September 2016


Black hats sneak into cyber networks

By Kate Tilley, Editor, Resolve

You’ve been hacked!

Those few words are some of the scariest corporate entities can hear today.

Katherine Hayes, senior associate at Carter Newell Lawyers, Brisbane; William Ulyate, Queensland general manager at Content Security; and Jennifer Ramsey, strategic adviser with public relations consultancy Rowland, presented a seminar to AILA Queensland in which a simulated cyber attack resulted in a data breach.

Their hypothetical company, HealthCo Ltd, was a listed company. It operated private clinics with 25,000 patient visits a year and maintained sensitive data about patients and more than 1,000 employees.

Before the seminar began, attendees ate a light lunch while watching Threat Cloud’s live map of threats attacking targets around the globe. William said one in 100 attacks was successful, and the daily average was six million.

Katherine explained the dark web, a place where 90% of internet information is stored but is not readily searchable by the public. “A lot of criminal activity occurs in the dark web but you need to be in forums to get to specific addresses ... to buy drugs, guns and porn.”

But she said the dark web was also used for good, for example to allow Chinese activists to circumvent government restrictions.

Bitcoins, an untraceable digital currency, were frequently used by criminals. More than four years after LinkedIn was famously hacked, security researchers discovered more than 117 million account details being sold for bitcoins on data-sharing sites in the dark web.

Facebook founder Mark Zuckerberg was among those hacked and, in an embarrassing revelation, it was exposed he used the same simple password, dadada, for several social media sites.

William said hackers did not need very powerful tools to gain access to data like passwords. Just one compromised PC could do “an incredible amount of damage” once it was connected to a botnet – a network of remote-controlled computers infected with malware.

Jennifer said hacking was “a growing and present danger” for many Australian entities. William agreed. “There has been unprecedented growth since the late 1990s.” The number of hacks in 1H2016 exceeded the number in CY2015.

Credentials – ie user names and passwords – were hot property for hackers. William likened it to ‘black hats’ (the industry name for adversaries) obtaining copies of your keys and breaking into your home without your knowledge.

In the past, hackers needed niche, specialist skills, but products to enable attacks were now commodities sold on the dark web. A denial of service attack, which makes internet access unavailable to a host temporarily or indefinitely, was available for $US10/hour. “It’s like giving a toddler a live gun,” William said.

It was possible to go onto forums and buy bulk information for as little as $6 for 1MG of data – about 6,000 user names and passwords.

William said in only 15 minutes he could steal sufficient information to purport to be someone else, then send an email asking one of their colleagues to click on a link that would infect the organisation’s network. IT personnel were often victims because they had higher access levels. “I draft an email to ‘support’, add my malicious software, and that’s it.”

Some sophisticated hackers even patched systems they hacked to cover their tracks.

Once a portal was open, hackers could tunnel through firewalls. Anti-virus software was useless once a hacker was using an authenticated identity. They could go undetected for months, harvesting usernames and passwords to sell on the dark web.

Back to HealthCo and its woes. Jennifer said all organisations needed crisis management plans that identified personnel (and their alternatives) on a crisis management team, their roles and responsibilities to ensure “nothing falls through the cracks”, stakeholders and likely scenarios.

She advised organisations to put their teams through mock scenarios and conduct media training to be better prepared to handle tough questions.

“Consider your data retention and protection policies and external resources you may need when a crisis erupts. Reputation is everything – it can be more than 25% of a company’s value and your number one risk concern.”

William said HealthCo was a data-rich target because the health care sector held so much personal information about clients. Personal identification information was “hot currency”, ie, useful for identity theft. “You can’t change your date of birth or your mother’s maiden name,” he said.

Jennifer agreed. “The potential for community outrage is high and [data theft from a medical organisation] is popular with the media.” She warned social media could “go wild” and the media had “a never-ending story” once it identified people at risk from the hack.

William said hackers used social engineering, ie, manipulating the natural human tendency to trust others. Phishing was an attempt to obtain sensitive information by masquerading as a trustworthy entity in an email. Spear phishing was a more sophisticated form and cat phishing was scamming people by feigning friendship or romance.

William warned against making LinkedIn connections with unknown people. “It’s very dangerous.” They could eventually hold you to ransom, steal personal information and “you’d be surprised who falls for it”.

Typical breaches were to extort money and Katherine said ransoms usually started fairly low.

But William warned, if you didn’t pay, “they punish you to build street cred”.

Katherine said HealthCo would be in freefall once data was leaked and needed to notify its insurers, which could co-ordinate a crisis management response – if the company was covered.

Jennifer said HealthCo had to stand up its crisis team and establish principles of truth, integrity, open and transparent communication and co-operation with authorities. All stakeholders had to be notified.

“What are the key messages? Be consistent and react quickly,” she advised.

“Never say ‘no comment’. There is always something to communicate and, if you don’t, someone else will. If there’s a vacuum, the media will find someone to fill it.”

HealthCo could say it was taking the hack very seriously, safety and privacy for patients and staff were top priorities and it was working with advisers and the police and would keep the media informed.

Social media platforms were critical. HealthCo needed policies in place about what staff could say on platforms, but they could also be ambassadors. “Give them information to deal with queries,” she said.

HealthCo could use its website as “home base”, drawing people to it to get more information about how it was responding to the crisis.


Resolve is the official publication of the Australian Insurance Law Association and
the New Zealand Insurance Law Association.