If you are sending a zillion newsletter or marketing emails, sure, email marketing platforms make it easy to manage your email list; and many do provide some basic tracking information.
Today’s hackers are more innovative. Rather than just running up charges on your credit card, they are looking to extort money in exchange for return of your private information or to limit their use of it. For insurance executives, private information often includes emails related to customers and their policies. Data could include confidential information about assets, employees, vendor contracts and bank accounts.
The term “security by obscurity” has been around for a long time. Traditionally, this has referred to the idea that the best way to keep a system safe is to keep its design (and any potential vulnerabilities) a secret. To many, “security by obscurity” has also represented the idea that there is safety in numbers, such as on a social media network that has hundreds of millions of users. One might argue that the intersection of social media, online platforms that gather and sometimes sell (for legitimate purposes) personal data, and peoples’ addiction to electronic communication convenience, may call for a new way of thinking about one’s own (or a client’s) security by obscurity.
(WCry) was successful in infecting over 300,000 computers in 150 countries. It is likely the worst ransomware attack to date. WCry works by locking the files with encryption on each device. Victims are promised a decryption key to unlock their files once they pay a ransom of $300 in Bitcoin.
What do United Airlines and footballer David Beckham have in common? Disastrous leaked emails. In these recent cases, the leaked emails appear to be legitimate, though Beckham claims some of the leaked emails were “doctored.” But how do we know that leaked email messages discussed in news stories and tabloid columns are actually authentic?
Earlier this year, Mark Zuckerberg, CEO of Facebook, unintentionally revealed (in a photo he posted to his Facebook account) that he covers up the webcam and audio port on his laptop. He literally has a small piece of masking tape over the pea-sized camera lens and another one on the audio port where headphones plug in. The social media universe was quick to pick up on this, leading to all sorts of speculation and theory crafting about the possible implications.
What does Zuckerberg know that we don’t?
For starters, Facebook is able, technically, to listen in on your conversations. Recall that you may have granted Facebook permission to access your microphone. Coincidentally or not, many FB users have reported online ads popping up for obscure things that they may have discussed within earshot of their phone or laptop, but had not actually typed into any search engine or device. For now, Facebook denies using a phone’s microphone to serve ads or customize news feed stories.
Webcams are also vulnerable; hackers can easily gain access to cameras embedded into mobile phones, tablets and laptops as well as stand-alone surveillance cameras. Webcam hacking was in the news after the October 21st “Mirai botnet attack,” in which thousands of webcams, DVRs and industrial cameras were hacked and then networked together to attack large corporate servers.
The risk of a webcam security breach extends to Android and iOS devices. iOS is the operating system on Apple’s iPhone, iPad and iPod Touch products. In August, Apple issued a security alert after identifying the “Trident” flaw, which hackers could use to turn on the camera or microphone on a hacked device. Trident was delivered to victims via SMS text message links.
Android apps can also serve as a conduit for hackers. Last week, a popular Android app called AirDroid was reported to have a major security flaw. AirDroid, with over 20 million downloads, helps users manage their Android device from a web browser. But the data transmission process is not secure, allowing a hacker to easily create a man-in-the-middle attack. AirDroid has access to a device’s contacts, camera and microphone, and other user data. Android is continually releasing new security updates to keep up with the continual emergence of new security vulnerabilities.
What could a hacker do with remote access to your webcam or microphone?
Imagine the Invisible Man, sitting on the armchair in your bedroom at night, watching you and listening to your private conversations. What could he do with that information? Blackmail you? Gain access to your online accounts? Jeopardize your privacy and safety? Certainly all this and more. Think of the webcam on your laptop as the Invisible Man; it can watch you and listen to you at any time, without your knowledge, transmitting a feed to hackers via your laptop’s Internet connection.
And, it could be recorded and easily posted on YouTube for the world to watch.
And by the way, don’t think you’ll see a recording light turn on when you’re being spied on through your webcam; that can be and is usually disabled remotely by the hacker.
What to do?
While some may suggest disabling your webcam and microphone to protect yourself, this may not be a practical solution for business professionals who need to use these devices for remote collaboration, web meetings, and Internet voice services.
Instead, we circle back to a variation of Zuckerberg’s simple, low-tech solution to defeat high tech surveillance.
But instead of just a piece of tape, we recommend placing a bandaid over your webcam — the bandaid padding will protect your camera, and you can peel it off whenever you want to use the webcam. If you choose the right size bandaid or trim one to fit, you can even muffle the microphone port.
Also, to further protect yourself from becoming a target, consider protecting personally identifiable information and information about your financial assets. Use secure email communications (RMail, for example) to keep your personal information personal.
Next week marks the last official week of summer vacation. It is likely also the beginning of your “back to work” business travel. Business travellers should note these specific precautions when conducting business transactions from the road, especially if you are likely to be more focused on the speed of getting things done rather than security.
A hacking group called Shadow Brokers has reportedly stolen powerful hacking tools from the Equation Group, a hacking group believed to be NSA-backed and responsible for many of the largest state-level hacks in history. On Saturday, Shadow Brokers released a subset of these tools to the public, which several former employees of the NSA’s hacking division, known as Tailored Access Operations (TAO), have said appear to be legitimate NSA files. Shadow Brokers is auctioning the “best files” or the remaining tools, for a price of one million bitcoin (about $568 million).
…and does it change the result?
Who is responsible for the recent Democratic National Committee (“DNC”) hack and resulting emails published on WikiLeaks? Russian hackers are suspected and the FBI is investigating, but Russia adamantly denies involvement. The hackers could be from the same group who stole DNC’s oppositional research about Republican Presidential nominee Donald Trump in mid-June. Perhaps, the perpetrator is simply a DNC employee or subcontractor disenchanted with circumstances that many are now describing as a DNC conspiracy to favor and support its predetermined nominee in the presidential primary – Hillary Clinton – while impeding other candidates such as Bernie Sanders. Whether an angry Bernie Sanders supporter or a foreign government preferring Trump is to blame, the lesson here is once again that if your emails (sent in plain text) contain something of value, they will eventually be exposed.
In the recent Tech Essentials article “Changing Trends in Cyber Security,” we highlighted how hackers are becoming more innovative in their ability to use generally available social media (i.e. LinkedIn recruiter tools) and other business applications to target email recipients with imposter email and lure them into wiring money to hackers. Read more