Data breach and hacking: what you can do
In addition to the penalty and financial damage, the insurance sector and its claims handlers face an even graver aspect: the risk that leaking sensitive information of policyholders poses for the personal privacy of the policyholders and for the reputation of the insurers and service providers.
Suffice to say that data leaks must be prevented. IT security measures alone are not enough. No matter how many security measures have been implemented, one unthinking action by a single employee can still cause huge damage.
In a captivating presentation, an ‘ethical hacker’ – we’ll call him EHJ – showed Van Ameyde staff how easy it is to hack an organisation. He started off with a wake-up call by showing NORSE’s live feed (http://map.norsecorp.com): hackers from all over the world attack 24/7.
In his presentation EHJ dealt with a host of attack methods. In this blog we deal with some of the most striking ones and give some useful tips to protect yourself, i.e. to not make hackers’ lives too easy!
There are various types of hackers: hacktivists whose convictions or religious persuasion motivate them to attack, governments and criminals. And, of course, the good guys (ethical hackers) who help us defend ourselves against malicious attacks. Anonymous is a movement of activists and hacktivists, known for, among other things, their DDoS (distributed denial of service) attacks on PayPal, MasterCard, VISA and the Sony PlayStation Network. DDoS attacks cripple organisations’ websites. The principle is simple: by sending massive amounts of external communication requests to a website, the website is overloaded, as a result of which regular users can no longer access it. Those external communication requests are sometimes sent simultaneously from a large number of computers, but more often a botnet is used: a collection of infected computers under the control of the malicious party, e.g. recruited by sending spam.
Criminals also use DDoS: they blackmail organisations by threatening to paralyse their websites.
Though there is little an organisation can do against DDoS, there are more common types of attacks that can be prevented by raising awareness among staff, such as phishing.
A much-used method is an email supposedly sent in the name of the CEO to the Finance Department, asking for amounts to be transferred. Proper procedures prevent less experienced colleagues from complying with such requests. In addition, it is important to continuously raise awareness of the risks of phishing mails and spam.
An organisation can defend itself against this type of attack, on the one hand by ensuring proper application of good procedures and controls and on the other hand by continuously alerting staff to the risks of email.
Malvertising: download Adblock!
Adverts on well-known, otherwise reliable websites may contain viruses that activate automatically. The attack starts as soon as the user visits the page, without even clicking on the advert. This practice is called malvertising, and the websites’ owners and site managers have no idea! Sites of the New York Times, the London Stock Exchange and Spotify have all been sources of malvertising.
A solution: install an ad blocker, e.g. Adblock Plus (ABP), which is available for multiple browsers including Internet Explorer and Chrome. The site https://adblockplus.org/ automatically detects the browser you are using. Adblock Plus is open source and free of charge.
Remark: though an ad blocker blocks much, it does not block everything, and hackers will find new ways. An ad blocker is just one of the security measures you can take (not just in your office environment but at home as well); other forms of security software, including virus scanners, continue to be necessary!
Public Wi-Fi networks: dicey business
Mobile devices such as smartphones automatically try to connect to previously used and stored Wi-Fi networks. Hackers gladly take advantage of this behaviour. Using a simple device that can simulate those previously used networks, the hacker makes your smartphone unwittingly connect to that device instead of a real Wi-Fi network. You won’t notice a thing, because the hacker gives ‘his’ network a credible name, e.g. the name of the café where you’re enjoying your coffee.
This way the hacker gains access to all incoming and outgoing traffic of your mobile device: all internet traffic runs through the hacker’s device. The hacker can steal your identity, intercept your login details and potentially empty your bank account. The hacker may even find angles for blackmail, e.g. based on your browsing behaviour.
As to the use of internet when not at home, EHJ gives the following tips:
- the easy solution would be: do not use public Wi-Fi, but use mobile data when you are en route. Of course, this uses up paid mobile data;
- turn off Wi-Fi when not at home, so that your device does not try to automatically connect to ‘known networks’;
- if you do wish to log in on a public network: first install a VPN (virtual private network) app on your mobile device. The VPN encrypts all traffic and sends it to a safe server;
- if you are logged in on a public Wi-Fi network without having a VPN installed, avoid work-related and financial transactions;
- regularly clean up the list of public networks on your device: if you do not plan on revisiting the location, remove the network;
- always immediately install available updates of your software;
- install virus protection;
- do not leave your real details at all kinds of sites.
Ban thumb drives (USB drives)
Amazingly easy to buy online: Rubber Ducky thumb drives. You cannot tell a Rubber Ducky from an ordinary thumb drive, which means that all thumb drives that have been removed from their sealed packaging are potentially dangerous.
What does the Rubber Ducky do? The thumb drive poses as a keyboard. You plug the drive into a USB port, it is installed as a virtual keyboard and starts typing pre-programmed code at incredible speed. Malware is entered on the spot by this virtual keyboard and is, therefore, not detected by the security software.
Another dangerous type of USB device is the KeySweeper. KeySweeper can log the keystrokes of certain types of wireless keyboards and collect personal information and passwords. More information on KeySweeper can be found at http://www.americanbar.org/content/dam/aba/administrative/cyberalert/keysweeper.authcheckdam.pdf
Tip: ban the use of thumb drives that you have not removed from their sealed packaging yourself. If you find a thumb drive, do not use it! Even a thumb drive carrying a supplier’s presentation is potentially dangerous, as the supplier may not know its source either!
Some closing remarks
The possibilities available to criminals, hacktivists, and in particular governments, are infinite and keep growing. The Internet of Things just adds to the potential. Just check out our previous blog on car hacking. Nevertheless, much can be prevented:
- choose proper passwords
- do not use public Wi-Fi without a VPN app installed
- install an ad blocker and other security software (e.g. a virus scanner)
- always immediately install all available updates of your devices and browsers (both on your mobile and desktop devices) – if your device uses Windows, always install its updates!
- ban used / found thumb drives
- do not leave your real details on all kinds of sites
- and when in doubt about the sender, do not open links and attachments of emails.
All tips and information in this blog are provided to raise awareness and to help, but nothing is 100% safe. Van Ameyde and the author of this blog do not accept any liability for data leaks and security breaches.