Strangers on a train

Blogs

13 November 2015

Paul Hearns

We have all had the experience of being stuck somewhere, usually some kind of public space, where one finds one’s self mired in the conversations of others.

Recently, on a commuter train to work, I found myself in the midst of four young men, all dressed in sharp suits consisting of shiny material, drainpipe trousers and skinny but colourful ties, topped by ostentatious facial hair. These young men seemed unperturbed by the fact that the crowded train carriage, with standing room only, had thrust not just myself, but several others into earshot of their conversation.

That lack of care was manifest in the fact they were regaling each other with stories of nights out in which one or other had not partaken, and mentioning the exploits of absent revellers, some by name, some by nickname.

However, as the journey dragged on and the will to live ebbed gradually from all those around them, the chaps turned to weightier matters. They began to discuss work and it turned out that at least three of the four worked for the big four accounting firms. Of course, that made me prick up my ears and on actually listening as opposed to singing in my head to drown out their inanity, I learned some very interesting things.

Firstly, one was involved in an audit of corporate accounts where there was some confusion over how certain expenditure had been classified and there was a worry that if passed as such mere incompetence could be misconstrued as skulduggery. When this person pointed this out to their boss, they were told to just sign the bloody thing off and not worry about it. The young man duly did.

Another retorted that when the same thing happened at his firm, it turned out the supervisor who ordered the sign-off had repeatedly failed whatever level of accountancy exam they were facing and as such, was regarded as less than an authority on the matter. There was then a general ribbing for several people at the respective firms who had similarly attained positions of influence or responsibility with either poor or absent qualifications.

Finally, the stories were rounded off with a tale of general misconduct, which involved charity of dubious nature, and very odd spending patterns that were claimed as expenses.

All of this was recounted within the space of a 25 minute train journey, on a weekday morning where there were some 20 people within earshot. Not only that, but two of the group were continually texting or checking Facebook on their smartphones and so names and numbers were further observable by anyone who cared to glance.

The final crime was that one of the four had placed his work ID card in his jacket top pocket, with a company name clearly visible on the lanyard and his own name easily legible as it sat somewhat proud of said pocket.

Had I been the type of individual who might have an interest in such things, I might have gathered all of that information and used it as the basis of social and professional media searches. I might have identified the individuals involved and ascertained their specific positions with their respective firms.

I may furthermore have used a false social media profile to track them and view their activities to perhaps craft a plausible communique to prompt them to open an attachment that may have been a dropper for a piece of malware.

I may then have sat back as the dropper waited for a reasonable length of time before calling to a command and control server to pull down a payload that would be capable of slipping past the identified protections to compromise the PC of the user. That piece of malware would then have scanned for further vulnerabilities to allow either full control of the user’s PC or perhaps one nearby, or better still, a server on the network.

Once that was established, a full network survey would be quietly accomplished, and various possibilities explored, such as where valuable data might be kept and how it might be exfiltrated.

With all of that established, and the information rolling in, I might have looked around at certain dark web forums to see who might be interested in a backdoor and network survey for a top accounting firm.

With an expression of genuine interest, I might have revealed some of what was on offer as regards confidential information, to secure an agreement.

An escrow arrangement would then have been set up, to ensure protection for both parties, and the full crown jewels would have been extracted.

On delivery, the escrow agreement would ensure all parties were happy and the trail would likely have gone cold, as the buyer would have a cache of documents to do with as they will, I would have a back door that may yet be accessible and the victim would still be most likely unaware that anything had happened.

Then a news headline would detail how a major company has been hacked, with terrible losses and devastating effects. An investigation might reveal that the attackers apparently walked in with stolen credentials that appear to have come from some third party. The ripples would move outward to eventually reveal that the information came from an audit carried out by a large accounting firm.

In the 2015 Verizon data breach report, while the deficit between breach and detection was the lowest for 10 years, it says the average is still measured in days and weeks. Furthermore, in 60% of cases, attackers are able to compromise an organisation within minutes.

More worrying though, in 70% of the attacks where the motive for the attack is known, there is a secondary victim. Three quarters of attacks observed spread from one victim to another within 24 hours, and more than 40% hit the second organisation one hour later.

The Verizon report said that the top three industries affected are the same as previous years: Public, Information, and Financial Services.

It is a good thing that I am a technology journalist and am simply writing about this appalling behaviour instead of acting on it. It is better still that someone might read this and think, I really shouldn’t discuss work on a crowded train. But who else was on that train? Who else was within earshot who may, even now, be watching a feed from a remote access Trojan? When will the headline appear of a hack or worse?

Loose lips sink ships goes the old wartime poster — they could just as easily sink an enterprise.


TechCentral.ie