Thwarting a Hacker

Security Jul 4, 2021

So, yesterday, my daughter started to receive some texts from her friends. They were responding to her most recent messages. But, she hadn't sent them any messages that day!

Turns out, someone had gotten access to her Instagram account and was sending out messages as her! Luckily, dad was prepared and this is how we dealt with it!

Response

The first thing that we needed to do was stop the hacker in their tracks. It was unclear how sophisticated this individual was, but based on how fast the messages were coming out, I could tell that they were being sent from an automated script.

This was good news because often these scripts cannot adapt to changes that occur to the account or the environment. We quickly changed the Instagram password...

...and the messages immediately stopped!

OK. The initial issue had been stopped...for now.

We also went and changed all of the passwords to any bank and email accounts as there was a risk of actual financial or control loss at that point.

Recon

The next thing that I wanted to do was see if it was just one of her accounts that was compromised or if we had a bigger problem and one of her devices was compromised.

At home, I run a Ubiquiti network. This is a few steps up from the average home network and is, in fact, an enterprise-grade network that is quite economical. I also installed a Ubiquiti controller, which you can either purchase or build on a Raspberry Pi, like I did. I put it in just for situations like this.

Using the Ubiquiti controller, I quickly disabled all of her devices on the network so that, if they were compromised, they could not infect other devices or transmit further information to the person who was causing us all this trouble.

The Ubiquiti controller also allowed me to see how my daughter's devices were connected to the network and the type of traffic that was coming from them.

Portion of Network Display

After some analysis, it was apparent that there was no unusual network activity coming from her systems. A virus and malware scan confirmed this.

Reinforce

Once we felt that we no longer had someone making trouble on the network or in her accounts, it was time to fix some of the security holes that existed. I'm not going to go into detail on all the changes that we actually made, but I will talk about all the things that we went through to make sure security was increased.

Bitwarden

One of the most important tools that I have implemented was Bitwarden, an open source password manager and security tool.

Bitwarden Tools Menu

It formed the basis of many of the follow-up actions that we performed.

Migrate to Bitwarden

The first thing that we did was migrate all of the passwords my daughter had stored to Bitwarden. Here is how we did it:

  1. Create a Bitwarden account
  2. Enable two factor authentication on the Bitwarden account
  3. Export all passwords stored in web browsers
  4. Import/enter all passwords in Bitwarden
  5. Delete all passwords recorded anywhere else (browser password stores, notes, spreadsheets)

Install Bitwarden Mobile

In order for my daughter to have a copy of all her passwords readily available, we also installed Bitwarden on her cell phone after enabling combined biometric and PIN access for the phone and Bitwarden.

With this configuration, someone would not only need her physically present to unlock her phone and get to her passwords, they would also need her cooperation for the PIN.

Install Bitwarden Browser Extension

Installing the Bitwarden extension for the browser that you use gives you quick access to the usernames and passwords for the website accounts that you frequent, and lets the extension fill them in for you rather than you typing them.

Run Bitwarden Reports

As pictured above, there are a number of reports that Bitwarden can run. We ran all of them and then fixed all of the issues identified:

  • Exposed Passwords Report - Exposed passwords are passwords that have been uncovered in known data breaches that were released publicly or sold on the dark web by hackers.
  • Reused Passwords Report - If a service that you use is compromised, reusing the same password elsewhere can allow hackers to easily gain access to more of your online accounts. You should use a unique password for every account or service.
  • Weak Passwords Report - Weak passwords can easily be guessed by hackers and automated tools that are used to crack passwords. The Bitwarden password generator can help you create strong passwords.
  • Unsecured Websites Report - Using unsecured websites with the http:// scheme can be dangerous. If the website allows, you should always access it using the https:// scheme so that your connection is encrypted.
  • Inactive 2FA Report - Two-factor authentication (2FA) is an important security setting that helps secure your accounts. If the website offers it, you should always enable two-factor authentication.
  • Data Breach Report - A "breach" is an incident where a site's data has been illegally accessed by hackers and then released publicly. Review the types of data that were compromised (email addresses, passwords, credit cards etc.) and take appropriate action, such as changing passwords.
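To make concrete what the Exposed, Reused, Weak and Unsecured Websites reports are actually checking, here is an added example (my own code, not Bitwarden's) that runs the same four checks over a vault export. The CSV layout is the one Bitwarden's individual-vault export uses, but the rows are constructed sample data. The exposed-password check uses the k-anonymity model of the Pwned Passwords range API: only the first five hex characters of the password's SHA-1 ever leave your machine, and the matching is done locally. The network call is replaced here by an offline stand-in built from the sample data so the example runs anywhere; the 70-bit entropy threshold for "weak" is my own assumption.

```python
"""Vault audit: reused, weak, exposed (HIBP k-anonymity) and http:// entries.

Added example; not Bitwarden's own report code.
"""
import csv
import hashlib
import io
import math
import string
from collections import defaultdict

# Constructed sample export in Bitwarden's individual-vault CSV layout.
SAMPLE_EXPORT = """\
folder,favorite,type,name,notes,fields,reprompt,login_uri,login_username,login_password,login_totp
,,login,Instagram,,,0,https://www.instagram.com,kiddo,password123,
,,login,School portal,,,0,http://portal.example-school.edu,kiddo,password123,
,,login,Bank,,,0,https://bank.example,kiddo,Xk9#vQ2m!pL7rT4wZbN3,
,,login,Email,,,0,https://mail.example,kiddo@example.com,summer2021,
"""


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the form the Pwned Passwords range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Offline stand-in for GET https://api.pwnedpasswords.com/range/<5-char prefix>.
# The real service answers with "SUFFIX:COUNT" lines for every breached hash
# sharing that prefix; here the table holds one constructed breached password.
_BREACHED_COUNTS = {sha1_hex("password123"): 123456}
FAKE_RANGE_RESPONSES = defaultdict(list)
for _digest, _count in _BREACHED_COUNTS.items():
    FAKE_RANGE_RESPONSES[_digest[:5]].append(f"{_digest[5:]}:{_count}")


def fake_fetch_range(prefix: str) -> str:
    """Return the constructed range response for a 5-hex-char prefix."""
    return "\r\n".join(FAKE_RANGE_RESPONSES.get(prefix, []))


def load_vault(csv_text: str) -> list:
    """Parse the export and keep only login items."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return [r for r in rows if r.get("type") == "login"]


def estimated_entropy_bits(password: str) -> float:
    """Crude strength estimate: length * log2(size of character classes used)."""
    pools = [string.ascii_lowercase, string.ascii_uppercase, string.digits]
    size = sum(len(p) for p in pools if any(c in p for c in password))
    if any(c not in string.ascii_letters + string.digits for c in password):
        size += len(string.punctuation)  # 32 printable ASCII symbols
    return len(password) * math.log2(size) if size else 0.0


def reused_passwords(entries: list) -> dict:
    """Map each password used by more than one item to the item names."""
    by_pw = defaultdict(list)
    for e in entries:
        by_pw[e["login_password"]].append(e["name"])
    return {pw: names for pw, names in by_pw.items() if len(names) > 1}


def weak_passwords(entries: list, min_bits: float = 70.0) -> list:
    """Names of items whose password falls under the (assumed) entropy bar."""
    return [e["name"] for e in entries
            if estimated_entropy_bits(e["login_password"]) < min_bits]


def unsecured_websites(entries: list) -> list:
    """Names of items whose saved URI is plain http://."""
    return [e["name"] for e in entries
            if e["login_uri"].lower().startswith("http://")]


def exposed_passwords(entries: list, fetch_range=fake_fetch_range) -> list:
    """k-anonymity lookup: send the 5-char prefix, compare suffixes locally."""
    found = []
    for e in entries:
        digest = sha1_hex(e["login_password"])
        prefix, suffix = digest[:5], digest[5:]
        for line in fetch_range(prefix).splitlines():
            if line.split(":")[0] == suffix:
                found.append(e["name"])
                break
    return found


def audit(csv_text: str, fetch_range=fake_fetch_range) -> dict:
    """Run all four checks and return their findings."""
    entries = load_vault(csv_text)
    return {
        "reused": reused_passwords(entries),
        "weak": weak_passwords(entries),
        "unsecured": unsecured_websites(entries),
        "exposed": exposed_passwords(entries, fetch_range),
    }


if __name__ == "__main__":
    for check, result in audit(SAMPLE_EXPORT).items():
        print(f"{check}: {result}")
```

To run this against a real export, swap `fake_fetch_range` for a function that fetches `https://api.pwnedpasswords.com/range/<prefix>` and returns the response body; nothing else changes, and the full password hash still never leaves the machine. Delete the export file as soon as you are done with it: a plaintext CSV of every password is exactly what step 5 above is meant to eliminate.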

Enable 2FA

Two factor authentication (aka "2FA") is a form of security that requires two things to prove that you are who you say you are. Often, this is something you know (e.g. a username and password combination) and something you have (e.g. a phone running an authenticator app, or access to an email account or a cell phone to receive an SMS message).

When using your cell phone as a 2FA device, it is important that you also make sure that the device itself is secure with (at minimum) a PIN or, better yet, some type of biometric lock (e.g. fingerprint scanner) on top of it.

I would recommend avoiding email and SMS as a form of 2FA, because an attacker who gets access to your email account, or who takes over your phone number by stealing your SIM card or convincing your carrier to transfer the number (a "SIM swap"), receives the codes too, and can use them to take over your accounts or lock you out of them.

If you are looking for a 2FA application, I would highly recommend Authy as it not only provides excellent 2FA support, it also has the ability to back up your accounts (encrypted with a backup password that you choose) so that you are not hooped in the event that you need to buy a new phone (because that never happens!).

Adding an Account with Authy

Best Practices

Here are some of the best practices that I have implemented with these tools:

  • Store passwords only in Bitwarden
  • Generate long complex passwords (since you no longer need to remember them)
  • Every site/application should have a unique password
  • If 2FA is offered, use it
  • Never give a password to others
  • Check regularly to see if your email address is part of a security breach (see https://haveibeenpwned.com/) or, better yet, sign up for alerts
  • Change a password immediately whenever the service reports a breach or you suspect it has been compromised (once every password is long and unique, rotating on a fixed schedule adds little)
  • Never enter your username/password into a webpage unless you confirmed the website address (look carefully, https://google.com and https://goog1e.com look very similar). The password manager helps here too: Bitwarden only offers a saved login on the domain it was saved for, so it will not fill anything in on a lookalike site

Report

The one thing that people often forget to do is report the incident to someone. At the very least, report it to the social media site support team.

Here are some common social media sites and where to report security incidents:

You should also report the incident to the local police.

Just a quick note on expectations. There is a very small chance that anyone will be able to identify or capture the person that compromised your account. The point of reporting is that there is a record of the compromise (for the police) and that security can be tightened (for the support team).

Repair

The last thing that we did was attempt to repair the damage done by the hacker. My daughter got in contact with everyone who received a message and explained the situation to them so that they understood what was happening and could then protect themselves.

Conclusion

In general, my daughter was relatively lucky. She was able to get control of her account again relatively quickly with minimal damage to her reputation. It could have been a lot worse.

We hope that the new security measures that we put in place will help to prevent this from happening again in the future.

Tephlon

A passionate tech nerd for over 25 years. I consider myself to be a generalist so I know a little about a lot. My latest obsessions are Raspberry Pi computers and n8n automation.
