HOW HACKERS CASH IN

50 million Facebook users' accounts were hacked recently

Cape Argus - FRONT PAGE - BILAL KATHRADA

FACEBOOK is having a tough year.

Earlier this year, there were the reports that they were selling private user data to third parties without consent. Now, not six months later, the company is facing an even bigger storm. Facebook was hacked, and 50 million people's accounts were compromised.

Among the hacked accounts was no less than Mark Zuckerberg's own. No one knows who was behind the incident, and worse still, no one knows what the damage was.

All we know about the incident is the scale of the attack; other vital questions remain unanswered.

What was the motive? What did they take? Did they find any valuable information?

No one knows yet, but there are some theories. Some believe the hackers trawled Facebook user activities for sensitive data like private messages, to use for blackmail.

Others claim the culprits were Russian hackers who gathered information that could be used to rig the 2020 American election.

What gives impetus to the Russian hacker theory is the scale and sophistication of this operation. To hack into a company like Facebook and take control of 50 million accounts would probably require a large, highly skilled, well-funded team.

But the same could have been said about the occasion when Apple was hacked, and nearly a terabyte of valuable data was stolen from their servers.

This too seemed like the work of a team of seasoned hackers, but the perpetrator turned out to be a lone 16-year-old kid from Melbourne, who stored his hacking instructions in a folder on his computer called "hacky hack hack".

Regardless of who is behind it, cybercrime has been labelled a "pandemic" due to the frequency and severity of the incidents.

The annual global cost of cybercrime is currently estimated at about $600 billion (about R8.76 trillion), and it affects everyone: corporates, small businesses and individuals.

Statistics like this are naturally a cause for alarm, and people generally want to know how to be safe.

I regularly come across people who have been victims of cybercrime in some way or another, people who've had their bank accounts cleaned out.

Or, in one of the most disturbing cases I've ever encountered, a businessman who was quite literally locked out of his own business by hackers who locked down his server and demanded a huge ransom.

The poor guy was in a desperate situation. His company's point-of-sale system, back-office accounting software and emails all ran on the same server. Without access to these, they had no option but to shut the doors.

My advice to them was to pay the ransom. There were no backups, and the hackers warned that if they tried to unlock the server, then the entire system would be blanked.

Even if there was a possibility that the system could be unlocked, it was too risky without backups.

They stood to lose everything. They subsequently paid the ransom and got their server back, but the cost was huge: nearly a million rand, including the ransom money, lost sales and downtime.

When we hear about hacking, we generally think about people with computers running powerful password-cracking software to get into sites or bank accounts. This method, known as a "brute force attack", accounts for only a small percentage of cases.

Most often, attackers use social engineering, which is the use of deception, manipulation and influence to convince a person who has access to a computer system to give away that access.

In other words, they use plain, old-fashioned con-artistry.

Kevin Mitnick, world-renowned ex-hacker and author of the book Ghost in the Wires, warns that "companies spend millions of dollars on firewalls, encryption and secure access devices and it's money wasted because none of these measures addresses the weakest link in the security chain: the people who use, administer, operate and account for computer systems that contain protected information".

The businessman I mentioned learnt this the hard way.

Upon investigation, it was discovered that one of the admin clerks had opened a suspicious email attachment, which installed malicious software (called malware) that took control of her computer; and since her computer was linked to the main server, it was easy to gain access to the server.

The clerk was a victim of "phishing", which is the practice of tricking someone into opening a malicious email or attachment by disguising it as a legitimate email from a bank or other organisation or person. Another strategy used by attackers is to run fake piracy websites offering free downloads of copyrighted content.

All too often, people using these sites think they are downloading free music, movies and software, but what they are actually getting is malware which compromises their computers.

Most cases of cybercrime are due to human error, negligence, or classic foolhardiness.

Usually all it takes is a little education to avoid becoming a victim.

● For more information about the topic, go to: https://www.youtube.com/watch?v=YWqi3CoDsY8

● Bilal blogs at www.bilalkat.com
