Cloud apps, mobile devices and emails: Hacker paradise

Barry Cutts

Wednesday 16 August 2017

In June this year, British parliament’s email system was hacked. You might have thought, or hoped, that the bastion of democracy was a fortress in terms of cybersecurity. But if MPs and Lords can be got to, where does that leave the rest of us?

The mother of all hacks?

Hackers can roam the internet and probe networks knowing that, with sheer persistence, they’ll eventually find a way into someone’s private world. It’s potentially a bigger payday for them if they hit an enterprise, but private individuals remain common targets. Individuals can be easy pickings, given the weaker defences they typically use.

Most enterprises are aware of the basic security measures they need to implement. Domestic users tend to be less aware. Given that the enterprise is made up of ordinary people, there’s an overlap when non-security-aware individuals bring their own online practices and habits into the office, or onto their company devices.

A parliamentary spokesman said of the cyberattack on Westminster that the 90 hacked email accounts were protected by weak passwords. A less-than-robust approach to protection was also a common characteristic to emerge in the aftermath of the WannaCry ransomware attack.

Ransomware gets anywhere

Ransomware has ramped up in recent years. The National Cyber Security Centre reports a threefold increase in ransomware variants in the first half of 2016, compared to the whole of 2015. How do these attackers get in? They must gain entry before they can make their demands, and this is where the enterprise and the individual are most at risk.

Enter phishing, a technique where attackers entice their targets into responding to seemingly alluring messages, via email, text or instant messaging. The Imperva Incapsula web application security centre describes a typical phishing attack in two steps:

  • A spoofed email ostensibly from is mass-distributed to as many faculty members as possible.
  • The email claims that the user’s password is about to expire. Instructions are given to go to to renew their password within 24 hours.

It’s clear that the entry-level skill for all users of any type of computer, and any other connected device, is to manage passwords well. Many people make light of such advice, partly because the password-creation process is tedious. You often receive annoying prompts when setting up a new password: “Use a capital letter” or “Insert both symbols and numbers”. The problem is that such requirements generate passwords that are easily forgotten.

Be obscure, be very obscure

For this reason, lots of us tend to go for easy-to-remember passwords. Unfortunately, this approach creates an even bigger problem: easy passwords are simple for hackers to crack. This hacker’s advice on password protection is well worth following.

The more obscure you can make your passwords – with no connection to your birthday, middle name, address, place of birth or any other personal fact that a dedicated hacker can glean from another source – the more difficult they are to crack. Attackers are less inclined to spend time on a complicated challenge when they can far more easily break through a poorly defended account.
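The following is an added example, not code from the article or from the hacker it links to, showing why the advice above matters. It simulates a targeted guessing attack of the kind cracking tools perform: a handful of constructed, hypothetical personal facts about a target (name, surname, city, birth year, pet) are combined and mangled into the variations people actually choose. A password built from those facts falls within a few dozen guesses; a passphrase unrelated to any fact is never reached. Unsalted SHA-256 is used only to keep the demo short and is itself an assumption of the example, not a recommendation.

```python
import hashlib
import itertools

# Constructed facts about a hypothetical target, of the kind an attacker
# can glean from social media or an earlier breach. Not from the article.
FACTS = ["alice", "smith", "london", "1987", "rover"]


def mangle(word):
    """Yield the variations a cracking tool tries first: case changes,
    leet substitutions and common suffixes."""
    leet = word.translate(str.maketrans("aeios", "43105"))
    variants = []
    for v in (word, word.capitalize(), word.upper(), leet):
        if v not in variants:
            variants.append(v)
    for v in variants:
        yield v
        for suffix in ("1", "!", "123", "1987", "2017"):
            yield v + suffix


def candidate_passwords(facts, max_words=2):
    """Yield targeted guesses built from 1..max_words facts, deduplicated."""
    seen = set()
    for n in range(1, max_words + 1):
        for combo in itertools.permutations(facts, n):
            for guess in mangle("".join(combo)):
                if guess not in seen:
                    seen.add(guess)
                    yield guess


def sha256_hex(password):
    # Unsalted SHA-256 keeps the demo short; a real password store should
    # use a slow, salted hash such as bcrypt or Argon2.
    return hashlib.sha256(password.encode()).hexdigest()


def crack(target_hash, facts, max_words=2):
    """Return (recovered_password, attempts); password is None if not found."""
    attempts = 0
    for guess in candidate_passwords(facts, max_words):
        attempts += 1
        if sha256_hex(guess) == target_hash:
            return guess, attempts
    return None, attempts


if __name__ == "__main__":
    weak = sha256_hex("Rover1987")                 # pet's name + birth year
    strong = sha256_hex("orbit-lantern-quartz-47")  # unrelated to any fact
    print(crack(weak, FACTS))    # recovered within the first hundred guesses
    print(crack(strong, FACTS))  # (None, <total guesses>) -- not found
```

The point is not the hash function but the search space: once an attacker knows five facts about you, a password assembled from them is one of a few hundred candidates, whereas a passphrase with no link to your life forces them back to brute force, which is exactly the "complicated challenge" they tend to skip.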

Get off the radar now

Here are five reliable and simple practices that can minimise risk for both individuals and companies:

  1. Make your passwords obscure, and change any password immediately if you suspect it has been exposed.
  2. Vary your passwords so that no single one offers the keys to your entire online presence.
  3. If an offer looks too good to be true, it is.
  4. Delete any email from unfamiliar individuals or organisations, or countries where you do not have any contacts.
  5. Protect and back up everything you don’t want to lose. Use at least two of your own devices (external hard drive/USB stick) and an independent third-party source for cloud backup (and recovery).

You may be lucky. One day when you receive an email from the most obscure offshore republic in the world, telling you in the worst grammar possible that you’ve got £5 million locked in an account from an unknown benefactor, it just might be true. On the other hand, it might not.
