Just after noon on April 23, the Associated Press put out a tweet: “Breaking: Two Explosions in the White House and Barack Obama is injured,” causing the Dow to plummet 150 points and traders to panic. AP quickly notified its followers that its Twitter feed had been hacked. The Syrian Electronic Army claimed responsibility; it has claimed previous breaches of other media outlets including Reuters, CBS and the BBC.
The attack seems to have happened like most others, starting with a phishing attack against employees. These attacks are becoming more convincingly disguised. They used to come in the form of get-rich-quick schemes, travel deals and coupons. They now come in the form of emails from colleagues, your boss, friends, customers and partners. These hackers used to prey on the “clicker in the crowd,” but with cleverly disguised phishing attempts, everyone is a target. Who wouldn’t open an email from a colleague?
The AP Twitter hack is still under investigation, but what is plainly clear is which people and groups are being targeted. We know that the Syrian Electronic Army favors attacking U.S. media outlets. We also suspect the Chinese government of hacking the New York Times and the Wall Street Journal, among others. The bottom line is that anyone who has influence is a target. The Associated Press has 1.9 million followers… the bigger the voice, the bigger the target. Justin Bieber has over 38 million (ARE YOU LISTENING JUSTIN?!?!). If you are an actor, musician, athlete or politician, expect to be targeted.
But it’s not just people in the public eye, it’s anyone with access. In the AP case, it was access to the corporate Twitter account. More commonly, it’s access to corporate financial information, the company VPN, banking or healthcare records. Obviously, it’s important to protect your network, and most businesses do a fair job at that, so the hackers go for the weakest link… the employees (on their desktop or mobile devices).
Two Factor Authentication
We all know these problems exist, but what we don’t realize is that there are simple solutions that address not all, but a wide majority of these instances. The most obvious one being discussed is two factor authentication. Many people think of two factor authentication as the use of tokens. Using tokens is not always practical because it is expensive and can be easily bypassed with a man-in-the-middle attack. Research also shows that a popular RSA token can be cracked in as little as 13 minutes.
It’s important that businesses implementing two factor authentication use two totally separate channels to send information. Separating the username from the password and sending them over two separate channels is more secure, cost-effective and easier to deploy and manage. There’s even a name for it: Out-of-Band Authentication (OOBA). In an Out-of-Band deployment, the channels can be split by using something everyone already carries, like a mobile device as a second factor.
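The out-of-band flow described above, sketched as an added example (not code from the original article or from any vendor product): a one-time code stands in for the secret sent over the second channel, and the class name, the `send` callback, the timeout and the attempt limit are all assumptions.

```python
import hmac
import secrets
import time

CODE_TTL = 120      # seconds a challenge stays valid (assumed policy)
MAX_ATTEMPTS = 3    # wrong guesses allowed before the challenge is discarded

class OobChallenges:
    """Pending out-of-band challenges, keyed by the primary-channel session."""
    def __init__(self, send, clock=time.time):
        self._send = send      # callable(user, code): delivery on the second channel
        self._clock = clock
        self._pending = {}     # session_id -> [user, code, expires_at, attempts_left]

    def start(self, session_id, user):
        """Call once the first factor has been accepted on the primary channel."""
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[session_id] = [user, code, self._clock() + CODE_TTL, MAX_ATTEMPTS]
        self._send(user, code)  # the code never travels over the web session

    def verify(self, session_id, user, code):
        """True only for the right code, in the issuing session, in time, once."""
        entry = self._pending.get(session_id)
        if entry is None or entry[0] != user:
            return False
        if self._clock() > entry[2]:
            del self._pending[session_id]          # expired
            return False
        if hmac.compare_digest(code.encode(), entry[1].encode()):
            del self._pending[session_id]          # single use
            return True
        entry[3] -= 1
        if entry[3] <= 0:
            del self._pending[session_id]          # guessing budget spent
        return False

def demo():
    """Constructed walk-through: the outbox list stands in for the phone."""
    outbox, now = [], [1000.0]
    oob = OobChallenges(lambda u, c: outbox.append((u, c)), clock=lambda: now[0])
    oob.start("sess-A", "alice")
    code = outbox[-1][1]
    results = {"other_session": oob.verify("sess-B", "alice", code),
               "correct": oob.verify("sess-A", "alice", code),
               "replay": oob.verify("sess-A", "alice", code)}
    oob.start("sess-A", "alice")
    now[0] += CODE_TTL + 1
    results["expired"] = oob.verify("sess-A", "alice", outbox[-1][1])
    return results
```

Binding the code to the session that requested it is what makes a code captured or replayed elsewhere useless; the expiry and attempt limit bound how long a six-digit code can be guessed at.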
Two factor authentication is vitally important, but not always enough on its own. The most common form of attack is the use of keylogging malware. These keyloggers will track every keystroke you make and are usually planted on systems looking for specific information such as credit card information or login credentials (to a VPN, social media, banking sites, etc.). They capture your information before it gets to the security of an SSL website, secure browser, instant messenger, email program or just about any application. To be completely protected, businesses need to use keystroke encryption. This encrypts every keystroke as you make it, keeping the data from the prying eyes of keyloggers.
The Truth About Anti-Virus
Everyone uses some form of anti-virus software to protect their computer, and it may protect your desktop from known viruses. These programs, however, do a poor job of preventing malware in general, and an even worse job of preventing keyloggers. They all claim to prevent keyloggers, but any sophisticated hack will generally use newly written keyloggers or polymorphic keyloggers that change their signatures (making them virtually impossible to detect). It still makes sense to keep the known malware off your system, but using anti-virus as your sole desktop defense is just plain foolish.
The bottom line is that if businesses provide employees with two factor out-of-band authentication and keystroke encryption in addition to anti-virus software, they will be safe from more than 90% of the attacks that happen daily. The costs of doing this are negligible. The cost of recovering from a hack could bring a business of any size to its knees.