The recently announced hack of the web-based version of the WhatsApp messaging service didn’t draw a lot of attention. Why should it? The number of people affected was relatively small in comparison to other recent hacks — just (just?!) 200,000 users.
Another reason this hack went relatively unnoticed was that it wasn’t a large breach of a corporate database. The victims in this case were individual users of the app. Once hackers breached these accounts they had access to the users’ personal data.
However, that doesn’t mean the hack isn’t worth noting. What should be interesting about the hack, and more than a little concerning to people who are interested in network security, is how these hackers gained access to these users’ accounts.
According to the report from CNBC, here’s how it happened.
“Hackers were sending so-called vCards to random phone numbers they had obtained, according to Check Point, a security firm that originally found the vulnerability.
“A vCard is an electronic contact card that you can send to another person. For example, if somebody wanted the number of someone in your phone’s contact book, you could send the vCard over and the other person would have all the details. The vCard sent by the hackers contained a malicious code that would distribute bots, ransomware and remote access tools (RATs) on a person’s phone or PC.”
Lessons Not Learned
Those vCards carrying damaging data had to be opened to be activated. That’s what should concern the security-minded. It means we haven’t done enough to educate people on the dangers of opening files of unknown origin. That, or the lessons we’ve been trying to teach haven’t sunk in.
Shouldn’t it, at this point, be common knowledge that you don’t click on links or attachments that are sent from someone you don’t know? Well, yes. You would think so. But, apparently, that’s not the case. Just like children need to be repeatedly reminded to not accept candy from a stranger, it seems that their parents need a similar reminder.
Are Your People Your Biggest Vulnerability?
Too often, when we think about security and vulnerabilities, we think about exposed devices or glitches in code that can be exploited. We don’t often think about our people that way, but that’s really what they are. They may be the biggest vulnerability to the security of your network.
We’ve spent a lot of time on this blog talking about security mindsets we believe everyone needs to adopt. Our top mindset is “I will make it harder to exploit my network.” Most of the thinking there has been about creating solid login credentials and really good passwords, locking down application logins to prevent brute force attacks, and then reinforcing the importance of not being too casual with login information.
Perhaps we should expand that to include structured and recurring training on social engineering tactics. Evidence seems to suggest that we’ve done a good job of getting folks to not click on odd attachments from unfamiliar email addresses. That is one way to explain the drop in spam emails being sent. Apparently, that message needs to be broadened to include awareness about social engineering schemes no matter which platform they appear on. Guards need to be up anywhere that employees can send and receive messages with clickable attachments. Employees need to be reminded that the people wanting to infiltrate our networks are constantly changing their methods. They are looking for new vulnerabilities to exploit. Those vulnerabilities that are hardware- or software-based can be patched. The one vulnerability we can’t patch is them.