Of all the IT detective agencies in all the towns in all the world, she walked into mine. She was blonde, beautiful, and had eyes so blue they would scorch your soul. And I knew just how much that would hurt. See, I was in love with her once. Hey, maybe I’m still in love with her. How could I not be? She knew her way around a secure IT password policy and she worked for a major credit reporting agency. Even though she was the life of the party, I knew she was all business where it counted.
One look at her and my heart started banging like a bad platter on a Seagate hard drive, but I knew I had to play it cool. “Hello, pretty lady.” I said. “What brings you to my office?”
“Hi there, handsome fella’,” she replied. “I hear you’re investigating that big data hack from September. I figured I’d come looking for you before you came looking for me.”
“A lot of people’s Personal Identifiable Information (PII) was stolen,” I said. “People were outraged. They were mad, and they want answers. They want to know why it happened, and what to do next. And I want to give them those answers.”
“Well, I don’t work for Transfaxian anymore. And I had nothing to do with that data breach,” she insisted. “I just want to help you help the people who got hurt.”
She said she had nothing to do with it, but the timing of her departure was a little too coincidental. Still, if she was willing to sing, I was willing to play backup, so I invited her to Sam’s Pub to tell her story.
When she walked into the bar, she lit that dark room up like the activity lights on an overworked Cisco router. Sam poured us some drinks, I tossed him a quarter for the jukebox, and he played our favorite song. It was time to grill this pretty lady. Did I have an axe to grind? Maybe I did. We were a nice couple for a while, but work got in the way. I spent so much time investigating data breaches that it affected me day and night. How could it not? Who can sleep when their PII is being sold on the dark web?
I was stuck in a dark cloud and depressed. She got tired of being ignored, and kicked me to the curb. But before the first question came out of my mouth, she flashed me a smile. You know, the smile that melts the most frozen of hearts and makes you feel at ease. The last time I smiled like that, I’d just pulled off a flawless two-day security audit.
“So,” I said. “Why were the hackers able to get the Social Security numbers, birth dates, addresses and some driver’s license numbers?”
“I just know what I read in the papers,” she said. “They knew there was an unpatched flaw with Apache Struts CVE-2017-5638, but their own security team couldn’t find the flaw to fix it.”
“So they knew!” I nearly yelled. I knew she hated black olives, zero-day attacks, and unpatched servers, and when I raised my voice, I could see tears in her eyes.
“Yes, they knew,” she whispered. “But I was just another hard-working sales person trying to make a quota.”
She was one of the best sales people ever; she once sent me a postcard from Cancun after she won a sales contest. I knew this lady could pull the wool over my eyes if I wasn’t careful.
“Did you always use two-factor authentication?” I asked carefully. “When you logged into your computer or a company website, did you have to enter a username and password plus a random 4-8 character one-time code?”
She frowned. “No, I just put in my username and password when I booted up my computer or logged on to the website. I didn’t need anything else.”
“What was your password?” I asked.
“What was yours?” she responded coldly.
“Your name plus the date we met, hashtag smiley face.”
“So, at least 10 characters with numbers and special characters?” she said. “Yes, we followed that standard.”
“Ah, but how often did you change it?”
“It was supposed to be 60 days, but I changed mine every 45 days,” she said.
Clearly, it was time for harder questions. “Did your department use email to send documents like PDFs, Word files, or Excel files as attachments to other employees? Not to customers or people on the outside?” I asked. She looked away. I could see she was stalling. “Or did you use some kind of cloud storage, like SharePoint or Google drive, and just email links to the document locations?”
“Okay, okay. We emailed attachments to other department members all the time. It’s not a crime, even if it can leave cached copies on servers outside our firewall,” she snapped. Like she was a dancer in another life, and she was dancing fast now. “We didn’t use shared storage. I guess we could have emailed the links instead of emailing the documents to other team members, but we didn’t.”
“Did anyone in your department ever get phished by a hacker?”
She looked offended. “We were smart. We had great email filters. Email from customers came to the inbox, and email from spammers went to the spam folder.”
When she talked security, it drove me crazy, and it crushed me that we were not together anymore. I reminded her, “It’s a lot easier than you think to get phished, pretty lady.”
“Well, not me. I followed the company’s rules. I always used the VPN when I was on the road or in the coffee shop. And we were pretty restricted on our laptops. We couldn’t open our personal email accounts on Gmail or Outlook or Hotmail. Oh, and we weren’t supposed to use social media on the laptops.”
