During the 27-year gig we were subjected regularly to "spear phishing" hack attempts. That's defined by someone contacting internal people via email and soliciting or evoking information that allows for greater intrusion. It's easy to find someone's internal email address; that's often published or, if not, it probably follows a standard format. If you are any good at talking to strangers you can probably write an email that an employee will respond to. Generally you want to avoid the representation that you are a Nigerian prince in exile.
The first was a situation in which a senior employee received an email that appeared to be from USBank. The logo, font and contact information were all correct. There was a reply link that took you to a web form, also all correct looking. At that point it asked for verification of account number, home address, your mother's maiden name, etc. Our senior employee filled out the form and his Visa card was used about five minutes later in Ireland.
A very recent event, during my last 'transition' months, involved a senior accounting member. On a Friday afternoon they received an email requesting a wire transfer of money for a legitimate project. The message included the name of the company's CFO and mentioned that he was unavailable according to his calendar but had approved the wire transfer. The accounting person did several back and forth emails getting further information and was ready to send the money. That would have been a significant amount into a black hole. These people are good. I would have fired the accounting person for even getting that far down the path.
So what is the implication of the Sony hack? Anything you do on the internet is more or less recorded. Some companies are good about keeping private what more or less should be private. Unless you are a terrorist, Google is not going to cough you up. The North Koreans were able to solicit via spear phishing enough information to get to a senior network administrator's user ID and password. That is all it takes. In the 27-year gig there were just four of us who had those rights and we check on each other's integrity and practice standards all the time.
You should have complex passwords, something other than your childhood dog's name. Don't write them down. Don't give them to your spouse. Don't ask computers to remember you.
The Koreans had political intent. There are just as many security trolls out and about doing this stuff for fun who may just like messing with people and companies. There is also good money in this, as evidenced by the hacks of Target, Home Depot, etc. My USBank card had been lifted three times and our three small business cards from Wells Fargo have been lifted five times in total. Cash might be good... although 20% of the $100 bills are fake.
Cloud storage is pretty convenient. I use it all the time. Not everything that I store on the cloud is encrypted. Some of the cloud storage providers are a bit brazen about declaring the security of their systems and the lack of intrusions. The Sony intrusion occurred through a relatively simple approach and may have destroyed their reputation and put a lot of moviegoers under a threat of violence in theaters, and we know there's some bad stuff that has happened there in the past. Are there Korean sleeper cells here? That's my conspiracy comment of the day.
The really big hack, bigger than Sony, is that ICANN was hacked recently. This is the organization that provides all the addressing and domain assignments for the internet. A good hack there would affect all internet traffic.
I'm going to rethink my information stored in the cloud, probably ensuring that all of it is encrypted on my side before being uploaded. I never had a dog as a child but I do remember the name of the dog that lived directly across the street.