Security Experts: People Have War Stories Too

We read about hacks and vulnerabilities all of the time. A retailer is successfully attacked via malware and credit cards are stolen. A credit card processing company is hacked via cross-site scripting and credit cards are stolen. An online social media company is attacked through an SQL injection attack and usernames and passwords are stolen.

It is great to read “war stories” (as long as they aren’t about us) and try to get some insight into what happened, and see if we can learn anything from them. But “case studies” are always impersonal, right? Would you get more out of specific stories of individuals caught in the crosshairs instead of corporate entities?

Lana

Lana ended her work day as an in-home care nurse. Her last patient, Phyllis, finished telling her story about the grandchildren, and told Lana “Have a great weekend, dearie.” Lana loaded her laptop and her bag in the hatchback of her Mazda, and called ahead to Able’s BBQ restaurant for carry out. Traffic going north during Friday rush hour totally blew, but Lana was excited about the weekend, so she made the quick run into Able’s, then continued on home. She didn’t even think about her laptop until Monday morning, when she spent 10 minutes searching the house for it. She eventually stopped by the garage door, and tried to retrace her steps. She clearly remembered bringing in the Able’s bag, and decided she had left her laptop in the car, in the garage, for the weekend. But then the laptop was not in the car, and not in the house.

Lana eventually drove in to work and reported her laptop stolen. Unfortunately, Lana’s laptop was loaded with full records from the 45,000 home-bound and “assisted living” patients for whom her company provided care. And more unfortunately, Lana had never gotten around to talking to her IT people about turning on her disk encryption software, so the records were stored in a plain text database. No password. Lana’s company reported the loss as a HIPAA violation, and “relieved her of her duties” within the week.

Stan

Stan was late. He was annoyed and late. Another airport delay, and more wasted time in another terminal. He dropped his laptop bag on the floor between his legs and opened his cellphone. When Stan’s administrative assistant answered, he started barking at her to get him on another flight and out of this airport. The conversation only lasted a couple of minutes, and he should get a call back on his new flight in just a few minutes. Stan bent over to reach for his laptop bag, only to find it gone. He turned around and searched the floor all around him. No bag. He stared around the terminal. No bag. Well, lots of bags, but none that he could say was his. No suspicious-looking people. Stan dropped a few f-bombs, and reported the missing bag to the airport police, then dropped a few more f-bombs. When Stan walked into his office the next morning, he dropped a few more f-bombs when he told his IT director that his laptop had been stolen and he needed a new one. A few minutes later, Stan stopped dropping f-bombs when his IT director walked back in and told Stan that Stan had been logged onto the corporate network through the VPN (token in the bag) for about seven hours, and was actively downloading files to his laptop. Stan and the IT director watched as an IT guy terminated the VPN connection. Stan got his new laptop about two hours later. When he asked, his IT director said they could not tell what PseudoStan had downloaded, just that his VPN had been busy moving data. Stan never found out, never got his laptop back, still carries his VPN token in his laptop bag, still drops lots of f-bombs, BUT, now uses a domain password to log on to his laptop.

Jim

Jim was loading a laptop when Ray called him Monday morning. Ray sounded awful. Jim almost felt like he was going to get sick just listening to Ray’s raspy voice, wet gurgles and sniffly nose. As best he could, between coughing fits, Ray explained that he had changed his domain password before leaving the office last Friday, and that their boss, Julie (“She’s a royal piece of work, know what I mean, Jim?”) had called him and told him he needed to look at the Ganther report, today, but he’s at the lake, sick (“hang on I think I’m going to hurl… no, I’m okay”), and forgot his password. Jim was all over it. “No problem. Ray, I can reset your password. What do you want it to be?” At Ray’s gurgled request, Jim changed it to “abcd1234”, and told Ray to get some rest and try to enjoy the lake. Ray mumbled something about “will change the password after I log on” and “thanks,” but really, Jim was happy to have him gone. He almost felt like he should scrub down his phone with sanitizing wipes. The following Monday morning, Ray walked in, properly sunburned from a week of fishing and water fun. Jim’s first comment was “glad you’re feeling better.” Ray looked confused, so Jim continued, “When you called last week I thought you were dying.” When Ray responded with an “Um, I didn’t call last week,” Jim almost choked on his Diet Mountain Dew. Together, they checked Ray’s account. His password had indeed been changed about 10 minutes after Jim had spoken with PseudoRay the previous week, and PseudoRay had spent quite a bit of time online. A year later, as people walk by Jim’s desk, they still ask him, “Hey Jim. Say, would you change Ray’s password for me?” It had stopped being funny about 11 ½ months ago.

