Season 1 Episode 10: The risk of working from home
Bastien: We’re currently experiencing a pandemic and it’s unlike anything we’ve ever seen before. People are being hit, losing their jobs, there are all sorts of horrible things happening. For the fortunate few, some of us are able to work from home but with that comes a huge increase in hacking. You’re exposing your organization because the same controls that are at your office aren’t there for you at home, and that leads to a lot of opportunity for hackers. I want everyone to think like a hacker. If you were a hacker and you’d lost your job and you needed to turn to crime, traditionally that might have been stealing from a shop or something like that. Now we have this whole new digital landscape in front of us and crime might be actually downloading some malware and sending it to your contacts list, as horrible as that might sound.
Unfortunately, in countries unlike Australia that don’t have that social safety net, we’re seeing a huge increase in attacks from countries like South Africa, India, and China. A sixfold increase in social engineering attacks on people who are working at home because they really have no other choice. The other thing that we’re seeing is opportunistic hackers, and these are probably more the evil hackers so to speak, the organisational hackers. These guys are targeting hospitals, the people that are looking after your grandparents, children, mothers and fathers. They’re sending ransomware to these hospitals and basically having them pay millions of dollars just to be able to operate as normal. The way they’re doing this they’re targeting the administrative staff who are working from home right now that are still supporting the hospitals, which is horrible.
Hey guys, Bastien Treptel here, cyberhacker. Joining you in isolation today so it’s just you and me. We’re going to cover off some of the points today of why you are at risk, what could happen to you, who is actually doing these things to you, and some of the tools that you’d be using at home and how they can be a big risk to you. First of all: who. You’ve got all these people who have lost their jobs and hacking these days is so easy, you don’t need to be the coding guy like we’ve covered in other episodes. You can literally go and download these tools off of the internet and turn to cybercrime.
We’ve seen a massive increase since this pandemic started of people turning to cybercrime. There’s those two components, the people who have lost their jobs and don’t have a safety net like we have in Australia, and they’ve actually turned to cybercrime to make ends meet. The other people are those really evil organisations that are kicking people when they’re already down, and unfortunately they’re targeting hospitals and people working from home. They’re targeting organisations like the ones that you work for to put money in their back pocket. It’s a horrible thing and what I want to do today is get some information out that you need right now to make sure that you’re going to stay safe when you’re working from home.
The first thing that’s happened is employers, businesses, and organisations can’t have their employees in the office anymore and what’s happened is that you’ve all been told to work from home. A lot of the time organisations aren’t putting the thought into the security measures. It’s just about business as usual, how to get you working and making the wheel spin for the organisation. Unfortunately, they haven’t really thought about security a lot of the time and that as a hacker, such as what I used to be, allows for a huge opportunistic hit.
So let’s talk about why you’re at risk. You’re sitting at home and maybe for the first few days it was fun, but I’m pretty sure we’re all getting sick of it now. We’re using all these applications, VPNs, and tools to connect to your workplace and get it done. As a hacker I see that as an opportunity. All those controls that are normally in place aren’t protecting you right now. I could do the traditional attacks. Now we’ve seen a sixfold increase in social engineering attacks; that’s phishing emails where people send emails and they don’t come from the person you think they are and they’re asking for information. We’ve seen an increase in phone calls, people ringing up and pretending to be your organisation’s IT department and asking for information. Now I know I harp on about this a lot, but never ever give your password or any kind of information over the phone or via email – it’s really important.
We’ve actually seen in the last few weeks unfortunately more than ten organisations in Australia that have come to us personally for help, who have given their information online, via email or over the phone. Then they went to work on Monday and no work was able to be done. Unfortunately a couple of organisations are no longer with us, they’ve gone into administration. The reason being, once you give out that password and you’re the frontline worker, people will essentially gain access to your network and they can start doing things like ransomware, pulling data out, and figuring out where the money is and how it flows around. A lot of you right now have changed your process for invoicing or invoicing approvals – they are things that hackers look for. If you give out that information, they’ve got access to that and then you’re basically in their hands.
