
Sep 07

Why charities need to act now against the threat of hacking

Are the hackers winning?

Is digital security a one-sided battle?

Are we fighting a losing battle against hackers?

Hardly a week goes by without news of some corporation or internet giant being electronically infiltrated. The result? Credit card details, account passwords, and personal data either stolen, sold or published online, not to mention the painful inconvenience of what a targeted attack can mean.

In the brief time this blog has been running, the list includes:

  • AAPT (an Australian internet provider)
  • Amazon
  • Apple (apparently including President Obama’s iPad details!)
  • BitCoin
  • Blackberry (in India)
  • Blizzard (gaming)
  • Dropbox
  • eHarmony
  • KY (a mobile phone operator in South Korea)
  • Last.fm
  • LinkedIn
  • Numerous oil and power companies
  • Reuters (well, they had fake stories posted on their site)
  • the DNS changer attack

Even the Mars Curiosity Rover is thought to be under attack!

And that is by no means an exhaustive account. But if you want to read more on how devastating it can be on an individual level, I highly recommend you read this from Mat Honan, one of my favourite bloggers.

The problem is simple to demonstrate. Years ago, a company I was working at had a slightly forgetful director. He had forgotten his password and we needed to get into his hard drive.

I pulled out his hard drive, connected it to a spare machine, and left it running for nearly 18 hours under the guidance of a little bit of software found on the internet. It was a simple password (a pet’s name and the date of their eldest’s birth, I think) but a simple ‘brute force’ attack found it. Essentially a guessing game.

A few years later, the same process took less than 60 minutes.

Why is this happening?

You may have heard of Moore’s Law, which stated that the processing power of computers would double every 18 – 24 months.

That’s part of the reason. The other reason is that hackers use increasingly sophisticated algorithms based on typical human behaviour.

For example, you probably know to use capitalisation and substitutions (e.g. a 1 for an I, a 4 for an A and so on) and to add a number here and there.

Well, it turns out that most people use exactly the same substitutions, capitalise the first letter of each word, and put numbers on the end. Maybe you use a pass phrase – unfortunately most people use well-known phrases, and hackers can plan for that.

But the most fundamental problem is that it is a race between what humans can remember and how many attempts a modern computer can make per second. Guess who is winning?
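As an added illustration (not code from the original post), here is a small Python policy check that undoes the substitutions described above and flags the predictable patterns before a password is accepted. The word list and the candidate passwords are constructed for the example; a real checker would load a large wordlist.

```python
import re

# Constructed stand-in for the large wordlist a real checker would load: the "well known"
# words and phrases people start from before applying their favourite tweaks.
COMMON_BASES = {"password", "letmein", "welcome", "sunshine", "qwerty",
                "maytheforcebewithyou", "tobeornottobe"}

# The substitutions the post describes (1 for I, 4 for A, ...), mapped back to letters.
UNLEET = str.maketrans({"1": "i", "!": "i", "4": "a", "@": "a", "3": "e",
                        "0": "o", "$": "s", "5": "s", "7": "t"})


def normalise(password: str) -> str:
    """Undo the predictable tweaks: drop trailing digits/symbols, spaces, case and leet."""
    core = re.sub(r"[\d!@#$%^&*]+$", "", password)   # "Letmein2012" -> "Letmein"
    core = re.sub(r"\s+", "", core)                   # join pass phrase words
    return core.lower().translate(UNLEET)             # "P4$$w0rd" -> "password"


def check_password(password: str) -> list:
    """Return a list of the predictable patterns found; an empty list means none."""
    findings = []
    if len(password) < 12:
        findings.append("shorter than 12 characters")
    letters = [c for c in password if c.isalpha()]
    if letters and letters[0].isupper() and all(c.islower() for c in letters[1:]):
        findings.append("only the first letter is capitalised")
    if re.search(r"\d+$", password):
        findings.append("digits only at the end")
    core = normalise(password)
    if core in COMMON_BASES:
        findings.append("common base after undoing substitutions: " + core)
    return findings


if __name__ == "__main__":
    # Constructed candidates: three "tweaked" choices and one genuinely random pass phrase.
    for candidate in ["Letmein2012", "P4$$w0rd!!", "May the Force be with you 1977",
                      "tram velvet ostrich kettle 9 lanterns"]:
        print(candidate, "->", check_password(candidate) or ["no predictable pattern"])
```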

And as the Mat Honan story showed, even the people who run these services can be vulnerable to a social engineering attack.

Fortunately, the charity sector does not seem to be a particular target of attacks at the moment. Most hackers are going for high-profile, high-monetary value targets. But the truth is, they are the ones with the budgets to address such problems.

You probably don’t.

Growing concern

Hackers, of course, know that larger companies, while offering more ‘prestige’, are increasing their security. That is why smaller companies are being targeted next, and most attacks are done with criminal intent.

It’s a dreadful prediction to have to make – charities are not far down the list. Personal details? Check. Bank details? Check. Tempting to hackers? Check.

And if, like many organisations, you are increasingly looking to the ‘cloud’ for scalable, affordable IT services, then you are just one password away from being hacked. Using legacy systems? Then you are one password away from having everything hacked.

So what can you do to make the systems you have as secure as possible, without breaking the bank?

Encryption

Wherever possible, use encryption. The standard is called PGP (Pretty Good Privacy) and there are free and paid-for products. Get the best you can, pronto.

VPN

Encryption for your network, vital for remote workers. Alternatively, find the options to ‘always use HTTPS’ where available, particularly for banking, email and other websites handling confidential information. Otherwise it is very easy to ‘sniff’ packets of information from public Wi-Fi.

Two-factor authentication

Some services will ask for two passwords, typically one provided to you by email, the second either by post (such as your bank card PIN) or to your mobile, as with Google Apps for Business. A lot of services have this, but not always by default. Find out, and make it policy.

Complete your account details

Confirm details on email accounts, such as back-up or recovery emails and security questions. Also, consider using passwords or pass phrases as the answers, rather than just straightforward names, to questions such as ‘Name of your first pet’ etc.

Separate accounts

Imagine if someone got to your email – how long would it take to get passwords for almost everything else? De-link your accounts as far as possible. Especially, please, your backup.

Get off Facebook!

Ok, not Facebook in particular, and you don’t have to actually leave it, but address the privacy issues. Get your date of birth, mother’s maiden name, phone number, email and all that other personal information away from everyone but your friends.

Dump XP

Now. As we mentioned earlier, XP is painfully insecure. For all the advances it presented in terms of usability, it is a system so easy to bypass that it’s embarrassing. I’m not going to detail it here, but you could Google it in seconds. Any confidential information on that machine – isn’t. Plus, support for XP is ending soon, meaning no more updates, so no more patches for security flaws.

Update your software

Browsers, Java, Adobe, OS updates… They are annoying, constantly popping up when they are least wanted. But they are essential to protecting your computer. Most of the time. Yup, looking at you, Java.

BYOD Policy

If people are going to be allowed to use their own machines, make sure they follow the same guidelines and have the same standard of software (for encryption, VPN) as work machines. This goes for mobile phones as well.

Have a browser policy

I’ll be bringing one of those to you soon, but essentially make sure you use a different browser for accessing websites with confidential information, and set it to never remember passwords.

Don’t use the same passwords everywhere

This should be self-evident!

Final point…

This may sound strange, but …

Write your passwords down.

For those of you still reading, let me explain.

Passwords buy you time. Many services can detect multiple attempts or access from unusual IP addresses.

Make your passwords difficult, and while you remember them, write them down for reference.

The trick, of course, is not to keep the passwords with your laptop. Most of the time, laptops go missing when they are out of the office, or are even stolen from an office. Keep the book separate, not even in your desk. And don’t label it “Fred’s passwords to his Dell laptop running XP”.

Shred the pages once you’ve got them memorised (with a diamond pattern shredder, of course). If necessary, keep another copy in a separate location. It’s hackers we are dealing with, not MI5. You should be safe!

Got any more advice? Let us know.