The FBI has released their report on the Russian hacking of the Democratic National Party called “Grizzly Steppe“. Read the FBI report here. The report is long on blame, short on evidence, and includes a silly but authoritative-looking diagram. Reminiscent of Colin Powell’s U.N. presentation of Saddam Hussein’s WMDs, it is very short on details or evidence. What is clear is that the initial attacks and entry were through phishing attacks.
In a phishing attack, an email is crafted to appear to be from an authoritative source but is not. For instance, you might receive an email that appears to be from your bank or e-mail admin telling you to click here to change your password. The link leads to a replica site that looks like the bank or your e-mail, but is really a fake site meant to capture your credentials. The fake site may actually act as an intermediary and allow you to really change your password at the bank or mail service. But it captures the new and old passwords and gives them to the bad guys.
Our SpamDragon spam filter stops phishing emails by the dozens per day. Phishing emails are very common. So, everybody should have some clue how to recognize them. And that’s where this imbroglio with the DNC and Russian hacking is disingenuous. The current administration has placed all the blame on the Russian “hackers” who did this. And they may well be Russian. But here’s the thing: hacking and phishing are not the same thing.
Hacking is like burglary. The burglar finds a way to break into your locked house, pokes around and steals the jewelry you keep in your sock drawer. Phishing is more like this: Some guy shows up in a maintenance uniform, knocks on your door, and says he’s here to look at your air conditioner. That’s his bad. But then you let him in and tell him you’re going for a long walk and he can make himself at home. That’s on you then. Phishing is just giving it away. The DNC fell for a phishing attack. That’s just incompetent.
The FBI report shows few facts to back up its assertions. But it does have some good advice including regular backups, security scans, and training. Phishing is best resisted with common sense. So here are some security tips to which all of us should adhere:
- Don’t trust emails from banks or mail admins that include links to login or change your passwords. Type the URL into a web browser yourself so you know it is right. Look for the green symbol that indicates the site is validated and trusted before you type in credentials.
- Don’t open attachments that you didn’t expect. Regardless of whether the email purportedly came from your bank or your best friend, do not trust the attachment. In particular, zip files are untrustworthy, especially encrypted zip files that have the password included in the email. Why would anyone legit do that?
- Run a security scan from outside. If you’re in a medium sized or larger company, pay professionals to do it. If you’re a small company or a home user, you can use GRC’s scan as a beginning. Just click here: https://www.grc.com/x/ne.dll?bh0bkyd2
- Back up your data! But keep the backup safe. Use a very trusted cloud service with encryption, or put it on your own drives or USB sticks. But don’t lose those drives or sticks. Having many copies is safer for drive failures, but makes it easy to accidentally lose a copy that someone else may find and read.
- Patch the O/S and firmware. Keep your systems up to date and patched. Obviously, this includes Windows and Apple updates (Linux too). But your router has software that may allow bad guys to do bad things. Keep it up to date. Other devices like security cameras, printers, and the soon-to-be-a-problem “Internet of Things” (home automation, smart refrigerators, etc.) need to be behind a firewall and running the latest firmware.
- Change default passwords and use high security passwords. Change default user names where possible. All the script kiddies in the world are trying usernames like admin, administrator, supervisor, superuser, root, etc. Disable or change those usernames and make more unusual usernames.
- Turn off features and devices that aren’t needed. If you’re out of town, power off the TV. If you don’t have home automation or an Internet camera security system, turn off the router. It’s more secure, saves power, and extends the life of the device.
- Use an antivirus. Duh! But the latest malware will probably get by the antivirus anyway. That’s why the measures above are still important.
- Use an anti-spam service. It won’t block all phishing attacks, but it will reduce them and make it easier to resist… or will it? Sometimes I wonder if people would be more skeptical if they saw all the attempts instead of just what gets through the spam filter.
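As an added illustration of the first tip above (this is not code from the original post): a small Python check that pulls every link out of an HTML e-mail body and flags the ones whose visible text names one host while the link actually goes to another, the ones whose host merely contains a trusted name inside a longer look-alike host, and the ones that are not HTTPS. The sample message and the trusted-host set are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample HTML e-mail body (not from the page): the first link's text
# claims to be the bank, but its href points at a look-alike host; the second
# link is consistent and goes to the real site over HTTPS.
SAMPLE_HTML = """
<p>Dear customer, please <a href="http://examplebank.com.login-verify.test/reset">
https://www.examplebank.com/reset</a> to change your password.</p>
<p>Or visit <a href="https://www.examplebank.com/help">https://www.examplebank.com/help</a>.</p>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:          # only collect text inside an <a>
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased hostname of a URL, or '' when it has none."""
    return (urlparse(url).hostname or "").lower()


def suspicious_links(html, trusted_hosts):
    """Return (href, visible text, reason) for links that should not be clicked blindly."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = host_of(href)
        shown = host_of(text) if re.match(r"https?://", text) else ""
        if shown and shown != host:
            findings.append((href, text, f"text says {shown} but link goes to {host}"))
        elif host not in trusted_hosts and any(t in host for t in trusted_hosts):
            findings.append((href, text, f"{host} only contains a trusted name"))
        elif urlparse(href).scheme != "https":
            findings.append((href, text, "not HTTPS"))
    return findings
```

Run it on a real message's HTML part before clicking anything; a non-empty result is the cue to type the bank's address into the browser yourself instead.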
It doesn’t matter much who the attacker is. If it’s not Russia, it’s China, or North Korea, or Iran, or Anonymous, or ISIS, or some script kiddie club in Miami. There will always be someone probing and testing your defenses. Attacks, probing, and deception are constant. Complaining about it is like complaining about a punch in the nose in a boxing match. Retaliation and negative incentives in the form of laws are not adequate protection. We must all protect ourselves proactively. Falling for a phishing e-mail is unacceptable. Don’t invite the burglar into your house!