So, you have just been hacked, now what ?
Firstly, if the hackers have accessed your bank account, call your bank and get them to start sorting this out for you. They are very, very good at this, but it takes time. While you are waiting, lets secure everything we can.
Step 1 – Secure your e-mail account.
First of all, ensure that your e-mail provider supports ‘Multi-Factor Authentication’ or MFA for short.
I cannot stress how important this is, if you use your ISP’s ‘free’ e-mail, there is a very high likelihood that they do not support MFA, even if they do, there is more than a strong chance that in order to access your account from your phone, you are forced to use a static ‘application’ password.
This ‘static application password’ is the email equivalent of having ten deadbolts on your front door and your back door protected by a small, rusty, 99p padlock from Wilco.
So this first step is really several steps.
If ALL – and I mean all, there can be no exceptions – of your email accounts support MFA, you need to enable it.
If your e-mail account does not support MFA, or if the MFA that it does support is not supported by your e-mail clients (Outlook, Mail, phones etc), you need a new e-mail provider.
MFA will send you a text message to augment your password when you login or when you setup the account on your phone. Without your phone, a hacker has severely limited attack vectors to this e-mail account.
If you are still using your ISP account, you are an idiot, if you are using TalkTalk, then I am surprised that you are smart enough to have read this blog entry thus far. This goes for all of the ISP accounts, cox, sky, virgin, NTL, all of them. They are all utterly hopeless and crazy easy to hack.
If you have no MFA ability OR you are using your ISP account, you need to change the password at the very minimum while you prepare to transition away.
At this point you have no idea which of your devices is compromised, so this is tricky.
Literally the only possible thing that you can assume is that all of your devices are compromised and you probably should not trust anything on your network either as worms are dirt easy to install on devices and they spread.
So, how are you going to do this ?
Kick everything off your network except one computer, literally power everything down and turn off WiFi on your phones.
Grab a copy of Ubuntu and created a Bootable memory stick.
If you are on a desktop PC, smash your way into the things and pull out all the hard drives – it is not a bad idea to power it off prior, but that is reasonably optional – I am not going to trust this installation as far as I can spit it.
Having booted Ubuntu from a memory stick, you now have a decent OS from which you can start to recover.
This is the only computer that we are going to use for a while.
Change your Wifi password, just to be safe. This has the added advantage of making sure that everything is off your network.
If you have any iOT devices (smart light bulbs, cameras, etc) turn them off. They should be unable to connect to wireless assuming you just changed your password.
Now, we are ready to fix the e-mail accounts.
Assuming you have a decent e-mail provider – Gmail / Outlook, then head to your sign-in page and enable MFA. Initially use the ‘authenticate via a text message’ option, later on we will upgrade that though.
If you are still using your ISP e-mail address, then you need to get something more industrial strength.
- Gmail is very good, but I have serious privacy concerns
- Outlook is very good and I have less privacy concerns.
- A custom domain, hosted on Office365 is brilliant, but not free.
I cannot stress this strongly enough, ISP supplied free accounts are super, super dangerous, you should not use them, they are stupidly easy to hack and lack decent spam and phishing protections.
Side discussion – eMail addresses.
Free email is all well and good, but the chances of getting an e-mail address that is ‘cool’ and representative of you is close to zero, recently I got an email from a colleagues home e-mail address, it was something like (name changed, duh), MetalFr33k381@[free e-mail domain].
What looks better firstname.lastname@example.org, or email@example.com ?
Rightly or wrongly, your email address says a lot about you. If you cannot get first.last @ a decent email provider, then adding additional numbers after it, while possible, is going to add to confusion – are you John.Smith78 or John.Smith1978 or John.Smith800001 ?
Registering your own ‘family’ domain is cheap, pointing that at office365.com is cheap, having your name @ your domain in a full-on MFA protected Exchange instance backing it is awesome. A future blog entry will no doubt cover that.
So armed with an MFA protected e-mail address, what is next ?
Step 2 – Passwords
I have already spent a lot of virtual ink on passwords
Each one is still valid, but as we are now in the middle of a hack recovery, we need to change our strategy a tad. We cannot use a password manage yet because we have no idea what ha been compromised and we need to secure everything first.
For the moment we are going to create passwords on paper, get a notebook and a nice pen ready.
Use a nice simple three random words, interspersed with special characters and make it unique for each account.
One interesting strategy is to make it four words and use the account name in the middle of it, so rather than each one being a variation on ‘HorseBiscuitLawnmower’, you get something like this
Barclays – H0R53B@rcl4y5!!L4wnM0w3r
Gmail – hOR5EGO0gL3!!L@wnM0wEr
Step 3 – Secure your financial accounts.
Make a list of the bank and credit card accounts you have in your notebook.