Let’s talk about a really interesting tool that we all use now for meetings, and we’re going to use Zoom but it applies to all of them whether it be Microsoft Teams or WhatsApp etc. You might have seen recently Hamish from ‘Hamish and Andy’ doing something really funny, he was bombing people’s Zoom calls. It’s really funny, but he’s actually managed to get into some pretty secret conversations. Now it seems innocent, but people are publishing their Zoom IDs online or in their emails and there’s no password protection. Now if I’m a hacker and I want to target an organisation I’d listen to what they’re talking about. Let’s jump in on these meetings, a lot of the times people won’t even notice. A really important feature that Zoom has just enabled is having a waiting room. So the administrator for the call will actually click to let people into the meeting. You also should have a fairly complex password to let people into the meeting, something that’s easy to remember and easy to type.
Right now Zoom is going through a whole heap of change and they’ve learned the lesson the hard way. Organisations have had some pretty horrible things happen to them, for example we had some fairly racist people join a phone call and it hugely affected the reputation of the organisation that had been bombed. The other problem is once you’ve got your Zoom ID, and if you use the same password for everything else, there’s also a vulnerability for sale right now on the darknet for $500,000. Whether it be your usernames or passwords or a way to use a Zoom app to get information from your business. So if you’ve got that Zoom app installed on your computer you then have what’s called a zero day exploit. Someone might have paid for this, and then they can access all your businesses.
Now Zoom has already addressed this, so hopefully it’s no longer an issue. But these are some of the things that you’ve got to think about as an organisation before you just start letting people use all these collaboration tools. Zoom’s great, but look for some of those features such as a way to let people into a meeting, a way to password protect meetings. Please don’t publish your meeting IDs publicly because you will end up with someone that you don’t want on your call (which would hopefully be funny, but could also be very detrimental). These are some of the things that we need to think about.
The other thing that we’re seeing is we need to harden our staff to social engineering attacks. What I mean by that is you as a business and as a person need to educate yourselves into what is normal behaviour. The IT department should never be ringing you up and asking you for your username and password, they should already have a way to remotely manage your machine. No one will ever ring you up and ask you for your banking details or personal information, anything like that. If they ever do, ask them where they’re from and jump on to Google to look up the company. If it’s a reputable company and you do want to talk to them then call them back on that number. In these times they will a hundred percent understand and that will put a safeguard measure between you and these hackers that are attacking you left, right and centre.
For all you business owners out there, we’ve actually got a checklist that we’ll link in the bottom of this podcast that you can download. Make sure you’re covering off these points to ensure your staff are working safely from home. You need to make sure that the applications you’re using are secure and reputable. Make sure that you’ve got a policy, sit down with your policy writers and write out what you expect your staff to do from home and what you expect them to use; it throws up all these interesting questions. People are going to be using their own computers a lot of the time to connect in. We call that “bring your own device,” and we need a policy and a way to secure those things. You need endpoint protection on every device that’s connecting into your network. That’s basically going to keep you safe.
We would recommend using a remote access system, such as Citrix or a VPN system. You need to make sure those things happen before your staff go and work from home. Do a one hour call on a secure collaboration portal and train them on some social engineering stuff, because they’re going to be facing these attacks. The statistics at the moment are showing that one in three people in Australia are experiencing some kind of social engineering attack. So if you’ve got a staff member or a hundred staff members, do this training with them because some of those staff are going to be hit with those types of attacks during this pandemic. There are all these great technologies that are going to help you secure your business, collaborate better, and help you do all these fantastic things but you must make sure that they’re set up correctly.
Let’s have a little bit of fun now. I’m going to cover off two types of hackers. First of all I’m going to be the opportunistic hacker: I need some money to put food on the table for my family. Now first I would go and find a few target organisations. You might think that you’re just an employee, but I’m going to go after you. If you’re the weak point in that organisation, you listening to this podcast are my target. If I can find out information about you online, about your job role on LinkedIn, where you live, your favourite things to do, who your IT department is, then I’m going to start to write down a list of all these attributes that I know about you. It might be just a simple phone call, maybe I’ll start off as a survey.
