Chapter 13
IN THIS CHAPTER
Surviving when your own computer has been hacked
Recovering when someone has stolen your data from a third-party provider
OMG! It happened.
You’ve discovered that you’ve suffered a data breach.
Now what?
Read this chapter, which discusses how to respond in these types of situations.
If you follow the various techniques described throughout this book about how to protect your electronic assets, you’re likely to be in far better shape to recover from a breach than if you did not. Of course, preparation not only helps you reduce the risks of suffering a breach in the first place, but can also help you recover and help ensure that you can detect a breach if one occurs. Without proper preparation, you may not even be able to determine that a breach occurred, never mind contain the attack and stop it. (If you’re unsure whether you’ve suffered a breach, see Chapter 12.)
A normal human reaction to a cyber breach is to feel outraged, violated, and upset. It is also normal to experience some level of panic. To properly respond to a breach, however, you need to think logically and clearly and act in an orderly fashion. Spend a moment to tell yourself that everything will be all right, and that the type of cyberattack with which you are dealing is one that most successful people and businesses will likely have to deal with at some point (or at many points).
Also, keep in mind that you need to act ASAP. Stop whatever else you’re doing and focus on fixing the problem. Shut down any programs that you’re using, save (and back up onto media that you will scan for malware before you reuse) any open documents and so on, and get to work on recovering from the breach.
Ideally, you should bring in a cybersecurity professional to help you recover. While this book gives you good guidance, when it comes to technical skills, there is simply no substitute for the years of experience that a good pro has.
If possible, you want to figure out as much about the attack as possible so that you can respond accordingly. If an attacker is transferring files from your computer to another device, for example, you want to disconnect your device from the Internet ASAP.
That said, most home users do not have the technical skills to properly analyze and understand exactly what the nature of a particular attack may be — unless, of course, the attack is overt in nature (see Chapter 12).
Gather as much information as you can about
Cut off the attacker by isolating the compromised devices from the attacker. Containment may entail:
Containing an attack (see preceding section) is not the same thing as terminating and eliminating an attack. Malware that was present on the infected device is still present after disconnecting the device from the Internet, for example, as are any vulnerabilities that a remote hacker or malware may have exploited in order to take control of your device. So, after containing the attack, it is important to clean up the system.
The following sections describe some steps to follow at this point:
While most modern users will not have a security software boot disk, if you do have one, boot from it. If you do not have one, please skip to the next section.
If you’re using a Windows PC, boot the computer in Safe Mode. Safe Mode is a special mode of Windows that allows only essential system services and programs to run when the system starts up. To do this, follow these steps:
If you’re using a Mac, boot it with Safe Boot. macOS does not provide the full equivalent of Safe Mode; Macs always boot with networking enabled. Its Safe Boot does, however, boot cleaner than a normal boot. To Safe Boot, follow these steps:
Hopefully you can ignore this section, because you paid attention to the advice in the chapter on backups, but if you have not backed up your data recently, do so now. Of course, backing up a compromised device is not necessarily going to save all your data (because some may already be corrupted or missing), but if you do not already have a backup, do so now — ideally by copying your files to an external USB drive that you will not attach to any other devices until it is properly scanned by security software.
At this point, you may want to delete any files that you do not need, including any temporary files that have somehow become permanent (a list of such files appears in the chapter on backups).
Why do the deletion now?
Well, you should be doing periodic maintenance, and, if you are cleaning up your computer now, now is a good time. The less there is for security software to scan and analyze, the faster it will run. Also, some malware hides in temporary files, so deleting such files can also directly remove some malware.
For users of Windows computers, one easy way to delete temporary files is to use the built-in Disk Cleanup utility:
Hopefully, you already have security software installed. If you don’t, that may be the reason why you are dealing with the compromise in the first place! If you do have security software installed, run a full system scan. One important caveat: Security software running on a compromised device may itself be compromised or impotent against the relevant threat (after all, the security breach took place with the security software running), so, regardless of whether such a scan comes up clean, it may be wise to run the security software from a bootable CD or other read-only media, or, in cases of some products, from another computer on your home network.
If you are using a Mac and your Safe Boot includes Internet access, run the security software update routines prior to running the full scan.
Malware, or attackers, may add new files to a system, remove files, and modify files. They may also open communication ports. Security software should be able to address all of these scenarios. Pay attention to the reports issued by the security software after it runs. Keep track of exactly what it removed or repaired. This information may be important if, for example, some programs do not work after the cleanup. (You may need to reinstall programs whose files were removed, or whose malware-modified files were removed.) Email databases may need to be restored if malware was found within messages and the security software was unable to fully clean the mess up.
Security software report information may also be useful to a cybersecurity or IT professional if you end up hiring one at a later date. Also, the information in the report may provide you with clues as to where the attack started and what enabled it to happen, thereby also helping to guide you on preventing it from recurring.
There are experts who recommend uninstalling and reinstalling any software package that you know was affected by the attack, even if the security software fixed it. While doing so is not usually necessary, don’t forget about this advice, as if you do detect any problems using the software after system recovery, you may need to go back and uninstall and reinstall.
For Windows computers, after you have cleaned the system, restart it in Safe Mode with networking using the procedure described above (but selecting Safe Mode with Networking rather than Safe Mode), run the security software, download all updates, and run the security software scan again. If there are no updates, then you do not need to rerun the security software.
If you are using a Mac, Safe Boot already included networking so there is no reason to repeat the scan. Install all relevant updates and patches. If any of your software has not been updated to its latest version and may contain vulnerabilities, fix this during the cleanup.
System Restore is a useful tool, but it can also be dangerous. If a system creates a restore point when malware is running on a device, for example, restoring to that point will likely restore the malware! After cleaning up a system, therefore, be sure to erase all system restore points that may have been created when your system was compromised. If you are unsure if a restore point may be problematic, erase it. For most users, this means that it may be good to erase all system restore points. To do this:
Some attackers and malware may modify various settings on your device. The page you see when you start your web browser — your web browser home page — is one item that malware commonly changes. It is important to change the browser start page back to a safe page, as the malware’s starting page might lead to a page that reinstalls malware or performs some other nefarious task. The following sections walk you through the process for each browser.
To reset the Chrome browser:
To reset the Firefox browser:
To reset the Safari browser:
To reset the Edge browser:
Sometimes it is easier, instead of following the aforementioned processes, to simply rebuild a system from scratch. In fact, because of the risk of security software missing some problem, or of user mistakes when performing the security cleanup, many experts recommend that, whenever possible, one should rebuild a system entirely after a breach.
Even if you plan to rebuild a system in response to a breach, it is still wise to run a security software scan prior to doing so as there are some rare forms of malware that can persist even after a restore (such as BIOS reprogramming malware, certain boot sector viruses, and so on), and to scan all devices on the same network as the compromised device at the time of the compromise or afterwards, so as to ensure that nothing bad can propagate back to the newly restored device.
If your computer, phone, or tablet was breached, it is possible that sensitive information on it was stolen. That data may be misused now or in the future, either by the party that stole it, or by another party to whom the original data thief sold or gave it.
As such, you should change any of your passwords that were stored on the device, for example, and check all accounts that were accessible from the device without logging in (due to your earlier setting of the device to “Remember Me” after a successful login) to ensure that nothing goes wrong. Obviously, if your passwords were stored in a strongly encrypted format the need to change them is less urgent than if they were stored in clear text or with weak encryption, but ideally, unless you are certain that the encryption will hold up for the long term, you should change them anyway.
If you believe that your credit or debit card information was stolen, contact the relevant party at the phone number printed on the back of your card, tell them that the number may have been compromised, and ask them to issue you a new card with a new number. Also check the account for any suspicious transactions.
Keep a log of every call you make, when you made it, with whom you spoke, and what occurred on the call. If the fact that information may have been stolen could impact other people you should, in most cases, notify them of what happened as well.
Here are some ways to think of information:
If you have proper backups, you can remove ransomware the same way that you remove other malware. If any data gets lost in the process, you can restore it from backups.
If you have been hit with ransomware and do not have proper backups, however, you may face a difficult decision. Obviously, it is not in the common interest for you to pay a ransom to a criminal in order to get your data back, but in some cases, if your data is important to you, that may be the route that you need to go. In many cases, criminals will not even give you your data back if you do pay the ransom — so, by paying a ransom, you may not only waste money, but still suffer a permanent loss of your data. You will need to decide if you want to take that chance. (Hopefully, the information in the preceding few sentences will serve as a strong motivator for readers to back up proactively as discussed in the chapter on backups, rather than to rely on paying ransoms as a possible method of addressing ransomware attacks.)
Speaking with the cybersecurity expert is important, because some ransomware can be removed, and its effects undone, by various security tools. However, unless your security software tells you that it can undo the encryption done by ransomware, do not try to remove ransomware on your own once it has encrypted your data. Some advanced ransomware wipes the data permanently if it detects attempts to decrypt the data. Also, keep in mind that some advanced ransomware does not encrypt data, but rather removes it from the victim’s device and only transmits it back if the ransom is paid. Such ransomware may be removable by security software, but security software cannot usually restore the data pilfered by the ransomware.
Speaking with an attorney familiar with the relevant areas of law is important because, in some cases, paying a ransomware ransom can be a serious crime that could potentially land you in prison. Seriously!
While to date, the United States has not made it a crime to pay ransoms in general — although there are various ongoing efforts being made to influence legislators to enact such legislation — there are cases in which paying a ransom violates other laws.
For example, if criminals operating a particular ransomware system are under sanctions — meaning that it is a federal crime to conduct any financial transactions with them — it can be a felony to pay them a ransom in order to obtain access to your own data. While individuals have not, to date, been prosecuted by the U.S. government under such laws, at the end of the Trump administration’s term, the federal government threatened to begin doing so, and regardless of who is in power, such enforcement is likely to become reality at some point in the not-so-distant future. After all, if sanctioned parties can easily become rich by perpetrating cybercrimes, and nobody is prosecuted for participating in the transactions that enrich them, what good are sanctions in the first place?
Likewise, eventually, we may see prosecution of ransom payers under federal statutes related to wire fraud and/or money laundering.
It is important to learn from breaches. If you can figure out what went wrong, and how a hacker managed to get into your systems (either directly or by using malware), you can institute de facto policies and procedures for yourself to prevent future such compromises. A cybersecurity professional may be able to help you vis-à-vis doing so.
Nearly all Internet users have received notification from a business or government entity (or both) that personal data was potentially compromised. How you address such a scenario depends on many factors, but the following sections tell you the essentials of what you need to know.
Multiple types of data breaches lead to organizations sending notifications. Not all of them represent the same level of risk to you, however. Notifications may be sent when a company has
In all these cases, action may be warranted. But if a company notifies you that an unencrypted database of passwords including yours was stolen, the need to act is more urgent than if it detects unauthorized activity on a system on the same network as another machine containing only an encrypted version of your password.
Criminals see when a breach receives significant attention and often leverage the breach for their own nefarious purposes. One common technique is for crooks to send bogus emails impersonating the breached party. Those emails contain instructions for setting up credit monitoring or filing a claim for monetary compensation for the pain and inconvenience suffered due to the breach. Of course, the links in such messages point to phishing sites, sites that install malware, and other destinations to which you do not want to go.
Criminals also act quickly. In February 2015, for example, Better Business Bureaus across the United States started reporting complaints of emails impersonating Anthem, Inc., less than one day after the health insurance company announced that it had suffered a breach.
One of the types of breaches most commonly reported in the mass media involves the theft of password databases. Modern password authentication systems are designed to provide some protection in case of a breach. Passwords are usually stored in a hashed format, meaning that they are stored with one-way encryption. When you enter your password during an attempt to log in, what you type is hashed and then compared with the relevant hash value stored in the password database. As such, your actual password is not stored anywhere and is not present in the password database. If a hacker steals a password database, therefore, the hacker does not immediately obtain your password.
At least that is how things are supposed to work.
In reality, however, not all authentication systems are implemented perfectly; hashed password databases have multiple exploitable weaknesses, some of which can help criminals decipher passwords even when they’re hashed. For example, if a criminal looks at the database and sees that the hashed password for many people is identical, that password is likely to be a common one (maybe even “password”), which often can be cracked quickly. There are defenses against such attacks (for example, adding a unique random “salt” to each password before hashing it, so that identical passwords no longer produce identical stored values), but many authentication systems do not use them.
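The following is an added example, not code from the book, that illustrates the weakness just described and the defense against it. It builds a tiny constructed “user database” (made-up names and passwords), stores it once with unsalted single SHA-256 and once with salted, iterated PBKDF2-HMAC-SHA256, and shows what a thief who steals each database can see: with unsalted hashes, three accounts sharing one hash stand out immediately as users of the same (probably common) password; with per-user salts, no two stored values match. The record format `pbkdf2$iterations$salt$hash` and the function names are this example’s own conventions, not those of any particular product.

```python
import hashlib
import hmac
import os
from collections import Counter
from typing import Callable, Dict, Optional

# Constructed sample credentials for illustration only (not real accounts).
SAMPLE_USERS: Dict[str, str] = {
    "alice": "correct horse battery staple",
    "bob": "password",
    "carol": "password",
    "dave": "password",
    "erin": "Tr0ub4dor&3",
}


def weak_hash(password: str) -> str:
    """Unsalted single SHA-256: the same password always yields the same stored value."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def strong_hash(password: str, salt: Optional[bytes] = None, iterations: int = 200_000) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256.

    A fresh 16-byte random salt is drawn per record, so two users with the same
    password get different stored values. Record format (this example's own
    convention): pbkdf2$iterations$salt_hex$digest_hex.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2${iterations}${salt.hex()}${digest.hex()}"


def verify_strong(password: str, record: str) -> bool:
    """Recompute the hash from the stored salt and iteration count; compare in constant time."""
    scheme, iterations, salt_hex, digest_hex = record.split("$")
    if scheme != "pbkdf2":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


def build_db(users: Dict[str, str], hasher: Callable[[str], str]) -> Dict[str, str]:
    """Store only the hashed form, as a real authentication system should."""
    return {name: hasher(pw) for name, pw in users.items()}


def repeated_hashes(db: Dict[str, str]) -> Dict[str, int]:
    """What a thief sees in a stolen database: stored values shared by more than one account.

    Returns {stored_value: number_of_accounts} for every value that repeats.
    An empty result means the database gives away no 'same password' signal.
    """
    counts = Counter(db.values())
    return {value: n for value, n in counts.items() if n > 1}


if __name__ == "__main__":
    weak_db = build_db(SAMPLE_USERS, weak_hash)
    strong_db = build_db(SAMPLE_USERS, strong_hash)
    print("unsalted: repeated values ->", repeated_hashes(weak_db))
    print("salted:   repeated values ->", repeated_hashes(strong_db))
    print("login check for bob:", verify_strong("password", strong_db["bob"]))
```

Run as a script, the unsalted database reports one hash shared by three accounts, while the salted database reports none, even though the underlying passwords are identical. Note that salting removes only the “many people share this hash” signal; it does not make a weak password strong, which is why the chapter still advises resetting a common password after a breach.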
As such, if you are notified by a company that it has been breached and that an encrypted version of your password was stolen, you should probably reset the password. You don’t need to panic, though. In most cases, your password was likely protected by the hashing (unless you selected a common, weak password, which, of course, you should not have). If, for some reason, you have reused the compromised password on other sites on which you don’t want unauthorized parties to log in as you, you should reset your password there as well, and don’t reuse the new password this time!
If your credit card information or debit card information may have been compromised, take the following measures:
If your passport, driver’s license, or other government-issued identity document has been compromised, you should contact the agency that issued the relevant document and ask how you should proceed. Document everything that you’re told, including details as to who told you what, and when they did so. Keep a log of all calls that you make and what transpired on those calls.
You should also check online on the agency’s website to see whether it offers instructions for such scenarios. In some cases, agencies will advise you to replace the document, which may necessitate a physical visit to an agency office. In other cases, the agency will advise you to do nothing, but will tag your account so that if the document is used for identification at other government agencies, those checking the ID will know to be extra vigilant (which, in itself, might be a reason to replace the document so that you do not encounter any extra aggravation when using it as ID).
If your school or employer ID information is compromised, you should immediately notify the issuer. Not only could the compromised information be used to social engineer your school or employer, but it may potentially be used to obtain sensitive information about you from either one, or to otherwise get you into trouble.
If any of your social media accounts is compromised, immediately contact the relevant social media provider. All major platforms have mechanisms to address stolen accounts because all major platforms have had to deal with stolen accounts numerous times. Keep in mind that you may be asked to provide government ID to prove your identity as part of the account recovery process.
In such a situation, it is also often a good idea to warn people with whom you are connected on the compromised social media platform of the potential misuse of your account. If you make fully public posts on the platform housing the compromised account, you may wish to notify the public at large.
You can notify people via your non-compromised social media accounts that the account has been compromised, so that if the party that took over the account attempts to perpetrate a scam using it (such as by posting some request for money or the like), fewer people will fall prey. You can also use email, texting, or the phone to contact individual parties who may be put at risk.