Got a licence to use that laptop? Who, me? Dumb Ways To Get Hacked and why you should stop worrying and learn to love the Dark Web
Palo Alto Networks


I suspect I've been around in the IT industry for too long, starting in the 1980s as a young casual salesperson, still at school, in Dick Smith selling System 80 (a copy of the Tandy TRS-80) computers that sold for a whopping AUD $10K with a green screen, 720K floppy disk drive for storage, expansion bus, a 300 baud modem and 64K of memory (far short of the 640K that Bill Gates allegedly said was all the memory you ought to ever need). In those olden glory days, you could buy a new Holden Commodore for around $20K or a house for $80K, so $10K was a lot of "bitcoin". Laugh you might, but we sold at least 10 of these each weekend to budding IT geeks (albeit that the term was not invented back then, and who needed passwords anyway).

https://www.classic-computers.org.nz/system-80/

At that time, the internet was just for unis to play with (although whilst at uni I did find and play the first version of the Doom game) and corporate hackers in the old USSR (before it broke apart) and places like North Korea did not exist (or they were real hackers with machetes, guns, nunchaku and knives, Kill Bill style).

Even during my time around 1985 as a budding lawyer, learning to swim quickly after being thrown into the deep end at Wang Computer (the short story being that they paid me to study for my law/science degree as they wanted software engineers, but when their company secretary left, they said you know something about the law, here's a new job), who laid claim to the largest customer computer network (Dept of Social Security in Australia), and at Sun Microsystems, we never had "take me home" laptops, remote access or even mobile phones, just Wang OIS green screen terminals and Sun Workstations the size of a small dog house respectively. Ah, the bliss of not being able to log in after hours to check the email.

That all changed when I joined Digital Equipment Corporation (DEC), who gave me a brick of (or maybe "for", given what it weighed) a 386 laptop and a 56 kbps dial-up modem for remote access, and said good luck, you work for an IT company, you work it out.

It did not help much that they sat me on an empty floor for the first 6 months and left me to my own devices. I learnt that an "empty floor", by some accounting magic, did not count for any costs in the accounts, which is probably why they got taken over by Compaq and then HP in quick order and no longer exist (but at least not due to a data breach).

Now, left to my own devices, I fondly remember that DEC had a product called AltaVista, the forerunner of today's search engines. Some defunct company had the brilliant (but ultimately money-losing) idea of allowing you to dial up (only in the US) for free to search the newfangled thing called the internet. I discovered AltaVista could also be used internally and, when pointed at an internal network, did the same thing as an internet search engine, only it found (I love the old *.* wildcard option) and served up all sorts of confidential and unsecured documents, and so my career as a white hat lawyer quasi-hacker started.

From then on I was given newer, faster and smaller laptops and remote access to networks and systems I did not really need or want to access, all with little to no practical training on security or even forced password changes every few months. And this was the IT industry.

So, given the above history, the point is that, with the rapid advances in IT thanks to Moore's Law, even today's basic IT products are wirelessly interconnected across the worldwide internet and hold at least 64 GB (around 100,000 times the System 80's floppy disk storage) of data in phones, laptops, tablets, cloud storage, USB and portable devices, CCTV and the like, most of which is unencrypted personal data that a hacker (or companies like Flybuys) would give a lot of bitcoin to get, not counting all the free services like Google, OneDrive and Dropbox, to name a few - remember, if it's free, you're the product (or at least your data is).

However, we valiantly soldier on assuming all humans, including employees like Gen X, Y and Z, are IT literate, know what complex passwords mean, never reuse passwords, never use ones like "password", "123456" or "arron431", can spot a phishing email a mile away and never, ever download anything off the internet, even porn with dishy malware (which some say is the real reason the internet exists). Ignorance is bliss.

Now, the government has decreed that you need a licence for most things nowadays, like driving a car or boat, owning a gun (somewhat optional in some states / countries), owning a dog (and in some councils, a cat), getting married, running certain businesses, but not, it seems, operating a laptop or phone that holds a lot of personal data about you (and other people, like all your Facebook friends) and access to networks / bank accounts where there is even more personal data to be had. Given the average data ransomware breach cost was US$4.54M, maybe we should care a bit more.

https://www.upguard.com/blog/cost-of-data-breach

In fairness, I do need to mention you do not need a licence to make babies (except in China, until they realised they had inadvertently created a multi-generational social issue with female babies that no one wanted), or, it seems, to build high-rise residential buildings in NSW and elsewhere, which now in hindsight seems somewhat unwise (given elections are coming up), as a few are falling down and bankrupting their "bought it off the plan" owners aka voters (but given both sides of politics did nothing (except take donations), maybe that's what Shakespeare had in mind when he wrote "a plague on both your houses"?).

So I was somewhat surprised to read a 2023 report by SpyCloud suggesting that most, if not all, US Fortune 1000 companies might have some serious staff IT upskilling issues to ponder. I'm sure this report could not apply to Australia's top ASX companies, we being so much better than those know-it-all Americans, especially after our own goals with Medibank, Optus and Latitude, to name a few.

https://spycloud.com/resource/2023-fortune-1000-identity-exposure-report/

Now, even blind Freddy could see that a 62% password reuse stat (i.e. using the same password multiple times on multiple sites in some vain hope that none of them will be hacked, sort of the IT equivalent of the definition of madness) might suggest the human race has not evolved its IT skills quickly enough to overcome Darwin's theory of survival of the fittest. Let's hope we fix that before Elon (or Putin / Xi Jinping / Trump / Kim Jong Un) makes us all go to Planet B (aka Mars), hopefully without an AI-powered HAL 9000 to guide us.

One finding in the SpyCloud report that intrigued me is that one of the most common passwords is still "arron431", so I learnt something. A Google search shows it was just as popular in 2020 and probably well before that. This one's a keeper for reuse.

https://sea.mashable.com/tech/13329/20-stupid-passwords-people-still-use-in-2020-and-how-you-can-do-a-lot-better

More worrying in the SpyCloud report is that most companies seem to take the view that the dark web is something they do not need to bother about, given it's all about drugs and the sale of illegal items. This is despite data on the dark web being reasonably publicly searchable, probably including data of those same companies who have been hacked but still do not know it, courtesy of companies like SpyCloud, WatchGuard, DarkOwl, Norton, Google and even Microsoft, who can tell you if you have data on the dark web, how much and even how old it is, sometimes even for nix.
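The "is my password already out there" check that those services offer, and the password reuse stat a few paragraphs up, can both be demonstrated in a few lines. The following is an added example, not code from the original post or from any of the vendors named: it models the k-anonymity "range" lookup that Have I Been Pwned popularised, run against a small breach corpus constructed here so it works offline (the passwords and hit counts in LEAKED_PASSWORDS are invented for illustration). The client never sends the password, nor its full hash: it sends the first 5 hex characters of the SHA-1 and compares the returned suffixes locally. The same helper then audits a set of accounts for the reuse the report complains about.

```python
"""Added example (not from the original post): HIBP-style k-anonymity
password check against a constructed local corpus, plus a reuse audit."""
import hashlib
from collections import defaultdict

# Constructed stand-in for a breach corpus (plaintext -> times seen).
# Real services index billions of these; the counts here are invented.
LEAKED_PASSWORDS = {
    "password": 9_000_000,
    "123456": 37_000_000,
    "qwerty": 3_500_000,
    "arron431": 50_000,
}


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the digest the range protocol is keyed on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Server side: suffixes grouped by 5-character prefix, built once at load.
_CORPUS: dict = defaultdict(dict)
for _pw, _count in LEAKED_PASSWORDS.items():
    _h = sha1_hex(_pw)
    _CORPUS[_h[:5]][_h[5:]] = _count


def range_query(prefix: str) -> str:
    """Simulated server: given a 5-char prefix, return 'SUFFIX:COUNT' lines.
    The server learns only the prefix, which selects one of 16**5 buckets,
    so it cannot tell which password inside that bucket was checked."""
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly 5 hex characters")
    return "\n".join(
        f"{suffix}:{count}"
        for suffix, count in sorted(_CORPUS.get(prefix, {}).items())
    )


def breach_count(password: str, query=range_query) -> int:
    """Client side: how many times the password appears in the corpus (0 if none)."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in query(prefix).splitlines():
        found_suffix, _, count = line.partition(":")
        if found_suffix == suffix:
            return int(count)
    return 0


def audit_accounts(accounts: dict) -> dict:
    """For each account -> password, report the breach count and which other
    accounts share the same password (the reuse the report measures)."""
    accounts_by_hash = defaultdict(list)
    for name, password in accounts.items():
        accounts_by_hash[sha1_hex(password)].append(name)
    findings = {}
    for name, password in accounts.items():
        shared = [other for other in accounts_by_hash[sha1_hex(password)] if other != name]
        findings[name] = {"breached": breach_count(password), "shared_with": shared}
    return findings


if __name__ == "__main__":
    # Constructed set of accounts belonging to one user.
    sample = {
        "corp-admin": "arron431",
        "corp-mail": "arron431",
        "ebay": "Tr0ub4dor&3-unique",
    }
    for account, finding in audit_accounts(sample).items():
        print(account, finding)
```

In production you would replace range_query with an HTTPS call to a real range endpoint and run audit_accounts at password-set time against a directory, never against a stored plaintext list; the point of the prefix trick is that the lookup can be outsourced without handing the lookup service the credential.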

Some reluctant players such as the same Medibank, Optus, Latitude and HWL Ebsworth (of law firm fame) can vouch that the dark web is actually all about data (or the bitcoin value of it to a company that did not train its staff about IT security enough). In the case of HWL Ebsworth, 4 terabytes of data from hundreds of clients (and people they were suing or defending) ended up on the dark web and is probably still there today (hackers aren't known for their data housekeeping skills). https://hwlebsworth.com.au/cyber-incident/

My read of HWL Ebsworth's predicament and probable root cause was that someone had too much access to too much data, and maybe a non-complex, reused password to boot; some companies hand out access like candy to any employee, contractor or outsourced service provider, whether they need it or not.

I'd also speculate that the IT department probably got their normal bonuses (cheap beer, even cheaper pizza and not having to work that weekend) and saved the firm's partners a motza by consolidating all the data into a single database with single sign-on access so that they could point a CRM (or maybe some e-discovery tools) at it, which would eliminate that pesky issue of data segregation to limit risk. Wonder if they implemented higher-level MFA or even thought to encrypt the data? Seems some US SEC staff thought that MFA stuff was all too time consuming as well.

https://www.itnews.com.au/news/sec-blames-sim-swapping-for-its-x-account-hack-604352

I bet HWL Ebsworth now wishes we still only had 56 kbps dial-up modems (or better still, 300 baud ones), as transferring 4 TB of data at 56 kbps would take on the order of 7,000 days (around 20 years), not the 9 hours or so it takes on a 1 Gigabit link (125 MB of data per second) - maybe the IT industry does have things to learn from the slow food movement. Try the calc yourself https://techinternets.com/copy_calc

Now here's an idea - surely you would want to set an alert or speed limit when your data is being siphoned at a rate of knots out to an IP address in a country like Russia or Nigeria that you might think is a weird location for a client or partner to be visiting at midnight to download all your data (albeit I have worked in companies that used to outsource to weird countries which also are hacker havens, like having a bet each way, just in case). Most BitTorrent clients let you do just that to stop leechers.
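Here is that alert written down, as an added example that is not from the original post or from any product it names. It reads a constructed, simplified flow export (timestamp, source host, destination IP, bytes out), sums bytes per source, destination and hour, and raises an alert when one hour to one external destination exceeds a limit, noting whether the destination is outside the partner allow-list and whether the transfer ran out of hours. The RFC 1918 internal ranges, the single partner range, the 08:00 to 18:59 UTC working day and the 1 GiB per hour limit are all assumptions; the documentation prefixes 198.51.100.x and 203.0.113.x stand in for a "strange" foreign IP and a known partner.

```python
"""Added example (not from the original post): hourly egress volume alert
over a constructed flow log.  All thresholds and allow-lists are assumed."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed flow records: timestamp, source host, destination IP, bytes out.
SAMPLE_FLOWS = """\
2024-03-01T10:15:02Z fileserver01 203.0.113.10 52428800
2024-03-01T10:20:11Z fileserver01 203.0.113.10 73400320
2024-03-01T23:58:40Z fileserver01 198.51.100.7 4294967296
2024-03-02T00:12:05Z fileserver01 198.51.100.7 8589934592
2024-03-02T00:40:19Z fileserver01 198.51.100.7 12884901888
2024-03-02T09:05:00Z laptop-42 10.20.30.40 1048576
"""

# Assumptions: RFC 1918 space is internal, one partner range is known, the
# working day is 08:00-18:59 UTC, and 1 GiB/hour to a single external IP is
# the most any one host should legitimately push.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
KNOWN_PARTNERS = [ip_network("203.0.113.0/24")]
BUSINESS_HOURS = range(8, 19)
BYTES_PER_HOUR_LIMIT = 1 * 1024**3

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)$")


@dataclass
class Alert:
    src: str
    dst: str
    hour: str          # start of the hour bucket, ISO 8601
    bytes_out: int
    reasons: tuple


def parse_flows(text: str) -> list:
    """Parse the simplified export; malformed lines are skipped, not fatal."""
    flows = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue
        ts, src, dst, nbytes = match.groups()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        flows.append((when, src, ip_address(dst), int(nbytes)))
    return flows


def in_any(addr, nets) -> bool:
    return any(addr in net for net in nets)


def find_exfiltration(flows: list, limit: int = BYTES_PER_HOUR_LIMIT) -> list:
    """Return one Alert per (source, destination, hour) bucket over the limit."""
    totals = defaultdict(int)
    for when, src, dst, nbytes in flows:
        if in_any(dst, INTERNAL_NETS):
            continue  # east-west traffic is out of scope for an egress rule
        bucket = when.replace(minute=0, second=0, microsecond=0)
        totals[(src, str(dst), bucket)] += nbytes

    alerts = []
    for (src, dst, bucket), total in sorted(totals.items()):
        if total <= limit:
            continue
        reasons = [f"{total / 1024**3:.1f} GiB in one hour (limit {limit / 1024**3:.0f} GiB)"]
        if not in_any(ip_address(dst), KNOWN_PARTNERS):
            reasons.append("destination not in partner allow-list")
        if bucket.hour not in BUSINESS_HOURS:
            reasons.append("outside business hours")
        alerts.append(Alert(src, dst, bucket.strftime("%Y-%m-%dT%H:00Z"), total, tuple(reasons)))
    return alerts


if __name__ == "__main__":
    for alert in find_exfiltration(parse_flows(SAMPLE_FLOWS)):
        print(alert)
```

On the sample, the daytime 120 MiB to the partner range stays quiet while the two midnight hours to 198.51.100.7 fire with both extra reasons attached. A real deployment would feed this from the firewall or NetFlow collector and pair the alert with an actual rate limit, since an alert read on Monday morning is just a faster way to learn the 4 TB is already gone.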

Also, why would a super admin (i.e. the ones that probably have access permissions to read all your personal emails and documents despite not having a business need to do so under privacy laws) need to have two separate accounts, when the normal account they use to access their corporate email and Google (probably more like DuckDuckGo) / eBay / AliExpress / Uber / X (formerly Twitter) / Facebook / Tor downloads accounts, plus all the admin functions in the company, is just dandy? Despite it reportedly being industry best practice to separate these, it seems it's all too time consuming, having to remember just two more user names and passwords (unless, of course, they fall into the 62% stat above and simply reuse the same password for both accounts - nice).

https://support.google.com/a/answer/9011373

What I do like about HWL Ebsworth is their fallback to using clever legal skills to apply for an injunction to stop anyone accessing the hacked data on the dark web (the equivalent of closing the gate after the cows have bolted).

Now I sort of have to wonder how that worked out, given the Russian hackers were probably not that keen to go to court to argue against the injunction (and probably really did not care anyway) and it would be hard to serve on anyone, albeit if you added it to the hacked data, I guess you could say it was served on everyone on the dark web when it became part of the dark web (sort of like the Borg in Star Trek: serve it on one and you serve the whole hive / collective).

That said, the unintended (or maybe intended) impact of the injunction was to prevent the very clients of HWL Ebsworth (and the people they were suing etc), being those whose data was hacked, from searching the dark web to see what data was actually stolen. Well done, bit of an own goal, but it probably really slowed down those class actions.

I do like the comment by a spokesperson from HWL Ebsworth in the IT news article below about how hard they found the process of working out what was stolen and telling their clients due to the "volume and unstructured nature of the data". Begs the question of how they might run litigation discovery.

https://www.itnews.com.au/news/644-ndis-users-not-told-which-medical-records-leaked-seven-months-after-hwl-ebsworth-hack-604150

At least the Australian Government has now sanctioned the Russian Medibank hacker Aleksandr Ermakov, who apparently will not be able to visit Australia, the so-called Lucky Country, to holiday and spend whatever ill-gotten gains he received. I'm sure there are other nicer, closer but somewhat colder places in the world (like Russian-leaning allies China, Belarus, Kyrgyzstan, Iran, Cuba, Venezuela, Nicaragua, Syria, North Korea, Myanmar, Eritrea, Mali, Zimbabwe, Central African Republic, Afghanistan, Burkina Faso and Niger, but not Ukraine for obvious reasons) where they will welcome him with open arms for his bitcoin.

I'm not really convinced by the argument that it will really hurt his standing in the hacker world, given he goes by the online hacker names of GustaveDore, aiiis_ermak, blade_runner and JimJones, but what else is the Australian government to do? Look at what Russia has done for Edward Snowden, albeit I suspect Alexei Navalny would gladly have come (but alas is now dead), even if just for the scorching 40°C climate-change-induced heat we are getting compared to subzero temps in some god-forsaken penal colony near the Arctic Circle (which apparently is warming up anyway).

https://ia.acs.org.au/content/ia/article/2024/government-names--sanctions-medibank-hacker.html?ref=newsletter&deliveryName=DM20410

I can't recall reading if anyone in Medibank got a slap on the wrist, especially as they, apparently being an insurer hopefully somewhat familiar with risk management / treatment / transfer, did not feel the need to take out any cyber insurance cover, maybe knowing members like me would end up paying for it anyway, I guess. Maybe they are banned from going to Russia on holidays too. I do wonder what the directors' minutes might say about that "no, not for us, we know better" decision.

https://www.arnnet.com.au/article/1261851/no-cyber-insurance-as-medibank-breach-hits-four-million-customers.html

Anyway, I digress. I really wonder if the solution to this cyber data protection and password reuse problem is to make people get a licence, or at least some practical training (and no, not those usually banal canned American "thank you for sharing" videos that HR say you must (but can) watch at any time of day or night), to understand the real risks, what it means to use complex passwords only once, and what it is to own and operate a laptop / phone / tablet / cloud storage / USB / portable drive connected to the internet with more personal information and corporate data than you can throw a USB stick at, lest it gets hacked and suddenly someone else is pretending to be you from Moldova or Bulgaria.

And also the kiddies at school, who get new phones and dump the old ones without wiping the data (or maybe they got mummy's or daddy's old phone with all sorts of icky photos and data that the parents forgot about).

And the grandparents, most of whom can barely use the new TV remotes, let alone understand cyber security.

And maybe the pets, although there is some solace in this one, as it's claimed a monkey could, given a keyboard and an infinite amount of time, hit the keys randomly enough times to type the entire works of Shakespeare, sort of like some of my emails or hackers stuffing credentials or brute-forcing passwords. Maybe the solution is to give everyone a monkey to create complex passwords and it would cost peanuts. Or you could just use "arron431".

ps - some geek even found time to write a simulator to test the monkey theory. https://en.wikipedia.org/wiki/Infinite_monkey_theorem

Or we could make a song and video (and game) along the same lines as the Victorian Metro Trains ad back in 2012, but call it "Dumb Ways To Get Hacked", and get some unhacked corporate sponsors (if there are any left and willing to put their hand up) https://www.dumbwaystodie.com/psa

Or maybe just hope and pray there is an internet outage just as the hackers start to download all your data, but remember, as some wiser people have said, "Hope is not a strategy. Luck is not a factor. Fear is not an option." Although the jury is still out on the fear one, given it's called the dark web after all.



Andrew Licence

Board Facilitator | Coach | Growth & Turnaround | Change | Consultant

10 months

Must have been the onboarding with DEC, when I joined the business unit I was supposed to start with had moved and I sat on an empty floor for two months.


More channeling Dr Strangelove in my spare time given Trump is going to be elected again

Debbie Hill

Outcome driven Director, Category, Contracts and Procurement Manager

10 months

I love your intelligence and humour Mark. I am glad to see that you have not joined the Borg collective and been assimilated. May the force be with you always. :-) P.S. Yes, I know I have mixed up my sci-fi, deliberately.
