Very often your biggest threat is not what you think it is.
Some years ago a friend who was going through a messy relationship break up was staying at my place.
FRIEND: I think my laptop was hacked when I used it in an Internet cafe. My email password keeps getting reset.
ME: How do you set it back again?
FRIEND: Oh, I answer questions like my birthday or the town I was born.
ME: Are those things your ex would know? They might be hacking your email.
FRIEND: They wouldn’t do that. Would they?
FRIEND: They were hacking my email so I hacked theirs back.
ME: Wait! You hacked someone’s email? From MY IP address?
Things went downhill a bit from there. However, I think I managed to persuade them both to stop hacking each other or at least improve their email security. This does illustrate an important point though. For many people the biggest threat to their security is not a sinister hacker thousands of miles away. It’s an abusive partner or ex-partner.
Using a password reset to hack someone’s email is fairly obvious and easy to detect. However, there are companies out there selling products to enable far more subtle and pervasive surveillance, in spite of the fact that intercepting private communications without permission is a violation of wiretapping laws in most countries. These packages have been called “stalkerware” and have attracted considerable criticism.
Recently, several privacy activists have gone further than just criticism of stalkerware. They have hacked into the companies distributing these products and sabotaged their operations. Both Retina-X and FlexiSpy recently had all collected personal data stolen and their servers deleted. It seems that these companies have failed not only ethically, in selling software that promotes illegal surveillance, but also operationally, in exposing the data collected by their customers to comparatively unsophisticated attacks.
Stalkerware is deliberately quite hard to detect and remove when installed on a phone. If you believe your phone may be compromised there is some advice in this article. From a technical point of view the safest thing to do is to switch to another phone, or if you can’t afford that, to reset your phone to factory settings. Relationship advice is beyond the scope of this blog, but the use of spyware is probably not a healthy sign. If you need it you can get help and advice from the National Domestic Violence Hotline.
Sometimes the use of stalkerware can rebound on the attacker. Cybercriminal Sergey Vovnenko was notorious for sending a package of heroin to security reporter Brian Krebs in the hope of getting him arrested for possession of drugs. Vovnenko apparently did not trust his girlfriend, and installed key logger software to monitor her emails. The reports went to an email account owned by Vovnenko which was compromised by a security researcher, who was able to pass along the information on the movements of the couple to law enforcement. As a result, Vovnenko was arrested when visiting Italy. This is another example of someone getting their threat model wrong. Vovnenko was worried about his girlfriend, when he should have been concerned about the hundreds of white hat hackers who will come after anyone who messes with Brian Krebs.
Accurate threat modeling is important for enterprises as well as individuals. Sony Pictures’ management did not consider the company to be a high value target, and did not invest in information security. However, they suffered an attack from a nation state actor, when one of their movies offended the government of North Korea.
Within InfoSec, there is a lot of attention given to zero day threats. Yes, you should make sure you apply all the latest updates to your operating system and software, but zero days are rare, expensive, subject to being fixed, and often require strong technical skills to use. Phishing is a much more useful tool for most attackers, and many of the most devastating attacks such as the Target breach and the DNC email hack have started with nothing more than a carefully crafted phishing email.
To maintain good personal and business security, it’s important to consider what the most likely threats are and prepare for them. It doesn’t help to be prepared for data exfiltration by Chinese industrial espionage if your controller is wiring hundreds of thousands of dollars to Eastern Europe thanks to a spear phishing attack which impersonated the CFO. It’s no good using an encrypted app such as Signal for text messaging if your phone has been compromised and is sending screenshots of the messages to an ex who is stalking you. Consider what the real threats are, and stay safe.