Jay

Jay was reading his email when his computer just shut down. He reached for the power button, then realized his laptop was rebooting. He mumbled something about “stupid Windows,” and waited. It seemed to take forever to come back up, and when it did he jumped back into email, then into LinkedIn.

It seemed awfully slow, almost like his Internet speed had dropped by like 75%, but he finished checking his profile, finished his email, and shut down the laptop. But it didn’t shut down. Instead it just kind of sat there. Jay pressed the Windows key, and nothing happened. He tried Ctrl/Alt/Del, and after about a minute, he got the Task Manager, which showed no open apps. He pressed and held the master reset button until the laptop shut off.

The next day, Jay watched his laptop boot, remembering that it had been funky the day before. Everything seemed fine, but on a whim, he ran an anti-virus scan, which came back with no results. Jay then pretty much accidentally noticed that his automatic daily anti-virus scans had been turned off. He was pretty sure that was a bad sign, but the scan had come back clean. He ran his anti-malware, and that came back clean as well, but he was unconvinced, so he navigated to an online virus service and ran a scan there. The online scan found a couple of mild things that he was not worried about (especially since they were now quarantined), but he ran his anti-malware software again. This time it came back with a hit on Zbot and 16 more pieces of malware. Jay turned off his wireless card and with another system Googled how to remove Zbot and some of the other malware. After reading some of the guidance, Jay restored an image backup he had made of his laptop about a month previously. He had no confidence that he could successfully clean his laptop, so he just crushed everything. He then changed all of his online passwords. Yes. Every one of them.

Kate

Kate was watching Jeopardy. Loved Alex Trebek; he is just so handsome. And, she liked solving the puzzles. When the phone rang, she thought for a couple seconds about just not answering it. The nerve of some people, calling during Jeopardy. But it could be one of the kids or grandkids, so she answered anyway. The young man on the phone identified himself as “Luke”, and said he was calling from her state’s healthcare plan that was part of Obamacare, and asked if she had applied on the state site. Kate hadn’t and told him so. She was pretty sure that her Medicare and state assistance program was enough. With a very concerned tone in his voice, Luke corrected her, had she not realized that the Medicare and the state assistance program were going to be administered through the state site, and that if she didn’t apply by the end of the day tomorrow she would lose her healthcare benefits? Kate’s heart dropped.

In a very pleasant tone, Luke offered to help her sign up for the state program over the phone, and just get it done. “I’m not really supposed to, but I can help while I have you on the phone if you want to.” Kate agreed, and started answering his questions, while Alex Trebek played in the background. Name. Date of birth. Current address. Social Security Number. “Kate, do you have a checking account that we can use as second verification of your identity?” Kate provided Luke with the account number, and then the routing number from her check. Kate could hear Luke clicking keys, and after a few seconds he told her that she was all set and she should expect a healthcare card in the mail in two to three weeks. Before he hung up he was kind enough to ask if she had any questions or if there was anything else he could help with. Kate made it back in time to see Final Jeopardy. The next morning she was telling Chloe about Luke, and it occurred to her that Luke had helped her, but it was not clear why he had even called in the first place. When the assisted living home director didn’t know anything about the healthcare program, she called the local police and asked them. They replied that yes, they knew all about the call, and that it was fraud. Luke had lied to get her personal information and her credit card or bank account information.

Kate’s heart raced. All of her money was in her checking account. She called the service van and got a ride to her bank, then tried to explain it to the young man behind the counter, who verified that her account was fine, but stated that he could not change her account number in case there were outstanding transactions. When Kate rapped on the desk with her cane, the manager came over and was able to help her before any money was removed from her account. The call with Luke had lasted maybe 15 or 16 minutes, and counting the round trip van ride, it had taken her almost two hours to protect her savings. She may have been 87 years old, but she was still faster than Luke.

Sometimes, it’s Something Simple

In each case, these people were just doing their thing, work or play, and they were essentially interrupted by security – or the lack thereof. With the exception of perhaps Jay, security was not at the top of anyone’s list. Two stolen laptops, one malware/rootkit attack, and two social engineering attacks later, attackers had, overall, been pretty successful. It isn’t always the big glamorous attack that does us in. Sometimes it is something simple, like forgetting to lock your car doors at Able’s BBQ or being perhaps a little distracted by that hunky Alex Trebek...

Jon-Louis Heimerl is Director of Strategic Security for Omaha-based Solutionary, Inc., a provider of managed security solutions, compliance and security measurement, and security consulting services. Mr. Heimerl has over 25 years of experience in security and security programs, and his background includes everything from writing device drivers in assembler to running a world-wide network operation center for the US Government. Mr. Heimerl has also performed commercial consulting for a variety of industries, including many Fortune 500 clients. Mr. Heimerl's consulting experience includes security assessments, security awareness training, policy development, physical intrusion tests and social engineering exercises.