2016: A Hack Odyssey
What is Hacking?
As of late, the media has been saturated with topics about hacking, leaks, phishing, etc. For the most part these terms are used quite loosely and without explanation. This blog was never intended to be geared toward politics. I figure if these terms are being tossed around in the news, the general public is going to need some knowledge in these areas before they can make a decision based on what the media reports.
The form of “hacking” that these media stories are generally referring to is simply defined as using a computer or electronic device to maliciously gain access to information which does not belong to you. The term “hacker” usually conjures thoughts of a person in a dark room, wearing a hooded sweatshirt, incessantly clicking away at his keyboard while little green letters and numbers dance across the screen faster than anyone could comprehend. Hacking is more often than not seen as criminal and unsavory. However, a hacker could just describe someone who is proficient in computing and programming. It’s usually quite benign. You just don’t hear about it because it’s not interesting and not worth a news story. Some of these “hacking” techniques you read about serve legitimate purposes.
Consider this: You’re the CEO of a new and quickly growing online business. You have a big meeting today and a PowerPoint presentation saved on your MacBook. The same MacBook your kid watched Shrek on the night before. Before your meeting, you power it on, type your password in… and it doesn’t work. You try again and again. You can’t bother the kid. He’s in school. You bring the computer over to your tech guy and he manages to gain access to the laptop. The day is saved. You change your password, go to your meeting, have your presentation, make a billion dollar deal, buy a boat, thank your computer guy, buy your computer guy a Ferrari, thank your computer guy, THANK YOUR COMPUTER GUY, BUY HIM A BOAT THNAK YUR COMUTER GUY …
My point is you gained access to something you did not have access to. That is hacking. Hacking isn’t always criminal. Hacking isn’t always bad. Look at the context. Look at the motive. Thank your computer hacker guy.
Lex: I’m a hacker!
Tim: That’s what I said: you’re a nerd.
Lex: I am not a computer nerd. I prefer to be called a hacker!
– Jurassic Park (1993)
“Hacking” in Recent National News
The 2016 US presidential election and events leading up to it produced stories of hacking and international espionage covered extensively by large media outlets. Big news stories, especially those in reference to the big event that happens every four years, are conducive to water-cooler talk. Everyone is taking whatever chance they get to stay in the know on current events for when the topic comes up with their co-workers and friends. They want to be as informed as, if not more informed than, their friends. As well reported as these stories are (well, sometimes they are), very few of them actually attempt to define the terminology they use. The recent election gave us a number of stories involving technology and hacking. Let’s go over a couple of them to hopefully give you a better idea of what they mean and why it is important to understand the difference between them.
The DNC and Podesta Emails a.k.a. Password is Password
Before we jump into any of this, let me tell you that, as tempting as it is to discuss, whether or not Russia had anything at all to do with any of these items is irrelevant. So I’ll do my damnedest not to go off on a tangent in the middle of typing this. Anyway.
On March 19, 2016, John Podesta, campaign chairman for Hillary Clinton, received what is called a “phishing email”. A phishing email is an email sent with the intention that the recipient will perform some action in response that allows the sender to gain access to information. The email is commonly meant to appear perfectly legitimate and not suspicious to most people. In the case of Podesta, the email was meant to look like a simple notification from Google asking him to change his password. The email contained a link to a web page containing username and password fields. Once that information was entered and submitted, the sender gained access to the username and password of John Podesta’s Gmail account. His emails were collected and given to the WikiLeaks organization. WikiLeaks then displayed the collections of emails on their web page.
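A check that a mail filter or a careful reader can apply to the kind of message described above, shown as an added example that is not part of the original post: pull every link out of the message and compare its host with the domain the email claims to come from. The sample message, its hostnames and the function names are constructed for illustration and are not taken from the real email.

```python
import re
from urllib.parse import urlsplit

# Constructed sample message (not the real email discussed in the post).
SAMPLE_EMAIL = """\
From: Google <no-reply@accounts.example-mail.test>
Subject: Someone has your password

Someone just used your password to sign in. You should change it now.
CHANGE PASSWORD: http://accounts.google.com.security-check.example/reset?u=jdoe
Help centre: https://support.google.com/accounts
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def host_matches(host, trusted):
    """True if host is a trusted domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in trusted)

def review_links(body, trusted_domains):
    """Return (url, host, reasons) for every link that deserves suspicion."""
    findings = []
    for raw in URL_RE.findall(body):
        url = raw.rstrip(".,)")          # drop sentence punctuation
        parts = urlsplit(url)
        host = parts.hostname or ""
        reasons = []
        if parts.scheme.lower() != "https":
            reasons.append("not encrypted (http)")
        if not host_matches(host, trusted_domains):
            reasons.append("host is not a domain of the claimed sender")
            # e.g. google.com.something.example only *contains* the name
            if any(d in host for d in trusted_domains):
                reasons.append("trusted name embedded in a different domain")
        if "@" in parts.netloc:
            reasons.append("userinfo in URL hides the real host")
        if reasons:
            findings.append((url, host, reasons))
    return findings

if __name__ == "__main__":
    for url, host, reasons in review_links(SAMPLE_EMAIL, {"google.com"}):
        print(host, "->", "; ".join(reasons))
```

The host is read from the right: only the last labels before the first slash decide who owns the page, no matter what familiar name appears earlier in the address.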
Good to know!:
Do not confuse a “leak” with a “hack”. Many news sources fail to make this distinction apparent. In this instance: the hack is the obtaining of information. The leak is the release of the information to an interested party. That’s how these terms should be used in this example. A leak is not always a hack.
Phishing is a common practice. Government officials and working class citizens alike are susceptible to these types of attacks. Hackers send these emails to working folk like myself in hopes of locking us out of our accounts, obtaining personal information, credit card numbers, social security numbers, you name it. John Podesta was specifically targeted. However, common people often are not. Lucky for us, there are things we could do to make sure this doesn’t happen to us.
How to Protect Yourself from Phishing Attempts and Password-Related Hacks
1. Use sophisticated and lengthy passwords.
This is the most important thing. If you are going to make any attempt to protect yourself online, do this one thing. Guess what? I know P@55woRd seems like a safe bet to you, but to someone with intent to gain access it is nothing. Make your password as unpredictable as possible. Anytime you are asked to create a password online, as soon as you see the field to type it in, STOP. Take a minute. Take five. Think of something completely outrageous and random. The longer the safer. Use numbers. Not your kid’s birthday. Not your house number. Random numbers. Instead of putting them at the end of the password, stick the numbers in the middle. You get the idea. BE UNPREDICTABLE.
2. Make your passwords unique.
Do not use the same password twice. No matter how much of a hurry you are in. I understand it’s hard to remember multiple passwords. You can use a safe and encrypted password vault like KeePass to store them. KeePass is effective, free and open source.
3. Change your passwords periodically.
Online sites have security breaches often. And for that reason alone it is important to change your passwords regularly. Have I Been Pwned is a website that you should visit to make sure your online accounts have not been compromised. Data on the site shows over 350 MILLION MySpace accounts have been compromised to date. So if you’re like me and you’ve had a particular email account for over 10 years you should check if you’ve been “pwned” yourself.
4. Make sure your email provider utilizes spam filters and antivirus/antimalware protection.
5. Know what a “phishy” email looks like.
As I stated earlier, these phishing emails often look legitimate to an untrained person. There are some key factors to consider when you are checking an email for legitimacy. Any time an email asks you for any information you should be suspicious. No matter who it is supposedly from. If an email brings you to a web page, make sure that page is secured and the connection is encrypted. To do this just take a look at the upper left hand corner of the screen, just before the URL.
If the URL bar does not show this green text and lock icon, you should think twice before entering any personal information on that page (especially banking information).
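Why tip 1 says P@55woRd “is nothing”, as an added example that is not part of the original post: guessing tools undo the usual character swaps and trailing digits before they compare against a list of common passwords, so the password collapses to a dictionary word. The six-word list and the substitution table are constructed for illustration, and the function names are hypothetical.

```python
import math

# Constructed mini wordlist; a real guessing list holds millions of entries.
COMMON = {"password", "letmein", "qwerty", "welcome", "dragon", "monkey"}

# Common character swaps that guessing tools undo automatically.
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "5": "s", "$": "s", "7": "t"})

def normalise(pw):
    """Lower-case, drop digits/symbols tacked on either end, undo swaps."""
    core = pw.lower().strip("0123456789!@#$%^&*._-")
    return core.translate(LEET)

def naive_bits(pw):
    """Strength a simple meter reports: every character treated as random."""
    pool = 0
    pool += 26 if any(c.islower() for c in pw) else 0
    pool += 26 if any(c.isupper() for c in pw) else 0
    pool += 10 if any(c.isdigit() for c in pw) else 0
    pool += 33 if any(not c.isalnum() for c in pw) else 0
    return round(len(pw) * math.log2(pool), 1) if pool else 0.0

def assess(pw):
    """Compare what a meter sees with what a wordlist-based guesser sees."""
    base = normalise(pw)
    hit = base in COMMON
    return {"verdict": "predictable" if hit else "not in list",
            "base_word": base if hit else None,
            "naive_bits": naive_bits(pw)}

if __name__ == "__main__":
    for candidate in ("P@55woRd", "Password123!", "tq7Lvw2mXe9rKd4b"):
        print(candidate, assess(candidate))
```

A password that mixes upper case, digits and a symbol scores well on the character-pool estimate, yet it falls on the first pass of a wordlist with substitution rules; length and randomness are what move a password out of that list.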
Ghost in the Machine
On the night of December 31, 2016 the Washington Post reported that a laptop in a Vermont power plant contained malware code associated with a Russian hacking operation. The report turned out to be inaccurate and has since been removed from their website (the link to the article is archived courtesy of archive.org). (UPDATE 7/10/17: The web archive link is dead now.) It kind of makes you feel as though there’s another cold war happening under our noses. This one is being carried out by little men with pocket protectors and thick black-rimmed glasses guzzling down coffee and “out-coding” each other’s computers. Right? That’s how computers do things? No. Not at all actually. However, this brings another form of cyber attack, cyber-security lingo into the homes and offices of the American populace. MALWARE. It even sounds icky and infectious. Doesn’t it?
As if that wasn’t confusing enough the U.S. intelligence community has a name for this alleged Russian cyber-attack campaign. GRIZZLY STEPPE. Geez. I don’t know whether to be scared or giggle to myself in a corner. In all seriousness this terminology is intimidating to say the least. The sad truth is that the layman does not have the knowledge and usually doesn’t have the time to conduct their own research. And to delve into the web to learn about these things is… well, quite frankly it is pretty boring. And yet that’s why I have a job. I’m bored so you don’t have to be.
In addition to the hastily written claim of Russian malware infecting “the grid”, according to sputniknews.com the U.S. intelligence community claimed that “876 unique IP addresses were used to infiltrate the Democratic National Committee and John Podesta’s email accounts.” The details of how they got that information are not 100% clear, but this brings up another valuable line of defense when you are connected to the internet. FIREWALL.
A decent router is commonly the first line of defense against intrusion. Organizations all over the world scan IP addresses 24/7. Some of these scans are port scans, looking for open ports in someone’s firewall. They could then use these open ports to try and force their way into a network’s infrastructure. Some of them with malicious intent. A restrictive firewall is important in keeping unwanted visitors out. Some firewalls have the function of even blocking any IP belonging to a specific country. Worried about uber Russki haxxorz? Enable GeoIP Blocking on your router.
Dealing with Malware
You’ve heard it at least once before. “I love Apple. I use a Macbook because Macs don’t get viruses.”
There are several types of malware. And they all stink! Malware files can render your computer unusable, allow an unknown party to manipulate your computer, generate ads and more. Basically its job is to make your day ten times worse than it already was and usually try to steal your information. Malware is malicious.
Let’s go back to the claim at the top of this portion. The claim is in a way both true and false. In a way. As of the release of this blog post netmarketshare.com shows that 88.67% of the computer operating system market is dominated by Microsoft Windows. Even after considering that, another 2.21% belongs to Linux (primarily used on servers like the one this website is hosted on). That leaves 9.12% of the market belonging to the Mac OS X operating system. So, put yourself in a hacker’s shoes for a moment. Your job is to program viruses and malware to infect systems and gain access to information etc. Are you going to write code compatible with Mac and ignore 90% of the population of the world? Probably not. So are Macs more secure? It just depends on how you look at it. The fact is Macs are susceptible to infection just like Windows. They just aren’t as big of a target.
Dealing with most malware is quite simple. Windows Defender (standard on Windows) is surprisingly effective at detecting malware in real-time. I always teach my clients that the best defense against viruses and malware is to be responsible users and be smart about what you do online. Going on an all-out clickfest can be fun on those lonely nights but it has its consequences. Be especially careful if you are accustomed to torrent downloading. The torrent community is a hotbed of viruses and malware. And if you find yourself in one of those “oopsy” moments and you clicked 6 ads for prostate pills off your screen and your machine is doing somersaults before your eyes be sure to at least have Malwarebytes installed. Malwarebytes has long been an industry standard in malware removal. They have a free version and they update it frequently.
Stay Informed
So don’t fret. Keep yourself informed and use these practices to keep you and yours safe whether it be from the hacker elite or just your nosy coworkers. Stay current and reset your passwords. And if it hits the fan you could always give me a call. Don’t worry. If your spouse or your boss asks me why I had to fix it … it was the Russians.