© Marvin Waschke 2017

Marvin Waschke, Personal Cybersecurity, 10.1007/978-1-4842-2430-4_10

10. Disaster Recovery

When, Not If, You Become a Victim

Marvin Waschke

Bellingham, Washington, USA

Your antimalware (antivirus) appliance is up and running. It’s updated with the latest information and automated updates keep it that way. Your operating system is fully patched and set for automatic update, as is your web browser, and all your applications. You’ve eliminated programs and apps that you don’t use and you are cautious when installing new ones. All the miscellaneous devices connected to your network have strong, non-default passwords. Your passwords are long, strong, and well-managed with no duplicates. You run backups regularly, store them remotely, and check them periodically. You have separate administrative accounts on all your computers that you only use when necessary. Your firewalls are all set for maximum security. Your Wi-Fi network has a long, strong password as does your network router. You are careful with public Wi-Fi and Bluetooth. You are on the alert for malicious social engineers.

Congratulations! You are among the elite who use computer systems with intelligent regard for cybercrime.

Now let’s talk about what happens when all these precautions are of no avail and the worst happens. The worst is not likely to happen, and it is less likely still for you because you are careful, but it can happen.

Cybercriminals are smart and diligent, and there is always a chance that they will get to your equipment before it has been patched against the latest exploit, or that artful social engineers will weasel their way into your confidence despite your caution. But when an attack occurs, all is not lost. With prompt and reasonable action, most attacks can be kept to annoyances rather than growing into catastrophes.

Third-Party Data Theft

Sometimes it is not your fault. Things just happen. For instance, a department store is hacked and your credit or debit card data falls into criminal hands, or a government agency is attacked and other records are exposed.

Detection

Detecting third-party data theft is not easy. The hacked systems are not under your control. Those in charge of the compromised system may not inform you because they want to avoid adverse publicity. Sometimes legal departments recommend keeping security breaches private to avoid publicizing evidence of negligence.

There are things you can do. Review your financial accounts and check your credit reports regularly. Identity theft often shows up in your credit report as credit inquiries you did not initiate or new lines of credit you did not open.

Be alert for a password that suddenly stops working. An unexpected failure may mean that a hacker has your password and has changed it. Contact the site immediately and have them help you secure your account again. If you made the mistake of using the compromised password on more than one account, you must also resecure those accounts. You don’t remember all the accounts that share the password? Then resecure all your accounts. When resecuring, turn on multi-factor authentication wherever it is offered, especially if you do not know how the hacker got your password and cannot prevent it from happening again. With a second factor in place, a stolen password alone is no longer enough to get in. Assume that any of your computing devices could have been hacked, and change the passwords from a device you trust.

The sooner you spot a problem, the sooner it will be resolved and the more likely the resolution will be in your favor. How often you should check depends on how active the account is, but a good goal is to spot anything out of order within a week of its occurrence. A charge from a store you do not patronize, an unexpectedly large charge, or a charge from a distant location are all candidates, as is any charge you simply do not recognize. Report any anomaly to the card issuer or institution involved immediately. Your financial institution may allow you more time, but don’t delay. The longer you wait, the less likely it becomes that the criminal will be caught and the more likely that you will be forced to jump through hoops to be made whole.
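The kind of statement review described above can be turned into a few mechanical rules. The script below is an added example, not code from the book; it learns which merchants and charge sizes are normal from charges you have already reviewed and accepted, then flags anything on a new statement that matches the three patterns the text lists. The merchants, cities, amounts, the home-city set, and the factor of four that defines "unusually large" are all constructed assumptions for the illustration.

```python
"""Rule-based review of a card statement (added example, not from the book)."""
import statistics
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Charge:
    posted: date
    merchant: str
    amount: float
    city: str


def baseline(history):
    """Learn what 'normal' looks like from charges you have already reviewed
    and accepted: the merchants you actually patronize and your typical
    charge size (the median, so one big purchase does not skew it)."""
    merchants = {c.merchant for c in history}
    typical = statistics.median(c.amount for c in history)
    return merchants, typical


def flag_charges(statement, history, home_cities, size_factor=4.0):
    """Return (charge, reasons) pairs that deserve a second look.

    The rules mirror the chapter's list: a merchant you do not patronize,
    a charge much larger than usual, and a charge posted from somewhere
    you were not. A flag is a prompt to check, not proof of fraud."""
    known, typical = baseline(history)
    flagged = []
    for c in statement:
        reasons = []
        if c.merchant not in known:
            reasons.append("unfamiliar merchant")
        if c.amount > size_factor * typical:
            reasons.append("unusually large charge")
        if c.city not in home_cities:
            reasons.append("remote location")
        if reasons:
            flagged.append((c, reasons))
    return flagged


# Constructed sample data; merchants, cities, and amounts are made up.
HOME_CITIES = {"Bellingham", "Seattle"}
HISTORY = [
    Charge(date(2016, 9, 3), "Northside Grocery", 84.12, "Bellingham"),
    Charge(date(2016, 9, 7), "Corner Fuel", 42.50, "Bellingham"),
    Charge(date(2016, 9, 12), "Northside Grocery", 61.30, "Bellingham"),
    Charge(date(2016, 9, 15), "Bay Cafe", 19.99, "Bellingham"),
    Charge(date(2016, 9, 20), "Main Street Pharmacy", 120.00, "Seattle"),
    Charge(date(2016, 9, 28), "Corner Fuel", 55.75, "Bellingham"),
]
STATEMENT = [
    Charge(date(2016, 10, 12), "Northside Grocery", 91.40, "Bellingham"),
    Charge(date(2016, 10, 13), "Corner Fuel", 38.00, "Bellingham"),
    Charge(date(2016, 10, 13), "Luxe Electronics", 1299.00, "Miami"),
    Charge(date(2016, 10, 14), "Harbor Books", 24.95, "Bellingham"),
]


def review(statement=STATEMENT, history=HISTORY, home_cities=HOME_CITIES):
    """Run the rules over the sample statement and return what was flagged."""
    return flag_charges(statement, history, home_cities)


if __name__ == "__main__":
    for charge, reasons in review():
        print(f"{charge.posted} {charge.merchant:20} {charge.amount:>9.2f} "
              f"{charge.city:10} <- {', '.join(reasons)}")
```

Run it weekly against an export of your statement. A flag means "look", not "fraud": the bookstore charge is flagged only because the merchant is new, which is exactly the prompt you want, while the large out-of-town electronics charge trips all three rules and is the one to call the issuer about.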

Payment Card Information Theft

Before a hack occurs, there is little you can do to force a department store to be diligent about security, and most people do not have the information or expertise to evaluate corporate security controls. Payment card theft is usually handled by your bank or credit card company. Your old card will be cancelled and you will be issued a new card. In the meantime, you are generally not liable for illegitimate charges against your card, but you are obliged to point out to your bank or payment card company the charges to your account that are not yours. In the United States, federal law caps your liability for fraudulent credit card charges at $50 and most issuers waive even that, but for debit cards the cap rises the longer you wait to report, so speed matters more there. If you see a problem, report it immediately.

Identity Theft

Identity theft can begin with a direct invasion into your computer, tablet, or smartphone, but more often, identity thieves purchase information on the darknet and use it to grab assets. The information on the darknet comes from big raids on all sorts of institutions. You can purchase services that monitor your credit and accounts to spot spurious activity, but many experts suggest that if you have the discipline to monitor yourself, you are likely to be more accurate than a service that uses general rules about consumer behavior rather than the intimate knowledge you have of yourself and your family’s habits.

When you detect questionable activity, the first step is to notify any payment card companies that may be affected. The next step is to freeze your credit file at all the major credit reporting services (currently TransUnion, Experian, Equifax, and Innovis). Whenever someone requests a new line of credit, the bank or other institution requests a report from the credit reporting service. If there is a freeze on the file, the credit reporting service will refuse to send a report. This stops most requests for a new line of credit. Very few, if any, organizations will extend credit to an individual with a frozen file, and criminals are usually unwilling to identify themselves further by arguing.1

The freeze is the most effective tool you have for curtailing identity theft. Some people choose to freeze their credit as a defensive measure before their information is compromised. You play the odds. If you freeze your credit reports, you must unfreeze them whenever you want a new line of credit, and the credit bureaus sometimes charge for putting on a freeze. That’s a hassle. Is it worth the peace of mind that comes from knowing that your identity is difficult to steal? You must answer for yourself. My credit reports are not frozen, but I reconsider the decision regularly. I would freeze them immediately if I suspected someone was trifling with my identity.

You may be offered a free subscription to an identity theft monitoring service by an organization that lost your data. Take their offer. Another layer of protection is always useful. In theory, these services take over the job of monitoring your accounts, although, as I mentioned above, I don’t think they are a good replacement for your own scrutiny.

Should you subscribe to one of those services on your own? If you are diligent about monitoring your accounts, you probably are more capable of spotting anomalies than the algorithms of the monitoring service, but that assumes you have the time and discipline to monitor your accounts carefully.

I do not subscribe to a monitoring service because, between my wife and me, we watch our accounts and credit reports closely, but if I felt we were slacking, I would subscribe.

Hacking

When your computer, tablet, or smartphone is invaded by a malicious intruder, you have been hacked. The hacker is usually trying to gain access to your critical accounts, gather information that can be used for identity theft, conscript your device into a botnet, or extort some form of ransom.

Detection

There are no strict rules for knowing when you have been hacked. Sometimes it is obvious, such as when a ransomware message pops up with instructions for paying ransom to release your files. Or it might be an unbidden pop-up from some service that offers to “fix” your computer. Other times the sign is less dramatic but still unmistakable, such as a command line window popping up and responding to an unseen typist or a screen cursor that suddenly takes on a mind of its own. Other signs are inexplicable password changes, or your friends receiving a flood of phishing or spam emails that are from you or traceable to you. If your computer has been pressed into a botnet, the only sign may be periodic sluggishness that can’t be attributed to anything you do. Your ISP may inform you that your home network is emitting suspicious traffic. In that case, the culprit may not be a computer at all but an appliance such as a thermostat controlled from a smartphone app, or even your Internet router.

Unfortunately, the signs are often ambiguous. An overly sensitive touchpad and a wandering thumb can make it seem that a phantom has taken over the cursor on your laptop. Poorly written, but benign, software can also cause weird pop-ups and messages. A hacked system is only one among many causes of a sluggish system. You must think before you act, but acting fast when you think you have been hacked is important.

Immediate Action

First, stop the damage. Power down your computer, tablet, or smartphone immediately. You may want to save any unsaved work. This is your decision and you will probably want to consider how much work could be lost, but if I were certain I had been hacked, I would cut power without hesitation. On battery-powered devices, I would remove the battery as fast as I could. Many laptops, tablets, and phones now have sealed batteries; on those, hold the power button until the device shuts off, and otherwise follow whatever procedure your device has for a full power off. Why? Because the damage that could be done by a hacker is worse in my estimation than losing a few minutes’ work. Cutting power does discard whatever was in memory, including traces a professional investigator might have wanted, but for a home user stopping the damage is the better trade. If you must keep running, at least disconnect from the Internet by unplugging the Ethernet cable and switching off Wi-Fi.

After your computing device is shut down, take a minute to think and plot a strategy. Most of the time, the next step is to start your device in safe mode, which loads only a minimal set of drivers and startup programs, so malware that launches at boot often does not get a chance to run. Pick the plain safe mode, not a “with networking” variant, so the device comes up disconnected. Unplugging your Ethernet cable or turning off your Wi-Fi radio is also a good idea, just in case you don’t start in safe mode through some mishap.

Recovery

When you are up and running and off the network, run a thorough antimalware scan. Hopefully antimalware will find the culprit and remove it. You may need to update your antimalware tool to catch the latest infections; that requires a connection, so either connect only long enough to fetch the update or, better, use a bootable rescue disk from your antimalware vendor, created on a clean machine, which scans the disk without starting the infected operating system at all. If your antimalware tool did find a problem and removed it, you can cautiously restart and connect to the network. Make a note of the name of the malware that was removed. You can look it up and learn more about the invasion, which may be helpful.

At this point, your ordeal may be over, but do not assume that you are safe yet. Antimalware threat removal is not always perfect and there is always a possibility that the infection involved additional threats that were not detected or removed.

If you have a backup, restoring from backup is an excellent idea, even if your antimalware scan assures you that the threat has been removed. You may want to try an alternative antimalware tool just in case your tool missed something. If your antimalware did not detect any threats to remove, you should certainly restore from a backup. Restore onto a freshly reinstalled operating system rather than on top of the infected one, so that nothing the scanner missed survives. After the restoration, run another scan to check that the restored system is clean. You may have to work backward, restoring successively older backups until you find an uninfected version.

When you think your system is clean, you are not finished. You don’t know what the hackers hauled into their clutches during the time your system was infected. They may have passwords and identity data that they can use for future attacks. You must be vigilant. Take the same precautions that you would after a site that has your information has been hacked. Change all your critical passwords, from a device you trust, and look out for anomalies on your system. A few kinds of attacks, such as those that implant themselves in the BIOS or UEFI firmware, are lodged so deep in your system that they are not wiped out by a full restore; those call for a firmware reflash or help from the device vendor.

Ransomware

Ransomware is a special variety of malicious software that threatens to damage your computing device or expose you in some way if you do not pay the ransom. The most common form encrypts your files, but other varieties threaten legal action, fines, or exposure to social sanctions such as accusations of viewing objectionable material. Most of these non-encrypting threats are empty and can safely be ignored. Legitimate demands for payment from agencies like the Internal Revenue Service can always be confirmed by calling the agency at its public phone number; the IRS does not demand payment through pop-ups or email.

Immediate Action

Ransomware that encrypts your files requires immediate intervention. Some ransomware puts up the ransom demand as soon as it starts encrypting, although many strains stay silent until they have finished. Encrypting every file on a disk takes time, and you may be able to minimize damage by switching off your computer as quickly as possible. Follow the procedure you would follow for any hack. I would not try for an orderly shutdown; just go for the power switch or the wall socket as quickly as you can. Remove the battery from battery-powered devices, or hold the power button on devices with a sealed battery. Block the criminal from communicating with your system. Disconnect from the Internet by unplugging the Ethernet cable and turning off your wireless radio. Disconnect any external drive too, and unplug or power off network storage, since ransomware encrypts every drive it can reach. If you are quick enough, you may spare yourself a lot of effort.
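What makes an early shutdown possible is that an encryption in progress is visible: ordinary documents, which have low byte entropy, turn into random-looking data several files per minute. The following script is an added example, not from the book. It compares two snapshots of a folder and raises an alarm when low-entropy files are being replaced by high-entropy ones faster than a person could plausibly manage. The folder contents, the entropy threshold of 7.5 bits per byte, the rate limit of five files per minute, and the rule that a renamed file is matched by its old name as a prefix are all assumptions of the example.

```python
"""Spotting a mass encryption in progress (added example, not from the book)."""
import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant file, up to 8.0 for
    uniformly random bytes. Ciphertext and compressed data sit near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((k / n) * math.log2(k / n) for k in Counter(data).values())


def newly_encrypted(before, after, threshold=7.5, min_size=64):
    """Paths that were ordinary (low-entropy) in `before` and random-looking
    in `after`. Files that were already high-entropy, such as JPEGs or zip
    archives, are ignored so they cannot cause false alarms. Ransomware often
    renames its output (report.docx -> report.docx.xyz), so a new path that
    begins with an old path is treated as the same file; that matching rule
    is an assumption of this example."""
    flipped = []
    for old_path, old_data in before.items():
        if len(old_data) < min_size or shannon_entropy(old_data) > threshold:
            continue
        new_data = after.get(old_path)
        if new_data is None:
            renamed = [p for p in after if p.startswith(old_path) and p not in before]
            new_data = after[renamed[0]] if renamed else None
        if new_data is not None and shannon_entropy(new_data) > threshold:
            flipped.append(old_path)
    return flipped


def mass_encryption_alarm(before, after, elapsed_seconds, max_per_minute=5.0):
    """True when low-entropy files are turning high-entropy faster than any
    normal activity explains. The rate limit is an assumed tuning knob."""
    flipped = newly_encrypted(before, after)
    per_minute = len(flipped) / (elapsed_seconds / 60.0)
    return per_minute > max_per_minute, flipped


def _pseudo_ciphertext(n, seed):
    """Deterministic stand-in for ciphertext (constructed, not real output)."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


# Constructed snapshots of a small document folder, taken 20 seconds apart.
_LETTER = b"Dear Ms. Chen,\nThank you for your note about the fence line. " * 40
_NOTES = b"2016-10-03 Call the dentist; 2016-10-04 Renew the car tabs.\n" * 30
_BUDGET = b"month,rent,groceries,fuel\n2016-09,1450,312.40,88.10\n" * 25

BEFORE = {
    "docs/letter.txt": _LETTER,
    "docs/notes.txt": _NOTES,
    "docs/budget.csv": _BUDGET,
    "photos/cat.jpg": _pseudo_ciphertext(4096, seed=1),  # already compressed
}
AFTER = {
    "docs/letter.txt.locked": _pseudo_ciphertext(len(_LETTER), seed=2),
    "docs/notes.txt.locked": _pseudo_ciphertext(len(_NOTES), seed=3),
    "docs/budget.csv": _pseudo_ciphertext(len(_BUDGET), seed=4),
    "photos/cat.jpg": BEFORE["photos/cat.jpg"],
}


def check_sample(elapsed_seconds=20):
    """Evaluate the constructed snapshots; returns (alarm, affected paths)."""
    return mass_encryption_alarm(BEFORE, AFTER, elapsed_seconds)


if __name__ == "__main__":
    alarm, files = check_sample()
    print("ALARM: cut power and disconnect" if alarm else "quiet", files)
```

Files that were already high-entropy, such as photos and archives, are deliberately skipped, so a folder of JPEGs does not trip the alarm; only the three text documents count, and three in twenty seconds is nine per minute. A real monitor would take its snapshots on a timer or from a file-change notification, and its response on alarm is the one the text prescribes: cut power and disconnect.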

Recovery

Good and frequent backups are the key to recovery. Free decryption tools exist for some ransomware families, built from keys that were seized by law enforcement, leaked, or recovered because the malware’s cryptography was flawed; the No More Ransom project collects many of them. They help only if your strain is one of those. Well-written ransomware generates a unique key for each victim and keeps it on the attacker’s server, and no tool can recover that key.

After you have shut the system down, let it rest for a while. If the attackers are waiting for your system to come back up, give them a little time to lose interest. Get a cup of coffee, take a walk in the fresh air. The break will do you good.

If you have a good backup, you are set to restore your system and return to normal operation. However, your immediate goal is to remove the ransomware from your system. Restart and run an antimalware scan, if you can. You may not be able to if the hacker has disabled your antimalware software; in that case, boot from a rescue disk prepared on a clean machine.

If antimalware removes the source of infection, you only need to restore the encrypted files. If nothing is detected, you should do a full restore, including reinstalling the operating system. This can take several hours, but it is not difficult if your backup system is good. Before restoring, make sure the backup itself survived: a backup on an always-connected external drive or mapped network share is often encrypted along with everything else, which is why at least one copy should be kept offline or remote. At this point, you are restored to your state at the time of the backup. If your system is still infected, you may have to restore again from an earlier backup.

You should always try to analyze the source of the infection and use your knowledge to avoid future infections. Frequently, the infection stems from opening a malicious attachment to an email, but think about any recent downloads or software installations. Did you surf your way onto a click-bait site? Office documents with embedded macros are often used by hackers for delivering malware. Microsoft Office disables macros by default and shows a warning bar offering to enable them; clicking that button is how most macro malware gets to run. When you see the warning, think carefully about the possibility that a criminal inserted something undesirable, and if the document arrived unexpectedly, do not enable anything. Above all, be aware!
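Whether a document carries macros can be checked before Office ever opens it. The script below is an added example, not code from the book. Modern Office files are zip packages, and a macro project lives in them as a vbaProject.bin part that is also announced by a VBA content type in [Content_Types].xml; the script looks for both, and it reports legacy binary (OLE) files as unverifiable because this example has no OLE parser. The in-memory sample packages built by make_package are constructed for the illustration and contain no real VBA.

```python
"""Checking an Office document for macros before opening it
(added example, not from the book)."""
import io
import zipfile

OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"            # legacy .doc/.xls/.ppt container
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"  # declared by macro-enabled packages


def inspect_office_file(data: bytes) -> dict:
    """Classify raw file bytes without opening them in Office.

    Returns a dict with the detected format, a macros verdict (True, False,
    or None when the example cannot tell), and the evidence it relied on."""
    if data.startswith(OLE_MAGIC):
        return {"format": "legacy-ole", "macros": None,
                "evidence": ["legacy binary container; macros cannot be ruled out "
                             "without an OLE parser (the oletools project has one)"]}
    try:
        package = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return {"format": "unknown", "macros": None,
                "evidence": ["neither a zip package nor an OLE container"]}

    has_macros = False
    evidence = []
    # The macro project itself is stored as a part, e.g. word/vbaProject.bin.
    for name in package.namelist():
        if name.lower().endswith("vbaproject.bin"):
            has_macros = True
            evidence.append(f"macro project stored at {name}")
    # A well-formed package also declares the part's content type.
    try:
        content_types = package.read("[Content_Types].xml").decode("utf-8", "replace")
    except KeyError:
        content_types = ""
        evidence.append("package has no [Content_Types].xml (malformed)")
    if VBA_CONTENT_TYPE in content_types:
        has_macros = True
        evidence.append("[Content_Types].xml declares a VBA project")
    return {"format": "ooxml", "macros": has_macros, "evidence": evidence}


def make_package(with_macros: bool) -> bytes:
    """Build a minimal Word-style package in memory (constructed test data)."""
    overrides = ['<Override PartName="/word/document.xml" ContentType="application/xml"/>']
    if with_macros:
        overrides.append('<Override PartName="/word/vbaProject.bin" '
                         f'ContentType="{VBA_CONTENT_TYPE}"/>')
    content_types = ('<?xml version="1.0" encoding="UTF-8"?>'
                     '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
                     + "".join(overrides) + "</Types>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", content_types)
        z.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            z.writestr("word/vbaProject.bin", b"\x00" * 32)  # placeholder, not real VBA
    return buf.getvalue()


if __name__ == "__main__":
    for label, sample in (("clean", make_package(False)),
                          ("macro-enabled", make_package(True)),
                          ("legacy", OLE_MAGIC + b"\x00" * 64)):
        print(label, inspect_office_file(sample))
```

A file with a .docx extension that nonetheless contains a macro project, or a legacy .doc that arrives from a stranger, deserves the same suspicion as the warning bar itself. Macros are only one delivery route; a document can also carry an exploit for the Office parser, which this check does not see, so the result is a reason to be careful, never a clean bill of health.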

Reporting Cybercrime

Cybercrime tends to be under-reported. When you are hacked, when your payment card information is taken, when you are subjected to ransomware, you are the victim of a crime. The unfortunate truth is that law enforcement is not likely to offer much help to the victim of small cybercrimes. However, we cannot expect cybercrime to decrease and cybersecurity to increase if the authorities do not have reliable information on the extent of the problem.

Any cybercrime in the United States can be reported to the FBI’s Internet Crime Complaint Center (IC3).2 The IC3 will analyze the complaint and forward it to the appropriate international, federal, state, or local agency. For most cybercrime, this is your most effective step. The IC3 may be able to bundle your issue with other issues and inspire action that an isolated issue could not create.

Complaints that are clearly local, such as a neighbor stealing bandwidth or local email fraud, are most effective when reported to local authorities. Many states’ attorneys general have cybercrime offices. How much activity your complaint will generate is hard to predict, but consider that your goal of recording the crime is so that authorities can plan for appropriate future enforcement.

A Final Note

Cybercrime may seem to be a miasma that is dragging us all down. For every advance in computing, there seems to be a corresponding surge in cybercrime and new ways that our devices can be used against us.3 As a computer veteran, I sometimes feel that hackers are about to invalidate over half a century of progress in computing, progress that has made the work force more efficient, ushered tremendous scientific and medical progress, and brought us Flappy Bird and Pokémon GO.

Nevertheless, I am optimistic. Developers have been serious about security only since the turn of the century. Computing gallops ahead at breakneck speed, but its foundations change slowly; resistance to cybercrime must be built into those slowly changing foundations as well as into the superstructure. The insecure foundational code that was written in the 80s and 90s is going away gradually. If you listen carefully to the dialog on exploits and patches, you will find that many exploits today are based on mistakes made 10 or 20 years ago. Although new security issues always come up, the code written today to replace the old foundation is more secure and each year hackers are forced to work harder for their exploits. The unpleasant counterbalance to improved code is increasing reliance on computing for financial transactions and business, which make cybercrime more lucrative and worth extra effort.

At present, most law enforcement is still poorly prepared to deal with cybercrime, and the system of laws and international agreements is still heavily grounded in the concepts of physical, not electronic, crime. Cybercrime is difficult to address because it involves complex engineering problems as well as moral and ethical issues. Few legislators are prepared to evaluate the engineering side of the issues and may tend to dismiss them or enact suboptimal laws. Legislators must be informed that cybercrime is a real danger that damages their constituents, not just a theoretical annoyance. It is important to let them know of your concerns and to lodge complaints with law enforcement. They must not look away and say that cybercrime is a problem for engineers and technology vendors.

The battle against cybercrime occurs on several fronts. One is engineering , building systems that are more resistant to crime. The second is regulation to restrain insecure practices such as the hackable Internet of Things. A third is laws that make it easier to prosecute cybercrime, such as streamlined extradition laws and agreements. Yet another is adequate funding of law enforcement for execution of cybercrime laws.

The final front in the battle is fought by individual computer users. The sorry fact is that the victims of cybercrime become victims when they leave themselves open to attack. Reasonably securing your computer, laptop, tablet, and smartphone takes some effort, but not more effort than securing the doors and windows of your house and locking your car. If you follow the practices in Chapter 9, even only a few of them, you will be much safer and the probability that your devices will be hacked will go down. If you pay attention to what happens in your payment card accounts, the probability that you will lose money to payment card theft is low. Watch your credit reports and the chance you will be stung with identity theft is also low.

You can be safe!

Footnotes

1 See Brian Krebs, “How I Learned to Stop Worrying and Embrace the Security Freeze,” KrebsonSecurity, June 15, 2015. http://krebsonsecurity.com/2015/06/how-i-learned-to-stop-worrying-and-embrace-the-security-freeze/. Accessed October 2016. Brian Krebs is a cybersecurity journalist whom hackers attack regularly in retaliation for exposing their nefarious schemes. He has experience with resisting and recovering from attack.

2 File complaints at www.ic3.gov/complaint/default.aspx. Accessed October 2016.

3 Artificial intelligence and machine learning are examples of progress on both sides of the law. Artificial intelligence can be used both to prevent cybercrimes and to perform them. See John Markoff, “As Artificial Intelligence Evolves, So Does Its Criminal Potential,” New York Times, October 23, 2016. www.nytimes.com/2016/10/24/technology/artificial-intelligence-evolves-with-its-criminal-potential.html. Accessed October 2016.
