Are Cyber-Thieves In Your Breakroom Fridge?

One FBI computer cop has a unique way of getting people’s attention when he talks about cyber-security.

He tries to lure them into a phishing email scam – and a surprising number take the bait.

FBI Special Agent Jamil Hassani is invited to speak to lots of groups on hacking and cyber-safety. Before he goes, he sends them a spear-phishing email.

“They get an ominous screen saying ‘I just spear-phished you’ and a follow-up saying ‘Just kidding,” he said at the ABA Annual Meeting in San Francisco. “One in 20 click on the link.”

The stunt shows how the first line of defense against cyber-crime is not a firewall or an anti-virus program. It’s people using common sense.

Cyber-security was on everyone’s mind at this year’s ABA’s get-together. Hassani was one of a number of speakers who spoke on topics ranging from smart refrigerators to dumb regulations.

Hackers are Coming for Your Ice Cream

Here are some highlights, compliments of the ABA Journal:

• Oh, hack! What to do now?” Attorney Jennifer Martin, whose New York practice concentrates on guiding businesses through cyber-crises, said the question is not if you will be hacked, but when. As a result, firms of all sizes need to have a response plan in place and ready to go. Don’t wait until disaster strikes. “More and more companies have plans, but the devil is really in the details.” A good plan should cover the basics, like how data is backed up and who makes the call on taking down the server.

• The more things change, the more they stay the same. Hassani said the tactics criminals were using in 2004 when he got into this line of work are “virtually identical to the ones they’re using today.”  The difference: the internet has grown exponentially. He said he was able to hack into his hotel’s network through the smart refrigerator in his guest room.

• But I didn’t order that truckload of Rocky Road! Speaking of refrigerators, Professor Gary Marchant of the Arizona State University Sandra Day O’Connor College of Law forecast the explosive growth of the Internet of Things, from wearable devices to smart cars. Which raises the possibility of “someone hacking your fridge and delivering 10,000 gallons of ice cream.”

• Good luck understanding the rules of cyber-engagement. Businesses not only have to fend off hackers, they have to comply with a bewildering – and ever-growing – web of state and federal regulations. DC lawyer Mary Jane Wilson-Bilik  spoke of a “mosaic of laws” that are often confusing and conflicting.  Example: the Gramm-Leach-Bliley Act of 1999 places requirements on financial institutions to safeguard data that don’t always square with Commerce Department standards.

About That Spear-Phishing …

And in case you’re wondering what “spear-phishing” is, here’s how the FBI describes it:

“Instead of casting out thousands of e-mails randomly hoping a few victims will bite, spear phishers target select groups of people with something in common—they work at the same company, bank at the same financial institution, attend the same college, order merchandise from the same website, etc. The e-mails are ostensibly sent from organizations or individuals the potential victims would normally get e-mails from, making them even more deceptive.

First, criminals need some inside information on their targets to convince them the e-mails are legitimate. They often obtain it by hacking into an organization’s computer network (which is what happened in the above case) or sometimes by combing through other websites, blogs, and social networking sites.

Then, they send e-mails that look like the real thing to targeted victims, offering all sorts of urgent and legitimate-sounding explanations as to why they need your personal data. [T]he victims are asked to click on a link inside the e-mail that takes them to a phony but realistic-looking website, where they are asked to provide passwords, account numbers, user IDs, access codes, PINs, etc. Once criminals have your personal data, they can access your bank account, use your credit cards, and create a whole new identity using your information.

Spear phishing can also trick you into downloading malicious codes or malware after you click on a link embedded in the e-mail, an especially useful tool in crimes like economic espionage where sensitive internal communications can be accessed and trade secrets stolen.”

What cyber-security concerns keep you up at night? Send us a comment.

 Lawyers Mutual insureds should have received their complimentary copies of “Protecting Against Cyber Threats: A Lawyer’s Guide to Choosing a Cyber-Liability Insurance Policy” in the mail. Please read this guide for important information on how to best protect your firm from cyber threats.

Sources:

• ABA Journal http://www.abajournal.com/news/article/21st_century_cybersecurity_people_are_the_first_step
• Federal Bureau of Investigation
• https://archives.fbi.gov/archives/news/stories/2009/april/spearphishing_040109