“You expect me to believe that?” I pressed.
“Okay, fine. So I would sometimes check Facebook or hit an Ann Taylor sale online,” she said. If she was wearing Ann Taylor now, nobody wore it better than her.
“I just worked a big case involving some Nigerian hackers,” I explained. “They used a company’s email account to send fake invoices to customers that used routing numbers for a bank in Nigeria. The customers paid the invoice, but the Nigerians got the money. Did anybody get hit with ransomware at your company, as far as you know? Or did you hear talk about any other kinds of security issues?”
“No way. The security was tight,” she said.
“Okay, so what if someone at Transfaxian lost their corporate cell phone?”
“They did a remote wipe. You lost the phone, but the data was gone. I didn’t lose sleep over it,” she said coolly.
“Did you ever have to back up your laptop?” I said.
“No, why would I? Most of my work was saved in the corporate app. I never had a device fail on me. I like to play the odds,” she said with a devilish grin.
“Well, how often did your corporate IT department apply Windows updates to your laptop?” I asked. “Large companies typically push updates to their employees on their own schedule. The credit bureau hack was possible because your company did NOT update an Apache server. Do you remember being asked to reboot your computer during the work day on a regular basis?”
“I know I occasionally had to reboot for updates. Sure. I thought we were on top of the security fixes, but I’m really not an expert,” she said sadly. “You believe me, don’t you? It wasn’t my fault. I heard some big-shot officers traded their stock and walked away with a fortune. All I walked away with was a coffee mug and a red Swingline stapler.”
“I believe you, pretty lady. However, there are folks out there who are just trying to make it in this world, trying to see if a little sun will shine on their dreams. So what do you want me to tell those hardworking stiffs who are running scared because their PII is exposed?”
She took a deep breath. “Tell ‘em, you should keep your credit frozen for the rest of your life. Or until they come up with a new kind of credit fix. Freezing your credit will keep you as safe as possible. Right now my former company says they’ll waive any fee to place, lift, or remove a security freeze through January 31, 2018.
“Other than that, make sure to join a service that lets you monitor your credit on a regular basis. I personally use Credit Karma. You also need to know that in the next few months, cyber attackers will take advantage of this incident and launch millions of phishing emails, phone calls, or text messages trying to fool people. Oh, and tell people to read the Ouch! Security Awareness newsletter so they can learn to protect themselves,” she finished.
“That’s a nice speech, but it doesn’t address how the hackers got in,” I said. Her face turned red and that firecracker personality that I’d fallen for came to life. “So what would YOU have done, big shot?” she challenged.
“That’s a hard fix, but an easy answer,” I replied. “After all, that’s why they call me the IT Detective.”
- Hide the version and OS identity from errors whether you are running Apache or another server. When an attacker types a nonexistent URL on your server, the version of the server can be displayed in the error message. On an Apache server, you can turn the ServerSignature off to stop the server version to being seen during an error.
- If your web page will accept comments from customers, validate those comments to prevent cross-site scripting (XSS) attacks.
- Explicitly parameterize queries to prevent SQL injection attacks to prevent an attacker from using a web form field or URL parameter to gain access to or manipulate your database.
- And for heaven’s sake, keep your software updated on your server, including third-party software.
When the hail of bullets stopped, she waved away the smoke and said, “I was your bleeding heart. I was your crying fool, but you loved your IT detective job more than me.”
“I was in love with you once, you know,” I told her. “And I’ll always take the blame for why we split. I’m no good at being noble, but it doesn’t take much to see that the problems of two people don’t amount to a hill of beans in a crazy world where people’s PII is being stolen every day. Someday, maybe you’ll understand that.”
She tossed a $50 bill on the bar and stood up. “It’s time to move on, time to get going. What lies ahead, I have no way of knowing. But I told you what you wanted. So this is goodbye, handsome fella.”
“Goodbye, pretty lady,” I said. We hugged. I did not want to let go, but I did.
As I watched her walk away, I knew two things:
She would always have a piece of my heart, and the data breaches would continue. My job would never get any easier. When the most vulnerable piece of any network is the user, it just makes my job harder. It comes with the territory.
I ordered another drink, tossed out another quarter for the jukebox, and said, “Play that song again, Sam.”