Why None of us are Above Cyber Attacks: How Hackers Broke into John Podesta and Colin Powell’s Gmail Accounts
It’s fair to say that when it comes to high profile cyber security failures, the past twelve months have seen more than their fair share.
As if the loss of customer data in TalkTalk-gate wasn’t enough, 2016 brought fresh attacks on the SWIFT (Society for Worldwide Interbank Financial Telecommunication) network, costing a number of banks both their reputations and tens of millions in losses. But why do security breaches keep befalling global giants who pump millions into their cyber security initiatives?
Organisations or individuals?
When reports of cyber-attacks hit the headlines, the press are quick to condemn the overarching failings of the organisations in question. Given that global consumer businesses are in possession of vast amounts of private customer data, it’s little wonder that the kneejerk reaction to security failures on this scale is anger. But with user error often relegated to a single line in damming press pieces, it’s easy to miss a common trend across many of these cases: that initial access to an otherwise secure system was granted by the accidental opening of an email, or a click on a seemingly innocuous link by somebody within the organisation.
If we’re looking for evidence in support of this statement, all we need do is delve a little deeper into the mountain of reports into these instances that are available on the web. In fact, one report published earlier this year in the Federal Times noted that as much as fifty percent of all cyber breaches and data leaks can be attributed to human error.
In short, in this era of increasingly sophisticated cyber threats, a critical truth remains: your firewall can be as sophisticated as you like, but it means nothing if your people aren’t armed with the right knowledge.
Falling foul of cybercriminals can happen to anyone
In spite of the usual dialogue of blame that implies a certain ‘stupidity’ on the part of the staff in question, the reality of human-error data breaches is that they happen often enough to highlight a genuine problem with education around information security. There was perhaps a time when malicious phishing emails were laughably obvious, but with the ever-increasing sophistication of available technology, and smarter social engineering, falling foul of a cyber-attack can quite literally happen to anyone.
Never has this been illustrated more than by the recent email leaks from senior officials in Hillary Clinton’s US presidential election campaign.
Case in point: How hackers infiltrated the Clinton Clan
Back in March, John Podesta – former chief of staff to the Whitehouse and Chairman of the 2016 Clinton campaign – received an email that appeared to come from Google. It wasn’t until some months later, in October of this year, when hundreds of Podesta’s private personal emails began to appear on WikiLeaks that officials were alerted to any data breach. Rather than a legitimate Google security alert, what Podesta had received was a well-disguised phishing message designed to dupe him into giving up the password to his Gmail account.
Of course when news of the hack broke, people were quick to point the finger at Russia. With mounting international tensions, and the profile of notorious hacking group Fancy Bears continuing to rise, such accusations were hardly unexpected.
The subsequent investigation into exactly where this particular email came from claimed to have traced the malicious URL contained within it to a single account on the popular URL shortening service, Bitly. Using a Bitly short-link, hackers concealed a longer link which, to the untrained eye, looked very much like a legitimate Google URL. Within this was a 30-character string that contained the encoded Gmail address of John Podesta.
The Bitly account used in this attack was found to be the very same one responsible for generating malicious short links used in a significant number of other hacks on members of the National Democratic Committee (including one on former Secretary of State, Colin Powell, where his private emails later appeared on the website DC Leaks.) Investigators at cyber firm SecureWorks also claimed to have been able to trace ownership of the Bitly to a domain under the control of Fancy Bears when they discovered that privacy settings had not been activated on the account.
Using Bitly allowed third parties to see their entire campaign including all their targets— something you’d want to keep secret
– Tom Finney, Researcher at SecureWorks
“It’s unclear why the hackers used the encoded strings, which effectively reveal their targets to anyone,” said Kyle Ehmke, a threat intelligence researcher at security firm ThreatConnect. “[Perhaps] the strings might help them keep track of or better organize their operations, tailor credential harvesting pages to specific victims, monitor the effectiveness of their operations, or diffuse their operations against various targets across several URLs to facilitate continuity should one of the URLs be discovered.”
