If an organization like AZ DPS can have its e-mail hacked, how can we little guys ever be safe?
This question was answered on June 24, 2011. Much of the information contained herein may have changed since posting.
The very high-profile publication this week of sensitive documents reportedly acquired from the e-mail accounts of various officers of the Arizona Department of Public Safety has some very real lessons for all of us.
Despite various media accounts reporting that DPS was ‘hacked’, based on what we have seen so far the more likely scenario is that individual members’ e-mail accounts were compromised (there is a big difference: the agency’s mail system itself need not have been broken into). LulzSec, the hacker group behind the leak, has announced that it will continue to publish compromised files on a weekly basis, so only time will tell just how much information has been exposed.
Since individual e-mail accounts appear to be the point of exploitation, the compromise could have happened in a number of places (at work or from home) and for a number of reasons.
Our forensics team evaluated the 700+ files that were posted by LulzSec and the digital stamps (metadata) hidden in many of the files show that they were created by a wide variety of authors (beyond the group of users that were known to be compromised), which would be consistent with a library of files that were received as attachments.
One possible scenario is that, since all of the passwords published for the compromised accounts were very weak (one was actually 12345) or were common words, the attackers simply used readily available password-cracking tools to gain access to the accounts.
The lesson here is that a password built from a single dictionary word, or from letters alone, is exactly what those tools are designed to guess: they try every word in a wordlist along with the usual variations (capitalized, with digits or a year tacked on the end, and so on). Mixing letters and numbers helps, but length helps most, because every added character multiplies the number of guesses an attacker has to make. Sprinkling in special characters like ! - ? ( ) & $ (some systems won’t support them) enlarges the search space even further.
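To make the point about weak passwords concrete, here is an added example (not code from the column or from any tool named in it). It simulates the kind of dictionary attack the readily available cracking tools perform: a small wordlist is expanded with common mangling rules, every candidate is hashed once, and a set of leaked hashes is looked up against the result. The four sample accounts, their passwords, the wordlist and the use of unsalted SHA-256 are all constructed for the demonstration; real systems should store passwords with a slow, salted function such as bcrypt, scrypt or Argon2, which this example deliberately does not model.

```python
import hashlib
import string


def sha256_hex(text):
    """Unsalted SHA-256 of a password. Assumed here only so the demo is quick; a real
    system should use a slow, salted password hash instead."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


# Constructed sample accounts. The first three use the kinds of weak passwords
# discussed in the column; the fourth is a long mix of all four character classes.
SAMPLE_ACCOUNTS = {
    "user1": "12345",
    "user2": "Password1",
    "user3": "sunshine!",
    "user4": "Tq9#vL2m&xR7zP4w",
}

# What an attacker would hold after a breach: the hashes, not the passwords.
LEAKED_HASHES = {user: sha256_hex(pw) for user, pw in SAMPLE_ACCOUNTS.items()}

# Tiny constructed stand-in for the multi-million-entry wordlists cracking tools ship with.
WORDLIST = ["password", "sunshine", "welcome", "letmein", "dragon",
            "12345", "123456", "qwerty", "football", "monkey"]


def mangle(word):
    """Yield the variations a typical cracking rule set derives from one dictionary word."""
    base_forms = {word, word.capitalize(), word.upper()}
    for form in base_forms:
        yield form
        # Users love to "strengthen" a word by appending a digit, a symbol or a year.
        for suffix in ("1", "!", "123", "2011", "1!"):
            yield form + suffix
    # Simple "leet" substitutions (a->4, e->3, i->1, o->0, s->5).
    yield word.translate(str.maketrans("aeios", "43105"))


def crack(hashes, wordlist):
    """Dictionary attack: hash every candidate once, then look each leaked hash up.

    Returns (recovered {user: password}, number of distinct candidates tried).
    """
    candidates = {cand for word in wordlist for cand in mangle(word)}
    table = {sha256_hex(cand): cand for cand in candidates}
    recovered = {user: table[h] for user, h in hashes.items() if h in table}
    return recovered, len(candidates)


def keyspace(password):
    """Brute-force search space implied by the password's length and character classes.

    This is what 'more characters' and 'special characters' buy you: each extra
    character multiplies the space by the alphabet size, and each extra class
    enlarges the alphabet.
    """
    alphabet = 0
    if any(c.islower() for c in password):
        alphabet += 26
    if any(c.isupper() for c in password):
        alphabet += 26
    if any(c.isdigit() for c in password):
        alphabet += 10
    if any(c in string.punctuation for c in password):
        alphabet += len(string.punctuation)  # 32 printable ASCII symbols
    return alphabet ** len(password)


if __name__ == "__main__":
    recovered, tried = crack(LEAKED_HASHES, WORDLIST)
    print(f"{tried} candidates tried; recovered: {recovered}")
    for user, pw in SAMPLE_ACCOUNTS.items():
        digits = len(str(keyspace(pw)))
        print(f"{user}: search space about 10^{digits - 1}, cracked={user in recovered}")
```

With this handful of words and rules the three weak passwords fall out of a lookup table of a couple of hundred candidates, while the sixteen-character mixed password is never reached. Scale the wordlist and rule set up to what real tools carry and the same picture holds: dictionary words with a digit on the end are found, long mixed-character passwords are not.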
Another scenario is that these officers were targeted with well-crafted e-mail messages that tricked them into allowing a ‘key logger’ or other malware to be installed on their computers, which let the hackers record keystrokes or remotely access their e-mail accounts.
Since home computers tend to be less secure for a variety of reasons (expired security software, no firewall, etc.), it is often much easier to gain access to a large corporate or government mail system by compromising a user’s home computer and waiting for that user to log in to the work e-mail system from it.
The main lessons here are to always be suspicious of anything that you get in your Inbox that is prompting you to click on a link or to open a file attachment and above all, keep your operating system and security software up-to-date.
You also need to be very careful with links posted on Facebook, Twitter, instant messages or any social network, as these are simply the latest delivery methods attackers use to compromise your computer or accounts.
These exploits can be effective even on very secure corporate systems if the attackers can convince the user to install something that is posing as a legitimate program or update. The most common trick in the past has been to lure the user to a salacious video and then tell them that they need an updated player to view it.
The reality is that there is no 100% secure way to operate on the Internet these days, as new methods of attack appear constantly, but if you pay attention you can dramatically reduce your chances of being exploited.
The most common way for hackers to get past security measures is to trick the user, so be suspicious of everything and keep your system updated!
About the author
Ken Colburn of Data Doctors on June 24, 2011