Recently, our fearless leader, Brett Gallant of Adaptive Office Solutions, shared a video about the importance of backups as part of your cyber security plan. A client of his called in a panic. They’d lost most of the 2022 email exchanges for an important individual in the company.
Most people don’t think about backing up their emails, especially if the email exchanges are done through the cloud. But what if a hacker, or a person with malicious intent within your organization, deleted all of your emails?
However, backing up your emails is just one piece of the backup puzzle. Data of any kind needs to be protected. We can’t think of a better story to demonstrate the devastation that one person can cause an organization than this one…
Man Loses Data for an Entire City’s Population After a Night Out Drinking
In an article, Mashable wrote, “There are some very basic online security measures that everyone should take to ensure their private data is protected.
Use strong, unique passwords. Don’t download files from sources you don’t know or trust. And…don’t store the personal private data of all 465,177 residents of an entire city on a single USB flash drive.
Amagasaki, Japan is currently experiencing this very security crisis after an unnamed employee of a company “tasked with providing benefits to tax-exempt households” lost the USB drive containing this sensitive data of the city’s entire population, according to CNN.
What data is contained on this USB drive precisely? For starters, the names, birthdays, and addresses of 465,177 people that were just recently transferred to the drive from the city government’s information center. The drive also includes residents’ tax information, banking account names and numbers, as well as info about any public assistance they might be receiving.
According to public broadcaster NHK, the employee, who is in his 40s, went drinking at a restaurant on Tuesday, the day he transferred the files to the drive. He ended up falling asleep on the street. When he woke up, the bag containing the USB drive was gone.
Local authorities held a press conference on Thursday to share more details. While the employee was “authorized to access the data,” he was not supposed to transfer it to a separate device, like a flash drive. As of now, there has been no known leak of the data and the drive is apparently encrypted.
So, let this be an online security lesson for everyone. Do not keep hundreds of thousands of people’s sensitive information stored on a USB flash drive that you take with you while having a night out on the town. It’s not a good cybersecurity practice, to say the least!”
Before you start to think that this is an isolated case of bad cyber security strategies, let’s take a look at the…
Top 7 Weirdest, Meanest, and Dumbest Hacks of All Time
In excerpts from an article, CSO Online wrote, “Sometimes hacks can be incredibly complex and sophisticated, but most hackers take the path of least resistance and attack networks through phishing, weak passwords, unpatched systems, and social engineering. And sometimes hacks can be just plain weird. Here are eight examples:
1. Data stolen through a fish tank
Cybersecurity firm Darktrace made quite a splash in 2017 when it announced that it had discovered hackers using an internet-connected fish tank to steal data from an unidentified North American casino. Apparently, the aquarium tank was equipped with IoT sensors connected to a PC that monitored and regulated the water temperature and the cleanliness of the tank and controlled the feeding of the fish.
“Someone used the fish tank to get into the network, and once they were in the fish tank, they scanned and found other vulnerabilities and moved laterally to other places in the network,” says Justin Fier, director for cyber intelligence and analysis at Darktrace.
The casino’s name was not disclosed, but the report did say that data was sent to a device in a foreign country. If you guessed Fin-land, you would be correct. Darktrace CEO Nicole Eagan explained to attendees at an event in London that once hackers got a foothold in the network, they moved on from the little fish to access a database of high rollers, also known as whales.
2. Vishing attack scams CEO
We’re all on the lookout for email phishing attacks, but what happens when your boss calls you on the phone and asks you to do something? Would you suspect that you might be the victim of a voice phishing or vishing attack?
The first reported case of an AI-based vishing attack occurred in 2019 in England. Apparently, criminals used commercially available, voice-generating AI software to impersonate the boss of a German company that owns a UK-based energy firm. The criminals called the UK CEO and tricked him into wiring $243,000 to a supplier in Hungary. The CEO recognized the slight German accent and voice patterns of his boss and the call didn’t arouse suspicion. That’s until the criminals got greedy and called a second time asking for another huge wire transfer. This time, the CEO refused and the ruse began to unravel.
