By: Larry Lozuk | @loggerhead12
Due to the nature of my job, I have high levels of access to mission-critical systems. To protect data and satisfy my own unreasonable level of paranoia, I take every precaution and use every possible trick and trap to stop the bad guys. I take security very seriously, so when I woke to an email from Microsoft that said the PIN to my account had been changed it was a full-blown red alert.
The email was eight hours old, giving the hacker plenty of time to wreak havoc. Thankfully it was my personal account, so nothing at work was compromised. Still, that account was tied to enough devices and systems to make my personal life miserable. I had to act fast.
FIND THE ENTRY POINT
When something like this happens you always want to find the entry point – the weak spot the hacker used to get in. Sometimes you can’t find it, which leaves lingering doubts and increased suspicion about the account. Ignoring phishing scams and fake Java upgrades has become second nature, but keystroke loggers installed through infected websites are very slick and sophisticated. To stay protected, you must be cynical and skeptical, and that can seem like a full-time job.
One of the first things to do following a hack is regain control of the account. In this case, because it was just the PIN that was compromised, I was able to log in with the password and change the PIN to something new. If your password was changed, it can be a bit more complicated. We’ve all seen red-faced public figures scrambling to get back into their Facebook or Twitter accounts while embarrassing posts and tweets are being made in their names.
You might be able to go through the forgotten password procedure, but a good hacker can redirect those requests and even set up multi-factor authentication on another phone line. If that’s the case, you’re stuck trying to contact the provider, many of which seem determined to avoid any interaction with us end-users.
THE BACK DOOR
The next step is to look for any back doors left behind by the hacker. The really bad ones will change the alternate email addresses and backup phone numbers on the account, which can then be used to reset the password again and again. Nothing is worse than thinking you have the issue resolved, only to find out you’ve been hacked again because the hacker opened another big security hole.
Next, check the security questions to make sure they haven’t been changed. It’s always a good idea to provide nonsense answers to these questions to make it virtually impossible for someone to guess them. After all, your dog’s name or the street you grew up on aren’t all that difficult for a determined bad guy to find out.
If you use a password manager like 1Password or LastPass, you can use it to create strong answers and store them in the notes section. For my situation, it was obvious that these security questions had been set up a long time ago because the answers actually made sense. Yes – Travis McGee was my favorite fictional character.
MY OWN FLESH AND BLOOD
Then I had a chilling flashback to a couple of nights before. My son, sitting on the couch, ostensibly doing an English assignment, had asked me who my favorite fictional character was. Hacked by my own flesh and blood – how embarrassing!
Apparently, the new 90-minute daily time limit I had set on the Xbox wasn’t as popular as I expected. My Microsoft account controls the Xbox. The answer to the security question led to the PIN change, which allowed access to the “Family” section where the timer was set. Only the notice from Microsoft foiled the plan.
I fell for the most common form of credential theft: social engineering. I should have been more aware of what my son was asking, but familiarity makes us comfortable and complacent. Instead, I gave him the answer without a second thought, which is exactly what a social engineer counts on. They will enter your world, try to make you comfortable, develop your trust, then exploit what you give them.
I was hacked. Thankfully, there was no long-term damage or exposure. You can make it a lot harder than I did by staying aware, seeing the big picture, and following these tips:
- Be leery of seemingly innocent questions
- Use a password manager
- Select different strong passwords on every account
- Create strong answers to security questions
- Don’t click on any upgrades or installs that you aren’t familiar with
- Lock your computer at work and at home when you’re not in front of it
A moment of carelessness can expose personal and work information that we would all rather keep private. Be careful out there!