To share tips on how to stay ALERT and avoid being the next victim, at least not because of your own poor cyber habits and hygiene!
Recently, the online "Password Pwned" website released a new version. What is interesting, if you are not aware of it yet, is that you can check whether your password appears in the leaked data from the major published data breaches.
There is also an existing "Email or Username Pwned" service, and it is free. The service is intuitive enough that you can easily figure out how to use it: key in your password or email address, and the result appears in a second or so. It is just that simple.
Some of you may feel uncomfortable keying in your password, but there is a way to build your confidence in using it. In any case, you would not be worse off, since details like your username or email address are likely already public information.
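For readers uneasy about typing a password into a website: the Pwned Passwords service (Have I Been Pwned) uses a k-anonymity range query, where only the first five hex characters of the password's SHA-1 hash are sent and the rest of the comparison happens on your own machine. The code below is an added illustration of that flow, not code from the article or from the service; the range listing is a constructed stand-in (the counts are made up) and the fetch function is a placeholder for the real HTTPS request.

```python
import hashlib

def split_sha1(password):
    """Hash the password with SHA-1 and split it into the 5-char prefix that is
    sent to the service and the 35-char suffix that never leaves your machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def count_in_range_response(suffix, response_text):
    """Parse a range listing ("SUFFIX:COUNT" per line) and return how many times
    the password was seen in breaches; 0 means the suffix is absent."""
    for line in response_text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        candidate, count = line.split(":", 1)
        if candidate.upper() == suffix:
            return int(count)
    return 0

def check_password(password, fetch_range):
    """fetch_range(prefix) must return the text body of the range listing for
    that prefix; the full hash and the password are never passed to it."""
    prefix, suffix = split_sha1(password)
    return count_in_range_response(suffix, fetch_range(prefix))

# Constructed sample listing standing in for a real range response.
# The middle line is the real SHA-1 suffix of "password"; the counts are invented.
SAMPLE_RANGE = """1E2A4B0F1C3D5E6F7A8B9C0D1E2F3A4B5C6:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1F0E9D8C7B6A5F4E3D2C1B0A9F8E7D6C5B4:1
"""

def offline_fetch(prefix):
    # Placeholder for an HTTPS GET of https://api.pwnedpasswords.com/range/<prefix>;
    # it returns the constructed listing so the example runs offline.
    assert len(prefix) == 5
    return SAMPLE_RANGE

if __name__ == "__main__":
    hits = check_password("password", offline_fetch)
    print("seen in breaches %d times" % hits if hits else "not found in the sample listing")
```

Note that the service can only tell you that the 35-character suffix matched, never which password produced it, because thousands of hashes share each five-character prefix.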
Don't get me wrong, I am not asking for support or donations for the service. But if you do donate, it is a great way to motivate the community to build more useful tools like this. With more data breaches reported every other day, we can always use these tools to keep a constant watch on whether our credentials are in jeopardy.
This leads me to writing this article. In the past, I wrote about protecting one's identity and privacy, but on reflection, what is really missing is how we can help ourselves catch early signs of compromise: indicators, red flags and clues that tell you something may be wrong, so that you can take timely action.
Adopt an ALERT strategy.
The gist is to make us stay ALERT, respond quickly, and protect ourselves from the traps on our computer (or mobile device). That is where all the trouble starts!
Common Compromise Indicators
Antivirus / Firewall - Do you see any alert triggers or messages popping up saying that a particular threat such as malware is being contained, or that a quarantine attempt has failed? How did the malware manage to get into your computer?
- Take Action(s) - Scan your thumb drive or any other portable storage peripheral. Look out for executable files sitting in temp folders. Check for any other unknown wireless connections established on your computer, especially insecure public hotspots that connect automatically for convenience, and remove these low-hanging entry points for hackers.
Browser - Do you see anything amiss in the settings, such as the default page being changed, or new extensions or duplicated add-ons (with different names, authors, etc.) found in your browser?
- Take Action(s) - If these were not installed by you, reset the browser to its default settings and remove those add-ons. Observe whether the changes recur over the next few days. Conduct regular AV scans with the latest signatures and check for any anomalies. Avoid visiting non-reputable websites or opening unknown email attachments.
Shortcut - Do you find your favourite desktop shortcuts missing and nowhere to be found? You are sure that you did not remove them and have not used any clean-up software for housekeeping recently.
- Take Action(s) - Look at the shortcuts' icons and check whether they have changed significantly, such as in colour or size, where the change is not due to a recent software patch. Do not double-click on these icons; instead, check the execution path under Properties. A shortcut may be masqueraded to run another unknown executable (planted somewhere on your computer, or one that connects to a remote site when executed).
Software - Do you keep seeing software giving error prompts, or have you sighted other unknown software installed that is not due to a recent OS or application patch release?
- Take Action(s) - Check the machine's list of installed software and your startup folder for any "new" add-ons, such as remote access applications like TeamViewer or VNC (anything with remote administration features). Avoid logging in as an administrator for daily use of your machine: make least privilege the default and use a standard account. Any attempt to gain higher permissions, for example to install plugins or libraries, will then prompt for your attention, which does not happen when you are logged on as administrator.
File - Do you observe that opening a document takes longer than usual, especially for documents that are uncommon or suspicious?
- Take Action(s) - Check the document's file extension. Open File Explorer (in Windows) and change its view settings so that full file extensions are shown. Identify any additional file extensions that have been appended: the file may be an executable (e.g. MyDoc.pdf.exe) rather than the usual Microsoft document.
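The double-extension check above can be automated, and it is worth going one step further than the name: a Windows executable always starts with the "MZ" DOS header, whatever it is called. The script below is an added example, not part of the article; it builds a constructed sample folder (the file contents are stubs, not real programs) and flags both MyDoc.pdf.exe-style names and files whose content is an executable despite a document extension.

```python
import os
import tempfile

# Extensions Windows will execute directly (not an exhaustive list).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs",
                   ".js", ".jse", ".wsf", ".hta", ".ps1", ".lnk"}
# Extensions a user expects to open as a document or picture.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx",
                 ".txt", ".jpg", ".png"}

def suspicious_reasons(path):
    """Return the reasons a file looks like a disguised executable (empty list if none)."""
    reasons = []
    name = os.path.basename(path).lower()
    exts = ["." + part for part in name.split(".")[1:]]  # every extension after the base name
    if exts and exts[-1] in EXECUTABLE_EXTS and any(e in DOCUMENT_EXTS for e in exts[:-1]):
        # With "Hide extensions for known file types" on, MyDoc.pdf.exe displays as MyDoc.pdf.
        reasons.append("double extension: looks like %s but runs as %s" % (exts[-2], exts[-1]))
    try:
        with open(path, "rb") as fh:
            magic = fh.read(2)
    except OSError:
        return reasons  # unreadable or missing file: only the name could be checked
    # A PE executable starts with "MZ" regardless of what the name claims.
    if magic == b"MZ" and (not exts or exts[-1] not in EXECUTABLE_EXTS):
        reasons.append("content is a Windows executable (MZ header) but extension is %s"
                       % (exts[-1] if exts else "none"))
    return reasons

def scan_folder(folder):
    """Scan one folder (non-recursively) and return {filename: reasons} for suspicious files."""
    findings = {}
    for name in sorted(os.listdir(folder)):
        full = os.path.join(folder, name)
        if os.path.isfile(full):
            reasons = suspicious_reasons(full)
            if reasons:
                findings[name] = reasons
    return findings

def demo():
    """Constructed sample folder: a clean PDF, a double-extension file, and a renamed executable."""
    folder = tempfile.mkdtemp()
    samples = {
        "Report.pdf": b"%PDF-1.7 constructed sample",
        "MyDoc.pdf.exe": b"MZ\x90\x00 constructed stub",
        "Invoice.docx": b"MZ\x90\x00 constructed stub",  # executable renamed as a document
    }
    for name, data in samples.items():
        with open(os.path.join(folder, name), "wb") as fh:
            fh.write(data)
    return scan_folder(folder)

if __name__ == "__main__":
    for name, reasons in demo().items():
        print(name, "->", "; ".join(reasons))
```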
Email - Do you see the number of emails in your "Sent Items" folder on a decreasing or increasing trend, despite your constant discipline in keeping to an archival schedule?
- Take Action(s) - Malware can consolidate stolen information and send it back to the hacker or cyber criminal. Check that the firewall and AV are updated and are not showing any alerts. Stay vigilant against spam and phishing emails. If you are unsure of an email's intent and its content is suspicious, always err on the safe side: do NOT click or open, just delete the email.
Account - Do you log in as administrator as usual and observe an unusual account that has been created without your knowledge?
- Take Action(s) - Log on as a normal user by default so that malware and hackers cannot easily gain high privileges when your computer gets compromised. An account created for remote access, or a shadow account that stays silent, may be used to run another backdoor that keeps your computer remotely accessible to the hacker.
- Disable unnecessary services like remote desktop (RDP), Telnet, SSH, file shares (SMB) and file transfer (FTP). Always conduct regular account and access right reviews, and remove unnecessary or unused accounts and excessive rights given to any user.
Login - Do you have difficulty logging into your machine or an online account like Hotmail, Yahoo, Facebook, etc.?
- Take Action(s) - Recall whether you received any recent call or alert saying that your machine is suspected of an unauthorized login from another remote machine or device. Your account may have been hacked. Report it to the provider if you are denied access, reset your login password, or check your recovery account (hopefully you have set one up).
- Adopt a strong passphrase to deter opportunistic attempts by the bad guys.
- Go for multi-factor authentication where possible. This simply means that login asks not just for a password but adds another check, such as a pass code or one-time password from Google Authenticator or Authy, or your biometrics (such as Face ID or Touch ID on iPhone/iPad). At minimum, opt for an additional pass code if you are not comfortable using your biometrics.
The above list may not be exhaustive, but it serves to help you stay aware of the anomalous activities we should stay vigilant about, and to take action fast.
At minimum, you should be ALERT to those red flags and take away the following from this reading:
- Attentive - Protect yourself by being vigilant. This is a call to action to improve your cyber hygiene habits.
- LEarn - Detect the clues and confirm whether they are a "hit". If you are in doubt, ask around. Do not stay silent.
- React - Respond swiftly. Do not panic. Disconnect your computer from the network. Do not switch off the machine, as that may remove precious traces needed for investigation. Escalate and report to your peers, supervisor or seniors accordingly.
- Teach - Be prepared to share with others. You learn more when you share. This is part of the after-action review of what went wrong, what could have been avoided and what can be improved in the long run.
Have a safe and secure cyber journey!