[Hey Greg, how are you doing mate. It’s Steven here from the IT department, we’re just doing a survey about working from home. We want to find out how you’re doing with it]
Now these questions are going to start off very light weight, checking how you’re coping and if your work environment is okay, how you’re doing mentally… Then I’m going to weave in some little things in:
[Mate we just need to make sure that you’ve got a secure password, can you let us know what it is and I’ll let you know if it complies with our current IT policy at the organisation because we might need to get you to change that]
People, after they’ve been asked a whole heap of questions and built trust, tend to answer these things. Once I’ve got your password I’m now logging into your organisation as you. I’m now sending emails around the organisation as you. The next thing I need is someone to blame. I need to open up a bank account, open up some crypto wallets. You unfortunately, Greg, are now my sheep that’s going to cop all of this. So I’ve jumped into your organisation and I’ve figured out how to get an invoice raised by payroll approved by you sent to your bank account. This is not going to be fantastic for you moving forward, you’re probably going to get the police to knock on your door in a few days. That’s just the opportunistic way of hacking, not even really using any skills other than just a phone call.
The other type is these evil organisations and they’ll probably be a little bit more funded. They’ll go onto the dark web and do something like we talked about, say downloading this new Zoom tool. For people who haven’t updated Zoom, boom you’re a target. Once I’ve got access to Zoom, if you’ve got that installed on your organisation, I can then get access to your enterprise credentials. Once I’ve got that, probably my best port of call is to infect your entire environment with ransomware. Now I’m a pretty clever guy and I would have done this to your backups, your servers, and your cloud environments – you won’t be working on Monday.
You won’t know this is happening because I’ll do this in the background. Now this has happened so many times in Australia, even in the last two weeks we’ve seen ten organisations have this happen to them. Once you’re completely infected there really is no recourse for action other than try and find offline backups or pay the ransom. Sometimes these ransoms are worth millions of dollars, and the really crappy thing is a lot of the time these servers who issue the keys so you can get your data back get shut down by law enforcement. You don’t get your key, you don’t get your data back, you’re screwed. You’re essentially trying to rebuild an organisation from what you can remember in your head.
We recently had a winery in Australia who had ransomware. These guys are salt of the earth kind of people, they see IT and computers as something they were forced into. But they sell wine all over Australia and they’re at risk of getting a fine with GDPR, which would end them. GDPR is the European data regulations that we’ve talked about in previous episodes. They don’t really have any options, it’s either to pay this ransom which is in the order of millions of dollars, or to shut up shop. It’s a horrible thing for a business that’s been around for a hundred and fifty years. This pandemic has caused this thing to happen and now they may not be around next year.
That gives you two examples, now I want to segue into something that is really interesting for me at the moment. If I was a hacker I would be paying close attention to this new government app. I want to preface this and say that I completely support any tool that is going to help the Australian public limit the effects of this pandemic and stop people from dying. But it’s also really interesting to think about the implications as a hacker. We’re suddenly going to have this data, and thanks to some laws that were passed a few years ago the government’s going to have information ability. The information to track where we’ve been over the last two years and where we are right now live.
That’s fantastic from a pandemic point of view. If we’ve had someone come over from overseas and we’ve spent more than fifteen minutes in close proximity with that person, we’ll alert you to self-isolate. It’s a really powerful tool for the government to stop this pandemic from spreading and enable us to stop social distancing, which would be great (so I could get some guests onto this podcast). But as a hacker, think about that. I can tell the patterns of when you’re home. I can then go and steal your car. I can tell when your children go to school, I can tell when you’re at the office and when you’re not. When you couple this dataset with machine learning it would give a criminal organisation everything they would need to really run rife for you.
Everything from simple petty crime to information such as where you live, because obviously the data is going to show where you spend most of your time at night. So suddenly I have this data object of you: the person, your name, where you live, where you’ve been, and where you’re going. Probably enough information about your family members too. Now machine learning is very clever, it can build up some pretty important maps of who you are as a person based on that. Once I have all that information you are really mine. Let’s not forget here that the government who was promising this will be secure also set up MyHealth, and that’s been hacked successfully 42 times in the last 24 months.
I really want this tool to happen and I want this to help protect those that are likely at risk, and I want it to stop the pandemic in Australia. But let’s really think about this and get it done properly. Perhaps think of some measures where we don’t give the government access to this data. It literally goes into a machine learning thing and we turn it off after this pandemic. We have it as a tool that we can use during these things, not just an ongoing tool that the government has access to. Because I guarantee this data will eventually get out.
