We all need to do more to protect our identities online, as we learn from a reformed computer hacker
A reformed hacker shares his tips on how to stay safe online
It’s difficult for most of us to recall a time when we were not constantly connected to the internet. Practically every aspect of modern life requires the use of a computer, smartphone or tablet. Banking, shopping, flight and hotel bookings, consumption of news, and communication with colleagues and loved ones – everything is dependent on us being online nowadays. Living off the grid is an almost absurd notion, like going back to the dark ages.
As a result, there is the increased likelihood that many of us will experience the effects of hacking (even brand-new cars can be hacked and controlled remotely these days). It’s a sad inevitability and, no matter how careful we are, there’s always somebody out there waiting to help themselves to information about us that we’d rather they couldn’t access – whether that’s our passport number, bank account information or a photograph we wish we hadn’t shared.
Richard Neale knows all about this. In May 2014, after a falling-out with colleagues at his company, Esselar, he took leave of his senses and compromised the systems of Aviva, the United Kingdom’s largest insurance provider, which was at the time an important client of theirs. Esselar, it turned out, had failed to disable his access to the main systems even eight months after his departure – systems he himself had set up, leaving him free to make mischief.
In short, he was able to basically waltz into the system and temporarily wipe data from 900 of Aviva’s mobile phones. The reset was a simple one and things were back to normal 24 hours later but Esselar’s blatant lack of diligence taught the company a very harsh lesson, costing it dearly. In fact Esselar hadn’t even rescinded his access to the company’s Twitter account or its financial systems after his departure – poor form for any business purporting to be looking after the IT interests of one of the country’s leading firms.
Neale did not go unpunished by the authorities but is now an “ethical hacker” – one who exposes flaws and vulnerabilities in computer networks. He’s fighting the good fight and wants to help people and businesses protect themselves against such threats, and is now the CEO of a successful online security consultancy, the ultimate goal of which is to protect your most precious asset: your brand. And that’s not something to be sniffed at – your brand is, in many respects, everything.
The dangers of getting hacked
Whether that’s your reputation as an individual or the name a company has spent years nurturing, the damage to either can be devastating. Consider that, in 2014, Yahoo was the victim of what’s thought to be the biggest data breach in history, with all 3 billion of its user accounts compromised – the disclosure of which resulted in approximately Dh1.3 billion being wiped off the company’s valuation. Many institutions simply wouldn’t be able to recover.
Neale was recently in the UAE with his business partner, Simon Taylor, to present a discourse at the Arabian Hotel Investment Conference in Ras Al Khaimah, and their advice should be heeded and acted upon immediately.
“Over the past five years, approximately 9.7 billion data losses have occurred globally, that we know of – data that could potentially identify an individual. Of these cyber attacks, 92 per cent were phishing and global ransomware, which is a growing problem that affects all sorts of businesses. Every 40 seconds, a business falls victim to ransomware attacks and these can result in huge costs through infrastructure downtime, data recovery and fighting the resultant public relations fires. The average cost is US$7.1 million (Dh26m) and yes, businesses can insure against this, but there’s no cover when it comes to reputation and the effect it has on a brand,” says Neale.
Phishing can be something as simple as an email from a scammer asking for our bank details so the inheritance left to us by a mysterious Nigerian benefactor can be deposited into our account. And yes, people do still fall for this one. More often than not, however, it’s a link in an unsolicited email or an attachment that can then infiltrate our system, working away in the background until one day it’s too late. The prevalence of ransomware attacks is terrifying, and involves malicious software invading our devices and literally holding us to ransom – either pay up or lose your precious data forever.
Taylor says that what we see online is just the tip of the iceberg in some respects, as what’s known as the “dark web” does exist. “What we see in daily life is what’s known as the surface web,” he cautions. “I’ve explored the dark web and can tell you it’s an extremely unpleasant place. Anything is available there. And it’s in this space that plenty of illegitimate activities are carried out that don’t need to be accessed by conventional means. But the anonymity of it means there are very real dangers lurking within. You don’t want your personal information ending up there, I can assure you.”
Why would someone hack to begin with?
Something that puzzles many ordinary people is why anyone would hack them in the first place. What is it about our run-of-the-mill lives that could possibly interest anyone else out there? “Many hackers do it for fun or notoriety,” Neale says. “There’s a wide range of different people with different motivations, but they’re unlikely to target us individually. Rather, they throw a net out there and capture the personal data of multiple users. But if you are difficult to see online, hackers will just move on – they’re inherently lazy people and take the line of least resistance.”
We rarely stop and think about just how much information we share with strangers in our daily lives. What about the data that hotels around the world have in their possession? Passport scans, checking-in and-out times, the flights we’ve been booked on, payment details, the list goes on and on. And we part with all this valuable data because it’s part of the process. But when a business such as a hotel chain suffers a data breach, then somebody has to carry the can and Taylor says it’s always the person in charge. “The CEO has to shoulder the responsibility,” he remarks, “and the weakest link in every system is always the people that use it.”
To illustrate how vulnerable every company can be, Neale relates the time a client asked him to break in and test its levels of security, which were assumed to be impenetrable. “It’s a wealth management firm with offices seven floors up in the centre of London’s financial district – biometric access, fingerprint recognition, the works. I turned up in the evening, dressed in a suit and looking suitably harassed.
"I asked one of the cleaning contractors to do me a favour as I’d forgotten my pass and needed to get something important from my office. That was all it took; I was in and could have brought that company to its knees. I placed a key logger in line with the CFO’s computer and left it on for a week. Every key stroke was relayed to my own laptop, and I could easily have planted infectious malware if I’d wished,” he explains.
How to protect yourself
How, then, do we mere mortals protect ourselves from this constantly evolving threat? “When prompted to do a system update, you really must do it straight away,” cautions Taylor. “Many attacks could be avoided if people just did that one simple thing. Also keep changing your passwords, but not by increasing the number by one. I use the titles of songs I like and substitute letters for numbers – it’s important to make hacking as difficult as possible,” he adds.
Neale reminds us that our phones are constantly scanning for wireless networks we’ve previously used. Coffee shops, shopping malls, airport lounges – isn’t it clever how they remember and get us online without us even asking? “I can use a device,” he adds, “that tells your phone that mine is a trusted network that it’s connected to in the past. Your phone will connect to this and I become what’s known as the man in the middle.
“All of the data that goes through your phone will run through this thing, into my laptop and then, if I so choose, it will go onto the internet. This is the most important and privileged place to be for a hacker.”
Should we be worried? Without a doubt. Whether we’re running a business large or small, or simply are an online shopper or social media user, all it takes is one click on an email link or the opening of an attachment for disaster to strike. And all of us can take effective measures to protect ourselves by installing an effective anti-virus software (and keeping it up to date), turning on firewalls, regularly changing passwords and keeping them strong. Yes, it’s annoying having to do this, but it’s essential if we are to avoid letting our virtual guard down. Prevention is always better than cure when it comes to living, as we all do, in the dark, mysterious and sometimes dangerous world of cyberspace.