Email Security
Published May 2016

Guide To Email Security

Table Of Contents
Introduction
How To Protect Yourself
What To Do If You Get Hacked
The Hacker’s Life
Email Is Gold
How An Attack Works

Introduction To Email Security
by Brandon, deliverability engineer
We’re a paranoid bunch at Mailchimp. We proudly wear tinfoil hats, we have secret hideout rooms with steel walls, and we have fireman poles and slides throughout the building for quick evacuation. We also have at least 24 rottweilers with freakin’ lasers on their heads. We’d go into more detail, but let’s just say that security is a serious matter at Mailchimp. We take it so seriously because our customers shouldn’t have to worry about their data. We spend a lot of time talking about bad guys and acting like bad guys, to figure out how they think. Our team invests a lot of time and money into writing code to protect ourselves and our customers, and we have lots of software and hardware to protect our infrastructure. Our security methods are there to help keep you safe—but when it comes to protecting yourself and your subscribers, you have some responsibilities of your own. In this guide we’ll cover how you can protect yourself, what to do if your data has been compromised, some basics on why an attacker might target you, and why email data is important in the first place. We hope this guide scares you into taking some precautionary measures to ensure your data is safe.

According to the Ponemon Institute, the value of a customer record is $204 in the US. For some people the value is much higher, and for others it’s much lower. Some people use the simple “dollars earned divided by list size equals dollar-per-email value” calculation. (So if you made $120,000 off your campaigns and had 5,000 subscribers, then each subscriber is worth $24.) Though some are worth more than others, that calculation shows you how valuable email addresses are. And even if you’re not earning money off your subscribers, there’s great responsibility in protecting the email addresses they provide. Hackers want those addresses because they know how to extract and extort money from unsuspecting people, tarnish your brand and cause some serious financial hassles for you. If you and your service providers aren’t taking the proper precautions to protect your customers’ data, then you’re doing a grave disservice to your business and subscribers.

*ATTENTION: EXTREMELY IMPORTANT OBLIGATORY LEGAL DISCLAIMER This guide is intended to serve as a resource on the topic of email security. It is not intended to be professional advice, nor is it a complete compendium of the information available in this area. The Rocket Science Group, LLC d/b/a MailChimp expressly disclaims any and all warranties about the information contained within. In sum, while we think this is an awesome guide on the topic, use of the information contained within the guide is entirely, completely, definitively, absolutely, positively, 100% at your own risk. If you have questions or need specific advice for your situation, please contact a knowledgeable professional.


How To Protect Yourself
You can never be too cautious when it comes to protecting yourself, your business and your valuable data. Here are some tinfoil-hat tips.

1. Keep ALL of your systems completely up to date. Not just your operating systems, but your browser, Adobe Reader, Java, Flash, etc. These ancillary applications are generally the most problematic and easiest to hack. Keep your anti-virus programs up to date, and if possible, use anti-virus software that includes firewall protection, or at the very least malware protection. Try something like Comodo.

2. Run anti-virus and malware scans daily. As in, every single day.

3. Secure your networks and wifi. Do NOT allow employees to use their home computers, guest computers, smartphones or iPads on your network. Secure your wifi using WPA2 or stronger. If you have mobile workstations inside or outside your networks, never use insecure wifi, like your local coffee shop’s connection. If you must use this type of connection, keep your usage to an absolute minimum. Read up on Firesheep to learn how much information gets transmitted on an open wifi connection.

4. Secure your smartphone with a password or security lock. If it’s stolen, call your provider immediately and disconnect your phone. Passwords are extremely important when it comes to security. Use different passwords for every site you do business with. Do NOT use the same password twice (see: Twitter Spam Attack Tied to Gawker Security Breach). Each site should have a unique password. Consider using 1Password, KeePass or a similar utility to help keep track of all your passwords. Keep in mind that if someone steals your computer or gains access, they can steal your password database. So make sure your master password is unique and difficult to guess. Use passwords of at least 10 characters with numbers, letters, symbols as well as different cases. If you use the same password everywhere, it’s extremely easy for an attacker to try your username and password at each and every site they’re after.

5. Use a single machine for financial transactions. It shouldn’t be used for anything other than banking, and should only be connected via a wired connection. Don’t keep this computer powered up unless it’s being used.

6. Be careful what information you share publicly. If you’re interviewed for something that will be published online, make sure you don’t mention software vendors or business vendors you use, unless you can be 100% sure that your software and business vendors will not be hacked.

7. Never open email, IMs and social-media notifications from people you don’t know, haven’t heard from in a long time, or that look suspicious. This type of communication is often malicious, so skip it to be safe. If you’re unsure, don’t reply to the communication, and call the person for confirmation. Assume everyone is compromised.


