June but was revealed this week, may sound like a high-level hacking plot by international spies that doesn't have anything to do with your personal cybersecurity. We are here to tell you, that is incorrect.

In times like this, it is good to remember Russia, or any government for that matter, could turn its attention to you — if, for some reason, they decided you had some information they needed to obtain. Perhaps you work for an important company or you are the love child of a Soviet spy. Whatever the reason, it is a good time to consider your privacy online.

The attack on the DNC was investigated by cybersecurity firm CrowdStrike, which not only claimed the Russian government was behind the hack but also noted it was due to "spear phishing." And they are not referring to the sport.

Spear phishing is the term for when a hacker sends you an email that pretends to be from someone you trust but is in fact from a scammer. "The spear phisher thrives on familiarity. He knows your name, your email address, and at least a little about you," security firm Norton warned.


In other words, these scammers are getting smarter and they may be using you to get into your company's networks. So how do you prevent being the one that exposes your company to an attack? There are a few crucial things you can do. 
Understand how the hackers think

Knowledge is power when dealing with hackers. Understanding a little about how hackers think will put you ahead of the pack when it comes to protecting yourself.

"Get educated on exactly what spear phishing is," Steve Morgan, Cybersecurity Ventures CEO and founder, said in an email to Mashable. "First off, a spear phishing email has a spoofed (forged) address and appears to be coming from a trusted source — for instance a co-worker or manager — when in fact it is coming from a malicious person (hacker)."

In the case of the DNC attack, there were two groups that infiltrated the systems. The first group, codenamed "Cozy Bear" for no obvious reason, is known for its use of a spear phishing method that sends a person web links to programs which install themselves on your computer. These programs normally include sophisticated tools that allow the hacker to remotely access your computer, CrowdStrike's Dmitri Alperovitch wrote in a blog post.

The second group, "Fancy Bear," is a little more detailed in its approach. With groups using this method, you really need to be on the lookout. Fancy Bear registers domain names that resemble those of the legitimate organizations it plans to target, according to Alperovitch. The group then copies the look of the victim's email service and goes in for the kill.
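The lookalike-domain trick described above can be screened for on the receiving side. The following is an added example, not code from the article or from CrowdStrike: it folds common character substitutions, measures edit distance against a list of trusted domains, and flags sender addresses that come too close. The trusted domain and the sample senders are constructed.

```python
# Added example: flag sender domains that resemble a trusted organisation's domain.
# Sample data below is constructed; 'example.org' stands in for the real organisation.
import unicodedata

# Substitutions attackers commonly use to imitate ASCII letters (folded before comparing).
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "rn": "m", "vv": "w", "cl": "d"}

def normalize(domain):
    """Lower-case, drop non-ASCII code points (Cyrillic/accented confusables), fold substitutions."""
    d = unicodedata.normalize("NFKD", domain).encode("ascii", "ignore").decode().lower()
    for fake, real in HOMOGLYPHS.items():
        d = d.replace(fake, real)
    return d

def edit_distance(a, b):
    """Levenshtein distance: insert, delete and substitute each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable(domain):
    """Crude 'name.tld' extraction so 'mail.example.org' is compared as 'example.org'."""
    return ".".join(domain.split(".")[-2:])

def classify_sender(address, trusted, max_distance=2):
    """Return 'trusted', 'lookalike' or 'unknown' for the domain part of an e-mail address."""
    domain = registrable(address.rsplit("@", 1)[-1].lower())
    if domain in trusted:
        return "trusted"
    label = normalize(domain).partition(".")[0]
    for good in trusted:
        good_label = good.partition(".")[0]
        # Same name under another TLD, or a name within a couple of edits of the real one
        if label == good_label or edit_distance(label, good_label) <= max_distance:
            return "lookalike"
    return "unknown"

# Constructed sample: one genuine sender, three lookalikes, one unrelated domain.
TRUSTED = {"example.org"}
SAMPLE_SENDERS = ["it-help@example.org", "it-help@exarnple.org", "hr@examp1e.org",
                  "alerts@example.co", "news@unrelated.net"]

def triage(senders=SAMPLE_SENDERS, trusted=TRUSTED):
    """Classify every sample sender; returns {address: verdict}."""
    return {s: classify_sender(s, trusted) for s in senders}
```

A distance threshold of 2 is deliberately loose and will produce false positives on short domain names; tune it per organisation and treat a "lookalike" verdict as a reason to quarantine and verify, not as proof.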

"When it comes to phishing scams, attackers look to the emotional aspects of human decision-making to execute their attacks," a spokesperson from Norton Security told Mashable. "Cyber criminals will use social engineering as a method to try and get people to divulge sensitive information or install malicious malware onto their computers."

Social engineering includes hackers researching the victim by looking at their social media profiles and online activity to find out everything they can about them and the organization. 

When you receive an email from someone who knows who you are, appears to be from your organization or is someone you trust and is asking for an urgent response, it is much easier to respond without paying much attention. This is their evil plan. Next thing, you are exposed.
Be vigilant 

Firstly, don't have your cat's name, your mum's home and your friend's engagement splashed all over Facebook. Try to keep as much private as you can, especially when signing up to websites. It can all be pieced together to make an in-depth profile of who you are, where you live, who you are friends with and what you do. If you want to freak yourself out over your social media sharing, a visit to TakeThisLollipop.com should do the trick.

To check how vigilant you have been, do a Google search of yourself and see what you can find. Terrifying. 
Don't be lazy with your password

Passwords cannot be the same for multiple sites. They should also be super difficult and preferably not contain the word "password." Use a program such as LastPass or any of these brilliant tools to generate and store the most difficult passwords you can imagine.

If you can remember it, it can probably be easily hacked. Throw in a couple of exclamation points for good measure. 

You should also turn on two-step authentication. Even though it's the most annoying thing on Earth, think of the security it brings. Google made it a little bit easier recently by adding a one-click verification option. For instructions on getting it set up, check out this link.
Think before you respond

If your friend or your brother's cousin emails asking you to wire them money, alarm bells should go off. That is the most obvious example, though, and the people doing the phishing at the level of the DNC attacks are far more sophisticated than that.

Be on the lookout for anything suspicious in an email. If your friend is writing in a slightly different tone, give them a call or a text to check it is them. The same goes for dealing with organizations you are familiar with. If you aren't expecting an email, be cautious about downloading attachments.

In other words: be alert, all the time.
Your company should take steps to protect you

Human error is responsible for 95 percent of all security issues, according to IBM, so companies should step up and train their staff to be alert for phishing attacks. It's not all your fault. 

"Human error is in fact simply a lack of security awareness training when it comes to hacks and data breaches. Users are careless and make mistakes because they have no idea what to be on guard for," Morgan said.

Organizations can also block emails from forged sources with email authentication, which lets a company control who may send email using its identity, according to Alexander Garcia-Tobar, CEO of email security company ValiMail.

"With email authentication properly in place these spoofed emails are blocked before end users ever see them," Garcia-Tobar explained. "Therefore, no clever con artist has the opportunity to trick well-meaning employees into giving away the company's money or secrets."

(He also noted that, according to his company's tests, the emailing domains for the RNC, DNC and Donald Trump's campaign were "wide open to phishing," while Hillaryclinton.com was protected.)

He believes that because so many threats are hard to spot with the naked eye, companies need to take responsibility for their security and not rely on humans. "Rather than attempting to train employees to detect the undetectable, companies need to eliminate these attacks in the first place with a strong email authentication system," he said. 
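The "wide open to phishing" versus "protected" distinction Garcia-Tobar draws comes down to what a domain publishes in DNS. The following is an added example, not code from the article or from ValiMail: it assumes "email authentication" means SPF and DMARC, parses the two TXT records, and reports whether a forged From: address in that domain's name would be blocked. The records are constructed strings rather than live DNS lookups so the check runs offline.

```python
# Added example: judge a domain's e-mail authentication posture from its SPF and DMARC records.
# Record strings below are constructed; substitute real TXT lookups for 'example.org'
# and '_dmarc.example.org' to assess an actual domain.

def parse_dmarc(txt):
    """Return DMARC tag=value pairs as a dict, or None if txt is not a DMARC record."""
    if not txt or not txt.strip().lower().startswith("v=dmarc1"):
        return None
    tags = {}
    for part in txt.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags

def spf_all_qualifier(txt):
    """Return the qualifier on the SPF 'all' mechanism ('-', '~', '?' or '+'); None if absent."""
    if not txt or not txt.strip().lower().startswith("v=spf1"):
        return None
    for term in txt.split()[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"
        if term.lstrip("+-~?").lower() == "all":
            return qualifier
    return None

def assess(spf_txt, dmarc_txt):
    """Summarise how far spoofed mail in this domain's name would get; returns a dict."""
    findings = []
    spf_all = spf_all_qualifier(spf_txt)
    if spf_all is None:
        findings.append("no SPF record (or no 'all' term): any host may send as this domain")
    elif spf_all in ("+", "?"):
        findings.append("SPF '%sall' does not reject unauthorised senders" % spf_all)
    elif spf_all == "~":
        findings.append("SPF softfail (~all): receivers may still deliver spoofed mail")
    dmarc = parse_dmarc(dmarc_txt) or {}
    policy = dmarc.get("p", "none").lower()
    pct = int(dmarc.get("pct", "100"))
    if policy in ("quarantine", "reject"):
        posture = "enforced" if pct >= 100 else "partial"
        if pct < 100:
            findings.append("DMARC pct=%d: policy applied to only part of the mail" % pct)
    else:
        posture = "open"  # no DMARC, or p=none: spoofed mail is delivered, at most reported
        findings.append("DMARC missing or p=none: spoofed From: addresses are not blocked")
    return {"posture": posture, "spf_all": spf_all, "dmarc_policy": policy, "findings": findings}

# Constructed records: a monitoring-only setup beside an enforcing one.
WEAK = ("v=spf1 include:_spf.example.net ~all", "v=DMARC1; p=none; rua=mailto:dmarc@example.org")
STRONG = ("v=spf1 include:_spf.example.net -all", "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example.org")
```

Note that SPF alone, even with "-all", does not protect the visible From: header; only a DMARC policy of quarantine or reject ties the header to the authenticated domain, which is why the posture is decided by DMARC.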
But should I be worried about the bears?

Not exactly — unless you work for a government agency — but one thing Fancy and Cozy Bear have done is help raise awareness for these kinds of attacks.

"The main takeaway should be that Cozy Bear and Fancy Bear — which are hacking groups affiliated with (and potentially sponsored by) Russian intelligence agencies aimed at political and financial espionage — have been around for years," Morgan said.

"Unfortunately it takes a high-profile cyberattack to get the public's attention — which is exactly what's happening with the DNC hack ... To be clear, these are not the only 'Russian Bears' the U.S. should be concerned with."

If that last sentence doesn't terrify you into being vigilant online, nothing will. 