As it stands, investigators have drawn connections between nearly 9000 malicious phishing emails used to target 4000 individuals across the US and Europe – all seemingly originating from Fancy Bears. The Podesta hack was not the first time the Bears have made the headlines; their connections to the Kremlin have remained the subject of speculation for some time following their meteoric rise to media fame when they leaked documents from WADA (The World Anti-Doping Agency) incriminating American athletes. Whether there is any truth in claims of suspected Russian ties remains to be seen – but if the authorities are in possession of any hard evidence, such information is unsurprisingly not in the public domain.
The use of popular link shortening services such as Bitly or Tinyurl [that left an uncharacteristic trail] might have a simple explanation – the hackers probably wanted to make sure their phishing attempts went past their targets’ spam filters
– Thomas Rid, King’s College London
What we do know is that in Podesta’s case, something as simple as apparently legitimate account security email has led even some of the most tech-savvy figures down the rabbit hole.
Phishing emails that even evaded Clinton’s IT team
Perhaps the most surprising thing of all in this account is the fact that John Podesta did actually report the email to his IT officers as suspicious – and was reassured that the request to reset is password was indeed ‘legitimate’:
Clearly, Podesta had some awareness of phishing emails as a means to obtaining sensitive private data, but was ultimately still duped into giving hackers access to his account and surrendering sensitive private information to criminals.
Comment from Bitly
When avid tech-reporters Motherboard published their original series of articles covering the Clinton campaign hacks, they approached Bitly directly for comment. Their official reply, amongst stating that they ‘can only do so much’ when it comes to preventing use of their services for unlawful or malicious purposes, read as follows:
“The links and accounts related to this situation were blocked as soon as we were informed. This is not an exploit of Bitly, but an unfortunate exploit of Internet users through social engineering. It serves as a reminder that even the savviest, most sceptical users can be vulnerable to opening unsolicited emails.”
– Bitly, speaking to Motherboard
Lessons learnt – how do businesses protect themselves against cybercrime?
Irrespective of their size or stature, no firm wants to fall foul of cybercriminals. The reality is that the ‘wolf-in-sheep’s-clothing’ analogy runs deep – within an organisation as high-profile as the Clinton camp, even seasoned IT security professionals were tricked into believing that a phishing email sent to one of their most prominent officials was legitimate.
As the tech world continues to advance, there will always be instances where data breaches and malicious attacks mounted on organisations by cybercriminals will be effective. This said, with an estimated fifty-percent of cyber security breaches attributed to human error, businesses need to view the education of their entire workforce as a critical line in the defence against hackers and cybercrime.
“We are all vulnerable, regardless of role or seniority”, says Mark Logsden, former Head of Cyber Security at AXELOS Global Best Practice. “The most effective way of managing this risk is via a good cyber awareness programme that promotes good cyber behaviours and teaches all staff about their role in maintaining the cyber resilience of the company.”
Still want more? Check out these other interesting resources
The fantastic original Motherboard article on the Podesta hack
Another piece on how Clinton’s IT team were duped by hackers
Interactive visualisation of the world’s biggest data breaches by sector/fault
Cyber Security Training from Unicorn in partnership with AXELOS GBP
Unicorn smashed through the £6m sales mark for the first time ever in the last financial year (2015-16), a new record in any 12-month period and £1m up on our previous financial year best. These are our top 10 highlights of our record-breaking year (in no particular order)…
You’ve probably heard of Craig Weiss? He’s widely considered to be the most influential person in eLearning in the world. Every year Craig produces his Global Top 50 LMSs Report and for the second year running, in January 2016, our learning and performance platform, SkillsServe, was recognised as the world’s best in our field.
…in addition to the number of other Unicorns who did amazing stuff supported by our Fundraising Team. This included Dean, Tai, Katrina and Simon all completing multiple distance and endurance running challenges raising money for The MS Society, Macmillan Cancer Support, Macmillan Caring Locally and The Samaritans, while Sam and Xiomara pounded the capital’s streets in the wee hours in their quest for The Big Issue Foundation.