What To Do If You Get Hacked
Hopefully you’re protecting your data like a champ and nobody’s after you. But if you do get hacked, here’s how to handle it.

1. If it’s a virus or malware on a machine, disconnect ALL machines from your network immediately. At this point it’s best to involve a local IT company or consultant who’s trained in removing malware. Don’t turn on any systems until the threat has been completely removed. If you must get to a system, make sure it’s not on the internet, and assume that anything and everything on that system is infected.

2. Change all passwords, and security questions and answers that may have been affected. Make sure you do it from a secure machine—if you change passwords on an infected machine, you’re giving the attacker all the info they were after on a silver platter. Use a secured network that you trust. If your systems were hacked, don’t trust your network until all machines have been given the all clear.

3. Contact your service providers and software providers, and ask them to do a scan for potential data breaches on your account. Also ask them to lock your account from further access if you feel the account is what the attacker was after, or if the account is important enough to lock down.

4. Check your email. Ensure that there’s nothing in your deleted items that relates to communication with your service and software providers.

5. Notify your friends, clients and business vendors that you were compromised. Let them know that they shouldn’t trust further communication from you until otherwise noted.


The Hacker’s Life
Discussions about hackers usually end with, “Why don’t they just get a job?” The truth is, hacking is their job, and they often make good money (or enjoy what they do). The laws in many countries are lax enough that cybercrime isn’t considered serious, or there’s just so much other bad stuff going on, it doesn’t bubble up. Many countries even overlook this behavior because the criminals pay off and support government officials. The book Fatal System Error by Joseph Menn goes into more detail about that. Whether someone is paying government officials, or the laws just don’t apply, it really doesn’t matter. These criminals exist, and they’re out to get any and all information they can. So why do they want your data?

1. To target your personal and/or business finances. Stealing financial account information is easy these days. It’s even easier, and far more useful, to steal credit card information.

2. To target your computers and technology infrastructure. Botnets allow an attacker to use many machines to attack other machines, steal information and commit various other acts of evil. Once the hacker controls your computer they can:

• Log every keystroke you type. The software that records the keystrokes is even built to show fake login pages for financial institutions to log your credentials.
• Steal information from your hard drive. The attacker owns your machine and can get at any piece of data they want. Stealing your accounting database and cracking the username and password shouldn’t take more than a few Google searches.
• Use your system to send SPAM. The majority of SPAM is sent through systems controlled by botnets. If your system is under the control of a hacker, they can send hundreds of thousands of pieces of SPAM from your system without you ever knowing it.

3. To target your customers. Maybe you have some high-profile clients that the attacker is after. Maybe a client is listed on your site or sent an issue via Twitter. It’s easy to figure out who your clients are, and it’s an easily accessible entry point for an attack.

4. To target employees. A hacker can easily target your employees using social media and direct attacks. It’s easy to find ways to get at your employees, like using family members, college or high-school friends found through Facebook. If an attacker targets one of your employees, he can gain insight into your business practices and target your entire company.

All attacks are planned. There’s an end goal, and because this is the attacker’s job, he spends lots of time planning and plotting every step. Just like that new promotion you planned in November, the attacker planned the malicious attack on your Social Media Manager. Many people think hackers don’t put much thought into attacks, and while the 419 scams and bad spelling in most SPAM might make you think hackers are stupid, that’s far from the truth. In the book Social Engineering: The Art of Human Hacking, Christopher Hadnagy provides information on how much effort a hacker will put into planning and executing an attack. It’s like a chess game—but unfortunately, most of the targets have no idea they’re part of the game. If you have any type of online presence, then you are, have been, or very shortly will be under attack. So you must behave like you’re under attack and secure your assets at all times.


Email Is Gold
Email addresses are extremely valuable in today’s economy. Referencing back to our quick calculation in the introduction, you can see that an email address can be worth a lot of money to your business. Our identities, important accounts and vital information are attached to email addresses. Chances are your financial institutions use your email address as your username. Your social media accounts, like Facebook and Twitter, tie to your email address. Your email address is a unique identifier—but more importantly, it’s a communication mechanism. We use email to transmit all kinds of important information, and we use email more and more each day. Evil hackers want the email accounts for various reasons. This is just a small list of some stuff they might be after:

• Hackers have found that companies who use ESPs (email service providers) generally have clean lists. A clean list means fewer bounces and potentially an engaged list. And that means the list will deliver to the inbox and have a higher likelihood of clicks and opens.
• The hacker wants your email addresses to send your subscribers malicious stuff. Maybe your email list has important users like congress members. If they can trick your subscribers into clicking links and visiting bad sites, they can then gain access to machines they were targeting.
• The hacker is planning a much larger attack and is just harvesting email addresses.
• The hacker is planning to resell your subscribers.

