Cybersecurity attacks are scary. Whether your personal data gets compromised in a large-scale breach or your password is exposed, getting hacked can be a nightmare. Today, one of our security staff members is going to share his experience of getting hacked and what he learned from it.
Meet Joe. He is an intern at MRW Systems and an IT student nearing completion of his Cybersecurity Associate’s degree. One of his cloud accounts got compromised and it changed his life.
My hope is that by sharing his story, victims of cyber attacks know what to expect and how to remedy the situation. – Michael Wolinski, CEO
No matter the stakes, sometimes the best lessons are the ones learned the hard way.
Grab a notepad, top off your coffee, and settle in for a cautionary, self-deprecating, yet not altogether hopeless, tale of identity theft woes. Hopefully, in relating my mistakes, I might cue you in on a thing or two about securing your own online accounts and personal information.
Green and Going Places (Maybe)
At the time of the event, I was only a couple semesters into my cyber education, right in the middle of a quarter filled with IT security best practices and concepts. Stuff like PKI, hash salt, and the exalted C.I.A. triad, Confidentiality, Integrity, and Availability – the three pillars of good cybersecurity.
I erected mental shrines to all the prominent PowerPoint bullets, taking notes religiously. Here’s how you verify hashes with a PowerShell script. Or here’s how you configure IDS rules. And here’s the difference between a block and a stream cipher.
The technical information came at me fast, and I took it to be of utmost importance. Finally, stuff I didn’t know already! And surely being equipped with such esoteric knowledge made me invulnerable to simple human error, right?
My identity wasn’t stolen. In fact, I can’t even confirm that any of my personal data was stolen. All I can confirm is that my cloud storage provider sent me a login notification email, alerting me that a login to my account had just occurred from the great, ancient city of Athens… No, not Athens, Georgia.
I was nowhere near Greece at the time. If my house was anywhere near Greece, I probably wouldn’t have been on a computer. I probably would have been wearing a chiton and puzzling over an abacus. So it was clear that someone, somewhere (it’s likely the hacker’s login was proxied through a VPN hosted in Greece or some such magic) had successfully gained access to my private cloud account.
But big deal, right? What do people store in their free, 1-Gig cloud accounts? Stuff like college paper drafts. Work-in-progress screenplays. Middle school chorus group photos. FruityLoops rap tracks… Hackers, whether they’re the Guy Fawkes kind or the Ancient-Greek-chiton-wearing kind, can steal any of that data for all I care.
Only I had stored a lot more than my Deadmau5 music samples in the cloud.
I had stored very (VERY) sensitive employment documents as well.
Why? I honestly can’t remember. It was bad enough that I had sent these sensitive documents in unencrypted emails to people I had never met in person. But I had gone the extra mile and uploaded them to cloud storage behind – you guessed it – a several-year-old, weak password I had reused too many times to count.
Multiple cardinal rules of good security were broken. This is the stuff you pound into end users’ brains. Be mindful of where you store sensitive documents – make sure those documents are secure at rest – make sure those documents are secure in transit – and use strong, unique passwords. I pretty much failed to follow all of them.
To be fair, I had already begun the process of retroactively applying strong security to my old personal accounts via a shiny new password manager, but not to the degree I should have done. I should have interrogated my past self, found and corrected every erratum.
I should have performed a comprehensive security audit on that awkward teenager with the AIM account and cringe-worthy Myspace profile. With an exhaustive approach, there would have been no chance of my recently configured cloud account eluding me. I’m sure of it.
But once you receive that unauthorized login notification, it’s done.
Instantly, you cross over into disaster recovery mode. And as far as your personal information is concerned, you quickly come to realize that the disaster recovery stage could very well take as long as… well, your entire life.
You have to live the rest of your life (or until you get hit especially hard with identity theft) with a reasonable doubt concerning the confidentiality of your most precious personally identifiable information.
You can change the password of your affected account (and you absolutely should do so), but that doesn’t mean the trespasser didn’t make off with copies of your data. There’s no undoing that.
The day after my account had been compromised, I had to go to class. None of my classmates nor my teacher knew what had happened. No one was the wiser, but that didn’t do much to assuage my shame.
Pangs of doubt almost led me to skip my class under the pretext that I needed to further investigate the extent of the breach.
My accounts needed to be monitored, my credit report requested, compromised bank account migrated. I needed to withdraw every dollar, stuff them in sacks, and bury them in my grandma’s backyard…
But I went to class anyway. And I’m glad I did.
That day in class was the day my Network Security class introduced me to haveibeenpwned.com, and I was enlightened.
Cyber breaches are becoming more and more ubiquitous, and barely a week goes by before we’re hearing about new breaches in which consumer information is compromised. However, it might be hard for the individual, even the individual whose data was compromised in a breach, to really conceptualize the threat these incidents pose to one’s financial accounts and online identity.
That’s where tools like haveibeenpwned.com come in. This website is a simple search engine that takes your email address and searches for it in past breach details and actual Dark Web posts.
It finds the breaches in which your information was compromised, gives you a rundown of the incident, and even allows you to see the data that was provided to potentially malicious parties.
You can use this free service to get an idea of where you can start with securing your accounts.
But the website itself, though a nifty tool, is only a means to reaching the true lesson. haveibeenpwned.com embodies a new mindset, one in which hack data and breach news are incorporated into all personal identity-based decisions on the Internet.
Using tools like these supports a more mindful stance on data security. And most of the time, all it takes to protect yourself is a little bit of diligence in the moment.
If you should take any lessons from my mistake, it’s these:
- Follow strong password creation guidelines. Emphasis on making sure all your passwords are unique!
- If your account is hacked, change your password immediately. And make sure your new password can’t be guessed based on your life, interests, etc. A strong password means one that no one could ever guess. If you find that rule to be too strict and difficult, you should…
- Invest in a password manager! It’s the FUTURE.
- Also, keep an eye on services like haveibeenpwned.com. Having avenues for up-to-date info on the state of your online identity will be crucial as IT continues to grow. Additionally, password managers like Dashlane and 1Password include online identity monitoring in their feature lists.
- Finally… Don’t believe hackers can’t hail from ancient civilizations. If you see unauthorized connections to your account from Athens, Rome, or even Mesopotamia, lock everything down. It likely means the attackers have hacked time itself.