Example 3: Night with the DarkHotel
A Night with The DarkHotel
True Story: In 2014, the world learned of an advanced hacking group called The DarkHotel. They have since moved on to other types of attacks, but they were initially known for taking over WiFi networks in popular hotels across Southeast Asia. They typically targeted traveling businessmen staying at those hotels; their main method of attack was to deliver fake software updates for applications over the public WiFi to the person’s device. If the target fell for it, the hacking group was able to steal work data from the device and use it to compromise the company the employee worked for.
Moral of the Story:
- Whether it’s for personal use or work, it’s best to simply avoid using public WiFi altogether. You just don’t know who’s listening or what creative attack methods could find you.
- This story also shows the prudence of limiting who has access to what. Stolen data from a work laptop could be merely an annoyance, not a catastrophe, if the right access controls are in place.
Browsers and Phones
Implore your users to leverage a secure browser like Chrome, to only use plugins that have a true business need, and to stick to websites that use HTTPS. However, it’s a good idea to let them know that many phishing websites now use HTTPS, so they shouldn’t rely solely on the lock icon to determine whether or not a website is safe. It never hurts to double-check, for example, that they are in fact on google.com and not go0gle.com. Lastly, they should pay attention when their browser warns them about entering a website; this is often a sign that something is off.
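The google.com versus go0gle.com check can also be automated on the defender's side, for example in a mail or web-proxy filter. The following Python is an added example, not part of the original article; the allowlist, the substitution table and the function names are assumptions made for illustration, and it covers ASCII lookalikes only.

```python
from urllib.parse import urlsplit

# Assumed allowlist of domains the organization really uses (constructed sample).
TRUSTED = {"google.com", "example-corp.com"}

# Common digit-for-letter swaps seen in lookalike domains (assumed, not exhaustive).
CONFUSABLE = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

def skeleton(domain):
    """Fold visually confusable characters so 'go0gle' and 'google' compare equal."""
    return domain.translate(CONFUSABLE).replace("rn", "m").replace("vv", "w")

def edit_distance(a, b):
    """Levenshtein distance, to catch a dropped, added or swapped character."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(url):
    """Return (verdict, matched_domain). The scheme is ignored on purpose:
    HTTPS says the connection is encrypted, not that the site is the right one."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    # Simplification: treat the last two labels as the registered domain
    # (a production filter would consult the Public Suffix List).
    registered = ".".join(host.split(".")[-2:])
    if registered in TRUSTED:
        return "trusted", registered
    for good in sorted(TRUSTED):
        if skeleton(registered) == skeleton(good) or edit_distance(registered, good) <= 1:
            return "lookalike", good
    return "unknown", None

if __name__ == "__main__":
    # Constructed sample URLs.
    for url in ("https://accounts.google.com/", "https://go0gle.com/login",
                "https://gogle.com/", "https://example.org/"):
        print(url, "->", classify(url))
```

A "lookalike" verdict is a reason to block or warn; an "unknown" verdict only means the domain is neither on the allowlist nor close to it.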

Let your employees know that they should protect their phone with a password or PIN, and they should have it set to be wiped after a certain number of incorrect attempts. After all, more than likely their personal email is on their phone, if not their work email as well, and they can end up losing everything if their phone is not secure.
They should enable remote wipe in case they lose their phone, and they should also make sure to update their phone with the latest patches whenever they become available.
Secure Interactions with the Public and Social Networking
Educate employees about secure practices when interacting with the public online. For example, they should always know who they’re talking to. If someone else initiates the contact, they should never give out information. The initiator should already have all of the information they need, so it should be an immediate red flag if the initiator requests more. They will be targeted with these kinds of social engineering attacks, so a good rule of thumb to share with them is this: if someone needs an immediate answer, the answer is no. Lastly, to reiterate, make sure your employees know your policies related to sharing private information.

When it comes to social networking, remind personnel to use good judgement and to watch out for malicious links. Alert them that they can expect to be targeted because of their connection with the company.