However, authorities have not been able to nab the culprits or get the money back. This may be just the beginning of a new, scary era of AI-based deepfakes.
3. Pump hack yields free gas
Hackers usually traffic in cash or cryptocurrency. In 2019, French authorities nabbed five men who stole nearly 25,000 gallons of fuel from gas stations around Paris by hacking gas pumps with a special remote that unlocked a particular brand of pump installed at Total gas stations.
The hack was possible because some gas station managers didn’t change the gas pump’s default password from the standard ‘0000’. Hackers used the PIN code to reset fuel prices and remove any fill-up limits.
Operating in teams, one hacker would use the remote to unlock the gas pump, while a second vehicle, a van with a large tank in the back of the vehicle, would fill up with as much as 750 gallons at a time. What did they do with the gas? They advertised on social media and re-sold the gas at discount prices. Police estimate the gang made around $170,000 before they were caught.
4. Road sign hacks annoy local police
Weak log-in credentials are a perennial security problem, and with the advent of electronic billboards and road signs, enterprising hackers have figured out ways to gain control to get a funny or raunchy message across.
A Texas man was walking his dog when he came upon a road sign warning motorists about construction ahead. He quickly guessed the user name/password for the electronic message board and changed the sign to read: “Drive Crazy Yall.” An alert neighbor witnessed the scene and called the police, who failed to see the humor. The man was arrested and charged with criminal mischief.
Last September, two young men wearing hoods and masks broke into a small building underneath a digital billboard on the side of a major highway in Auburn Hills, Michigan, hacked the system, and used it to display pornography. According to police, the duo, who were captured on surveillance video, were in and out in less than 15 minutes, so the password couldn’t have been that hard to crack. The video entertained drivers for about 20 minutes before police responded and turned it off.
Even more outrageous, a 24-year-old IT professional who was stuck in Jakarta rush hour traffic apparently looked up at a giant electronic billboard, spotted login credentials that were accidentally displayed for a moment on the screen, hacked the system, and streamed hardcore porn. Indonesia happens to be a very conservative Muslim country, so authorities were not pleased. The prankster has been charged and could face six years in prison.
5. Shark Tank star was victimized by an email scam
Barbara Corcoran, one of the sharks on the television show Shark Tank, lost nearly $400,000 recently in a clever email scam. The hacker posed as Corcoran’s executive assistant and sent an email to Corcoran’s bookkeeper containing a fake invoice. The bookkeeper failed to notice that the return email address was not legit.
So, when the bookkeeper asked questions about the request that nearly $400,000 be transferred electronically into a German-based bank account, that email went to the hackers, who, of course, confirmed the invoice request. It wasn’t until the bookkeeper sent a separate email to the correct address of the executive assistant asking if the payment had gone through that the light bulb went on.
Unfortunately, Corcoran is out $388,700.11. You might think that the bookkeeper would be out of a job, but it seems that Corcoran is the forgiving type. She said, “I lost the $388,700 as a result of a fake email chain sent to my company. It was an invoice supposedly sent by my assistant to my bookkeeper approving the payment for a real estate renovation. There was no reason to be suspicious as I invest in a lot of real estate. I was upset at first, but then remembered it was only money.”
6. Hackers activate tornado warning system, leaving people at risk
March 12, 2019, was a quiet night in the Dallas suburbs of DeSoto and Lancaster – until 30 high-decibel tornado sirens suddenly began blaring at 2:30 a.m. and continued to go on and off until 4 a.m. However, there was no tornado. This was a hack.
Residents at first were panicked that the siren warning might be real and a twister was about to hit. After all, this area of Texas is known as “tornado alley” and the period between March and May is prime tornado season. DeSoto had run tests of the tornado alarm sirens a week prior (during the day) and the weather report for that week called for severe thunderstorms and possible twisters.
