Q: If an organization like DPS can have their email hacked, how can us little guys ever be safe?
A: The very high profile publication of sensitive documents reportedly acquired from the email accounts of various officers from the Arizona Department of Public Safety this week has some very real lessons for all of us.
Despite various media accounts that are reporting that DPS was “hacked,” based on what we have seen so far, it seems that the more likely scenario was that individual member’s email accounts were compromised (there’s a big difference).
LulzSec, the hacker group behind this, has announced that they will continue to publish compromised files on a weekly basis, so only time will tell just how much information has been compromised.
Since the individual email accounts seem to be the point of exploitation, this could have happened in a number of places (at work or from home) or for a number of reasons.
Our forensics team evaluated the more than 700 files that were posted by LulzSec and the digital stamps (metadata) hidden in many of the files show that they were created by a wide variety of authors beyond the group of users that were known to be compromised, which would be consistent with a library of files that were received as attachments.
One possible scenario is that since all of the passwords that were published for the compromised accounts were very weak (one was actually 12345) or used common words, the hackers used simple password breaking tools to gain access to the accounts.
The lesson here is that if you don’t use letters and numbers in combinations for your passwords and you don’t avoid using common words that are in the dictionary, you expose yourself to readily available tools for breaking passwords. The more characters you use, the more secure the password becomes and if you sprinkle in special characters like ! - ? ( ) & $ (which some systems won’t support) you can improve the security even further.
Another scenario is that these officers were targeted with very well crafted email messages that tricked them into allowing a “key logger” or other malware to be installed into their computer, which allowed the hackers to record keystrokes or remotely access their email accounts.
Since home computers tend to be less secure for a variety of reasons (expired security software, no firewall, etc.), it’s much easier to gain access to a large corporate or government mail system by compromising a user’s home computer and wait for them to access their work email system.
The main lessons here are to always be suspicious of anything that you get in your Inbox that is prompting you to click on a link or to open a file attachment — and above all, keep your operating system and security software up to date.
You also need to be very careful with links posted on Facebook, Twitter, instant messages or any social network as this is just the latest delivery method they use to compromise your computer or accounts.
These exploits can be effective even on very secure corporate systems if the hackers can convince the user to install something that is posing as a legit program or update. The most common trick in the past has been to lure the user to a salacious video then tell them that they need an updated player to view the video.
The reality is that there is no 100% secure way to operate on the Internet these days as the methods for being exploited are growing exponentially, but if you pay attention, you can dramatically reduce your chances of being exploited.
The most common way for hackers to get past security measures is to trick the user, so be suspicious of everything and keep your system updated!
• Ken Colburn is president of Data Doctors Computer Services and host of the “Computer Corner” radio show, noon Saturdays on KTAR 92.3 FM or at www.datadoctors.com/radio. Readers may send questions to firstname.lastname@example.org.