Now we’ve talked about how at risk you are and how someone would go about getting your information or using you as a pawn to get into your businesses. Unfortunately this is going to happen no matter how much I get up here and yell and scream, saying you should do these things. Again I can’t stress enough the importance of downloading our little checklist at the end of this podcast which will be linked. Make sure you’ve checked off each of those steps to make sure that your staff are working from home safely. But let’s be realistic here, if someone really clever comes along they are going to get into many organisations.
So what do you do? It’s the same steps that you have if you’re in the office, but you need to think about these things now. Hopefully the majority of you are in the part where it hasn’t happened before yet and you’re hoping that it won’t happen. I’m telling you that it will happen to some of you, so make sure you’re prepared. Have an incident response team. If someone in your office thinks that they might have done something wrong, I should be able to go and ask that person about it. Anyone in your organisation from the cleaner, the receptionist, the CEO, anyone. If they think they’ve done something wrong they should know who to contact, and they should do it straight away, they shouldn’t be afraid of it either.
You need to watch those cultural things in your organisation where people are shamed into doing the wrong thing. They should confidently say, “hey someone’s outsmarted me here, and thanks to the training you’ve provided me as an organisation I’m contacting you because I think I stuffed up.” Now you can do something about it and that incident response team can quickly have a look at what data has been accessed, what data was given, and do something quickly. Hackers, once they’re in, will take a certain amount of time to get their lay of the land. You might be able to stop them before they get too far into your organisation. Those are the things that you need to implement as a business right now, because I don’t want you calling me next week saying you’ve had a breach or your data’s blocked out. Unfortunately, some of these new software programs out there and these malicious software codes such as zero day exploits are so good that there’s nothing we can do to help you. It has to be preventative measures. We will see more Australian businesses go bankrupt or go into administration if you don’t do this properly.
Let’s talk about the future, there’s actually going to be some positive things that come from this pandemic. I don’t know if anyone’s had the opportunity to drive around lately but traffic is amazing. Driving from one spot to another has never been better in Australia. Maybe after this pandemic we would have adapted our work from home practices so much and use future technologies to secure our staff from home, same as if they’re in the office. We can actually have staff working from home a lot more than we currently do. That’s going to help the environment. Look at the ozone layer at the moment and all these things happening around our planet. Fish returning to reefs and fantastic things that are happening because we’re not out and about so much. We can use this as a change for good.
To make that happen we really need to focus on the technology to make sure that it’s adapting to our needs. We have to make sure that we have the right policies and procedures in place to make sure we can use that technology safely. We need to make sure we’ve had some thought into it. Security these days needs to be at the forefront of your thinking. Think to yourself whenever you have an app online, whenever your staff are working from home etc, put your hacker hat on. Ask what information are they going to have access to, what applications do they have access to, and have we thought about how to secure those things? At the end of the day pay someone like us to come in and test these things, because you might not have that skill to be able to look at a concrete wall with a concrete floor and think to yourself how to go under, around it, through it or over it, or even blast a hole through it. That’s how a hacker thinks, they won’t take no for an answer.
You have to have systems in place that will detect a hacker doing that, and that will mitigate the damage or limit the information that they’ll have access to. It’s still really scary these days, you have every staff member in the business that has access to absolutely every document within a business, and it happens a lot. Those things need to be in the past, let’s use this as a good change to move into a more secure and safer future that’s better for our environment so we can actually deploy these amazing tools that the government’s talking about. To do it safely and not have all this information out there. Let’s use this as a catalyst for change, it should be really positive for us.
Lot’s to think about there but I urge you again to download the checklist for everyone to work safely from home. One of the things I’m really proud of is that we’ve actually created a team of people during this pandemic that are here to help Australian businesses and people through this. So if you’re worried about your staff working from home or concerned that your security is wide open get onto our website: ctrlgroup.io or give us a call on 1300 287 528, and honestly we’ve got a team of really great people that are here to help you and get through this thing and make sure that your business is here in the years to come.