The “New Normal” (I’m sure I’ll get sick of that phrase soon) is already kicking in due to novel coronavirus, and we are seeing a number of changes in the world. One such change is a new, acute awareness of cyber security. Yes, we’ve all been aware of hacks and issues, but it’s never really affected a large swathe of people; it’s just been stories in the media (and often, the tech media as opposed to the mainstream). It would seem that in the wake of Zoom’s security scrutiny, folks have been directly affected and suddenly are paying attention to what many experts have been preaching for a number of years. This is an absolutely amazing development out of all of this, as we cannot afford to plead ignorance anymore when it comes to our own cybersecurity. Much like you would not leave your doors unlocked in a bad neighbourhood, you need to keep the keys to your digital kingdom safe.
On a side note for professionals in the security field: this development seems to have made a number of experts adopt an “I told you so!” attitude, instead of that of helping people understand. This is a fault of a very technical and highly specialised industry, and I can understand the frustration of people “getting it” only now. We as professionals have a responsibility to bring people up to speed. It’s easy to throw shade when we’ve been studying this for years.
What is a “Hack”?
First, let’s define a hack, and hackers. In this day and age, a ‘hack’ can be seen as a malicious break-in into a protected computer system or service, and a hacker is the person who perpetrates this. This differs greatly from its original meaning, mostly due to media coverage portraying hackers as a negative force. For a little history lesson, decades back there was a differentiation between ‘hackers’ (the good guys) and ‘crackers’ (the malicious guys): ‘hackers’ were those who legitimately worked in the programming industry, and ‘crackers’ were those who acted maliciously. Nowadays, these are differentiated as ‘white-hat’ (or ethical) hackers, ‘grey-hat’ (in between), and ‘black-hat’ (malicious) actors.
Your cloned Facebook account is not a hack
One of the false claims I see very often is “my Facebook account has been hacked! If you see any friend requests from me, it’s not me!”. This is not a hack, this is a clone. While it is an attack of sorts, it’s a social engineering attack to pose as you, using information that’s freely available about you (your profile information, publicly available Facebook profile photos, and some other details) to create a new profile mirroring your legitimate one. Think of it this way: your own Facebook account has not been compromised, therefore no hacking has taken place on your account. If someone had completely taken over your own legitimate account, that could be seen as a hack, as your account has been compromised.
If it bleeds, it leads
As with any news, ‘Fake News’ abounds. There seems to be a view that political news falls into this category and we should be careful, but tech news surely wouldn’t be subject to this kind of irresponsible journalism. That’s not the case: tech news can be just as bad, especially with anyone being able to blog on a subject. It’s also not just false information, but news where the truth is bent or obscured to imply fault where it’s not due. The numerous articles out there about Zoom are prime examples. In a number of articles you would see that “Zoom was hacked! 500k accounts for sale on the dark web!”. This is a falsehood. Let’s go back to our definition of a hack from earlier – it’s a malicious break-in into a protected service. Zoom was not broken into, therefore Zoom was not hacked. This particular instance was due to something called ‘credential stuffing’, which we’ll get to after the jump.
You see, news is news, and the more sensationalist, the more clicks. FUD (Fear, Uncertainty and Doubt) is a powerful tool, and claiming that a company was hacked gets people into a froth about it, particularly if it’s a service they may be using. Hitting the share button is dead easy, but can be incredibly damaging. In almost any security vulnerability that’s exposed, there will be a legitimate report carried out by a legitimate security researcher or research firm. In the case of Zoom, a number of the sensational headlines were from issues exposed in a single report that offered quite a balanced view. These are more often than not linked to by responsible journalists, and if they’re not, I’d start looking up additional articles to confirm whether the article is sensational or legitimate – before hitting that share button.
Please folks, dig deeper. Find source articles before hitting the share button. Much like I’d hope you do before posting political commentary.
This is what Zoom suffered (indirectly) with headlines stating that they’d been hacked and 500,000+ accounts were available on the dark web. Let me reiterate that Zoom itself was not hacked – and if we read the report by Bleeping Computer, it is abundantly clear that they show the original source of the information (a reputable research agency, Cyble) and that the article has been updated. These credentials were taken in a credential stuffing attack.
Credential stuffing at a basic level is where an attacker has a list of email addresses and passwords from a past breach, that they wish to try on other services. In essence, every one of these Zoom accounts that are for sale has been compromised before while under the control of another company. The problem with credential stuffing is that people use the same passwords for EVERYTHING. One of the poorest security practices out there. Say you have three services that you subscribe to (this is a fictional take here, just to be clear):
- Zoom
- Gmail
- Evernote
- Beatrice’s Tea Cosy Emporium
Now, Zoom, Gmail, and Evernote have got entire security teams working to ensure their services are locked down. Beatrice (96), bless her heart, does not have an IT team and her security consultant is her grandson in the 9th grade. Beatrice’s database, containing email addresses and passwords, is stolen by black-hat hackers and sold on the dark web (think of the dark web as equivalent to the black market). Anyone who purchases Beatrice’s database then goes to all the most popular services out there and tries the same email address and password combinations to log in. If they are successful, that username and password combination goes onto a new list for sale – one for Zoom, or Gmail, or Evernote.
Note that none of those three companies were ever compromised by means of an active attack in this fictional example.
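From the service’s side, the replay described above looks like a single source trying a long list of different accounts once each, whereas a real user who mistypes keeps retrying the same account. The following is an added example (not code from the original post) of that detection logic run over a handful of constructed login-log lines; the log format, the IP addresses and the thresholds are all assumptions for the demonstration.

```python
from collections import defaultdict

# Constructed sample authentication log (not real data), one attempt per
# line: "<timestamp> <source_ip> <account> <OK|FAIL>".
SAMPLE_LOG = """\
2020-04-14T10:00:01 203.0.113.7 alice@example.com FAIL
2020-04-14T10:00:02 203.0.113.7 bob@example.com FAIL
2020-04-14T10:00:02 203.0.113.7 carol@example.com OK
2020-04-14T10:00:03 203.0.113.7 dave@example.com FAIL
2020-04-14T10:00:03 203.0.113.7 erin@example.com FAIL
2020-04-14T10:00:04 203.0.113.7 frank@example.com OK
2020-04-14T10:01:00 198.51.100.9 heidi@example.com FAIL
2020-04-14T10:01:05 198.51.100.9 heidi@example.com FAIL
2020-04-14T10:01:20 198.51.100.9 heidi@example.com OK
"""

def parse_log(text):
    """Parse log lines into (timestamp, ip, account, success) tuples."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines instead of crashing on them
        ts, ip, account, result = parts
        events.append((ts, ip, account.lower(), result == "OK"))
    return events

def find_stuffing_sources(events, min_accounts=5, min_spread=0.8):
    """Flag source IPs whose attempts are spread over many distinct accounts,
    roughly one try each: the signature of a breached list being replayed.
    A real user who mistypes retries the same account, so their spread
    stays low and they are not flagged."""
    by_ip = defaultdict(lambda: {"attempts": 0, "accounts": set(), "hits": set()})
    for _ts, ip, account, ok in events:
        stats = by_ip[ip]
        stats["attempts"] += 1
        stats["accounts"].add(account)
        if ok:
            stats["hits"].add(account)
    flagged = {}
    for ip, stats in by_ip.items():
        spread = len(stats["accounts"]) / stats["attempts"]
        if len(stats["accounts"]) >= min_accounts and spread >= min_spread:
            # Successful logins from a stuffing source are the accounts whose
            # reused password is now known to work here: reset those first.
            flagged[ip] = {"attempts": stats["attempts"],
                           "accounts": len(stats["accounts"]),
                           "compromised": sorted(stats["hits"])}
    return flagged
```

The thresholds are deliberately simple; in production you would also window by time and combine with rate limiting, but the distinct-accounts-per-source signal is what separates a stuffing run from a forgetful user.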
I hope this shines a little more light on the complexities of Cyber Security without being overwhelming. We can no longer bury our heads in the sand when it comes to our own protection, it is up to all of us to educate ourselves and become more aware of how we conduct ourselves online – be it in learning about an issue, protecting ourselves from an issue, or in sharing articles about issues online that may not be factual to begin with.
Ross G Saunders Consulting is a niche data protection consultancy, working with a number of professional partners in order to help you as a business comply with data protection regulation. They help with business process, compliance, documentation and more, and can offer a full range of services to take the hassle out of data protection. Why not reach out to find out how they can help you gain a competitive advantage while simultaneously garnering support from your existing and potential customers.