City officials reported that “based on the widespread impact to the outdoor sirens located in two separate cities, including Lancaster, it has become evident that a person or persons with hostile intent deliberately targeted our combined outdoor warning siren network.” Officials pointed out that they had to take the entire system offline and in the meantime, the residents were without that warning system as storms rolled in. (Of course, residents could also receive warnings via text message, so they weren’t left completely in the dark.)
Even more curious, in April 2017, a hacker set off 156 tornado sirens across Dallas proper, also in the middle of the night. Investigators attributed that hack to a technique called “radio replay,” where the hacker records a prior test of the system and replays it back repeatedly.
So, maybe there’s a serial siren spoofer on the loose.
7. Hacked baby monitor alarms parents
Potential vulnerabilities associated with home security and baby monitoring systems have been well documented. Through techniques like credential stuffing or taking advantage of weak or default passwords, hackers can spy on unsuspecting residents.
Apparently bored by watching a baby just sleeping, a hacker who had taken over an Ohio family’s baby monitoring system began repeatedly screaming, “Wake up baby!” The stunned parents rushed into the baby’s room only to find that the hacker had pointed the camera directly at them and was screaming obscenities. IoT-based taunting has seemingly taken off, as similar cases have been reported across the country.”
And in keeping with the Seven theme…
7 Stupid Mistakes That Led to a Data Breach
In excerpts from an article, artmotion wrote, “Even the best of us are guilty of making stupid mistakes. However, when it comes to IT, the smallest blunder could lead to a major data breach with dire consequences.
Data breaches are on the rise. Hackers continue to attack enterprises and government agencies relentlessly, and it’s only going to get worse. So there’s (absolutely) no room for any stupid mistakes.
According to the FBI, reports related to cybercrime have quadrupled during the COVID-19 pandemic. As more companies fall victim to security breaches, they risk significant regulatory fines and damage to brand reputation.
While it’s human nature to goof up from time to time, there’s no excuse for foolish mistakes that could have been avoided. So companies and security teams need to pay attention to these examples and take extra steps to avoid repeating these ‘stupid mistakes.’
1) Misconfiguration
Hackers always search for servers that haven’t been set up correctly. This was the reason behind the now-infamous Capital One data breach that exposed the sensitive personal data of more than 100 million applicants and customers.
In this scenario, a flawed firewall implementation enabled access to the server. As the company didn’t properly encrypt the sensitive data stored on the server, the hacker was able to read it.
This seems to be a common theme as just 4% of data breaches tracked by Gemalto’s Breach Level Index were (what we call) secure breaches where stolen data was encrypted and rendered useless to threat actors.
2) Failed to update
The Equifax data breach, which still hogs the headlines today, occurred because the IT team wasn’t proactive. Even after the company was alerted to the threat in the Spring of 2017, the consumer credit agency still failed to identify the vulnerability.
In this scenario, encrypted traffic was exposed because of a digital certificate that expired ten months before the incident. This oversight allowed a hacker to breach the system and access sensitive information from mid-May until the end of July.
This stupid mistake led to the theft of the personal data of more than 145 million US citizens and over 10 million British citizens. The incident still hogs the headlines as the company continues to pay hefty fines to settle numerous lawsuits.
3) Chose speed over security
Transportstyrelsen, or the Swedish Transport Agency, outsourced its vehicle and license register to a third-party contractor to save money. In any other case, this would be standard practice for companies and government agencies looking to access top tech talent cost-effectively.
But here’s where Transportstyrelsen dropped the ball.
To accelerate the whole process, the Director General decided to overlook standard security procedures and best practices. Most notably, enabling seamless access to sensitive data that demanded security clearance.
This security incident exposed the details of people with criminal records, military and police transport personnel, intelligence agents, and those in witness protection programs.
Fortunately, there’s no evidence that anyone but the subcontractors viewed this information. Neither the intelligence agents nor those in witness protection came to any harm.
But it could have been very different!
The political fallout from this security event evidenced the Swedish government’s ignorance about technology and data security. The positive outcome was the fact that it ushered in a sea change across government departments to ensure that it doesn’t happen again.