3 Million+ course activities were completed on SkillsServe
Off the shelf courses, user-generated content and eCreator courses, CPD recording, Training and Competency (T&C), on-the-go learning and Apps, you name it and SkillsServe has probably helped the financial services industry achieve it.
You know Craig Weiss’ LMS report we just mentioned? As well as maintaining top spot for financial services, SkillsServe also moved up a place overall from fifth in 2015 to fourth this year. In the report Craig said: “New User Interface, expansive features. I love that they have a CPD mobile app. Regulatory is strong which is a must since their target vertical is Financial Services. An overall, top tier performer.”
5 the number of key areas Unicorn was assessed to receive Service Excellence accreditation from the National Skills Academy for Financial Services
This means Unicorn has demonstrated its dedication to high-quality, professional customer service and commitment to consistent improvement in service and staff training. With Helpdesk now 11 strong, 4,000 more calls were dealt with last year compared to 2014. This is reflected in an SLA of over 95% between March 2015 and March 2016. Already in 2016 Helpdesk have dealt with more calls month-on-month than 2015. What does this mean? Quicker and more effective issue resolution for our clients and happy customers ☺
It was looking good at the end of the calendar year, when we reported sales exceeded £5.6m ($8.5m), but we are delighted to report continuing strong organic growth in our core business streams, culminating in sales crashing through the £6m for the first time.
We first received ISO certification in 2011, but 2015 saw Unicorn transition to the new ISO27001:2013 standard from the previous ISO27001:2005 benchmark. The new standard reflects the changing demands of IS security in the face of challenges that didn’t exist in 2005. To maintain ISO27001 certification requires monthly security audits and an annual British Standards Institution (BSI) assessment.
8 where Unicorn Training CEO and founder, Peter Phillips, is ranked in the Top 10 of the UK’s most influential people in corporate eLearning
Now in its seventh year, the 2016 annual lists of the ‘Top 10’ most influential people in the corporate eLearning sector – in the World, North America, Europe, the UK and Asia-Pacific – saw Peter break into the top 10 for the first time ever as one of four debutants in the UK rankings.
…according to a University of Colorado Denver Business School study (2010). This is a snippet from our 2016 White Paper ‘The Future of Game-based Learning’ (produced with our games partners, Amuzo). Games are still BIG news in learning and, in its first year, this partnership has helped clients, existing and prospective, really understand games aren’t just fun they’re effective and it’s mobile technology shaping this.
10 (+1) the number of our commercial, trade and professional industry partners
These relationships are invaluable in underlining Unicorn’s long-standing position as the solutions provider trusted by the financial services industry. As regulation tightens, having our partners’ expertise in helping inform the direction of the learning and supporting the development of appropriate learning tools, makes Unicorn the only credible choice. A great example is the work we’re doing with FSTP and the BBA to develop ComplianceServe in response to the FCA’s Accountability Regime for banks, building societies, credit unions and designated investment firms.
ISO27001 is the only auditable international standard defining requirements for an Information Security Management System (ISMS), to help organisations manage and protect valuable information assets and to give customers complete confidence they are dealing with a robust and secure business, especially key in financial services.
Unicorn first received ISO certification in 2011 and this year saw the business transition to the new ISO27001:2013 standard from the previous ISO27001:2005 benchmark. This new standard has been brought in to reflect the changing demands of IS security in the face of challenges and threats that did not exist in 2005.
This is the last year that firms can get the old standard – all ISO27001 audited businesses have to upgrade to the new standard but Unicorn opted to get ahead of the curve by upgrading a year early. Find out more about ISO27001:2013 here.
In the report Unicorn was commended on the quality of its Information Security Management System and how a process of continual improvement and excellent visibility of incidents is in place, along with improvements with good processes around HR, IT and hosting, and KPIs and management information within this area.
To get ISO27001 certified means reviewing and often improving every aspect of how you operate and includes identifying and mitigating potential vulnerabilities and risks, ranging from recruitment, identifying IT vulnerabilities to ensuring you have a robust business continuity plan.
