Avoid Being Hacked: Lessons from Recent Data Breaches
This week, I’m going to cover some of the high profile hacks that have happened recently, including Lastpass, Kaspersky, and the White House’s Office of Personnel Management (OPM). My hope is that by learning more, you can avoid being hacked, stay more secure, and know what to do if you have been hacked.
Just as predicted, there have been a huge number of hacks this year, including very notable ones like Lastpass, Kaspersky, and the White House’s Office of Personnel Management (OPM). Here are some lessons learned from those hacks in order to help you stay more secure, as well as tips for what to do if you’ve been hacked.
Lastpass
The first and most recent hack I want to talk about is in regards to Lastpass. I’ve done a podcast on Lastpass in the past for using it as a way to securely manage your passwords for all of your web accounts and payment information.
First of all, if you are using Lastpass to store your passwords, you should go change your master password right now. Go on, I’ll wait for you …
Alright and we’re back! On June 15th, Lastpass publicly announced that they had noticed suspicious traffic on the network and stopped it immediately. They assured users that their encrypted data was not taken, and that only user emails, hashed master passwords, and secret questions were stolen. Now, that’s pretty bad for a company whose sole business is to secure your information.
However, it’s not as bad as it could have been. Although information was stolen, the most important part was that the master password was still hashed. If you’re not familiar with how Lastpass works, you basically have to remember one password, which safeguards every other password that you use online.
When Lastpass stores your master password, it hashes it just in case something just like this happens. Without going into the nitty gritty of hashing and cryptography (if you’re interested I have a podcast on that subject), basically the hackers would have to break your hashed master password.
Due to the fact that Lastpass uses an extremely long and slow hashing function, if an attacker were to focus its efforts to break a user’s hashed password, it would take an extremely long amount of time. I’m talking hundreds of thousands of years. Without your master password, the hackers would only have your email, security question, and that unusable password, which isn’t much to go off of. Still it is recommended that you change your password, and set up some form of two factor authentication.
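The effect of a slow hash described above, as an added example that is not part of the original article and is not Lastpass's code. PBKDF2-HMAC-SHA256 stands in for the slow hashing function; the iteration count, function names, and sample passwords are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import time

ITERATIONS = 100_000  # assumed work factor for illustration, not Lastpass's setting


def hash_master_password(password, salt=None, iterations=ITERATIONS):
    """Return (salt, iterations, digest) for storage; the password is never stored."""
    if salt is None:
        salt = os.urandom(16)  # unique per user, so identical passwords hash differently
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, iterations, digest


def verify_master_password(password, record):
    """Recompute the slow hash and compare in constant time."""
    salt, iterations, expected = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def seconds_per_guess(iterations, samples=3):
    """Measure on this machine how long a single password check costs."""
    salt = os.urandom(16)
    start = time.perf_counter()
    for i in range(samples):
        hashlib.pbkdf2_hmac("sha256", b"constructed-sample-%d" % i, salt, iterations)
    return (time.perf_counter() - start) / samples


def years_to_try_all(alphabet_size, length, guess_seconds):
    """Worst-case time to try every password of this length at the given cost."""
    return alphabet_size ** length * guess_seconds / (365 * 24 * 3600)


if __name__ == "__main__":
    record = hash_master_password("correct horse battery staple")  # constructed sample
    print("right password:", verify_master_password("correct horse battery staple", record))
    print("wrong password:", verify_master_password("password123", record))
    fast = seconds_per_guess(1)
    slow = seconds_per_guess(ITERATIONS)
    print("cost ratio slow/fast: %.0fx" % (slow / fast))
    print("12 random chars from 62: %.2e years" % years_to_try_all(62, 12, slow))
```

The per-guess cost scales with the iteration count, which is why a long, random master password combined with a high work factor pushes the search time out so far.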
Kaspersky
The next hack I would like to talk about is that of one of the world’s leading research facilities for malware. You are probably familiar with their top notch antivirus solution. While a Kaspersky researcher was doing some work, he noticed some odd network traffic and decided to look into it. Come to find out it was an extremely sophisticated piece of malware that shared similarities with Stuxnet (a virus that was used to slow the Iranian nuclear program).
After a computer was compromised, most likely due to a phishing email, this malware made its way into Kaspersky’s network. Now, let’s be clear, we are talking about one of the world leaders in computer security. This was not your typical network. It would be like comparing robbing a bank to breaking into Fort Knox!
To stay so stealthy, this attack used a combination of Microsoft operating system vulnerabilities, along with stolen digital certificates from the company Foxconn. If this company sounds familiar, well it should, because it makes hardware for a few companies you may have heard of, such as Apple and Dell.
The digital certificate that was stolen was the equivalent of stealing the badge off of a bank security guard. It let the hackers right in because the certificate was trusted. It doesn’t stop there, because once they were in, the hackers took over multiple servers using the certificates and Microsoft vulnerabilities.
The malware itself was so brilliantly made that it never wrote a file to the hard drive, and thus eliminated yet another way of being detected. What’s interesting about this is that the malware stayed in the computer’s memory, so when the computer was rebooted, there was not a trace of the malware left. It was like disappearing ink! What happened is that when an infected computer was rebooted and cleaned, the malware, which was still on another computer in the network, would reinfect it all over again!
In order to defeat this malware, Kaspersky had to shut down all of its computers at the same time so that there was no trace of it left on the network. Any one computer left on could have led to the network becoming infected again.
White House Office of Personnel Management
Last but certainly not least was the hacking of the White House Office of Personnel Management or OPM. The method of entry is not exactly known, but what is very certain is that this hack stole a huge amount of data on government personnel and potentially military personnel. The total number of people affected by this data breach is estimated to be around 3 to 14 million people.
The data that was leaked was potentially personal data for anyone who worked for the United States government, including their background check. If that weren’t horrible enough, it’s suspected that China was responsible for carrying out the attack.
There have been a handful of theories as to how the attackers initially got in, such as an unpatched Windows XP computer or perhaps a weakness in the TLS encryption on one of the login pages of the OPM’s portal. In either case, it appears that once they gained credentials of a high level user, they were able to come and go as they pleased.
Alright, so all of this is a huge issue for everyone. Lastpass, Kaspersky, and OPM are just some of the notable hacks in the past few weeks. However, there are a few things that could have been done to prevent some of these attacks.
For instance, had two factor authentication been enabled for the OPM’s website, then even though a hacker got a user name and password, they would also need the user’s cell phone or other type of authentication. In the case of the Lastpass hack, even if a hacker were to have gotten your master password and email, it would also require that they have whatever device performs their two factor authentication. As far as the Kaspersky hack, if a user fell for a phony email, then the solution would have been simple: don’t click links in email, unless you know who they are from!
Here are my main tips to avoid getting hacked, and what to do if you believe you already have been:
1) Always keep your computer and smartphone updated
2) Use two factor authentication where you can
3) Never click links that you are suspicious of!
4) If you suspect your data has been hacked, at the minimum download your free credit score quarterly, and consider an identity theft protection service like LifeLock.
Well, that’s it for today! Be sure to check out all my earlier episodes at quickanddirtytips tech talker. And if you have further questions about this podcast or want to make a suggestion for a future episode, post them on Facebook QDTtechtalker.
Until next time, I’m the Tech Talker, keeping technology simple!