Federal Report on Russian Hacking and Lessons to Learn!

Last week the Federal Bureau of Investigation [FBI] and the U.S. Department of Homeland Security [DHS] released a joint report on "Russian Malicious Cyber Activity". This report is meant to show the evidence of the 2015/2016 email hacks of the Democratic party which were then released via the WikiLeaks website.

It's only 13 pages - go read the report!

Many people are pointing to this report to illustrate the fact that there is no smoking gun as promised. One such post can be found here. I'm going to do something a little out of character though and not go into the political "who did it" issue; you can read the report and decide for yourself whether it provides the evidence that was promised.

See, I really couldn't care less who actually perpetrated the breach; in the end all they did was air the dirty laundry. I tend to live by the idea that if you put it online, expect that anyone can see it. This is why I tend not to be anonymous when it comes to my online conversations. Almost all of my user accounts are some form of my name, and if I say it online I'll own it. If I'm worried about it getting out, I don't say it online. It's an old and very proven method.

Realize that if you look carefully, no one is saying the information is false; no one is denying that these emails were sent or claiming that their content is somehow faked. They are simply yelling about how they were obtained. Sure, if it were a court of law you might not get them in as evidence under that kind of argument (I'm no lawyer, but I watch a lot of Law & Order LOL), but this is no court of law.

So why am I writing this then?

Well, when I read the report, what I found most interesting was really the low level of sophistication used in the breaches. This is the reason I would like people to read the report and understand just how this is done.

According to the report, the main method used in the breaches was targeted spearphishing. Basically, this involves sending a select group of people an email that looks official and then getting them either to click a link to a domain that looks official but actually downloads malware onto their machine, or to "reset" user credentials such as their login by following a link to a site the attackers control.

This is an important method to understand because it's not just used to attack Democrats; it's a widely used, widely effective method for breaching accounts and also for stealing personal information for things like identity fraud.

This is one of the simplest and easiest ways for someone to breach your account, and there are some very, very simple ways to avoid being a victim.

Don't be a victim!

The first way to avoid being the victim of these emails is one of the simplest: never click the link inside the email. Just don't do it! See, simple, right? Even in the case where you think the email maybe kind of sort of is possibly almost assuredly legitimate, don't do it. Instead, go to the main domain for the specified account in your own browser and log in that way. It will take you to the same place, and you know for a fact that you are on the right website.

In the end that is literally a catch-all: if you simply do that, you will be safe from the phishing emails.

Of course you can go a little further to be completely sure you did the right thing in not clicking that link. The easiest way is to look at the email address of the sender. By default most email clients only show the display name that comes through with an email address, and the sender can make that name anything they want. This means if you just look at the name it could say "PayPal Account Services" while the address it's actually from is "wantstostealyourmoney@moron.com". This is commonly exploited, and the reason they still use this method is that it works.

Again though, if you never click on that link, it won't work for them.
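To make the two checks above concrete (the display name versus the real sender address, and where a link actually goes versus what its text claims), here is an added Python example; it is not from the report or from this post. It uses only the standard library and runs over two constructed sample messages, so the addresses, domains and message bodies are made-up illustrations and the brand name passed in is an assumption for the demo.

```python
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (not a real message): the display name claims a brand,
# the real address is on an unrelated domain, and the link text names a
# domain that the href does not actually go to.
PHISHING_EMAIL = """\
From: "PayPal Account Services" <wantstostealyourmoney@moron.com>
To: victim@example.org
Subject: Action required: confirm your account
Content-Type: text/html; charset="utf-8"

<html><body>
<p>We noticed unusual activity. Please
<a href="http://paypal-secure-login.example.net/reset">log in to paypal.com</a>
to reset your password.</p>
</body></html>
"""

# Constructed comparison message on the brand's own domain.
LEGIT_EMAIL = """\
From: "PayPal" <service@paypal.com>
To: victim@example.org
Subject: Your monthly statement
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your statement is ready at <a href="https://www.paypal.com/myaccount">www.paypal.com</a>.</p>
</body></html>
"""

# Anything that looks like a hostname inside visible link text.
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


class LinkCollector(HTMLParser):
    """Collect (href, visible anchor text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def same_site(a, b):
    """True if one host equals the other or is a subdomain of it."""
    a, b = a.lower(), b.lower()
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def sender_parts(raw):
    """Return (display name, address, domain) from the From header."""
    msg = email.message_from_string(raw, policy=policy.default)
    addresses = msg["From"].addresses if msg["From"] else ()
    if not addresses:
        return "", "", ""
    addr = addresses[0]
    return addr.display_name, addr.addr_spec, addr.domain.lower()


def display_name_mismatch(raw, brand, brand_domain):
    """True if the display name claims `brand` but the address is not on `brand_domain`."""
    name, _, domain = sender_parts(raw)
    return brand.lower() in name.lower() and not same_site(domain, brand_domain)


def link_mismatches(raw):
    """Return (href host, domain named in link text) pairs where the two disagree."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return []
    collector = LinkCollector()
    collector.feed(body.get_content())
    found = []
    for href, text in collector.links:
        host = urlparse(href).hostname
        if not host:
            continue  # mailto:, relative links and the like have no host to compare
        for named in DOMAIN_RE.findall(text):
            if not same_site(host, named):
                found.append((host.lower(), named.lower()))
    return found


if __name__ == "__main__":
    for label, raw in (("phishing", PHISHING_EMAIL), ("legit", LEGIT_EMAIL)):
        print(label, sender_parts(raw),
              display_name_mismatch(raw, "PayPal", "paypal.com"), link_mismatches(raw))
```

Run it and the first message reports a display name that claims PayPal while the address sits on `moron.com`, plus a link whose text says `paypal.com` but whose host is the lookalike `paypal-secure-login.example.net`; the second message reports nothing. This is exactly what a mail client hides when it shows only the display name and the link text, and it is why the post's advice to type the site's address into your own browser works regardless of how convincing the email looks.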

The report goes further into other security methods like application whitelisting, input validation, and privilege restrictions, to name a few. These are all great and proven mitigation strategies, but really the average person has no idea what any of this is. There are loopholes around everything, exploits to take advantage of, and system limits to attack. This has been, and will continue to be, the basis of how hackers work.

Consider your password practices

Another thing that is exploited is shared passwords. Many people use the same password for every site because it's easier to remember. This is a horrible idea. While the report details what administrators should do in terms of an email policy, it's worth noting again that the user plays a heavy role here too. You can help protect yourself.

Also, don't use security questions in the way they are "intended". They want you to give an answer from your past; the problem is your past is easy to find. It's often in public records where you were married or born. If you post your high school on social media, it's very easy to find out your mascot. Also, it's not very hard to get a person to open up about their first pet or their first car.

It's why I thought this was a great part in the movie Now You See Me:

So the simple list is this:

  • Don't click on links in emails; instead, open your browser and navigate to the main site.

  • Check that it's coming from a valid email address before assuming it's coming from the right person.

  • Never use the same password for all of your sites; it's the easiest way to be compromised.

  • Even email passwords should be protected: if a person gets into your email, they can reset your other passwords, so it doesn't matter how secure those are.

  • Use security questions that would not come up in general conversation; it can even be good to use false answers.

I mean, unless you want people to take over your accounts, expose your secrets, and steal your identity. It's really up to you :)