How Many Hacks Can a Hacker Haz if the Hacker Can Hack More

…week of Mar 01, 2021

Welcome to my weekly letter! Hacks… that’s what we are talking about this week! Without further ado…

Weekly Read

  1. New phishing attack uses Morse code to hide malicious URLs (bleepingcomputer.com) – always be wary of clicking on email attachments. And in Windows, you may want to flip this setting to see files’ full extensions.
  2. New browser-tracking hack works even when you flush caches or go incognito (Ars Technica) – wow that’s an interesting one. Innovation never ends in the world of hacking! 😀
  3. Hacker Tried to Poison Florida City’s Water Supply, Police Say (Vice) – how many recent incidents are due to misconfiguration of remote desktop software (TeamViewer, VNC, etc.)? Another one too many.
  4. Hackers Tied to Russia’s GRU Targeted the US Grid for Years, Researchers Warn (Wired) – this also reminded me of another article by the same author about the experiment to break a 27-ton generator with 30 lines of code. Our infrastructure is in need of some security hardening, badly.
  5. China Hijacked an NSA Hacking Tool in 2014—and Used It for Years (Wired) – This article mentioned EpMe, EternalBlue, and EternalRomance being the NSA’s hacking tools that got repurposed by Chinese hackers. How many hacks did I just hear here?
  6. The fake ‘kitchen hacks’ with billions of views (BBC) – just to show that hacks are not limited to cybersecurity. This is more of a content hack to drive engagement (hence ad revenue).

Thoughts

Hacks everywhere! Let’s take a step back and take a look at the attack perimeter of these ‘hacks’. We’ve seen a) a phishing hack to steal account credentials; b) a hack to trace our digital activities (privacy) even in privacy mode; c) hacks to break power or water supplies; d) hacks that exploit a government’s hack and hack right back at the government; e) hacks to mess up your dinner (while accumulating ad revenue). It’s occurring in the news so much that I’ve learned yet another acronym: APT, for Advanced Persistent Threat, as a way to index the stealthy threat actor.

Living with the convenience of today’s digital world means we also need to constantly be aware of the threats against digital security and data privacy. ‘Security’ is no longer just a function of IT or of any particular company or product. It is a responsibility shared by everyone, from the underlying infrastructure, to service operators, to product design and engineering, down to… every user. Given how heavily we rely on technical services, one would think these concepts should probably be covered in grade school education.

For now, let’s cover a few ‘actionable next steps’:

If you are a developer or technical operations person: always be vigilant about your security practices and be mindful of how a failure may taint your product branding and company reputation. Don’t deprioritize those security/privacy risks.

If you are a business or product owner: today may be a good day to review your business’ or product’s security practices and policies. Traditional tools such as VPN and remote desktop are common targets of exploits, so perhaps consider future-proofing with Zero-trust.

If you are the government: move along, you’ve got work to do. Work that is more important than reading my blog here. 🙂 Not persuaded? Thank you, but go read Wired magazine’s special February issue, which is an excerpt of the book ‘2034: A Novel of the Next World War’ by Elliot Ackerman and Admiral James Stavridis. I am not quite done reading yet, but so far it touches on cyber attacks disabling communications (phone and internet blackout) and the power grid (a real blackout, like what happened in Texas during a winter storm), and also breaking the undersea network cables (this will really hurt). Still here? Other than hardening security, we will also need a disaster recovery plan if we are to be hit with a partial or complete blackout due to a cyber attack.

If you are an individual like me: set up two-factor auth with an authenticator app or a security key. The experience will still be a little bit annoying, but it’s a lot more secure and many products and services are continuing to improve the experience.

One last thing, perhaps it is time to reflect on the balance of our tech and non-tech life. Perhaps a technology detox every few months? Or have a non-tech backup plan if we are to lose the convenience of tech for a few weeks?

Stay Tuned…

It’s super easy to follow my updates:

  1. If you use any feed readers (e.g. Feedly): Subscribe to my site’s RSS feed
  2. If you are a Medium user, follow me or my publication. Optionally you can adjust your email preferences to get my updates via email.