You’re probably familiar with the stories of data breaches at large companies. Sometimes the greatest threat to an organization’s network is its own employees. Human error plays a well-known role in security breaches, and human gullibility, carelessness and negligence are often called the weakest link in computer security. Here are some of the worst user failures ever.
1. Falling for a Phishing Expedition
The phish arrived in March 2016. John Podesta, chair of Hillary Clinton’s 2016 presidential campaign, received an email that looked like it came from Google. It said: “Someone just used your password to sign in to your Google account… Location: Ukraine.” The email contained a link that would let him change his password “immediately”.
Podesta had good instincts. He found the email suspicious and forwarded it to his chief of staff, who passed it on to the campaign’s IT personnel. IT replied with a short message that contained useful guidance, but one sentence in it was fatally wrong: “This is a legitimate email. John needs to change his password immediately, and ensure that two-factor authentication is turned on… He can go to this link: https://myacount.google.com/security to do both…” (IT says they intended to write “illegitimate email”.)
It appears that IT’s complete response may not have made it all the way to Podesta. In any case, someone in Podesta’s office clicked the link in the phishing email rather than the one IT had supplied, and handed the attackers Podesta’s password.
In the final weeks before the election, selected internal messages and confidential documents were leaked daily via WikiLeaks and widely covered by the media. In a close presidential race, the phished material may well have influenced the outcome.
Bruce Schneier observed back in 2000 that only amateurs attack machines; professionals target people. Social engineering, the ancient art of the con artist, has always been part of the black-hat arsenal. Many of the most successful hacks of the past few years did not involve burning a zero-day, but rather cajoling or panicking people into giving up their credentials, emailing back private data, or wiring money to the attackers.
Phishing is a form of social engineering that uses email, text messages and phone calls to persuade people to disclose information or run malicious payloads on their computers. A phishing campaign may be a generic message sent to thousands of people in the hope that one or two take the bait. Spear phishing targets specific individuals, using personal information gathered from the Internet and social media to craft convincing lures.
As is often the case, multiple things went wrong in the Clinton campaign breach. Podesta was right to trust his gut. But if Podesta and his staff had been savvy IT consumers, they would have known never to click a link in a suspicious email, to navigate directly to the company’s website instead, and they would already have had two-factor authentication enabled.
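The “don’t click the link” rule can be turned into a mechanical check before anyone opens a suspicious message. The script below is an added example written for this article, not code from the original page: it extracts every link from an email body, and flags links that are not HTTPS, that go through a URL shortener, whose domain is not the expected sender’s, that look like a typosquat or brand-bait lookalike of it, or whose visible text shows one address while the href goes somewhere else. The sample email, the expected domain (google.com) and the shortener list are assumptions constructed for illustration.

```python
"""Triage the links in a suspicious email before anyone clicks them.

Added example for this article, not code from the original page. The email
body, the expected sender domain and the shortener list are assumptions
constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# The domain the message claims to come from (assumption: a "Google" alert).
EXPECTED_DOMAIN = "google.com"
# Common URL shorteners; they hide the real destination, so treat them as suspect.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly"}


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of a hostname (adequate for .com; not for co.uk etc.)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a, b):
    """Levenshtein distance, used to spot typosquats such as goggle.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage_links(html_body, expected_domain=EXPECTED_DOMAIN):
    """Return {href: [reasons]} for every link that should not be clicked.

    A link is clean only if it is https and its registrable domain is the
    expected one; anything else collects at least one reason.
    """
    parser = _LinkExtractor()
    parser.feed(html_body)
    brand = expected_domain.split(".")[0]  # "google"
    findings = {}
    for href, text in parser.links:
        url = urlparse(href)
        host = (url.hostname or "").lower()
        reg = registrable_domain(host) if host else ""
        reasons = []
        if url.scheme != "https":
            reasons.append("not https")
        if host in SHORTENERS:
            reasons.append("url shortener hides destination")
        elif reg != expected_domain:
            # Brand name buried in an unrelated host (google.com.evil.net) or a
            # domain one or two typos away from the real one is a lookalike.
            if brand in host or edit_distance(reg, expected_domain) <= 2:
                reasons.append(f"lookalike of {expected_domain}: {host}")
            else:
                reasons.append(f"external host: {host}")
        # Visible text that looks like a URL but points somewhere else.
        shown = urlparse(text).hostname if text.startswith(("http://", "https://")) else None
        if shown and shown.lower() != host:
            reasons.append(f"link text shows {shown} but goes to {host}")
        if reasons:
            findings[href] = reasons
    return findings


# Constructed sample: a password-alert lure with three links; paths are made up.
SAMPLE_EMAIL = """
<p>Someone has your password. Change it immediately:</p>
<a href="https://bit.ly/example-path">https://myaccount.google.com/security</a>
<a href="http://accounts.goggle.com/signin">Sign in</a>
<a href="https://myaccount.google.com/security">Review your security settings</a>
"""

if __name__ == "__main__":
    for link, why in triage_links(SAMPLE_EMAIL).items():
        print(link, "->", "; ".join(why))
```

On the constructed sample, the shortener link and the goggle.com link are flagged while the genuine myaccount.google.com link passes. The registrable-domain helper is deliberately crude; for production use, replace it with a public-suffix-list lookup, and remember that a clean verdict here only says the link is not obviously bad, not that the email is legitimate: the right move is still to type the site address yourself.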
2. Reused and Easily Guessed Passwords
In 2016, hackers took control of Mark Zuckerberg’s Twitter and Pinterest accounts. The accounts were vulnerable because their password was both trivially simple and reused across multiple services.
In 2012, millions of LinkedIn password hashes were stolen, and years later the dump was published. Hackers found Zuckerberg’s password in it and used it to post taunting messages from his dormant Twitter and Pinterest accounts. (“You were in LinkedI