Hacked Off!

By Steve McDaniel, JD, PhD, Technology Litigators | October 23, 2013

Whatever you do, take measures to lock up your sensitive information.

At last. Here I was at the trailhead of Avalanche Lake in Glacier National Park. 3,000-foot waterfalls and blue-ice glaciers dotted the scenery. It was cool. It was fresh. It was beautiful, and it was just the respite from the Texas heat and months of hard work that I so desperately needed. For weeks, I had prepared to be gone from the office, taking care of a month’s worth of business in advance, contemplating all that could go wrong and putting measures into place to back up operations in case they did. I couldn’t be happier to be embarking on my first hike. And then I saw it…no, not a bear…a voicemail. Shouldn’t I just ignore it, I thought? I did my time in the office before I left; everything’s in order. But it was my banker, and with all the banking transactions I had done for the coming month’s expenses, I thought better of it and listened.

“I was just calling to find out the purpose of this last wire request. We need to know for international wires” was the message from my banker. Indeed, I had made several international wires to pay patent fees prior to my departure. I dialed her back. Before I could even say hello, she cut me off: “Don’t worry, honey, I don’t need anything more. I just got your e-mail explaining the wire transfer to Singapore and sent it off on time!” Singapore, Singapore, Singapore…we didn’t have any patents pending in Singapore! She continued, “You know, the one for the purchase of your condo there.” “Sounds exotic,” I remarked, “but that wasn’t me; Barbara, I’ve been hacked.”

“I’ll call you back,” was all I heard, and the phone went dead. Fifteen minutes later, I learned that almost $75,000 held in the company’s money market account had been wired to an account in Singapore, no doubt to fund some organized crime ring there. I heard a vacuum sound as the life was sucked out of my vacation.

The e-mails my banker saw never went through my email account. The entire communication took place outside my view. They appeared to originate from my e-mail address, and except for some broken English, sounded and looked like my e-mails from the previous week to Barbara. Specific account names were referenced, and the withdrawal amount coincided with the balances in the account.  The hacker had assumed my identity, and taken control over my communications.

How did it happen? Well, as I sit here writing this article at Starbucks, I am touched by the irony that not long ago, on some coffee-fueled work rant at Starbucks, I was hacked. Could have been the guy sitting next to me with password hacking software who saw me on the Starbucks public network and cracked my AOL (yes, I am still on AOL) password. “How could they do that?” I begged of my company IT guy, only to find that it’s free software that anyone can get online and it works great and is very user friendly. As e-mails are travelling over public wireless networks, i.e., the ones that give you a warning that others might be able to view your information…ok, that should have been a hint…your e-mail password travels with them, and with free, easy-to-use software, anyone who wants it can see your e-mail password. In fact, I was told, it was not likely the first time someone had intercepted my password. It’s happening all the time. What’s the lesson here? No more sending e-mails over unprotected networks…ever. Don’t even have your e-mail open when you are on a public network.

So besides draining your bank account, what are hackers after? They want your money, your trade secrets, your customer files. Often, the hackers are part of a consortium of hackers for hire. Their customers hire them for various purposes. Just imagine…your customer launches a complaint that your next-generation coating is not performing as advertised, causing cracking and degradation of the underlying article. You are surprised because you’ve had nothing but positive results in testing and rave reviews from your customers. You ask the client to send you the coating for testing, only to discover that the formula has been altered, but in every other way, including the serial number, the coating appears to be your brand. You’ve been hacked all up and down the place. Trade secrets, like formulations, know-how, branding, internal codes, employee and customer information, business strategies and other sensitive information…all compromised. And out there somewhere, there’s a website that looks exactly like yours; a parallel universe where your customers are being directed to purchase what appears to be your goods, but they aren’t. And they aren’t good.

It can’t be that easy, can it? In researching for this article, I did a quick Google search. wikiHow popped up first with “How to Hack a Computer” and there it was, step-by-step instructions for getting past a password, getting remote access to a computer and cracking a Wi-Fi password. Yep, that easy.

Of course, firewalls and anti-virus programs provide some barriers to entry. But unknowingly, unwittingly, you can take a voluntary action that subjects you to attack. How many times have you popped that custom-designed USB thumb drive into your laptop after a meeting or trade show? Or provided your USB key to someone to upload a presentation? When you get it back, it might contain a little extra gift...a piece of malicious code, or malware, that executes the infection when the drive is plugged back into your computer. Now your networks are exposed, and you are naked before the hackers.

Or it may happen with an e-mail you receive. Recently, I was in the heat of contract negotiations when I received an e-mail from the other attorney that he wanted me to view a Google document using Google Docs. We had been trading documents back and forth so there was really nothing suspicious about it at first. The e-mail sent me to a “Google” site which requested my Google password. When I pushed “enter” I had second thoughts. Indeed, I should have checked with the attorney, because he had been hacked. This is referred to as “spear phishing.” It happens when one party tries to get access to another’s login information by masquerading as a legitimate contact. It can also happen, for example, in the form of a customer inquiry sent to your sales department. Once your employee clicks on the link or downloads the attachment, a vulnerability in the system, such as a word processor or browser, will be exploited, allowing the malware to begin executing on the machine and give the hacker access and control over your system. Sometimes, hackers will target a particular website, and seek out exposure on the site in order to target the users of that site. Once malicious code is implanted on the website, users of the site can become immediately infected.

What are some practical measures that can be taken to prevent hacking? There are many high-security tactics to take; however, not all businesses have the financial wherewithal to install the most sophisticated security systems throughout their systems. But it’s wise to spend some time identifying and compartmentalizing your most sensitive information and providing vigilant security measures around it. In all cases, though, prudent businesses should do the following.

1. Perform software and browser updates whenever they are released, and check regularly to make sure none have been missed.
2. Install firewalls and anti-virus programs and keep them updated.
3. Install anti-spyware/adware. Often overlooked as merely a nuisance, this malware can slow down your computer by placing ads on your browser and pop-ups on your programs. The slowdown can result in vulnerabilities in your system allowing a hacker to get through. Your system information could also be sold to others by the spyware intruder for malicious purposes.
4. Never click on suspicious or unknown e-mail links. Don’t believe that it’s ok because it looks legit.  You’re just one click away from a virus. Think before you click.  And delete suspicious or unknown e-mails from your system.
5. Have separate passwords for all your accounts and divisions.  Make them tough and use a password manager. These programs will create and store passwords for you.
6. Use two-step verification for social networking sites. A two-step verification requires that you enter a password, and then a verification code is texted to you before allowing you entry. 
7. And of course, don’t send e-mails or do banking business over public networks.

Whatever you do, take measures to lock up your sensitive information.  Cyber hackers are just thieves, looking for an easy entry point.  You lock your doors at night; lock your cyber valuables as well. With proper security, that hacker will likely move on to some unsuspecting victim. And then maybe you won’t find out the hard way about that condo in Singapore you bought that you will never see.