• Status Update: I’ve been Hacked!

    Chances are high that, at some point today, either you or someone you know has posted an online message through one of the many social media platforms available. Hundreds of millions of users flocked to social networks this year to do precisely that, and they are doing it in record numbers through smartphones, tablets, and desktop computers. The problem, however, is that this development has been noticed by one group in particular—hackers and cyber-attackers.

    The prime target for these individuals is perhaps the most obvious: Facebook. With over a billion users worldwide, Facebook commands a veritable gold mine of information and, like insects within range of a lightbulb, the hackers just can’t stay away. In fact, one need not be a hacker—or expert programmer—to get started. A simple Google search yields countless websites that offer software (really malware) and multiple tips and tricks on how to break into Facebook accounts to steal information or plant infected software on the victim’s computer (don’t try this at home, or elsewhere!).

    Earlier this year, scammers took advantage of the widespread skepticism about Facebook’s new Timeline feature to trick users into clicking various links that purported to remove the feature. Those who followed the instructions were taken to a page that looked like Facebook but was not. This faux-Facebook page encouraged users to ‘Continue’ or ‘Like’ or ‘install’ various items just like the real Facebook, and those who fell for the trap automatically became victims of click-jacking or like-jacking, because the bogus link was then posted to their own Facebook Walls. When their friends noticed the link and clicked it themselves, the process simply repeated itself.

    Another common scam plays on users’ natural worry about newly posted images or videos of themselves: the target receives direct messages (DMs), purportedly from online friends, reporting that they have been captured in a Facebook video. These DMs, usually spammed out from newly compromised Twitter accounts, tricked the unwary into clicking the link they contained, which led to a website telling them to upgrade their “YouTube player.” Users who went further were infected with Troj/Mdrop-EML, detected by Sophos as a backdoor Trojan that can also copy itself to accessible drives and network shares. Exactly how the Twitter accounts were compromised and made to send malicious DMs remains unclear, but the attack underscores a key message about modern social media security: if a friend sends you a link, don’t click it without thinking!

    If you do find that it was your Twitter account sending out the messages, the sensible course of action is to assume the worst: change your password and revoke the permissions of any suspicious applications that have access to your account.

    Finally, we have the usual phishing attempts to lure you into entering your account information on a web site that looks like Facebook’s sign-in page, or on other web sites proclaiming offers for freebies of various kinds. Facebook has a page about how to avoid phishing. It also has a page about what to do if you’re locked out of your own account, but I recommend that you avoid this page unless you have actually been hacked, particularly if you are a Facebook user who is logged in. The site assumes that you’ve been attacked, and unless you hit “cancel”—one of the two options you’ll have—you will be forced to change your password and security question. And you’ll learn very little about the hacking problem.

    So, what can we do to protect the information we post online—the pictures of cats, the live-blog of what we’re eating for lunch, etc.—from those who wish us (digital) harm?

    The good news is that you don’t have to de-friend everyone you know for fear they will start sending you malicious links or software. The better news is that there are various concrete steps you can take today to better protect your online information. You should:

    • Choose a strong password. Include special symbols, some numb3rs, and even a ma+hematical sign or two. Also be sure to include both uppercase and lowercase LeTtErS. Once you have established your password, do not share it with anyone.
    • Look over the privacy and security settings regularly and carefully choose your configuration:
      • Secure Browsing – enabled
      • Login Notifications – enabled
      • Login Approvals – enabled
      • Recognized Devices – if there is anything listed here that doesn’t look familiar, or the date is not recent, remove it
      • Active Sessions – remove all except Current session.
    • Take care when downloading applications and check the terms of use before you do. Yes, those long terms of use where you normally click on “Accept” without actually reading them!
    • Only befriend people you know
    • Report suspicious activity to Facebook
    • Don’t post pictures, updates or the location where you are, if there is anybody in the world you would not want to be able to find out about it

    Words of Wisdom: What we tend to forget is that the basic (unsecured) designs underpinning the Internet were built on presumptions of good intentions and not with the numerous possibilities of malevolent sabotage in mind. Indeed, the original internet inventors, developers and planners engineered the Internet to enhance wealth and the free and easy exchange of ideas and information, and assumed that new participants would automatically adapt to established rules of the road based on social trust, the security of property and the best use of this technology for the greater good. But where great value in goods, knowledge and funds flows without societal protection (or a much more complex, secured and encrypted system), so grows great potential for crime and conflict, even in cyberspace.

  • South Carolina Government Agency Hacked!

    “Just one look: That’s all it took for an attacker to compromise South Carolina state systems.”[1]

    In what appears to be the largest cyber attack yet against a state government agency, hackers stole millions of documents from the South Carolina State Department of Revenue this summer. The stolen bounty includes almost four million Social Security numbers and over three million bank account numbers. Hackers stole the information by placing a 21st Century twist on an ancient sport: fishing. The incident likely began with a ‘phishing’ email sent to various state employees. ‘Phishing’ emails work by luring the recipient into clicking a link, thinking it will lead them somewhere of interest. Unbeknownst to the user, the link actually installs software on their computer, which in this case allowed the hackers to obtain employees’ usernames and passwords.

    So, what was exposed as a result of this security breach?

    • 3.8 million taxpayers’ Social Security numbers
    • 387,000 credit cards and debit numbers
    • 700,000 businesses tax records
    • 3.3 million bank account numbers and data

    What could or should the SC Department of Revenue have done to prevent it?

    • Upgrade its password protection to a dual-password system—this is the only solution the agency is currently addressing
    • Encrypt ALL their data—this idea was rejected by the agency in 2006 as “cost ineffective” ($5 million) and not required by the IRS.
    • Hire a new Cyber-security Officer—the position had been vacant from September 2011 to August 2012, just when the hacker stole millions of taxpayers’ personal data. Seriously, how many similar agencies and banks go for almost a year without a security guard?
    • Train employees and top executives—the workforce in these institutions needs to be capable of implementing the programs, policies and strategies that can begin to address some of these cyber threats.

    “No matter how good a technology is, if not used correctly by skilled employees who follow well-defined processes, vulnerabilities will surface that can be leveraged by both internal and external threat actors”[2]

    • Increase the number of vulnerability scans on the agency—quarterly vulnerability scans are currently run by a private contractor.
    • Accept the offer of free breach-detection services from the state’s IT department— which the agency has reportedly declined before.

    Department of Revenue Director Jim Etter has appeared before Senate panels in the past two weeks to answer the many questions about the causes of the breach and to respond to demands for improved security procedures for the state’s computers. Etter will be resigning at the end of December.

    As of today, the cost of the state’s response is estimated to be above $14 million and climbing. Other state tax agencies are now on high alert.

    [1] Mathew J. Schwartz, “How South Carolina Failed to Spot Hack Attack,” InformationWeek, November 26, 2012

    [2] “Booz Allen Announces Top 10 Financial Services Cyber Risk Trends for 2013,” Booz Allen Press Releases, November 29, 2012