Internet Dating and Romance Scams

Welcome to the place to inform and educate yourself about safe internet dating

Hackers breach Jack Straw’s email

News that hackers breached the UK Justice Minister’s constituency email account and used his contact list for a bizarre fraudulent spam attack might have raised a few smiles. Behind this story, however, is a reminder of the serious threat that we face on a daily basis.

The burlesque character of this story suggests it may have been aimed more at political embarrassment than at financial gain. Hackers gained access to Jack Straw’s Hotmail account, which he used for constituency but not government business, stole his contact list and sent spam emails to about 200 contacts asking each to send $3000 to Nigeria so that he could get home, the message claiming he had lost his wallet while doing charitable work in Africa.

The recipients were his constituents, Labour Party members and Ministry of Justice officials. The reference to Nigeria echoes the well-known ‘Nigerian Money Laundering’ attacks, although this incident is not about money laundering. Today, hackers are often expert at tailoring their ‘social engineering’ attacks, but this message pushed credulity to its limit, particularly as the news media routinely report his travels. One person replied to the email, and nobody sent any money, although several people did phone his home to check the information.
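The message pattern described above (a trusted contact, suddenly abroad, a lost wallet, a fixed sum to be sent urgently) is exactly the kind of thing a mail filter or a help-desk triage script can score mechanically. The following is an added example, not code from the original post: a small rule-based scorer that flags ‘stranded traveller’ money requests, with extra weight when the apparent sender is a known contact, since that trust is what the attack relies on. The rule weights, the threshold and the two sample messages are constructed for illustration.

```python
"""Heuristic scorer for 'stranded traveller' money-request emails.

Added example; not part of the original blog post. Rule weights and
sample messages below are constructed assumptions, not real data.
"""
import re
from dataclasses import dataclass, field

# (rule name, compiled pattern, weight). Weights are illustrative only.
RULES = [
    ("stranded_abroad",
     re.compile(r"\b(lost|stolen)\b.{0,40}\b(wallet|passport|bag)\b", re.I | re.S), 3),
    ("money_request",
     re.compile(r"(?:\$|£|€)\s?\d[\d,]*"
                r"|\b(?:send|wire|transfer)\b.{0,30}\b(?:money|cash|funds)\b", re.I | re.S), 3),
    ("urgency",
     re.compile(r"\b(urgent|asap|as soon as possible|immediately|right away)\b", re.I), 1),
    ("wire_service",
     re.compile(r"\b(western union|moneygram)\b", re.I), 2),
    ("cannot_call",
     re.compile(r"\b(phone|mobile)\b.{0,30}\b(lost|stolen|dead|not working)\b", re.I | re.S), 2),
]

THRESHOLD = 5  # constructed: a score at or above this is treated as suspicious


@dataclass
class Verdict:
    score: int
    hits: list = field(default_factory=list)
    suspicious: bool = False


def score_message(body: str, sender_known: bool) -> Verdict:
    """Score one message body. A money ask from a *known* contact gets extra
    weight: the scam works by abusing an existing relationship, so the
    familiar sender is a risk signal here rather than a reassurance."""
    verdict = Verdict(score=0)
    for name, pattern, weight in RULES:
        if pattern.search(body):
            verdict.hits.append(name)
            verdict.score += weight
    if sender_known and "money_request" in verdict.hits:
        verdict.hits.append("trusted_sender_money_ask")
        verdict.score += 2
    verdict.suspicious = verdict.score >= THRESHOLD
    return verdict


# Constructed samples: a paraphrase of the scam pattern and a benign note.
SCAM_SAMPLE = ("Hi, I'm in Nigeria doing charity work and lost my wallet. "
               "Please send $3000 so I can get home. It's urgent, I'll pay you back.")
BENIGN_SAMPLE = ("Hi, just confirming the constituency surgery on Friday at 10. "
                 "Let me know if the room booking is sorted.")

if __name__ == "__main__":
    for label, body in (("scam", SCAM_SAMPLE), ("benign", BENIGN_SAMPLE)):
        v = score_message(body, sender_known=True)
        print(f"{label}: score={v.score} suspicious={v.suspicious} hits={v.hits}")
```

Keyword rules like these are cheap and produce false positives, so the sensible action on a hit is not to block but to prompt the recipient to verify out of band, which is what the people who phoned Jack Straw’s home did.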

The unsurprising failure of this attack as a criminal financial fraud should not hide the ‘successes’ of the attackers. It is likely that they will make further use of the contact list, to launch future scams or to sell it on to the criminal fraternity through the sophisticated market that exists for stolen information of all types. They have also scored a significant coup in terms of political embarrassment. Jack Straw is not just a senior government minister, but the head of law and order and a champion of moving the balance towards more government control and surveillance. He is therefore likely to be a target for this kind of attack. This makes it surprising that he had taken so few steps to secure his Internet activities. We do not know how the hackers gained access to his Hotmail account, but the likelihood is that they used a mundane method to steal his password, such as guessing it, planting spyware, shoulder surfing or intercepting an insecure Wi-Fi session.

A contact list in Exchange contains names, email addresses and optionally phone numbers, postal addresses and other information such as employment details. This is small fry, both qualitatively and quantitatively, compared with the numerous leaks from government databases or incidents in the commercial world such as the one at the retailer TK Maxx. However, the hackers now have enough information to launch spam attacks, and other low-level identity theft attacks, on 200 people who did not even know their information was being held in this way or in this place. All such attacks highlight the danger of aggregating information into a single place.

Jack Straw is reported as saying that “there is no evidence that confidentiality of constituents was affected”. This may be true, but he would have to admit that their confidentiality has most likely been affected. We may never know how far down the criminal line this information will pass. It is possible that the hackers also downloaded the contents of his mailboxes, which could contain some very sensitive information. Hotmail should be able to clarify the extent of the breach by examining its logs, but this information is unlikely to be published. It could have happened, and the victims will be the last to know.

The moral of this story is that everyone has a duty to protect the information they hold online, and particularly when it belongs to, or refers to, others. This duty of care includes maintaining a high standard of cyber hygiene, refraining from using authentication credentials in insecure environments, protecting mobile devices from theft and misuse, and ensuring secure communications.

March 3, 2009 - Posted by | Uncategorized
