Imagine that you’re a network security company, and you’re in the middle of a demonstration to a prestigious customer in the insurance industry – a customer who is worth £80,000 a year in business.
Imagine that you want to show how quickly and efficiently you could remotely wipe a mobile device to render it useless to a crook, for example after it was reported lost or stolen.
And now imagine that an estranged former business partner managed to hack into your network, perhaps using legitimate-looking credentials set up when he was still an insider, to stage a sort of “demo-within-a-demo” of his own, right in the middle of your demo…
…so that not only the test device got wiped, but also a further 900 of your important customer’s mobile phones.
That’s not too far away from what happened in May 2014 to a company called Esselar, thanks to the vengeful attitude of one of the company’s original founders who had recently fallen out with his erstwhile partners and exited the business.
(The customer, insurance giant Aviva, apparently cancelled the contract as a result.)
According to a BBC report, the estranged business partner, Richard Neale, just picked up an 18-month jail term this week for this and other cybercrime offences against the UK’s Computer Misuse Act.
Neale apparently also took over his former company’s Twitter account and changed the logo to a “Heartbleed” by way of advertising the company’s insecurity, which is a particularly bad look for a network security consultancy.
He also used a fake account left behind inside the company to mess with his former colleagues by fraudulently rejecting their expense claims.
The BBC notes that Neale’s legal representative categorised these crimes as “foolish and childish” and as “causing mischief” based on festering resentment.
We’d say that deliberately wiping some 900 mobile devices belonging to a trusted and trusting customer goes well beyond “foolish and childish”, and we’d suggest that Neale can consider himself fortunate not to have earned a longer sentence.
What to do?
A little vigilance goes a long way:
- Use a standard, formal process to remove or to disable the accounts of anyone who leaves, whether on good terms or bad.
- Regularly review accounts that have remote access to prevent “sleeper accounts” being created for later misuse.
- Consider requiring two-factor authentication for all remote access so you have two ways to lock out a departing user.
- Regularly change passwords on social media accounts if you have been forced to share the same account and password with multiple staff.
- Regularly review your remote access logs in case you notice unusual or unwanted access – you definitely won’t spot anomalies if you don’t look.
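The first, second and last items on that list are things you can actually check rather than just intend to do. The script below is an added example (not code from the article or from any company it mentions) that runs those three checks over constructed sample data: it compares the directory's account list against HR's current staff list to find accounts that should have been disabled when someone left, flags enabled remote-access accounts with no living owner as “sleeper” candidates, and scans a few made-up VPN log lines for successful logins by such accounts or at unusual hours. The account names, the log format and the working-hours window are all assumptions made for the example.

```python
"""Added example: offboarding and remote-access audit over constructed data."""
from datetime import datetime

# Constructed sample data: HR's view of who currently works here.
STAFF = {"alice", "bob"}

# Constructed sample data: the directory's view of accounts.
# "dave" left the company but was never disabled; "svc-backup" has no named owner.
ACCOUNTS = [
    {"name": "alice",      "owner": "alice", "remote": True,  "enabled": True},
    {"name": "bob",        "owner": "bob",   "remote": True,  "enabled": True},
    {"name": "dave",       "owner": "dave",  "remote": True,  "enabled": True},   # leaver, still enabled
    {"name": "svc-backup", "owner": None,    "remote": True,  "enabled": True},   # nobody owns it
    {"name": "carol",      "owner": "carol", "remote": False, "enabled": False},  # correctly disabled
]

# Constructed sample log lines in a hypothetical "timestamp key=value ..." VPN format.
LOG = """\
2014-05-12T09:14:02 vpn login user=alice src=203.0.113.7 result=success
2014-05-12T22:41:55 vpn login user=dave src=198.51.100.9 result=success
2014-05-13T03:05:10 vpn login user=svc-backup src=198.51.100.9 result=success
2014-05-13T10:00:00 vpn login user=carol src=203.0.113.8 result=failure
"""


def accounts_to_disable(accounts, staff):
    """Enabled accounts whose named owner is no longer on the HR staff list.

    This is the check a formal leaver process should make impossible to fail."""
    return sorted(a["name"] for a in accounts
                  if a["enabled"] and a["owner"] is not None and a["owner"] not in staff)


def sleeper_candidates(accounts, staff):
    """Enabled remote-access accounts with no owner, or an owner not on staff.

    These are the ones to review regularly: nobody current will miss them if they vanish."""
    return sorted(a["name"] for a in accounts
                  if a["enabled"] and a["remote"]
                  and (a["owner"] is None or a["owner"] not in staff))


def parse_log(text):
    """Parse the constructed key=value log format into a list of dicts with a datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, _, rest = line.partition(" ")
        fields = dict(tok.split("=", 1) for tok in rest.split() if "=" in tok)
        fields["time"] = datetime.fromisoformat(stamp)
        events.append(fields)
    return events


def suspicious_logins(events, accounts, staff, work_hours=(8, 19)):
    """Successful remote logins worth a second look, with the reasons for each.

    A login is flagged if the account is unknown to the directory, is disabled,
    has no current owner, or happened outside the assumed working-hours window."""
    known = {a["name"]: a for a in accounts}
    flagged = []
    for e in events:
        if e.get("result") != "success":
            continue  # failed attempts are interesting too, but not for this check
        user = e.get("user")
        reasons = []
        acct = known.get(user)
        if acct is None:
            reasons.append("unknown account")
        else:
            if not acct["enabled"]:
                reasons.append("disabled account")
            if acct["owner"] is None or acct["owner"] not in staff:
                reasons.append("owner not on staff")
        if not (work_hours[0] <= e["time"].hour < work_hours[1]):
            reasons.append("outside working hours")
        if reasons:
            flagged.append((user, e["time"].isoformat(), reasons))
    return flagged


if __name__ == "__main__":
    print("disable now:", accounts_to_disable(ACCOUNTS, STAFF))
    print("review (sleepers):", sleeper_candidates(ACCOUNTS, STAFF))
    for user, when, why in suspicious_logins(parse_log(LOG), ACCOUNTS, STAFF):
        print(f"{when} {user}: {', '.join(why)}")
```

The point of keeping the HR list and the directory as separate inputs is that the gap between them is exactly where a departed insider's access survives; the log check then catches the case where the directory was never fixed at all. Two-factor authentication and rotating shared social-media passwords are policy controls rather than things a script like this can verify, so they are not represented here.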
TonyG
Could be why Aviva’s mobile phone protection service supplied to Natwest Black Account customers is permanently offline? It is a wonderful catch 22 – when you get through everything to get to register it, it is an Aviva holding page with a phone number. So you call the number, work your way through and then get told that you should do it online, get told “goodbye” and then directed to music. Natwest deny all responsibility because it is a third party service despite accessing it through a Natwest login.
Not the first time this sort of thing has happened – last time I figured out how some Natwest account holders’ protection benefits could be accessed with basically public information.
LonerVamp
Definitely one of those things that looks bad for a security company. If you can’t follow your own advice…