S&R Confessional: The Time I Almost Got Hacked
I’m continuing the trend my colleague Josh Zelonis started last year during Cybersecurity Awareness Month to share a few stories of the time I almost got hacked. It can — and does — happen to everyone, including folks that should know better. Blaming users for mistakes becomes a trap far too many of us security and risk pros fall into, and sharing the moments when we made mistakes can help us all become a bit more empathetic toward our users. Here’s a selection of three examples from my past of when I made some poor decisions online:
The E-ZPass Phishing Email
I travel often, and on occasion, I head to states with plenty of toll roads. Back in 2016, I’d recently traveled to Northern Virginia, New Jersey, and New York, all within a couple of weeks. I returned home, and about a week later, I got the email below:
My mouse moved slowly over the word “here,” and my finger just itched to click and figure out just what was going on. And as I hovered over, I thought, “Wait, my rentals had E-ZPass. Did the rental car company make a mistake?” Then I thought, “Wait, how could the government and rental car companies be so sophisticated that they then emailed my personal email account for a toll I didn’t pay?” I don’t think government is that efficient. So yes, in this scenario, my skepticism of government efficiency saved me from malware. While not as useful as antivirus technology, it worked this time.
“This Torrent Seems Fine”
In my past lives — well before Forrester — I may or may not have engaged in file-sharing. I’ll also go ahead and state for the record that I agree with Gabe Newell of Valve that “Piracy is almost always a service problem and not a pricing problem.” Anyone that engaged in extensive file sharing, especially when using public trackers on BitTorrent, knows all too well the feeling of unpacking an archive, running the antivirus scanner, and finding nothing, only to then double-click and have your computer suddenly start smoking with alarm bells ringing. Yep, it got me, too, more than once, and I’d even started in the infosec industry at the time, so I should have known better. Or I should have used virtual machines and tested things out. But sometimes you want to watch that movie or play that game you just downloaded right away!
The Malware Analysis Oopsie
One of the first things you’ll learn from an experienced malware analyst is the guarantee that you will accidentally infect your system in the normal course of duties. I’d gotten my hands on the “alien book” and got ready to dig in! I configured a lab and started to learn. But then, like all victims of hubris, overconfidence sets in, you’ll multitask and forget what you opened, accidentally double-click, or even move files from one place to another, and, suddenly — boom! You’ve succeeded in determining the file that you already knew was malware was, in fact, malware! I managed to move fast and definitely broke things.
My Examples Are Self-Inflicted, And I Learned From All Of Them
Cybersecurity Awareness Month grants us an opportunity for increased exposure and access to the people that we should help — including ourselves. Naming and shaming never solves the problem, and empathy goes a long way. People answer hundreds of emails a day in their job, and avoiding the one that they shouldn’t click on is not easy. Joseph Blankenship recently blogged about the need for layers when it comes to defending against phishing. That’s why we have analysts such as Jinan Budge and Claire O’Malley discussing the importance of awareness, behavior, and culture. Hopefully, this blog sheds some light on the fact that accidents happen to everyone and that we can all use them as opportunities for improvement, rather than exploit them (pardon the pun) to spread blame.