To maintain certification for ISO27001 requires monthly security audits and annual external assessments.
Stuart Jones, Unicorn Training’s Director of IT, said: “This is a nice procedure to go through once a year because it shines a light on a lot of the hard work that goes into our processes and systems which don’t all get seen by staff or customers but are essential to our ability to grow the business operationally and ensure we continue to deliver the highest levels of information security for clients.”
ISO27001 is made up of 10 detailed control disciplines including information security policy, security organisation, asset classification controls, personnel security, physical security, communication management, access controls, system deployment, continuity planning and compliance.
The Heartbleed bug made headline news recently. Just as quickly as word spread about this security flaw, major financial institutions issued assurances to customers their data was safe. But the next Heartbleed is never far away. Unicorn IT director, Stuart Jones asks ‘What should we learn from this?’
As soon as news broke about the Heartbleed breach last month, we immediately sought confirmation that our systems were not vulnerable to the bug.
The ferocity of data protection demands in banking and financial services are arguably greater than in any other industry, and that is as true of the people who work within financial organisations as their customers.
Heartbleed affected websites using OpenSSL encryption between a user’s computer and website by exposing information it shouldn’t have. Unicorn products including SkillsServe and STUDYserve were fortunately unaffected. Microsoft officially confirmed the encryption component we use isn’t susceptible to the Heartbleed bug.
But around 500,000 sites were believed to be vulnerable to the bug, exposing the personal information and passwords of millions of people to possible exploitation.
Forbes cybersecurity columnist Joseph Steinberg described Heartbleed as “commercial traffic began to flow on the Internet.the worst vulnerability found, at least in terms of its potential impact, since commercial traffic began to flow on the Internet.”
Heartbleed has served as timely reminder that no one who deals in data protection and online security – both server-side and client-side – can rest on their laurels.
For every Heartbleed, which it is believed was more a result of bad coding than criminal intention, there are countless cyber-criminals looking to exploit lapses in Internet security for potentially sinister purposes.
So what can we all do to make sure that when the next Heartbleed does inevitably strike, you can be confident your systems will not fall pray to its sophistications?
1) The power of robust passphrases
In the immediate aftermath of Heartbleed the advice was for people to change their passwords, and the message around choosing passwords that are as secure as possible, and changing them regularly, has been reiterated countless times.
But instead of passwords, think passphrases, using a mix of words and numbers. They are easier to remember and harder to crack, as they are longer.
2) Get ISO 27001 certification
The process you go through to get ISO 27001 certified means reviewing and often improving every aspect of how you operate. Unicorn has this internationally-recognised information security standard.
Ratified by the British Standards Institution (BSI), ISO27001 includes identifying and mitigating potential risks and vulnerabilities, ranging from recruitment, identifying IT vulnerabilities to ensuring you have a robust business continuity plan.
To maintain certification for ISO 27001 requires monthly security audits and annual external assessments.
3) Understand your obligations
Client-side security is as important as server-side, and data protection and information security are among the key compliance obligations for any firm or organisation.
‘How to Comply with the Data Protection Act’ and ‘Information Security and your responsibilities’ are two core competency courses within ComplianceServe, Unicorn’s comprehensive compliance training solution.
The practical content is focused on learners actually applying knowledge to encourage long-term changes in behaviors in line with FCA regulatory requirements and the desire for a whole-scale shift in compliance culture.
4) Deliver securely online
When delivering online learning solutions, implement encrypted communication (HTTPS). This ensures any data transferred between the user’s web browser and the LMS is encrypted.
Remove support for old, less secure versions of SSL, which even before Heartbleed, were considered to be vulnerable to attack.
5) Regular penetration testing
Get your online solutions regularly penetration tested by expert security companies to identify potential issues and help resolve them. Regular testing provides validation that the system is not only secure but also ensures new functionality and developments continue to be examined. The results of testing over the years also provide excellent feedback to make your system even more secure as it evolves.
Still want more advice? Please don’t hesitate to contact us at firstname.lastname@example.org
Unicorn’s commitment to superior information security was first recognised with certification for ISO 27001, ratified by the British Standards Institution (BSI), in August 2011, and we are delighted that recognition has been renewed after our first annual inspection.
