Hack Attack

Is your fire department or municipality’s server and computer system connected to the Internet?  If so, your computer system is probably being attacked by a hacker as you read this article.

Those hackers are seeking information on your department’s EMS responses, looking at patient records, payroll records, emails, and other proprietary and protected information, if released, may make your organization vulnerable to litigation from your patients or your employees. As firefighters and fire departments we believe we are immune to hacking due to the nature of the ‘good work’ we provide to the community. The reality is we store a tremendous amount of information on our employees, patients and others in our communities and organization. Some examples are: medical information or Protected Health Information (PHI) subject to the provisions of your State’s laws on protecting PHI or HIPAA; personnel information to include social security numbers, employee addresses and other vital information especially important for protecting those identities for police officers; fire reports, cause and origin and incident addresses; payroll information especially if your organization provides a direct deposit function; personnel files indicating promotions, demotions, letters of commendation or discipline; vehicle maintenance records; training records and millions of bits of information that have been computerized for instant access and management. Trust me when I say, “if you want those records, so do the hackers.”

Hacking computers is not a new phenomenon as that activity has been occurring for many years. There is a plethora of software protections created every day to prevent these occurrences and many antiviral programs and anti-hacking programs are updated by the hour. If you search the internet on hacking, there are numerous sources to assist you in hacking a computer. Look at this site for some simple directions for gaining access to your computer if you forget the password or want access to someone else’s computer in several easy steps http://www.wikihow.com/Hack-a-Computer.

Malicious hackers use programs to:  

• Log keystrokes: Some programs allow hackers to review every keystroke a computer user makes. Once installed on a victim's computer, the programs record each keystroke, giving the hacker everything he needs to infiltrate a system or even steal someone's identity.

• Hack passwords: There are many ways to hack someone's password, from educated guesses to simple algorithms that generate combinations of letters, numbers and symbols. The trial and error method of hacking passwords is called a brute force attack, meaning the hacker tries to generate every possible combination to gain access.

• Another way to hack passwords is to use a dictionary attack, a program that inserts common words into password fields.

• Infect a computer or system with a virus: Computer viruses are programs designed to duplicate themselves and cause problems ranging from crashing a computer to wiping out everything on a system's hard drive. A hacker might install a virus by infiltrating a system, but it's much more common for hackers to create simple viruses and send them out to potential victims via email, instant messages, Web sites with downloadable content or peer-to-peer networks.

• Gain backdoor access: Similar to hacking passwords, some hackers create programs that search for unprotected pathways into network systems and computers. In the early days of the Internet, many computer systems had limited security, making it possible for a hacker to find a pathway into the system without a username or password.

• Another way a hacker might gain backdoor access is to infect a computer or system with a Trojan horse.

• Create zombie computers: A zombie computer, or bot, is a computer that a hacker can use to send spam or commit Distributed Denial of Service (DDoS) attacks. After a victim executes seemingly innocent code, a connection opens between his computer and the hacker's system. The hacker can secretly control the victim's computer, using it to commit crimes or spread spam.

• Spy on e-mail: Hackers have created code that lets them intercept and read e-mail messages -- the Internet's equivalent to wiretapping. Today, most e-mail programs use encryption formulas so complex that even if a hacker intercepts the message, he won't be able to read it.

If you are part of a sophisticated and well protected system, it is a bit harder for the uninitiated, the lazy or an older user (like myself), but your 12 year old child could probably hack your computer with only a few keystrokes. Imagine state sponsored computer hacking where the resources of a million twelve year olds are hitting on your system every day. Of course I am being sarcastic on the age thing, but there is someone out there trying to access your servers or computers. Just look at Sony Pictures (the American entertainment subsidiary of Japanese multinational technology and media conglomerate Sony, based in Culver City, California) was hacked and several un-released movies were placed on the Internet potentially costing the company millions of dollars and there are thousands of other examples to include personal credit card information stolen from Target, VFW, and other retail store: most of those thefts are not publicized. There are also hundreds of individuals stealing your credit card information as well.

Your personal computer is also vulnerable to hacking with number of bogus emails called Phishing (open them up and a virus enters your system) to the Nigerian Oil scam bilking millions of unsuspecting individuals of their hard earned dollars. Many of us keep our personal data on our computers and a loss of that information to a hacker is devastating. As a user of department electronic devices, it is your obligation and responsibilities to protect vital information contained in your servers, computers and personal or business computers you use at home and work.

Here are some simple tips to prevent personal hacking on your Smartphone or computers are:

• HTTPS Everywhere: HTTPS Everywhere is an add-on for Chrome, Firefox and Opera that ensures that whenever you visit a site that offers data encryption, you're using it. You can check whether a site offers encryption by looking at the address in your browser and seeing whether it begins with "https", as opposed to "http" or "www" (the "S" stands for "secure").

• Be diligent with software updates: Another no-brainer. When companies discover vulnerabilities in their software that hackers can exploit, they send out security patches to solve the problem that appear in the form of pop-ups or download prompts. It's definitely an annoyance to have to interrupt your work to download new software and restart your computer. But when the alternative could be getting hacked, it's a small price to pay.

• Two-factor authentication: Services like Facebook, Twitter and Google's Gmail offer a feature known as two-factor authentication, which works with your smartphone to add an extra layer of security when you're logging in. After you've entered your password, you're prompted to enter a numeric code that's sent to your phone via text message or generated by a mobile app. That way even if someone steals your password, they won't be able to get into your account unless they also have your phone as well.

• Tape over your cameras: Even when your webcam isn't in use, sophisticated hackers can activate it remotely, giving them a virtual peephole into your home. Fortunately, there's a low-tech fix for this -- just put a piece of electrical tape or a Post-It note over the camera when it's not in use.

• Stow your phone: Just like they can access video from your webcam, hackers can listen in on your private activities by remotely activating the internal microphone in your smart phone. Again, there's a low-tech fix: Keep your phone stored out of earshot in a separate room when you know you won't be using it.

• Browse anonymously: Without precautions in place, most Web users leave a digital trail that makes it easy for those with just a bit of technical sophistication to figure out every site they've visited.

• Protect your email: Securing your email requires more technical know-how, but it's possible using a tool known as GPG. Getting GPG up and running can be a challenge if you're not ultra-tech savvy, but fortunately, the process of encrypting email should soon become easier. That's because Google is currently testing a new Chrome extension that it says "will make it quicker and easier for people to get that extra layer of security should they need it."

• Safe photo sharing: If you're an Android user, the app ObscuraCam offers a great way to share photos while protecting the privacy of everyone in the picture. The software makes it easy to blur the faces of people who might not want their photos online, and also strips out location data from the image files.

Some simple steps to protect your business servers from hacking include: obtain the latest security software, require your employees to update their passwords frequently, have a robust firewall, hire a professional to manage your system, back up data daily and store off site and do not allow your employees to download software into your system.

Vigilance is the WORD of the day to protect vulnerable information stored on any electronic devices.

Endnotes:

1. http://www.wikihow.com/Hack-a-Computer.

2. http://computer.howstuffworks.com/hacker1.htm

3. http://money.cnn.com/2014/06/13/technology/security/dont-get-hacked/

JOHN K. MURPHY JD, MS. PA-C, EFO, Deputy Fire Chief (Ret), has been a member of the career fire service since 1974, beginning his career as a firefighter & paramedic and retiring in 2007 as a deputy fire chief and chief training officer and computer user but not a hacker. He is a frequent Legal contributor to Fire Engineering Magazine, participant in Fire Service Court Blog Radio and a national speaker on fire service legal issues.