on 06-06-2019 09:15 AM - last edited on 06-06-2019 09:32 AM by Meghan
Today is my favorite day of the year, my firm's birthday, marking 12 years since I poured my heart, my soul and my savings into my dream; this company. It’s an incredibly proud and emotional day for me as I have spent my whole career building this business. It’s a small firm, but the key to my success lies in my skill to network and I digitally store a comprehensive list of all my network contacts and clients’ details in a secure computer. Through this, I can tailor my service to each individual client without having to re-ask for information I already know.
My nephew Matt is a good kid, he helps me out with my firm’s IT environment and set up all my networking stuff, including the firewalls which protect web traffic. He will often visit and check my systems whilst he has a coffee and chat, but lately, he has been pretty busy with his studies, so my IT environment has taken a back seat for the meantime.
I vaguely remember my nephew mentioning something about a new Microsoft patch released to fix a vulnerability, but I'm too busy at the moment. Besides, last time I installed a patch my computer restarted, and I don't have the time to go through and save all my working documents; I’ll install it tomorrow.
Little did I know that today is also Elliot's favorite day, Microsoft’s “Patch Tuesday”. The day that Microsoft releases patches for Windows’ users to protect their machines. Elliot is a skilled hacker and is able to analyse the details of the patch and uncover what vulnerabilities it might be trying to solve. This means that on “Exploit Wednesday”, Elliot and his team can deliver codes to exploit systems that haven't installed the patch, and he has just selected me as his victim.
I'm sitting at my desk tending to my daily emails when my mouse cursor starts moving across the screen without me touching it. At first, I think it's my brain playing tricks on me, last night was a big night out celebrating with my colleagues after all, so maybe I’m just tired, but no! There - it moved again!
Confused, I take my mouse and bang it against the desk - but that doesn’t help. I look up and see my cursor opening and closing my client’s files with all their personal information. I frown. I don’t have time for technology to be breaking, especially when I'm so busy. I send a frustrated message to Matt asking him to order me a new mouse.
As I leave the office my receptionist calls out to me, she sounds worried. She tells me that her mouse has been doing strange things lately, even when she disconnects it from her PC. To my dismay, I see her cursor darting around the screen like it did on mine, opening and closing files.
I start to feel concerned - two mouse devices can’t possibly break on the same day! I call Matt again and ask him to come in first thing tomorrow.
As I leave the office Elliot continues his work, he is able to control my screen through his own, a vulnerability that the latest patch would have fixed. Elliot is especially interested in the numerous files I have of client information and is able to seamlessly access and copy them. Elliot loves people who don’t install their patches, it almost makes his job too easy!
Matt inspects my computer and I stand behind him, anxiously shifting my weight to each foot. Eventually, he leans back in the chair and closes his eyes, “did you install the Microsoft patch on Tuesday?”.
I stammered, informing him that I hadn't. But surely that wouldn't explain the issue with my mouse? Matt goes on to inform me that both mine and the receptionist’s computer had been remotely accessed and controlled by a third party via remote desktop. And because of this, the hacker was able to access all our sensitive information – including my client’s.
Before I can begin to panic, a notification pops up on my computer, Matt stops mid-sentence and opens the email, but it's an email from me, to me. How could that have happened?
I have accessed all your client’s information including photo identification, names, email, addresses and bank information. I have posted them for sale on the dark web. If you transfer 0.72 bitcoin* to XXX XXX XXX I will remove them immediately.
You have until 3pm.
*Approximately $8,803 AUD
I look to Matt, waiting for him to tell me this is a joke, but he sits there quietly staring into the distance. Upon further investigation, we see that each computer has been sending my client information to a strange email account, but there is nothing we can do – it's too late now. And how can I trust that this so-called Elliot will pull the information down from the dark web if I pay him??
I’m filled with despair and guilt, if my client's information is purchased, then criminals could perform identity theft and significantly impact their lives, and I would be the one responsible for it! I’m filled with shame, how am I ever going to sleep knowing this was my fault?
Gosh, Why me?
The next day
The next few weeks are spent cleaning up the mess Elliot made, I have emailed all my clients and informed them that their sensitive information has been obtained and the possible effects of this. In addition, I have reported the incident to the Privacy Commissioner, just to be safe.
The patch that Peter didn’t install, known as CVE-2019-0708, was fixing a vulnerability in the Remote Desktop Protocol (RDP) service that enabled it to be abused remotely. Because Peter did not install the patch, highly skilled and trained Elliot, was able to remotely use Peter’s desktop, access his files and send information to himself.
Software patches usually fix identified vulnerabilities within your system that could be exploited by hackers. Most operating systems, by default, are configured to automatically apply patches when a system is restarted. If yours does not do this, speak with your IT professional to “enable automatic updates”.
Often, people avoid installing patches because they see it as an inconvenience. Usually, your PC must fully shut down for the patch to be installed. However, in Peter’s instance, he could have saved his clients sensitive information and his business by taking a few minutes to install the patch. Read more information on patching here.