The attacker who stole Hacking Team's data gained access to an employee's computer while the victim was still logged in.
The attacker either had direct physical access to Christian Pozzi's PC or used malware to achieve the same level of access. Whichever it was, we can tell that Christian was logged in at the time simply by looking at a folder name among the files that were leaked onto the internet.
Christian's password files have been published online and most commentators have focussed on the low quality of many of these passwords. However, look at the folder in which these files were stored: /Truecrypt Volume/.
The detail that jumped out at me, but does not seem to have been mentioned in (m)any reports, is that Christian stored his passwords in text files inside an encrypted TrueCrypt volume. TrueCrypt is a free disk-encryption program whose developers abruptly ended support in May 2014.
Presumably Christian felt that such valuable data deserved protection, and he was right. But encrypted volumes have a clear security limitation: they only protect data while they are dismounted.
It is very likely that the victim was logged in and had this volume mounted when the files were stolen, at which point the "encrypted" password files were ordinary readable files to any process running in his session.
Encryption like TrueCrypt is excellent at protecting data at rest, that is, when the volume is dismounted or the user is logged off. Greg Hoglund of HBGary once told me that it's such an effective system that if his team couldn't crack a volume in a few days they would simply give up.
The lesson to learn from this story is that even excellent encryption has its limits. Full-disk and volume encryption are great for protecting lost or stolen computers and disks, but they won't hinder attackers who have access to your computer while you are logged in and the volume is mounted: a mounted volume looks like any other drive to every process running under your account, malware included. Whether they creep over to your desk during a rest break, or install malware remotely over the internet, it amounts to the same thing.
Benefit from Hacking Team's failure by reconsidering the wisdom of storing passwords in plain text files on your computer. You could also keep encrypted volumes mounted for the minimum time necessary (TrueCrypt's preferences can auto-dismount a volume after a period of inactivity, when the screen saver starts or when you log off); press Win-L (Lock) before you leave your Windows PC unattended, bearing in mind that locking the screen stops the desk-creeper but not malware already running in your session, and that a keylogger will simply capture the volume password the next time you mount it; and invest in anti-malware solutions that are capable of detecting and blocking targeted attacks.
That last recommendation is not trivial to implement and will most likely involve some level of application white-listing, which can be effective but is a pain - either for the administrator or the user.
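The "mount for the minimum time" advice above, as an added example that is not code from the original post or from TrueCrypt: a small Python wrapper that opens a volume only for the duration of one task and guarantees the dismount runs even if the task fails. The command-line flags it calls (`truecrypt --mount VOLUME MOUNTDIR` and `truecrypt -d MOUNTDIR`, the TrueCrypt/VeraCrypt Linux syntax) and the file paths are assumptions; the Windows build uses /v, /l and /d switches instead.

```python
"""Hold an encrypted volume open only for as long as one task needs it.

Added example; not code from the original post or from TrueCrypt. It wraps the
TrueCrypt/VeraCrypt Linux command line in a context manager so the dismount
always runs, even when the task raises. Assumed CLI (not from the post):
`truecrypt --mount VOLUME MOUNTDIR` and `truecrypt -d MOUNTDIR`.
"""
import subprocess
from contextlib import contextmanager
from pathlib import Path


def truecrypt_mount(volume: str, mountpoint: str) -> None:
    # Assumed flags; the CLI prompts for the volume password itself.
    subprocess.run(["truecrypt", "--mount", volume, mountpoint], check=True)


def truecrypt_dismount(mountpoint: str) -> None:
    # Assumed flags; dismounts the volume mounted at mountpoint.
    subprocess.run(["truecrypt", "-d", mountpoint], check=True)


@contextmanager
def mounted_volume(volume: str, mountpoint: str,
                   mount=truecrypt_mount, dismount=truecrypt_dismount):
    """Mount the volume, hand its root to the caller, dismount on the way out.

    The mount/dismount hooks are parameters so the logic can be exercised
    without TrueCrypt installed; in real use leave them at their defaults.
    """
    mount(volume, mountpoint)
    try:
        yield Path(mountpoint)
    finally:
        # Runs whether the block finished normally or raised, so the window in
        # which the volume's contents are readable is bounded by the task.
        dismount(mountpoint)


def read_secret(volume: str, mountpoint: str, name: str, **hooks) -> str:
    """Read one password file and dismount immediately afterwards."""
    with mounted_volume(volume, mountpoint, **hooks) as root:
        return (root / name).read_text(encoding="utf-8").strip()


if __name__ == "__main__":
    # Real use (needs truecrypt on PATH; paths are hypothetical): the volume
    # is open only for the duration of the call.
    print(read_secret("/home/me/passwords.tc", "/media/truecrypt1", "mail.txt"))
```

The wrapper narrows the exposure window but does not remove it: while the `with` block runs, the files are readable by anything else in the session, and a keylogger still sees the password typed at the mount prompt.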
Saturday, 18 July 2015
Tuesday, 12 May 2015
* Technical – breaking in via computers only
* Human – tricking people into aiding the attack
For the technical attacks you might consider the following, in order of priority/effectiveness:
- Update your applications and operating system – if there are no known security holes on your computer, an attacker has to find or buy an unknown one, which is much harder. We (Dennis Technology Labs) ran a test [PDF] in which updating Windows alone made a massive difference to a target's exposure to online threats.
- Use different usernames and passwords for different internet accounts – even large businesses on the internet suffer successful hacking attacks, which may mean your account details being stolen and sold on the black market. It's trivial for a hacker to try those details on other sites to make the most of their gains (this is known as credential stuffing). You can't stop the breaches or the thefts, but you can minimise the risk to yourself if and when they happen.
- Use anti-malware with a software firewall – these programs stop known malware and network attacks. Update these religiously for maximum effect.
- Use a Virtual Private Network (VPN) when using public WiFi – this will protect your personal information, such as which websites you visit and, in some cases, even your usernames and passwords, from being spied upon by those with control over the WiFi. (And don't assume that only those who own the WiFi network have control over it.) Bear in mind that a VPN moves that trust to the VPN provider rather than removing it, and that sites served over HTTPS already hide your login details from the local network. This advice applies equally to PCs, Macs and mobile devices. F-Secure's Freedome provides a very reasonably-priced and effective solution – it's around £20-£30/year (depending on which version you need) for unlimited use and works on PC/Mac/iOS/Android.
- Enable your broadband router's firewall, if it isn't on by default, and turn off remote administration – there are automated attacks that compromise routers with remote management enabled, and by hijacking your connection (typically by changing the DNS settings the router hands out) they can ultimately steal your online banking details, even if you run anti-malware software on your PC or mobile device.
- Install anti-exploit software such as Microsoft's EMET – these programs harden applications with mitigations such as DEP, ASLR and return-oriented-programming checks, so they can block attacks that exploit unknown or not-yet-patched vulnerabilities. (EMET was retired in 2018; on Windows 10 and later the equivalent mitigations live in Exploit Protection under Windows Security.)
- Consider setting up a guest WiFi network at home so that friends, baby-sitters etc. can use your connection without exposing your own computers to their potentially-infected devices. Here’s a cheap method (around £10).
For the human side you can do the following to make a big difference:
- Back up your data. Some modern malware encrypts victims' files and extorts money for their recovery, and in many cases even experts are unable to regain access to the encrypted files. A backup drive that stays plugged in will simply be encrypted along with everything else, so keep backups offline or use a service that stores older versions of files: some online backup services, such as BackBlaze, do this, which is useful if you want to recover files from before an attack.
- When installing mobile applications check that you trust the publisher and that the program is not asking for too many/inappropriate permissions. Does that compass app really need access to the internet and your address book?
- Avoid clicking on links in email messages. It's safer to type the address or use a bookmark and log straight into the website rather than assume an embedded link leads where its text says it does: the real destination is in the link's address, not in its visible text.
- Do not run applications, such as updates, that arrive as email attachments. This old trick is still being used by criminals to trick victims into installing malware.
- Avoid pirated files and applications designed to generate license keys for commercial software. Aside from the moral issues involved there is also a good chance they will contain malware.
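The backup advice above, as an added example that is not code from the post or from any backup service: a small versioned backup in Python. A mirror backup copies whatever a file currently contains, so after ransomware rewrites it the backup holds ciphertext too; keeping each earlier version, stored by content hash, lets you restore the last version written before the attack. The file contents, timestamps and the "cipher" in `demo()` are constructed for this example.

```python
"""Versioned backup that survives a ransomware-style overwrite.

Added example; not code from the post or from Backblaze. A plain mirror backup
copies whatever a file currently contains, so once ransomware has rewritten it
the backup holds ciphertext too. Keeping every earlier version, stored by
content hash, lets you restore the last version written before the attack.
The scenario in demo() is constructed for this example.
"""
import hashlib
import json
import shutil
import time
from pathlib import Path
from typing import Optional


class VersionedBackup:
    """Content-addressed store plus a per-file list of (time, hash) versions."""

    def __init__(self, store: Path):
        self.store = Path(store)
        self.objects = self.store / "objects"
        self.objects.mkdir(parents=True, exist_ok=True)
        self.index_path = self.store / "index.json"
        self.index = (json.loads(self.index_path.read_text())
                      if self.index_path.exists() else {})

    def snapshot(self, src: Path, when: Optional[float] = None) -> str:
        """Record the current contents of src as a new version; return its hash."""
        data = Path(src).read_bytes()
        digest = hashlib.sha256(data).hexdigest()
        (self.objects / digest).write_bytes(data)  # unchanged files dedupe to one object
        self.index.setdefault(str(src), []).append(
            {"time": time.time() if when is None else when, "sha256": digest})
        self.index_path.write_text(json.dumps(self.index))
        return digest

    def versions(self, src: Path) -> list:
        return list(self.index.get(str(src), []))

    def restore(self, src: Path, before: float, dest: Path) -> str:
        """Write the newest version taken strictly before `before` to dest."""
        candidates = [v for v in self.versions(src) if v["time"] < before]
        if not candidates:
            raise LookupError(f"no version of {src} taken before {before}")
        chosen = max(candidates, key=lambda v: v["time"])
        shutil.copyfile(self.objects / chosen["sha256"], dest)
        return chosen["sha256"]


def demo(workdir: Path) -> dict:
    """Back a file up, let 'ransomware' rewrite it, recover the pre-attack copy."""
    workdir = Path(workdir)
    doc = workdir / "accounts.txt"
    backup = VersionedBackup(workdir / "backup")

    original = b"Q2 figures: revenue 120k, costs 95k\n"  # constructed content
    doc.write_bytes(original)
    backup.snapshot(doc, when=100.0)  # nightly backup before the attack

    # Stand-in for the attacker's cipher: any rewrite is enough for the demo.
    doc.write_bytes(bytes(b ^ 0x5A for b in original))
    backup.snapshot(doc, when=200.0)  # the next backup faithfully copies the ciphertext

    restored = workdir / "accounts.restored.txt"
    backup.restore(doc, before=200.0, dest=restored)
    return {
        "versions": len(backup.versions(doc)),
        "latest_is_ciphertext": doc.read_bytes() != original,
        "restored_ok": restored.read_bytes() == original,
    }


if __name__ == "__main__":
    import tempfile
    print(demo(Path(tempfile.mkdtemp())))
```

The point of keying versions by time is that the newest backup is exactly the one you cannot trust after an attack; the restore deliberately asks for the last version taken before the malware ran.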