You may recall news reports in early June 2023, regarding the hack of the MOVEit file transfer software by a ransomware extortion group based in Russia, known as “Cl0p” but more commonly referred to as “Clop”. Keeping in mind that the vast majority of ransomware instances are not publicly reported, in order to avoid both embarrassment of the victims and attention for the perpetrators, this one was disclosed for a number of reasons. For one, it was widespread, affecting a diverse group of victims that included the U.S. Department of Energy and other federal agencies, Johns Hopkins University and the Johns Hopkins Health System, the University System of Georgia, CalPERS (the California Public Employees’ Retirement System), the Province of Nova Scotia, Shell Oil, British Airways, the BBC, and the state motor vehicle departments in Oregon and Louisiana. A second reason was that Clop publicized the victims of its exploit on the dark web. Whether or not you had ever previously heard of MOVEit, software that is widely used by companies and organizations around the world to share sensitive data, you may very well have used similar file transfer products such as WeTransfer and Dropbox.

In the MOVEit instance, the hackers exploited a previously unknown vulnerability in the software, gaining access to users’ files before the software could be patched. This is what is referred to as a zero-day exploit, when software engineers have “0” days to patch a vulnerability prior to its exploitation. What made this extortion a bit atypical was the fact that the perpetrators did not follow the usual pattern of locking down victims’ computers until a ransom was paid, but instead threatening to release sensitive data that had been accessed unless their ransom was paid, as always, in the form of Bitcoin or another cryptocurrency. According to the latest information published by Palo Alto Networks, which monitors ransomware payment trends, the average ransom demand rose to $2.2 million in 2021, with the average payment rising to $541,010.

The Value of Your Personal Data

Ransoms are one thing, but the stolen data may be even more profitable when sold on the dark web. Let’s very conservatively presume that a hack discloses the private data of 5 million users. According to Privacy Affairs, an organization that monitors and compiles lists of prices for personal information when sold online, the following are just a few examples of the going prices for everything from social media logins to credit card accounts.

• Credit card details, account balance up to $5,000: $110
• Credit card details, account balance up to $1,000: $70
• Stolen online banking logins, with a minimum balance of $2000 on account: $60
• Stolen online banking logins, with a minimum balance of $100 on account: $40
• Cloned Visa, MasterCard or American Express account with PIN: $20
• USA hacked credit card details with CVV: $15
• 50 Hacked PayPal account logins: $120
• Hacked Gmail account: $60
• Hacked Facebook or Instagram account: $25
• Hacked Twitter account: $20
• US eBay account: $20
• Netflix account, 1-year subscription: $20
• Hacked Spotify account: $10
• 10 million USA email addresses: $120

Clearly, these international thieves are playing a numbers game. Although the hackers in the MOVEit incident exploited a software vulnerability, the majority of breaches occur as the result of human error. Most typically, those errors involve unwarily responding to a phishing scam, carelessly clicking on a link, or using the same (usually weak) password on multiple sites. Many phishing scams appear legitimate because they utilize data from earlier corporate hacks. For example, if an email service provider has been hacked, its subscriber list will have been compromised, leading to subscribers receiving suspicious emails. Because nobody wants their email service to be disrupted, many people will quickly comply with a request to divulge further personal information.

One of my clients recently received an email, indicating that his email account had been compromised, requiring him to click on a link to confirm his username and password. He did so, without a second thought, then had his email account disabled two days later because it was being used to send out massive amounts of spam, effectively turning his computer into a zombie device. When his password was reset and his account access restored, he received another email, no doubt from the same perpetrators who had lost access to his account, asking him to click on a highly suspicious link in order to “cancel the requested deactivation” of his account. Clearly, they were hoping that lightning would strike the same victim twice. Now you can see why a single hacked Gmail account sells for $60 on the dark web!

Take Precautionary Measures

I have said it before, and let me say it again, that we all need to be highly vigilant before clicking on links in an unsolicited email. If that email contains spelling mistakes or grammatical errors, you can be assured that it did not originate from the company whose graphics have been “borrowed” in order to enhance credibility. Hover over any links, and you will see how they go to some highly suspicious URLs. In addition, take the time to set up and utilize multi-factor authentication on every online account that involves either payments or passwords. Then be sure that you always use a secure and unique password for each site. Many of us tend to “recycle” our passwords, a truly lazy habit. In those instances, a hacked password on one account could lead to hacked access to multiple accounts, falling victim to what is referred to as a “stuffing” attack.

If you would like to learn more about the very serious nature of these online threats, I highly recommend a reading of “This Is How They Tell Me the World Ends: The Cyberweapons Arms Race” by Nicole Perlroth, a cybersecurity journalist for The New York Times and an advisor to the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA). This is a difficult book to put down (so you may want the audio book version), and it will keep you awake at night.

Passwords have come a long way since the days of Prohibition, when a knock on the door of a speakeasy required the necessary password for entry and the consumption of illegal liquor. Today, we use passwords and personal identification numbers for just about everything online, in an effort to protect the privacy of our personal information.

