Security Experts:

Hack Me: You Asked for It. You Got It!

Can’t hack this? Oh yes, they can. A few months back when New York Magazine’s Kevin Roose dared (see embedded video below) a couple of expert hackers to hack him, it reminded me of that old Toyota commercial: “You asked for it. You got it!” Only poor Roose didn’t wind up with a Corolla.

And while most of us aren’t asking for it, chances are high that we, too, have been—or will become—victims of a cyber attack. In fact, last week, Roose popped back into my mind as I was checking my credit card account summary online and discovered a dozen or more transactions (at $75 a pop) marked: Starbucks Card Reload. What the? I may live in Seattle and I may like coffee . . . but not that much . . . and not always Starbucks.

Damn it. Not again!

When I phoned my credit card company to report the fraud, they assured me I wouldn’t be held liable for the charges, canceled my card, and issued a new one. No money lost, no impact to my credit. I guess I got off lucky (knock wood). Thus far, the biggest hassle has been ensuring that auto-payments attached to the compromised card have been changed and various other accounts have been updated, for the second time this year.

Roose didn’t get off as easy—or, at least, he may not have, had his hackers been “unfriendlies.” He seemed aware that his dare could get bad, maybe just not that bad. His (horror) story revealed how hackers broke into his accounts (e.g., a phishing email asking to run a certificate installer), what they found (e.g., credentials, password chain), and what they were capable of seeing or taking (e.g., his SSN, credit card numbers, stock/banking info). In fact, it turned into a Technicolor example of how the cost (and occasional inconvenience) of good security may be peanuts compared to the losses that can ensue in its absence.

One of the eeriest parts of the hack was the hijacking of Roose’ laptop webcam—which took and sent photos of him at two-minute intervals to the hacker. . . for days. I bet he doesn’t discard webcam cover giveaways at trade shows anymore.

What’s Joe Average Got to Worry about?

To be fair, the average person mightn’t be a prime target for hackers (who generally follow the big money), but will likely become a victim at some point given the frequency of attacks on financial services firms. And of course you can never be quite certain whether adjacencies in your relationships or job give access to information that is valuable to cyber thieves. Not everyone’s reward or top prize is the same.

The problem is that the public at large isn’t necessarily hyper informed on the manifold consequences of bad online security practices or hygiene. They may say they want security and privacy, but what are they willing to do for it?

More than ever, the layperson has to be brought into the security-practitioner fold. It’s not only corporations in the cross-hairs. Everyone is vulnerable and the range of cyber threats is expanding, including a wide variety of phishing schemes that anyone (as evidenced by Roose) could fall prey to.

Though corporations tend to have the most to lose in terms of dollars, no one wants his “identity” stolen, bank account drained, or some robotic voice coming over a laptop speaker to say, “You look bored.” Or worse, “Give me money to unlock your laptop.”

Start with the Basics

Old habits die hard, but compromised computers die harder. The same way we need to eat better, exercise more, and be proactive with respect to visiting doctors, dentists, therapists; we also need to keep fit when it comes to online security.

Start with a few simple steps. I promise, they won’t hurt.

Passwords

One day, we’ll be able to move beyond reliance on passwords as protection, but as it stands, they are a part of security and we need to ensure they are as impenetrable as possible.

• Stop with the simple, short passwords. Channel your inner James Joyce and make those puppies long; and maybe your inner Borat to ensure they won’t be found in any dictionary.

• Stop using the same password for multiple accounts. That’s silliness (and sure, I’ll admit, I’ve been silly in the past).

• Stop neglecting to update passwords on a regular basis. And when you do, don’t just change or add a single character.

• And if you are willing to endure a little more inconvenience and spend a couple extra dollars, use a password generator. This way, the passwords are all different, centrally managed, and updated in a flash in case of compromise.

Patching

Microsoft’s Patch Tuesdays were implemented for good reason. And while patching won’t solve all problems or stop all breaches, it’s worth doing. According to CSIS Senior Fellow James Lewis, “75 percent of attacks use publicly known vulnerabilities in commercial software that could be prevented by regular patching.”

So when updates are available, don’t delay, update as soon as possible. It’s not only about new features and functionality, but also about eliminating security vulnerabilities.

Click, Open, or Connect?

Advanced social engineering attacks exploit the human factor (we’re easy targets) and phishing scams remain a top attack vector for criminals. Though not necessarily a high-value hack, phishing can be done en masse with automated emails sent to tons of addresses in the hopes that a few folks take the bait—don’t be one of them. Before you click, open, or connect, take a minute, and:

• Don’t be fooled into clicking on emails from unknown or odd-looking addresses.

• Even for emails from senders you recognize, trust your instincts if the context seems “off” and delete.

• Don’t open email attachment before checking for dangerous file extension (e.g., .exe, .msi, .bat, .com, .cmd, .hta, and many more).

• Don’t connect to public Wi-Fi without turning off file sharing.

• Don’t disclose your exact whereabouts, for example, on Facebook or LinkedIn, especially if you don’t have strict privacy controls enabled.

And for Those Credit Cards...

When it comes to your bank accounts and credit cards, make a habit of regularly scanning activity and transactions. Depending on your credit card provider, you have may options to install apps that give you near-real-time updates and will text you anytime your card number is used. This way, you can at least shut down fraud as quickly as possible.

I spend a fair deal of time and energy machete-ing my way through the technical weeds of security. Having my credit card repeatedly compromised is a good reminder to never forget or get lax about basic security hygiene.

In short, it’s a good idea for all of us to get in the habit of following a few simple security practices—software updates, good password management, social engineering precautions, regular financial activity monitoring—and to try as best we can to keep a low profile. Hmm . . . does that mean not to pen a regular column on security, I wonder? Nah. You can’t live your life in fear, but maybe don’t tempt fate either.

But hey, I know. You got this!

view counter
Johnnie Konstantas heads Gigamon’s security solutions marketing and business development. With 20+ years in telecommunications, as well as data and cybersecurity, she has done a little bit of everything spanning engineering, product management and marketing for large firms and fledglings. Most recently, she was the VP of Marketing at Dato, a company pioneering large-scale machine learning. She was also VP Marketing at Altor Networks (acquired by Juniper), an early leader in virtualization security and at Varonis Systems. Past roles have included product management and marketing for Check Point, Neoteris, NetScreen and RedSeal Systems. Johnnie started her career at Motorola, designing and implementing large-scale cellular infrastructure. She holds a B.S. in Electrical Engineering from the University of Maryland.