Phishing has become way more sophisticated
Selections of cybercrime information from expert Jim Stickley, Stickley on Security, keynote speaker at the CyberSecurity Conference sponsored by Exchange Bank and the North Bay Business Journal.
Hacking was cool
“Hacking was just cool. That's all it was. By my late teens, early 20s, I realized, hey this stuff could get you in jail. As a kid, I didn't pay for stuff very often - movies, Sea World, the zoo, Disneyland. If you give them a good story, they would let you in. Even if I had a date, I would tell them I lost my tickets. With corporations, I could pop my way into things. Five years ago, I had robbed over 1,000 financial institutions. I have robbed a lot of places (as a friendly hacker).”
“I talk very fast, like a monkey on crack. I got my first computer when I was 12, back in 1982, a Texas Instruments TI-99 (released 1981, 256 bytes RAM, 3 MHz speed, much slower than Stickley talks). I was immediately hooked. I couldn't think of anything else I'd rather be doing than being at my little computer. For Christmas, I would ask my parents for programming books.” (By age 16, he was doing program development work for corporations.)
“I believe that there is always a way to solve a problem. When kids were mean to me, I was able to turn off their parents' phone line (because he swiped programming manuals from telephone repair technicians parked in his neighborhood).”
Why cybercrime?
“It's not like I have some better widget that is better than the next guy who is breaking into stuff. We all follow the same trends. Cybercrime is a growth industry. Returns are great. Risks are low. It's just a business now. This is not some kid hacking from a basement. This is organized crime, state-sponsored all over the world. Technology is way better than it has ever been.”
Email poses huge risks
“With very few exceptions, it comes down to email. Every major breach since 2014 started with an email. That led to the compromise on the network. Email is a huge, huge risk. Hacking is hard. It's a lot of work. If I can send one of your employees an email and get them to do something dumb that ends up giving me access to their desktop, I have bypassed all the internal security and I am on your internal network. It solves all my problems for me. All I need is one person to make a mistake. Email is your biggest risk.”
“Emails are the devil, whether it comes from your mom, co-worker, best friend. Doesn't matter who. Start with the assumption it didn't actually come from them. Assume it's bad. Figure out what it wants from you. There's going to be some angle. It wants you to click on a link, download some attachment. If it wants anything from you at all, take a deep breath. You opening that document could be a very bad decision. Treat every email with a really skeptical view. The more you know, the better off you are going to be.”
“I send an email on behalf of IT security guys to one of your employees (using an IT security employee's name). The subject is an emergency security patch. The security ID is an important part of this whole scam. (There's an 800 number to call.) It has no links, no attachments. There's nothing that tells them this is a bad email. They pick up their phone and dial the 800 number. You can buy an 800 number for $10 or $15 a month.”
“You'd think that phishing should be getting easier to detect. Actually, the trend is still continuing to go up. Phishing is becoming so much more sophisticated. It (looks as if it) comes from a co-worker to you, has your name in the email. It will look very, very real. Detecting that it's fake is a heck of a lot harder. It looks like it comes from somebody you would trust.”
“When a company is attacked in a phishing attack, the first employee will fall victim within a minute and 40 seconds.”
“If you are a large corporation, you deal with limited network access. If employees don't need email from the outside in for their job, they should not have the ability to receive email from the outside. Why are you putting your company at risk allowing them to have it? It's crazy. Same thing with web access. If an employee doesn't have a job function that requires them to browse on the Internet, they shouldn't be able to browse on the Internet. Every employee has one of these (a smartphone). They can use their own phone. Don't put it on your network. Reduce your risks by a lot.”
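The callback scam Stickley describes above (a message carrying an IT security employee's name on an outside address, an "emergency security patch" subject, a security ID and an 800 number, but no links or attachments) slips past filters that only look for URLs and attachments. The heuristic scorer below is an added example written for this page, not Stickley's tooling; the internal domain, the staff name and the two sample messages are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"        # assumption: the company's own mail domain
IT_SECURITY_STAFF = {"dana reyes"}     # assumption: a staff name a spoofer might borrow

# Toll-free numbers (800/833/844/855/866/877/888) in common US notations.
TOLL_FREE = re.compile(r"(?<!\d)1?[-. ]?\(?8(00|33|44|55|66|77|88)\)?[-. ]?\d{3}[-. ]?\d{4}(?!\d)")
URGENCY = re.compile(r"\b(emergency|urgent|immediately|security patch|security id)\b", re.I)
URL = re.compile(r"https?://", re.I)


def score_callback_phish(raw_message: str) -> dict:
    """Return the matched indicators, a score and a verdict for one raw RFC 822 message."""
    msg = message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = address.rsplit("@", 1)[-1].lower()
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = f"{msg.get('Subject', '')}\n{body}"

    indicators = {
        # A known internal name shown on an address outside the company domain.
        "impersonated_staff": display_name.lower() in IT_SECURITY_STAFF
                              and sender_domain != INTERNAL_DOMAIN,
        "urgency_language": bool(URGENCY.search(text)),
        "toll_free_callback": bool(TOLL_FREE.search(text)),
        # The lure deliberately carries nothing a link or attachment filter would catch.
        "no_link_or_attachment": not URL.search(text) and not msg.is_multipart(),
    }
    score = sum(indicators.values())
    verdict = ("callback-phish" if indicators["impersonated_staff"]
               and indicators["toll_free_callback"] else "no-match")
    return {"indicators": indicators, "score": score, "verdict": verdict}


# Constructed samples, not real messages.
PHISH_SAMPLE = """From: Dana Reyes <dana.reyes@it-helpdesk-support.net>
To: new.hire@example.com
Subject: Emergency security patch - action required

Hi, this is Dana from IT Security. An emergency security patch must go on your desktop today.
Your security ID is 48213. Call 1-800-555-0142 now and we will walk you through it.
"""

LEGIT_SAMPLE = """From: Dana Reyes <dana.reyes@example.com>
To: team@example.com
Subject: Friday cafeteria menu

This week's menu is on the intranet: https://intranet.example.com/menu
"""

if __name__ == "__main__":
    for sample in (PHISH_SAMPLE, LEGIT_SAMPLE):
        print(score_callback_phish(sample))
```

A gateway rule built on the first indicator alone (internal display name on an external domain) already removes much of the value of the LinkedIn staff list mentioned below.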
LinkedIn, what could be bad?
“LinkedIn is a hacker's dream - a list of all your employees, their job titles, exactly what they do for that company, and how long they've worked there. With employees who have worked there four months or less, I have a really good chance of success (in a phishing attack). These people don't know anything. They don't want to do anything to rock the boat. Whatever you tell them to do, they will just do. It's not that hard to get email addresses.”