Identity theft has grown rampant, proliferating at a time when almost every personal or business transaction passes through one or more computer network. According to the Federal Trade Commission’s latest annual report (covering the 2015 calendar year, with the 2016 report due out in February 2017), there were 480,000 identity theft complaints filed during that time period. Of these, 45% involved tax- or wage-related fraud, 16% involved credit card fraud, 10% involved phone or utilities fraud, 6% involved bank fraud, and 4% involved loan fraud.

One recent report surmised that 15 million Americans have become the victims of identity theft in 2016. That means that 7% of all adults have been victimized in this year alone, with an approximate per-instance loss of $3,500.00. On average, these people spend an additional $500.00 and 30 hours of time trying to recover their identities and make their private information less vulnerable.

Start with Your E-Mail Passwords

My company provides e-mail hosting services through Google and Rackspace for our website hosting clients, and it is rare for a few days to pass without being contacted by a client who has purchased a new computer or mobile device but has misplaced an e-mail account password. For obvious reasons, we do not store those passwords, and we strongly advise our clients to keep records of their passwords in a secure location. Our only option is to assist with changing the lost password, which will then require that passwords be updated on any other actively used devices.

When setting up those e-mail accounts (or updating a password), clients are often annoyed that we will not agree to use a weak password like 123456, abc123, password, passw0rd, qwerty, steelers, yankees, football, baseball, camaro or firebird. (Yes, those are actual passwords that consistently show up on compiled lists of weak passwords.) In fact, Google’s Gmail will not allow an admin to use a password that is made up of fewer than 8 characters (although there are no further password security requirements beyond this minimum length.)

Some people make an attempt at generating a secure password that they can still remember. For example, they might concoct “AIwfCim2ft” from “All I want for Christmas is my 2 front teeth.” The rule of thumb is to use something that is both easy to remember and difficult to guess. This is definitely a step in the right direction, but something totally random that also uses special characters and spaces would be even better, although far less memorable.

Secure passwords will provide a layer of protection against some bad character obtaining your password and hacking into one of your accounts, but they are of far less value in protecting your identity should your account be one of thousands (or millions) compromised in a major data breach.

Hacks Happen

You do not need to be Sony Pictures getting under the skin of Kim Jong Un. Big companies are routinely targeted by hackers from around the globe, putting the security of their subscribers at risk when a breach occurs. In general, big businesses take extraordinary measures to attempt to maintain the utmost security standards, but it is an ongoing game of cat and mouse. For example, Facebook alone has paid out over $5 million to date in its not-highly-publicized Bug Bounty program, where it pays independent “white hat” hackers to identify and repair security vulnerabilities.

That is an example of what one big online business is doing; however your own personal security is to a great degree your own responsibility. You will want to check (and often disable) routinely loose security settings when you buy a new computer or mobile device or when you upgrade one of those to a new operating system. Keep in mind that settings that benefit convenience and ease of use are very often directly at odds with the safeguarding of your personal security.

There are many ways that passwords can be hacked online. The most common technique is the use of dictionary attacks, where commonly used words are highly vulnerable and easily uncovered. Another technique consists of using the brute force of computing power and sophisticated software to run through every possible combination of characters. The more bits of data involved (directly proportional to the number and random nature of characters), the longer it will take to hack a password. Complex character combinations and the use of encryption slow down, but will not prevent, the disclosure of a password to a determined intruder.

There are actually times when a company or individual needs to recover a lost password, and there are other instances where law enforcement needs to crack a password in order to uncover criminal activity. We are all familiar with the FBI vs. Apple Computer encryption debate, involving a cell phone owned one of the shooters in the December 2015 San Bernardino, California terrorist attack. Whether used for good or bad, there are dozens of free, open-source brute force hacking tools that can be easily found and downloaded online. Their existence and ease of access should provide a wake-up call to any computer or mobile device user.

Just in case you think that one of your own passwords is “secure enough”, enter it into this online tool for what will probably be a rude awakening:
https://howsecureismypassword.net/

Minimum Standards

The minimum standards for password security that are generally considered acceptable today involve the use of at least 12 (preferably 16) entirely random characters (a mix of upper and lower case letters, numbers, spaces and special characters), never including a dictionary word or a repeated sequence, and with no password used in more than one application.

There are several online tools that will assist you in generating secure random passwords. Using one of these tool, I just generated a random 16-character password that I then entered into the secure password test site (shown above.) According to that site, the password that I entered would take 41 trillion years to crack. Here are two such password generator tools. Give one of them a try:
Password Generator
https://passwords-generator.org/
Bitwarden Password Generator
https://bitwarden.com/password-generator/

Storing Passwords

The best advice for keeping track of your cryptic passwords is to always maintain a written paper record in a very secure location. To simplify your life, you can also use one of several password managers that will allow you to encrypt and store all of your passwords in one secure location. You will only have to remember one password to access your files. (If you have been following along and learning from what I have written, that password will meet the standards that I have outlined above.)

