Did you catch my Florida Politics column last week on hacking?
I had mentioned being interviewed for a Tallahassee Democrat article on the recent incident with the City of Tallahassee and by early this week USA TODAY had picked it up nationally.
Once I started sharing the national column, what followed were a lot of questions and comments; the one that stuck with me was one person who said it seems like there is nothing you can do to stop these attacks.
Even those “in charge” of protecting us from these sorts of things are getting hacked.
Case in point: This week, it was the FBI’s turn to get hit.
There is a slight similarity in the FBI and City of Tallahassee situations; both have very competent IT teams and protective measures in place.
But it was a third party that brought them down.
In the FBI scenario, the compromised group was an affiliate of the Bureau — the FBI National Academy Associates.
Academy Associates is a not-for-profit, which promotes training in law enforcement and has chapters across the U.S.
So, what was hacked? And how?
In this case, it wasn’t phishing or ransomware; it was an old-fashioned “jailbreak” of the group’s websites.
The sites had certain vulnerabilities which were exposed, leaving the information ripe for the picking. They housed databases of former and current agents, which was what the hackers were after.
Usually when someone says “vulnerabilities” that means they failed to run updates to protect the site; keeping patches and security current and robust.
Numbers of what was stolen vary, but somewhere in the vicinity of 4,000 unique details were nabbed. Name, address, phone number, job titles, etc.
I wanted to learn more about the Florida chapter and get them to weigh in on the story, but at 3:07 p.m. Monday, April 15, 2019, its website looked like this:
Needless to say, I was not able to get a “Florida” angle on the story. One could assume they were among the chapters hit.
When your website looks like that (as they say in Hollywood) it’s “bad.”
Making it even worse is that the hackers, in this case, uploaded contents of the hack immediately to their website — for any criminal to download.
This made it vastly different from the Tallahassee hack.
In the Tally attempt, the criminals wanted money. Those types of attacks we call “black hat.”
In the case of the FBI, it appears the hackers wanted to cause chaos. Those folks we call “hacktivists.”
You didn’t know there were different types of hackers? According to MalwareFox, there are 10 types of hackers. Dive in here for a crash course.
In last week’s column, I listed some tips to keep you and your organization safe from hacking. What I left out was that your website is certainly a potential vulnerability if you take payments or have databases (such as voter lists) with any “valuable” information. If so, you need to make absolutely sure you are taking all considerations into account for web safety.
For starters, have an SSL Certificate, know who your host is and what their protocols are, and don’t let users upload files to your website, etc.
More tips here (or contact your webmaster).
It might seem as if threats are lurking around every cyber corner, that’s because they are. Have a plan, go through constant due diligence to make sure you are protected, and you just might stay out of trouble.
Also, just in case, have a cyber insurance policy as a fallback.
These threats will get worse and there will be new ones. So, stay on the case and don’t let your guard down — or you might be national news on USA TODAY tomorrow. Ha.
Blake Dowling is president of Aegis Business Technologies a technical support and cybersecurity company (according to USA TODAY). He can be reached at firstname.lastname@example.org.