4) Weak passwords
In the current threat landscape, you would think it’s nearly impossible not to hear about a data breach almost every day. Yet, Western Australian government officials continued to use ridiculously weak passwords.
For example, the most common weak password, used by as many as 1,464 employees, was “Password123.”
Furthermore, research showed that 26% of accounts across agencies used similar weak passwords (like abc123), significantly increasing their exposure to risk. Even worse, total access to every government system was possible with the password “Sumer123.”
But it wasn’t just the Australians; their counterparts in the United States were also found to make the same stupid mistake.
According to a study conducted by WatchGuard, almost 50% of over 355,000 government and military email accounts had weak passwords that could be cracked within two days.
In this scenario, the most commonly used weak passwords by government and military staff were as follows:
- 123456
- 12345678
- password
- sunshine
Civilian passwords were found to be weak 52% of the time and were matched to passwords leaked in the LinkedIn data breach that occurred as far back as 2012.
5) Ease-of-use over security
The infamous data breach at Uber occurred because of weak access control to an extensive collection of data. In this scenario, threat actors were able to find credentials for an Amazon Web Services account containing user data (or 57 million records with personally identifiable information) in a private GitHub coding site.
If that wasn’t bad enough, Uber often allowed developers access to live production data without deploying proper protocols to monitor and secure this sensitive information.
As all the developers had unlimited access to user data, all the attackers had to do was compromise one individual to breach the whole system.
As developers had complete access to GitHub repositories and so much customer data was available, we can conclude that Uber made the stupid mistake of choosing “ease-of-use over security.”
Even worse, the company tried to cover it up by paying the hackers $100,000 to delete the stolen user data and keep the incident under wraps.
6) Unsecured database
French fitness tech firm, Kinomap, recently suffered a massive data breach that exposed the personally identifiable information of 42 million users (spread across 80 countries).
Discovered by researchers at vpnMentor, the open database, which was left unsecured for at least a month, revealed the following information:
- Full names
- Usernames
- Email addresses
- Home country
- Gender
- Timestamps for exercises
- Kinomap account details
- The date they joined Kinomap
All this sensitive user data wasn’t encrypted, making it easily accessible to threat actors. What makes this security incident even worse is the fact that although vpnMentor informed the French firm on March 28th, 2020, they didn’t fix the security issue for over two weeks (until April 12th, 2020).
7) Poor protection against insider threats
Marriott Hotels suffered a second major data breach within two years when two employees accessed the information of more than five million guests.
Although this incident wasn’t as severe as the security event in 2018, it’s concerning that the hotel chain didn’t take security seriously even after the first incident.
While this data breach is a bit complicated to be called a “stupid mistake,” it could have been avoided. If real-time monitoring and zero trust protocols were deployed, security teams would have been alerted immediately when unusual patterns in user behavior were identified.
Lessons learned:
- Always encrypt sensitive data
- Deploy the latest patches and updates immediately
- Engage in regular security training
- Engage in penetration testing to identify potential vulnerabilities
- Never compromise on cybersecurity best practices
- Always use unique credentials for each user and system
- Use strong passwords
- Use two-factor authentication
- Have a data breach plan ready
- Respond to data breaches immediately”
At Adaptive Office Solutions, cybersecurity is our specialty. We keep cybercrimes at bay by using analysis, forensics, and reverse engineering to prevent malware attempts and patch vulnerability issues. By making an investment in multilayered cybersecurity, you can leverage our expertise to boost your defenses, mitigate risks, and protect your data with next-gen IT security solutions.
When you know your technology is being looked after, you can forget about struggling with IT issues and concentrate on running your business. By making an upfront investment in your cybersecurity, you can lower your costs through systems that are running at their prime, creating greater efficiency and preventing data loss and costly downtime.
To schedule your Cyber Security Risk Review, call the Adaptive Office Solutions service hotline at 506-624-9480 or email us at helpdesk@adaptiveoffice.ca