Know that lists used by marketers often have highly engaged readers and good email addresses. If the hacker wanted to target your customers, they could easily imitate your campaign content and trick your users into following a link to a malicious site. Chances are, the engaged readers will click like they normally would. The list is valuable to you, but it’s just as valuable—if not more so—to the hacker.

There’s also a large market for buying and selling email addresses. So not only can the hacker use the email addresses for direct attacks, but they can then sell the addresses to a list broker for further gain. Think that through the next time someone approaches you about selling a list—chances are most of the addresses were gathered unethically.


How An Attack Works
Remember, the hacker has an end goal. In this section we’ll build a scenario and walk through how an attack is planned and carried out.

Let’s say your site is a popular foodie blog. You have a cool newsletter signup on your site, and you allow people to comment on your blog. Somewhere along the way, you were interviewed on a food website about how you handle your business, and most importantly, your marketing. You told everyone that you use this really cool newsletter service called MiamiMail, that you have 280,000 subscribers, and the list grows by 2,000-3,000 subscribers a week. It’s so much to maintain that you hired Debra, a social-media expert, Quinn, an email-marketing guru, and Vince, a programmer who works with the MiamiMail API. You also talk about your guest bloggers and some of the famous chefs that actively participate on the blog and answer questions in the comments. You just built this great new recipe section, where the same famous chefs comment on the posts.

Arthur is a hacker, and he’s just come off a series of attacks against major car dealers. He wants to change things up and reads the article about your site. It piques his interest because you gave some specific details. Here’s what Arthur knows about your business:

1. You use MiamiMail.
2. You have a substantial list, and it’s growing quickly.
3. Arthur knows about at least four people in the company: Debra, Quinn, Vince and you.
4. Arthur also knows some famous people who use your blogging tool.
5. Those famous people participate in the recipe section.

Arthur takes this data and begins to research the following:

1. MiamiMail. Find out anything and everything about them. He trolls the support forums, signs up for a free account, learns about the API and even experiments with the system to send a few test campaigns.
2. Your company’s About page. That really cool Team page came in handy! Arthur finds a few other employees and then begins researching your employees and building profiles for Debra, Quinn, Vince and you. He finds your Twitter, Facebook and LinkedIn profiles. He also finds out your home addresses, personal email accounts and a few other pieces of information he purchases using some stolen credit cards he got from that car dealer scam he ran last week.
3. The famous chefs. If Arthur can’t trick your employees, he might be able to trick one of the chefs and maybe gain some access to the blog.

Over the years we’ve seen SPAM grow in maturity. SPAM has moved from poorly spelled 419 scams, to simple phishing scams, and now we see smarter and more targeted SPAM and phishing attacks. Hackers have exposure to tools, data and blackhat ESP systems that allow them to run sophisticated campaigns against targeted victims. We see hackers use levels of sophistication beyond what most marketers use, like advanced segmentation, dynamic content using conditional merge tags, and combining other data sources to target recipients more effectively. With combined data sources, they can effectively attack your employees and users. If the attacker can’t obtain enough information, there are sites where a few dollars can provide them with just about anything they want to know. Just as you read your campaign results, the hacker is using reporting data from their malicious software. When they launch an attack, they use the stats to tweak and refine future attacks.

Arthur builds his campaign to drive his victims toward a site or series of malicious sites. These campaigns allow him to learn more about the computer systems involved, gain access to the owner’s system, or even worse, damage your infrastructure as a whole. He won’t just target employees—he’ll target business associates, family members and friends. Arthur may even use a series of campaigns to learn more information or gain access to specific computer systems.

So what is a malicious site?
Years ago someone would receive a virus in an email, click it, and get infected. Those tactics are still used, but these days most attacks use drive-by malware. The basic idea is that you visit a site that the hacker controls. They’ve embedded some JavaScript or other code that runs and infects your system. You didn’t have to click anything—you simply visited the site and got infected. If Arthur plays his cards right, he’ll infect the right machines. Even if he doesn’t get to the systems he wanted, he’ll use the other systems to learn more information or attack elsewhere. And what does an infected machine provide Arthur with? Malware infections can include keyloggers, remote access and access to all the data on your machine or network. Once infected, Arthur has unfettered access to your information. Keyloggers allow him to watch all your keystrokes. Yes, EVERY keystroke. Malware is designed to run without you ever knowing it has been installed.

Arthur can sit and watch and collect and learn. With time he’ll gain access to all of your systems or, in this case, gain access to your MiamiMail account. Once he has this access, he’ll steal your subscribers and start the process all over again. At this point, he can target your subscribers to gain access to their systems, attempt to steal credit cards and more. He can continue mining data from your system, or rent or sell your system to other hackers for other needs.

Read more about malware. Scary, huh? We suggest rottweilers with lasers.

