Hacking, in the loosest sense of the term, was born in the 1950s when “phone phreakers” first figured out how to exploit the dial tone sounds produced by phones to make free long-distance calls. This form of hacking peaked in the 1960s and 1970s and has since fallen by the wayside.
The 1980s brought us the term “cyberspace,” and saw one of the earliest hacker groups (called the 414s) raided by the FBI and charged with 60 counts of “computer intrusion.”
Though the ability to manipulate dial tones isn’t particularly useful in the digital age, there are a few old-school hacking techniques that have endured the test of time. Here are 5 old-school hack techniques that still work and what you can do to safeguard your data.
Social engineering, which plays a prominent role in phishing scams, involves manipulating unsuspecting victims into revealing private information (such as usernames and passwords) by pretending to be someone else. While a phishing scam involves sending an email purportedly from a trusted source (such as your bank, your IT person, or your boss) and tricking you into handing over your username and password, social engineering can take several forms.
At its core, social engineering exploits human psychology to gain unauthorized access to private or restricted buildings, systems, or data. This form of hacking has technically been around since people first figured out that they could pretend to be other people for ill-gotten gain.
How to Protect Yourself
If you get an unprompted phone call or email asking for personal information, you should always approach the situation with a healthy dose of skepticism. Don’t reveal anything and report the situation to your supervisor, cybersecurity team, or MSSP right away. If possible, forward the email or get a copy of the call log.
To check if the person on the other end of the exchange is who they say they are, you should reach out to them independently. If you get a suspicious email from your “boss,” pick up the phone or forward the email to them to verify that they sent it. If your “IT company” has called you unprompted to help you fix a problem with your machine (that you supposedly reported), hang up and call your IT company directly to verify the situation.
Identity theft isn’t strictly a cybersecurity issue, but it can be used to gain unauthorized access to digital systems. If a cybercriminal is able to gain access to sensitive information (such as your SIN, full name, address, username, password, etc.), they can use that information to commit fraud or other illegal activities.
How to Protect Yourself
Check your credit card statements and credit report regularly and report any suspicious activity right away. You should also change your password if you suspect it’s been compromised, and never use the same password for more than one account. You may also want to consider setting up multi-factor authentication on all accounts that allow it.
To select a secure password, consider following the NIST password guidelines. You may also want to consider using a secure and reputable password manager, which will help you avoid using duplicate passwords and can generate random strings of characters (and store them safely) so that it’s more difficult for criminals to guess your passwords.
Distributed Denial of Service (DDoS) attacks are performed by either large groups of hackers or a hacker with a large number of bot computers under their control. All players then hammer the targeted organization’s servers with requests, causing the server to crash and business to grind to a halt. This coordinated attack prevents legitimate users (such as customers) from accessing the targeted website or server.
How to Protect Yourself
There are a few steps you can take to inoculate your systems against DDoS attacks. To begin, you should make sure your network infrastructure is secure by keeping your firewalls up to date, using spam filters, and implementing load balancing measures.
You can mitigate or even avoid damage by migrating critical infrastructure to the cloud (whose distributed model means that if one server goes down, others are available to step in).
As with any potential cybersecurity incident, you should also have a robust, detailed, and flexible plan in place for dealing with DDoS attacks effectively, minimizing disruptions, and getting to the root of the problem before too much damage can be done.
The Nigerian prince scam is the first example many people think of when they think about cybercrime. It involves a scammer contacting you via email, text message, or online messaging program and regaling you with an elaborate story about how the majority of their vast fortune is trapped because of a civil war, coup, or other disruptive event. The scammer then offers the victim a large sum of money in exchange for helping them transfer their fortune out of their country. Though this style of scam originated in Nigeria, it is now launched from all over the world.
To complete the transfer, the scammer explains, they need your bank login details. They may also ask for a small amount of money to cover taxes or fees. Of course, the entire story is a lie designed to get you to hand over your bank details and increasingly large sums of money.
How to Protect Yourself
Most obvious scam emails are probably flagged and filtered out by your email company’s built-in spam filter, but text messages and online messaging apps may not have this feature. Any unsolicited request (even if it appears to be someone you know) that spins a tale of woe and asks for money or bank account details is likely fraudulent.
If the message comes from someone you know or care about (say, your daughter who is currently backpacking through Europe) and you think it could be a legitimate call for assistance, do not reply to the message. Instead, contact your loved one through another medium (such as by phone) to verify the story.
A common form of this scam involves criminals claiming that the victim owes taxes or some other form of payment to the government, and may ask for payment in gift cards, bank transfer, pre-loaded bank card, or a cryptocurrency such as bitcoin. If you receive a request like this, do not respond. Instead, reach out to the governmental body in question or call your local police department’s nonemergency line to find out if this request is legitimate or a scam.
Exploit kits are automated cybersecurity threats that take advantage of weaknesses in compromised websites to divert traffic, run malware, or capture private user data (including usernames and passwords).
These small programs are particularly insidious because they don’t require a lot of technical expertise to install, and they can easily be deployed across several compromised websites at once. Exploit kits can easily be purchased or rented on underground criminal markets (including on the dark web).
How to Protect Yourself
Since exploit kits depend on vulnerable websites, the most important thing you can do is take basic precautions. These include keeping your software up to date so that your website can take advantage of any new security patches that have been released, and keeping an eye out for suspicious activity on your website.
Old school hacking techniques have stuck around because they’re still effective. To help safeguard your digital assets, you need to create robust yet adaptable playbooks to follow, train your employees to detect suspicious activity, and stay up to date on all the latest cybersecurity research.
This may sound like a lot, and for a small or medium-sized business, it may not be feasible to handle on your own. A Managed Security Services Provider (MSSP) can help you put measures in place to safeguard your digital assets, offer employee cybersecurity training, monitor your systems 24/7/365 for suspicious activities, and help you minimize or avoid damage should an incident occur.
In 2019, governments and companies in the United States faced a barrage of ransomware attacks. In all, 103 federal, state, and municipal governments and agencies, 759 healthcare providers, and 86 universities, colleges, and school districts were impacted by ransomware attacks. The potential cost could be more than $7.5 billion, and that’s only for US-based organizations.
That figure doesn’t even take into account lost employee productivity, how many person-hours had to be diverted to deal with cyber incidents, and how many patients, students, and other private citizens were affected either directly or indirectly. Students saw tests and admissions services halted, medical records were lost, and some surgeries were canceled. Emergency services, including 911, were interrupted, putting countless lives at risk.
Here’s a look back at 2019’s most expensive cyberattacks.
CapitalOne Hack
Cost: Between $100 million and $150 million.
The CapitalOne hack affected nearly 100 million Americans as well as 6 million Canadians. The hacker managed to gain unauthorized access to 140,000 Social Security Numbers, 1 million Canadian Social Insurance Numbers, and 80,000 bank accounts as well as an undisclosed number of client names, addresses, credit scores, credit limits, and balances as well as other personal information.
The expected cost of this breach is estimated between $100 million and $150 million.
Norsk Hydro Attack
Cost: At least $52 million
In March, Norsk Hydro (a Norwegian aluminum company with over 35,000 employees in over 40 countries) was targeted by LockerGoga malware and forced to shut down or isolate several manufacturing plants while other plants were forced to continue operations in manual mode.
Though it isn’t clear how the Norsk Hydro systems became infected (phishing has been ruled out), the malware was still able to encrypt files, forcibly log victims off the infected systems, and remove the ability for users to log back on. Though Norsk Hydro was able to determine the causes of the attack, the fact that users are logged off and left unable to log back on means that some victims may not even receive the ransom note at all.
As of last April, the company estimated that the cost of repairing the damage inflicted by the malware would likely be at least $52 million.
Baltimore Ransomware Attack
Cost: Up to $18 million
Last May, thousands of city computers in Baltimore were encrypted with RobbinHood malware, and the hackers demanded approximately $76,000 in Bitcoin. Though the city refused to pay the ransom, the entire ordeal ended up costing approximately $18 million. Critical systems, including email service for city employees, were affected, and during the downtime, citizens of Baltimore were unable to pay their water bills or have real estate transactions processed.
Texas Ransomware Attacks
Cost: At least $12 million
Over the summer, 22 local governments in the state of Texas fell victim to a coordinated ransomware attack. Though the hackers demanded $2.5 million, the state refused to give in. Unfortunately, even without paying the ransom, the entire incident still ended up costing over $12 million.
Grays Harbor Phishing & Ransomware Attack
Both the Grays Harbor Community Hospital and the Harbor Medical Group were hit with a ransomware attack this year, during which hackers demanded $1 million. The attack started when an employee clicked on a malicious link in a phishing email. That employee’s machine then went on to infect systems at several clinics in Grays Harbor, though the hospital’s older software prevented the ransomware from being able to properly install itself on the main system.
As a result of the attack, clinics needed to revert to paper records. This pervasive form of malware infected not only the main system but also computer backups of medical records. Though it still isn’t clear whether or not the company decided to pay the ransom, some medical records have yet to be recovered and are feared permanently lost.
The group has cyber insurance that will cover up to $1 million in damages and lost income (since billing was affected during the incident). However, the total cost of the incident, including patient disruptions, is still unknown.
Asurion Ransomware Attack
Asurion (a global phone insurance and tech support company based in Nashville) paid at least $300,000 in ransom to a hacker who claimed that he had managed to steal the private information of thousands of employees as well as the names, addresses, phone numbers, and account numbers of more than a million customers. Though the company believes that the hacker, in fact, accessed far less information, they still paid $300,000 of the $350,000 demanded ransom in $50,000 per day installments.
The hacker, a former employee named Nicholas Burks, was arrested after the company noticed that a corporate laptop was missing and that the last known login was by Burks, who had also used the stolen laptop to access the corporate network multiple times in the days before his termination.
DCH Health Systems Ransomware Attack
In early October of this year, hospitals across Alabama were hit with a widespread ransomware attack that forced them to shift their operations into manual mode, relying on paper copies of charts and medical records until the IT system could be repaired. The hospitals were all members of the DCH Health Systems hospital group and included the DCH Health Systems Regional Medical Center, Northpoint Medical Center, and Fayette Medical Center.
In order to return to normal operations, the group ended up paying the hackers an undisclosed amount in exchange for the digital key to decrypt the system.
University Attacks by Iranian Hackers
Cost: Intellectual Property
As of this year, Iranian hackers have targeted at least 380 universities in over 30 countries using phishing emails. The goal of the hacker group (dubbed Cobalt Dickens) is to steal intellectual property, which is then either exploited or sold for profit. The phishing emails claim to come from the school’s library and ask the user to reactivate their account by clicking on a malicious link.
Though previous iterations of this attack used URL shorteners to obscure the fact that the links didn’t go to the library’s website, the newest version has managed to spoof the school website’s URL so that the link appears genuine. Once the user clicks on the link, they are then asked to input their library login credentials on a spoofed version of the library’s actual site.
Malware detection software has been hindered because the group used publicly available tools and code from GitHub to conduct the attacks instead of using traditional, and easily recognizable, malware.
Malware, and ransomware, in particular, continues to grow in popularity among hackers. As such, cybersecurity awareness is only becoming more critical for organizations and companies of all sizes. As part of your organization’s new year’s resolutions, you should take the time to review your cybersecurity policies, train employees, and consider partnering with a Managed Security Services Provider to better safeguard your organization’s digital assets.
Though many of us may only hear about big cybersecurity incidents like the Equifax breach of 2017 and the CapitalOne hack of 2019, cybersecurity incidents are becoming increasingly common in the modern world.
Many C-suite executives and other decision-makers likely shook their heads as they read about these and other serious cybersecurity incidents, thankful that that sort of thing could never happen to their organization. Unless you have a flexible and robust cybersecurity strategy in place, stay up-to-date on current threats, and have a post-breach playbook, the unfortunate reality is that your organization could experience a similar breach.
You Aren’t Up to Date on Cybersecurity Threats
You can’t adequately protect your organization and safeguard your digital assets if you don’t know what you are safeguarding your assets from. The cybercriminal landscape is continuously shifting and changing, and new threats are popping up every day.
Cybercriminals don’t work nine to five, Monday through Friday, so your cybersecurity team can’t either. Your team needs to be able to monitor threats 24/7/365.
You Aren’t Adequately Safeguarding Your Data
Not only do you need to stay up to date on all potential threats, but you and your team need to have the knowledge and skills necessary to protect your assets and thwart any would-be breaches before they occur. If you do not have an adequate cybersecurity strategy in place to safeguard your data, you are vulnerable to a breach or other cybersecurity incident.
Your Employees Need More Training
Every employee, from the CEO all the way down the ladder, is responsible for cybersecurity. Employees need to understand why cybersecurity is important, what they can do to help safeguard your organization’s digital assets (from selecting strong passwords to reporting suspicious emails), and what they need to do if a breach or other incident occurs.
Not only do employees need to be trained, but their training should be ongoing and reviewed regularly. Tabletop scenarios and pen tests can help your team keep their skills up to date and avoid getting rusty. These scenarios also give your team a chance to test out your current cybersecurity protocols and analyze the efficacy of their response in a zero-risk environment so that they can be better prepared if an incident does occur.
Poorly trained or inadequately trained employees are a security risk, and may not even know they have compromised your cybersecurity or inadvertently caused a breach until the damage is already done.
You Don’t Have an Offboarding Process
While most organizations have a formal, or even informal, onboarding process (sorting out ID badges, assigning desks, signing paperwork), many organizations lack formalized protocols for offboarding employees who are leaving the organization.
When someone leaves your organization, you need to have a formal checklist in place for removing their access to critical systems as well. This includes removing access to internal systems as well as asking them to turn over their keys, ID badge, and any company equipment they were granted the use of during their time with the company.
You Don’t Have a Post-Breach Plan
Unfortunately, too many organizations don’t have adequate post-breach protocols in place. This means that when an incident does occur, both employees and management are ill-prepared to deal with the aftermath. Being unprepared can not only prevent you from properly addressing the breach and shoring up your defenses, but it could cause you to inadvertently run afoul of regulations such as GDPR because you are unable to craft the necessary comprehensive reports.
Reacting poorly to a breach can also harm your reputation and damage the trust you have worked hard to build with clients or customers.
Your Permissions Are Too Permissive
The hacker responsible for the CapitalOne hack may have used her insider knowledge of Amazon Web Services’ systems to exploit a bug and gain unauthorized access to CapitalOne’s private servers, but once she was inside it was CapitalOne’s excessive permissions that allowed her to gain access to the data of nearly 100 million Americans.
The way CapitalOne had configured their internal permissions meant that once the hacker was inside, she encountered almost no resistance and was able to easily view and read a wide selection of private files, and export them. By implementing policies such as zero-trust architecture, you can contain a hacker and prevent them from moving freely about the system should they be able to gain access. Zero-trust architecture works like RFID keycards: you need to verify who you are each time you try to access private or sensitive areas of the system.
An MSSP Can Help
All of this may seem overwhelming. Cybersecurity is complicated, and there are a lot of things you need to consider to ensure that your organization’s digital assets remain secure. A good Managed Security Services Provider (MSSP) can help you craft tailored cybersecurity strategies to meet your needs, monitor your systems 24/7/365 for potential threats, provide ongoing support, help you train your employees, and help you mitigate damage and ensure compliance if a cybersecurity incident does occur.
It seems like almost every day brings news of another large, high-profile hack affecting millions of Americans and other users around the world. Though wide-reaching hacks affecting large companies and millions of users are more likely to make the news, the reality is that cybercriminals are increasingly targeting small and medium-sized organizations as well.
Cybercriminals are constantly evolving and changing their tactics in the hopes that they can stay ahead of cybersecurity experts. Looking back on high-profile hacks like the CapitalOne hack can give us insight into how cybercriminals operate and help us craft robust cybersecurity policies that allow us to approach cybercrime in a way that works to preemptively safeguard digital assets.
The CapitalOne hack occurred on March 22nd and 23rd of this year but was not discovered by CapitalOne until July 19th. The incident affected credit card applications as far back as 2005. The hacker, Paige Thompson, is accused of breaking into a CapitalOne server and gaining unauthorized access to 140,000 Social Security Numbers, 1 million Canadian Social Insurance Numbers, and 80,000 bank accounts. She is also accused of accessing an undisclosed number of names, addresses, credit limits, credit scores, balances, and other personal information according to CapitalOne and the US Department of Justice. In total, the breach affected approximately 100 million Americans and 6 million Canadians.
As of the writing of this article, she is still awaiting trial.
Ms. Thompson, a former software engineer for Amazon, was able to gain access to the private server by exploiting a misconfigured firewall. The server is run by Amazon Web Services (AWS).
What We Learned
Ms. Thompson was able to gain access to CapitalOne’s private AWS server by exploiting a misconfigured firewall, which she was able to trick into granting her access to critical back-end resources. The misconfigured firewall was not only vulnerable, but it had also been granted more permissions than it should have. This allowed Ms. Thompson to view a wide selection of files and read their contents. She was also allowed to export private information, thereby stealing sensitive CapitalOne customer data.
The type of vulnerability Ms. Thompson exploited is a well-known method called a Server-Side Request Forgery (SSRF) attack. In this case, the server was tricked into running commands that it should never have had permission to run in the first place.
The CapitalOne hack taught us that even seemingly minor vulnerabilities can be exploited and that overly generous permissions pose a hazard. CapitalOne was also not aware of the breach until it was reported to them by someone who saw that Ms. Thompson had posted the private CapitalOne data on her GitHub page. If they had been monitoring their systems more closely, they might have been able to detect the breach right away instead of being made aware of it by a good Samaritan months later.
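One defensive control for the SSRF class of problem described above, written for this page as an added example (not CapitalOne’s or AWS’s code): before a server fetches a user-supplied URL, every address the host resolves to is checked against internal address space. The resolver is injectable, and the constructed DNS table and sample addresses are assumptions so the check runs offline.

```python
"""Guard a server-side fetch against SSRF by refusing internal destinations.

Added example, not CapitalOne's or AWS's code. It assumes an application that
fetches user-supplied URLs on the server side; the resolver is injectable so
the checks can run offline against constructed DNS answers.
"""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def system_resolve(host):
    """Every IPv4/IPv6 address the host resolves to (live DNS)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def constructed_resolve(host):
    """Constructed DNS table for offline use: a benign name, a name that mixes
    a public record with an internal one, and IP literals returned as-is."""
    table = {
        "reports.example": ["93.184.216.34"],            # constructed public answer
        "mixed.example": ["93.184.216.34", "10.0.0.5"],  # public + internal record
    }
    return table.get(host, [host])


def is_internal(ip_text):
    """True for addresses a user-supplied URL must never reach: loopback,
    RFC 1918 / ULA private space, link-local, multicast, reserved and
    unspecified. IPv4-mapped IPv6 is unwrapped so ::ffff:10.0.0.5 is caught."""
    ip = ipaddress.ip_address(ip_text)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return bool(ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def check_outbound_url(url, resolve=system_resolve):
    """Return (allowed, reason). All resolved addresses must be external,
    because an attacker-controlled name can answer with one public and one
    internal record. Connect to the address that passed here (pin it): if the
    HTTP client re-resolves the name, a changed answer could still slip by."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed: %r" % parts.scheme
    if not parts.hostname:
        return False, "missing host"
    if parts.username is not None or parts.password is not None:
        return False, "credentials embedded in URL"
    try:
        addresses = resolve(parts.hostname)
    except (socket.gaierror, OSError) as exc:
        return False, "resolution failed: %s" % exc
    if not addresses:
        return False, "name has no addresses"
    for addr in addresses:
        try:
            if is_internal(addr):
                return False, "resolves to internal address %s" % addr
        except ValueError:
            return False, "unparseable address %r" % addr
    return True, "ok"
```

The check is only a blocklist on destinations; pairing it with a least-privilege role on the server keeps whatever the fetcher can still reach from being worth much.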
What Can You Do to Protect Your Organization
The best thing you can do to protect your organization from hacks like the CapitalOne hack or any other cybersecurity incident is to be vigilant and take a preemptive position. It is always better to safeguard against potential threats than deal with breaches and hacks after they have already occurred.
Ensure Firewalls and Other Software Are Up to Date
One of the simplest things you can do to protect your organization’s digital assets is to keep your software up to date. This includes cybersecurity specific software such as anti-virus software as well as the software your organization uses to conduct its everyday business.
When software companies detect flaws in their products, they release patches, which are small snippets of code designed to close vulnerabilities or fix bugs. Cybercriminals look for these patches because they show them exactly where exploitable vulnerabilities exist in out-of-date software.
By keeping your software up to date, you can take advantage of these security fixes, making it more difficult for cybercriminals to gain unauthorized access to sensitive or proprietary data.
You should also review your cybersecurity protocols regularly so that they can be updated or adjusted according to your evolving needs. Regular reviews and audits also help ensure that your employees know how to spot suspicious activity, and whom they should report it to.
The CapitalOne server was granted too many permissions, which allowed Ms. Thompson to view and export large amounts of sensitive information. Should your organization experience a hack, limited permissions can help limit cybercriminal access.
By limiting permissions for both software and employees to only what these entities need to complete their jobs you make it more difficult for a cybercriminal to access sensitive or proprietary sections of your infrastructure, slowing them down and limiting the damage they can inflict. Slowing cybercriminals down helps ensure that their activities are noticed before they can cause too much damage or gain access to other systems.
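To make the point about permissions concrete, here is an added example (not CapitalOne’s or AWS’s own policy or code): a small evaluator for IAM-style policy statements, run over constructed requests that mirror the list, read and export activity described above, so the blast radius of an over-broad role can be compared with a scoped one. The bucket names, file names and the policy shapes are assumptions.

```python
"""Measure the blast radius of an over-broad role policy versus a scoped one.

Added example, not CapitalOne's or AWS's own policy or code: a minimal
evaluator for IAM-style statements (Effect / Action / Resource, wildcards
* and ?, default deny, explicit deny wins), run over constructed requests
that mirror the page's "list, read and export files" scenario.
"""
import re


def _matches(pattern, value, ignore_case):
    """IAM-style wildcard match: * is any run of characters, ? one character."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy, action, resource):
    """Default deny; a matching Deny statement overrides any matching Allow.
    Action names compare case-insensitively, resource ARNs case-sensitively."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(_matches(a, action, True) for a in _as_list(stmt["Action"])):
            continue
        if not any(_matches(r, resource, False) for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


# A role that can do anything to any bucket: the "too permissive" shape.
OVERLY_BROAD = {"Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
]}

# The same role cut down to what the application actually needs (constructed).
LEAST_PRIVILEGE = {"Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::app-uploads/*"},
    {"Effect": "Allow", "Action": "s3:ListBucket",
     "Resource": "arn:aws:s3:::app-uploads"},
]}

# Constructed requests: what a credential lifted from the server would try.
ATTEMPTS = [
    ("s3:ListAllMyBuckets", "*"),
    ("s3:ListBucket", "arn:aws:s3:::customer-records"),
    ("s3:GetObject", "arn:aws:s3:::customer-records/applications-2005.csv"),
    ("s3:GetObject", "arn:aws:s3:::app-uploads/avatar.png"),
]


def permitted_attempts(policy):
    """The subset of ATTEMPTS the policy would let through."""
    return [(a, r) for a, r in ATTEMPTS if is_allowed(policy, a, r)]


if __name__ == "__main__":
    for name, pol in (("overly broad", OVERLY_BROAD), ("least privilege", LEAST_PRIVILEGE)):
        print(name, "permits", len(permitted_attempts(pol)), "of", len(ATTEMPTS), "attempts")
```

With the scoped policy the only request that succeeds is the one the application itself needs, which is exactly the slowing-down effect the paragraph above describes.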
You can’t mount an effective defense against a cyberattack if you don’t know one is happening. By monitoring all traffic on your network, both within the network and between your network and the Internet or other external programs, you can better keep an eye out for suspicious activity.
You should also make sure that the employees responsible for monitoring your systems have the appropriate training to recognize suspicious activities and either report them or investigate them themselves.
Have an Official Offboarding Process
Ms. Thompson knew the vulnerability was there because she had worked as a software engineer for Amazon, who owned and maintained the server used by CapitalOne. Though Ms. Thompson had to hack her way into the server, too many companies don’t have proper offboarding processes in place to revoke permissions for former employees.
By making sure you have proper procedures in place to revoke access to your organization’s systems, you can help prevent disgruntled former employees from using their permissions to gain unauthorized access.
Consider an MSSP
Keeping your software up to date and limiting permissions are both critical, but will only get you so far. To stay one step ahead of cybercriminals, you need to ensure that your current cybersecurity protocols are both robust enough to safeguard your digital assets effectively and flexible enough to adapt to the ever-changing cybersecurity landscape.
Not every organization is large enough to support an in-house cybersecurity team, and that is okay. A Managed Security Services Provider (MSSP) consists of a team of cybersecurity experts, who can help you create tailor-made cybersecurity solutions to meet your organization’s unique needs, provide employee training, monitor your systems for suspicious activity, and help you limit or even avoid damage should a cybersecurity incident occur.