ISO 27001 is the only auditable international standard defining the requirements for an Information Security Management System (ISMS), helping organisations manage and protect valuable information assets. Unicorn Training has built its ISMS in SharePoint and information security has been embedded in the core operation of the business.
Stuart Jones, Unicorn Training Director of IT, said: “We are really pleased with the audit report. We’ve worked hard this year to implement the recommendations in our initial report and develop new safeguards and measures to ensure our clients can continue having complete confidence that their information is secure. This is a fundamental given in every customer relationship Unicorn has and is critical to the success of our business. We continue trying to improve information security while being on guard for new threats or incidents.”
ISO 27001 is designed to ensure the selection of adequate and proportionate security controls to give customers complete confidence they are dealing with a robust and secure business, especially critical in the financial services arena.
The certification comprises 10 factors including information security policy, security organisation, asset classification controls, personnel security, physical security, communication management, access controls, system deployment, continuity planning and compliance.
Unicorn Training’s commitment to superior information security has been recognised with certification for ISO 27001, ratified by the British Standards Institution (BSI).
Unicorn Training has been at the forefront of financial services eLearning innovation for more than two decades. With Unicorn having so many clients and partners in the financial sector, keeping client information secure is critical to the success of its business and a fundamental given in every customer relationship.
ISO 27001 is the only auditable international standard defining the requirements for an Information Security Management System (ISMS), helping organisations manage and protect valuable information assets.
It is designed to ensure the selection of adequate and proportionate security controls to give customers complete confidence they are dealing with a robust and secure business, especially critical in the financial services arena.
The standard adopts a process approach for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving an organisation’s ISMS.
Obtaining an ISO 27001 certificate is not a one-off exercise – Unicorn will continue reviewing and monitoring its ISMS on an ongoing basis, and be audited annually by an external auditor to ensure the company’s processes and procedures continue to meet this superior standard.
Stuart Jones, Unicorn Training Associate Director IT, said: “Bringing ourselves in line with this international standard provides all our stakeholders with confidence in our business, especially as it has been independently verified. ISO 27001 certification is just the first, albeit perhaps biggest hurdle. From now on we need to follow the processes we have defined and regularly check them. We need to work on the basis of constantly trying to improve our information security and being on guard for new threats or incidents.”
ISO 27001 is made up of 10 detailed control disciplines including information security policy, security organisation, asset classification controls, personnel security, physical security, communication management, access controls, system deployment, continuity planning and compliance.
Unicorn Training provides eLearning, competence and assessment services to more than 100,000 users in most of the UK’s largest financial companies. Its industry partners include the Chartered Insurance Institute (CII), British Bankers’ Association (BBA), the Council of Mortgage Lenders (CML), Wolters Kluwer Financial Services (WKFS), Chartered Banker (CIOBS), Chartered Institute of Purchasing and Supply (CIPS) and Bacs.
For more information about Unicorn Training visit http://www.unicorntraining.com
Our new Information Security and How to Comply with the Data Protection Act courses can help you help your staff get to grips with the fundamental dos and don’ts unique to each area to ensure your company does not end up embroiled in a costly data nightmare.
Driven by our belief that the best learning comes from putting facts into the right context, and delivering them with meaningful emotional impact, both courses start with attention catching cameos highlighting the consequences of an information security breach or what happens if someone fails to deal with data protection obligations.
Information Security takes a comprehensive look at why information security is important, how to mitigate information security risks and your responsibilities for information security in your job. The content examines all aspects of information security and includes a number of interactive tasks, and real life examples of how it applies.
How to Comply with the Data Protection Act focuses on you and your firm’s legal obligations under the Data Protection Act and also features a number of interactive tasks and real life examples of how data protection applies.
Both courses finish with multiple choice assessments allowing you to test your knowledge and apply it in the correct context.
For more information about these and all our updated and engaging compliance titles please email us at email@example.com or call 0845 130 5138.