A few weeks ago on a dark and snowy night, I was convinced my home network had been hacked. Turns out the hacker was me.
Some backstory: I was up way too late studying for my OSCP certification, and as part of my studies, I had setup a Web site on my laptop and was monitoring traffic to it. While researching a separate issue, suddenly I saw my site logs going nuts – I was under some sort of attack and someone on mynetwork was scanning the site, looking for vulnerabilities! To make an extremely long and embarrassing story short, the hacker was me. I had totally forgotten about a vulnerability scanner I had installed on another machine earlier that month, and also forgotten that I configured it to scan my home network at midnight on the last day of the month. So with embarrassed relief I decided it was time to close the laptop up for the night and endure a good teasing from the security team at FRSecure the next morning.
But what if this had been an actual hacking incident? What if you suspected your computer was acting strangely, or you suddenly couldn’t log into an important email account or banking site? What kinds of things should you do? What should you not do?
Step 1: Recognize the warning signs
Here’s a great and fair question to start things off: how do you know if you’ve been hacked? Well, the signs may be subtle, but here are a few to watch out for:
- Friends start contacting you, saying they have received odd messages from your email address.
- Your bank or financial institution calls about suspicious transactions on your account.
- Credentials to online accounts no longer work.
- New toolbars appear on your computer’s Web browser, and/or the computer starts running slow or behaving strangely.
Step 2: Don’t panic
I love when people say that, don’t you? A recent reminder I received while driving down 169 in the southern suburbs was, “Brian, we’ve seen a lot of deer crossing the highway lately. If one hops out in front of you, just keep the wheel centered and drive right into it – do not swerve or apply the brakes!” That’s way easier said than done, yet, I understand why the advice makes sense. So in the same vein, if you suspect hacking activity, take a deep breath first. If you are going to properly respond to the situation and analyze it to find a root cause, you need to be thinking clearly.
Step 3: Contain the damage
A good way to troubleshoot a suspicious incident is to contain it, if possible. Last year a customer of ours suspected their public-facing terminal servers had been compromised and malware had been installed, and so they pulled the plug to the Internet connection immediately. That was absolutely the right thing to do, because it prevented the attackers from launching new attacks inside the network, and also kept the terminal servers from “phoning home” over the Internet to the attackers to receive additional instructions. This allowed us to come on site to analyze the network in a contained environment, without worrying about it changing from one minute to the next.
In the same way, if you think your PC has a virus or malware of some sort, disconnect it from the network if hard-wired, or disable the wireless network card (check articles like this one if you are unfamiliar with how that is done). Again, this can help prevent additional attacks or malware from being installed while you assess the damage.
As harsh as this may sound, my general recommendation at this point would be to backup the files you need and then completely format the hard drive and reinstall the operating system and software programs. Yes, there are some great free tools out there like Malware Bytes that have a fantastic reputation for removing icky stuff from your PC, but the question I think we have to ask is this: once we know a piece of malware has been on our machine, can we really trust that its remnants have been 100% cleaned, and the machine is safe for general use again? I would argue that answer is no.
Step 4: Change your passwords
If you fear that some of your online account credentials have been compromised, go to a known “clean” machine (in case your computer has a keylogger or other information-stealing software on it) and try using the site’s password reset function to change the password back to one you know – oh, and make sure it’s a strong password!
Ah, but what if the non-working credentials are to your email account itself? Great question. It certainly doesn’t make sense to use the password reset feature if you can’t get into your email, right? Well, the good news is most of the large email providers have some safeguards in place by default to help you if you suspect your account has fallen into the wrong hands:
- Gmail – has an account recovery process you can follow here.
- Yahoo – check out their knowledge base article and warning signs that your account has been hacked.
- Hotmail – Microsoft has a thorough article on how to recover your Outlook/Hotmail account here.
Step 5: Notify the appropriate parties
If your email account was taken over, hackers often use it simply to send out spam to your contact list. So shoot out a note to your friends and family letting them know that the account is back under your control, but that they should be cautious of any recent messages received.
If this was a more serious incident such as identity theft, check out resources like this one from the FTC, which walks you through some immediate steps to take to lock down and monitor your accounts.
Step 6: Review your defensive strategy
As important as it is to react and recover from a hacking incident, it is almost more important to do a “lessons learned” session with yourself to figure out how this could be avoided next time. Run through this short list of security questions to make sure you have a good fundamental defense in place:
- Are you using strong passwordson all your important accounts?
- Are you using a unique strong password on all your important accounts?
- Do you have two-factor authenticationenabledon any service that offers it?
- Have you changed the default password on any devices you have installed on your network (routers, switches, firewalls, etc.)?
- Do you have passwords written down anywhere – under keyboards, inside drawers, stuck to monitors, etc.? (If you answered “yes” please slap both your wrists on my behalf)
- Are you changing your passwords routinely in the name of good password hygiene? Yes it’s annoying, but I think it is good practice to do several times a year on all accounts.
- Are you being careful about letting other services and plugins post or tweet on your behalf? Research these carefully, as there are plenty out there with a questionable security reputation.
A wise person said, “There are two kinds of people: those who have been hacked, and those who are about to be hacked.” No matter which one you are, now is a perfect time to strengthen the security of your online accounts (including awesomely strong passwords!), review recovery procedures for your most important accounts, and be ready to respond to an adverse incident if necessary.
If you have questions about a hacking incident or perhaps how FRSecure could help you identify some of your company’s risks and vulnerabilities, I would love to talk to you. I can be reached at 952-467-6385 or at firstname.lastname@example.org.
Coming up next
In March we will look at why iPhones are better than Androids (kidding, I just wanted to get a rise out of some of you). But we are going to discuss some smartphone security best practices to help keep your device more safe and secure.