One click and you are done

This week, Microsoft explained how hackers broke into their secret vault of computers which contained signing keys. These keys allowed the hackers to forge tokens for Microsoft's Active Directory. You can read the story which contains a detailed technical explanation. But cutting to the outcome of this breach - based on Microsoft’s admission - 25 organizations had their accounts compromised. Even worse - and this is the sad part - Microsoft was not aware of this problem until its customer notified them. It was a highly sophisticated, highly targeted attack.

This was not a unique situation for Microsoft, unfortunately. In the past, I wrote about an event where hackers were able to compromise 30,000 Exchange email servers.

With these two stories, I want to illustrate that the Internet is not a place where you just go and search for apple pie recipes or check out pictures of cute animals. You can do that. But it is also a war zone where you get constantly attacked. The brutal reality of the situation is that you are (mostly) on your own. Sure, there are many companies trying to sell you additional hardware or software for extra protection. A good example is LastPass. The company suggests that once you use a master password with them, this is the last password you ever need to remember. The rest will be securely stored within their application. That was working until their system got compromised along with millions of passwords.

The Microsoft case of the stolen sign-in key was an example of a very targeted attack. It’s something which might have been in the works for years. Then there is the attack where the hacker goes after known vulnerabilities and scans any connected device on the Internet. That would be your router or modem at home or your website. For many companies the website hacking traffic far outpaces traffic from legitimate visitors.

Why would anyone do something like this? To compromise your website, download any information about your customers, install malicious code and use your website to attack other computers.

Then there are attacks targeted directly at you. Who hasn’t received an email with a link and text suggesting that you should click on it? Once you click on it you can expect several things to happen - you get redirected to a website where some code is waiting for you which will infect your browser and your computer, and download any or all information from your computer. As an added bonus, the information on your computer gets encrypted and the only readable file has instructions on how to pay a ransom to get your data back.

Have you ever used a computer, which was not yours, just to quickly check on your email? It could be in a hotel, at the airport or other place where you have some level of confidence in their security.

In fact, a friend of mine did that recently. The result? The computer was compromised and the hackers were able to obtain credentials to his email. Ever since then, hackers have been monitoring all his emails. That’s especially true of the emails going to his wealth management firm. Nobody could tell… until the day when he got a call from his wealth manager trying to confirm the second wire transfer!! In the end, he didn't lose any money, but he was lucky.

Is this type of attack difficult to do? To monitor an email account and write emails on your behalf - it can't be more trivial than that. Also thanks to ChatGPT you can produce an email with a simple command, 'write an email to a bank manager asking to initiate a wire transfer to this account'.

If you want to read about other obscure ways your computer can be hacked, by noise or a laser, here is a good read.

What about your smartphone? It can be hacked just by sending you an image.

What to do about it?

Well, you can write ludicrous ideas and get them published. For instance, in The Globe & Mail, columnists suggest among other things to install a 'kill switch' in every car to disconnect it from the Internet - 'We recommend that the government require all new automobiles in Canada to have a simple physical “off switch” that disconnects the car from the Internet – a software-enabled “off” option is not sufficient. Of course, activating this switch would likely disable certain functions, which must be clearly identified for the driver, but the point is to empower the driver to make that decision for themselves, if they deem it necessary.'

The other option is to limit the attack surface. Do you really need a lightbulb connected to the WiFi at home? What about your talking fridge (geeks will appreciate this one)?

And then there is your computer. Try to install only software which you really need, and especially from a vendor which has a history of updating the software. When it comes to email, think twice about whether the email is really from the sender it claims to be from. As an extra feature, disable the automatic download of any image. That's how people know that you opened your email.

What else can you do? Back up your machine frequently. Try to limit the number of passwords you have to remember. How? For any website, come up with a password which you will forget. Next time use the 'Forgot my password' function. Otherwise you end up with your brain too full.

I know none of it really makes sense. You should not worry and not have to know about these things. It is a reflection of the poor state of affairs of the computer industry. It is a recurrent pattern and won't change anytime soon. You have to learn how to survive in this war zone.