The following are some of the best free password managers. They all work across multiple devices. Compare their features and choose one:

LastPass • Dashlane • KeePass

Bear in mind that even these password managers are vulnerable to hackers; however, in one documented security breach, only users with weak passwords were impacted. We are over a month into a New Year. Resolve to at least take a step in a positive direction when it comes to your online security.

If you follow the news, you are aware of massive security breaches that have taken place at major retailers in recent months. And then there is the Sony Pictures nightmare that has been in the news this week. You are probably also aware that your own personal identity is at risk in so many ways. Short of withdrawing from society and moving into a cave or feasting off coconuts on your own private island, it is probably a good idea to take some reasonable precautions to help to prevent hackers from cloning your personal identity or making you a victim of cyber-crime. Here are a few precautions that will help you to survive in this threatening environment.

1. Always choose a strong password. It should never be a common word or an easily recognized string of numbers like your phone number or birthday. Use a randomly generated string of at least 8 characters that include a combination of upper and lower case letters, numbers, and special characters such as ^, #, _ and $. Use a unique password for every account, avoiding the tendency to use a common password. My rule is that, if the password involves a secure account that allows online transactions, give it an extremely strong, unique password. If the account involves online banking, stock trading, or tax filing, make your password ridiculously secure.
2. If an account (such as your online banking) uses security questions, choose the most bulletproof options available, not questions with answers that are commonly known. You want to go with things like your maternal grandmother’s middle name, not the name of the city where you were born.
3. Steer clear of unsolicited e-mails and unknown websites. Never download a file from an unfamiliar site, and do NOT open attachments, click on links, or unsubscribe from unsolicited e-mails. Any of those actions can lead to the installation of spyware, malware, botnets or viruses on your computer.
4. Look for secure sites and the https protocol. Be sure that the URL begins with https before EVER entering your credit card number for payment.
5. Keep your computer and mobile devices clean by promptly installing updates for your hardware, operating system, software and Web browsers. To run old versions of any of these represents a high level of risk. If you are running a Windows computer, there will usually be daily updates, and a major pack of security updates is issued the second Tuesday of every month, commonly known as “Patch Tuesday”. These updates are essential to your online security.
6. If your business conducts e-commerce or accepts online payments, you have additional responsibilities that could impact your customers. For example, an Internet security issue commonly referred to as POODLE was identified in October. If your Web server was running SSL V3 (an outdated version), visitors using Internet Explorer 6 (an outdated browser) were vulnerable to allowing hackers to gain access to their otherwise presumably secure connection.
7. Be sure that your office meets PCI (payment card industry) compliance standards. Never keep records of your customers’ credit card numbers. If you ever have to write down a customer’s credit card information – for example, if you are provided with that information over the phone – do not leave your desk before that information has been completely destroyed in a cross-cut paper shredder.
8. How do you recycle or dispose of old computers? If you simply give them away or pay a disposal or recycling fee at your local landfill, where does your computer go? What kind of data are you leaving behind on its hard drive … for somebody to later recover? Before you ever part with a computer, it is essential that you first totally wipe all content from its hard drive(s). You cannot simply delete files or format the drive and then think that your data is gone. It is essential that you use a disk wiping or data shredding application that supports the latest Department of Defense standards. Even then, you would be amazed at how much data will still remain recoverable, if you were a criminal and your computer was being used by law enforcement to gather evidence. In your case, you want to protect your personal data from a hacker, who could be across town or scavenging a cyber-landfill across the globe. Some of the best software to use includes Disk Wipe, Darik’s Boot and Nuke, and Hard Drive Eraser … all free downloads that can be easily found online.
9. What did you do with that old broken office copier? Did you realize that nearly every digital copier, fax, or multi-purpose office machine built since 2002 contains a hard drive? Like most people, you have probably made copies of your tax returns, credit applications, and other documents that contain your social security number and other highly personal information. A CBS News investigative report from back in 2010 exposed this vulnerability and how easy it was for anybody to purchase a used copier and then have full access to the contents of its hard drive. In the report, used copiers were purchased at bargain prices from a warehouse in New Jersey (one of 25 throughout the country), some of which contained classified law enforcement and private health records. The lesson learned was that, if your office has an MFP (multi-function peripheral) device that is at its end-of-life, take measures to ensure that its hard drive is destroyed.
10. Finally, every computer in your office and every mobile device that you own should be running the latest version of a robust anti-virus software package that will be continually updated, typically several times per day. Sadly, the most common anti-virus products that come pre-installed on many computers or sold over the counter at office supply and computer stores are highly ineffective. I use (and highly recommend) Avast, a full-featured security suite for Windows computers, Macs, and the full range of mobile devices. It is available as a free download, with free updates (although, if you are not careful, you might click on a link for a paid upgrade that you do not need.)

If you know anybody who has ever been the victim of cyber-crime or identity theft, you know how important security measures such as these can be. If you were unfamiliar with one or two of these ten security tips – and implement the recommended precautions – you will be on your way to enhancing both your personal security and that of your business.