There have been several stories in the news recently that highlight how hackers are changing their tactics to infiltrate and disrupt our businesses. I thought I would describe how two of the most recent incidents occurred so that we can all evaluate how well we are protected and how to enhance that protection. These are by no means the only methods being used by hackers, but these 2 incidents highlight 2 areas that we should all be aware of and mitigate against. We hear about these things every day and assume these attacks are very sophisticated. However, they start out with some very simple lapses that we are all guilty of.
The first incident is the hacking of the Clinton Campaign Chairman, John Podesta, Colin Powell and several other high-profile political people. The story we hear in the news is that these people’s email was hacked and then published by WikiLeaks. My intent with this post is not to speculate how that whole process occurs; I’m not sure anyone actually knows the path from point A to point B here. What I want you to understand is how simple this was to get started. And it is not at all that sophisticated! Investigators have determined that these people were victims of phishing attacks, and it appears that these came from the same source in most cases. That’s right: these people simply clicked on a link in an email they received, and that led to the email leaks you are seeing in the news almost daily. We have all seen these types of emails. They come from banks we don’t have anything to do with, unknown people that have a business deal or have money to share with us, even people we may know that have some incredible product or scheme to make us rich. In the cases above, the email indicated the user’s Gmail account had been compromised and provided a link to fix it. No big high-tech manipulation of email servers, firewalls, break-ins etc. Just a “Click Here Please”. You would never do that, right? How about your staff? These things can be very professionally done and look very authentic. Businesses need to have continuous training and communication with their staff to ensure they are aware of the latest cyber security risks.
The second incident is the major internet outage that occurred on Friday, October 21, 2016. During the day and evening on the 21st, several major websites became inaccessible to users. These sites included Twitter, Spotify, Netflix and many other sites. Again, I don’t want to get into all the technical details of this Distributed Denial of Service attack, other than to explain that Denial of Service attacks occur when a website is bombarded with so many bogus requests that it cannot respond to valid requests, which makes the website appear to be down. In this case the “Distributed” part means the bogus requests came from many (possibly millions of) computers or internet-connected devices. The attack on the 21st was the first time (possibly) that the attack was largely carried out by non-computer devices connected to the internet; webcams and low-end routers were major culprits. Yes, our internet-connected computers, webcams, routers, refrigerators and toasters can be used to cause an outage like we saw on the 21st and even worse. Very sophisticated? Not at all! While the program that was created to cause our devices to become zombie warriors could be considered sophisticated, the method used to get that program on our devices is rather simple. The simple fact is that most homeowners (and some businesses) don’t do the simplest of configuration changes when setting up their internet-connected devices. One of the most basic rules when setting up internet-connected devices is never to use the factory-configured password. For instance, when you go to Staples and buy your router, it comes with a built-in password, the same password as every other similar router sold anywhere in the world. You know, the one that is published in the quick start guide or user manual. Forgot yours? No problem, do a quick internet search and you will have it in less than 10 seconds. So, the major internet outage on the 21st was enabled partially by ourselves. These hackers could simply connect to these devices and use the default password to plant the zombie software on the device.
We have all heard about, been trained on and even made attempts at applying security to our business and personal lives. What these two events have shown us is how critical it is becoming to step up our game in this area. These are not difficult things that we need to do. However, until the number 1 password is no longer “password” (#2 123456, #3 qwerty) and until we all start taking this more seriously, the bad guys are going to have a field day and October 21st, 2016 will be the tip of the iceberg.