Login to each one from your Ubuntu stick computer…
Note: Each account is going to have a different password – it is fine to use the same scheme, but each password must be unique.
- Enable multi-factor, if it is not already setup.
- Change your password to a unique one for that account.
- Follow the rules in the previous blog posts linked above for help with passwords.
- Change your memorable information.
- If you now have a new e-mail address rather than a moronic ISP one, change your e-mail address too.
- Change your passwords and write the new password, memorable info etc down in your notebook.
Repeat for each financial account.
Now go back and log in to each one to make sure they are all good.
Put the kettle on – you deserve a brew.
Step 4 – Other accounts
Make a list of the accounts you hold everywhere that you can think of.
- Council Tax
- Mobile Phones
Repeat the steps above, if there are any additional security options available, take them, but do not install apps on your mobile phone at this point, just use the text authentication options wherever possible.
I would strongly suggest that you use a different e-mail account for `Utility bills’, some of the bigger e-mail and password hacks have been against utilities.
Step 5 – Forums and Social Media
Twitter, Facebook, Instagram have MFA via text messages, go to your account, change the passwords, change the email address if you have a new one, setup MFA and step back – do NOT update any of this on your phone.
Any forums you use, you need to update your passwords too – but these are reasonably low risk, you could put this off for the moment.
A secondary or tertiary e-mail account for social media use is not a bad idea.
A non-primary e-mail account for forums should be considered mandatory, even if it is just an alias for another e-mail account.
Step 6 – have a cup of tea.
At this point you need to make some decisions and some of these are not going to be easy.
What you need to do is to backup all of your data to ‘the cloud’, but this means that you need some connectivity and you may need to boot your primary operating system.
Additionally you need to secure all of the photos and other data on your phone.
You need a cuppa and you need to plan this.
Side discussion – Mobile Phones
There are two major phone operating systems.
- iOS from Apple
- Android from Google
iOS is considerably more secure than Android. Love or hate the closed ecosystem, the limited device choice and the eye-watering prices, it does not matter, iOS updates that close security issues are frequent and apply to devices that are up to five years old, they are available on release date to all.
Android is a brilliant OS, but it is utterly ruined by the OEM’s that load it onto the phones that they sell and then do not issue vital security patches. If I was forced to run Android, I would do so on a Google Pixel, or perhaps a OnePlus device. Most OEM’s issue perhaps a couple of updates for each device and then abandon them. I literally would not permit a Samsung or LG device on my network they are so full of security holes.
Saying that, if you are stuck with a Samsung/LG/non-google Android phone, then not only do I pity you, but I want to help you….
- Disable non-android Cloud services
- Delete your non-android accounts
- Switch to Google services for everything
- Sign in with your newly secured e-mail account
- sign out all others
- Backup your photos to Google Photos
- Make sure you contacts are syncing to your e-mail account
- Essentially get yourself into a position where you could replace your phone.
- Do a factory rest – wipe that phone.
Post reset, sign in to your email account and let it do its thing to recover everything.
Do NOT install all your old apps, there is a huge chance that one of these could be problematic. Load apps only on a ‘yeah I trust this and yeah I need this’ basis.
Do not sign up for Samsung/LG etc Cloud services, limit things to just MFA authenticated e-mail accounts too.
If you have an iPhone, just ensure that you are on the latest update of iOS.
Repeat this for all phones that connect to your network.
If you are an Android fan, please consider updating to a phone that has regular (monthly) security updates and one that runs the latest version of Android (Pie released in August 2018)
Step 7 – Safeguarding your data.
Neither MacOS not Linux are 100% invulnerable when it comes to viruses or Malware, but compared to a Windows PC, they are god-like. If you are running Windows XP or Windows VISTA, you are an idiot, both have been discontinued long ago and neither get security updates, Windows 7 and 8 are on its way out too, you need to be on Window 10.
Not only do you need to be on Windows 10, but you need to be on the absolute latest patches and updates, you need Windows Defender and Windows Firewall running.
I’d suggest that regular scans with Malwarebytes is a good idea too.
Fixing a computer that is suspect is dammed difficult.
It may be easier to simply trash the old one and buy and new one, again, but I recognise that this is not practical.
What we need to do is to safeguard all of the data that you have on your PC, preferably without booting windows. Ubuntu may be the key here, you may be able to get to the data on the windows computer from within Ubuntu.
If you can, then all you need to do it s login to your Google account (MFA) from an Ubuntu browser then literally drag the data you want to keep from the hard drives to your google drive account. Note that you may need to buy more storage – it is pretty cheap to do this, at the time of writing you get 15GB for free and 100GB is £1.99 per month.
Depending on your network speed, this may take many, many, many, hours.
Once you have moved everything that you want to keep over to Google Drive, check that this is all accessible from your phone.
You can repeat this step for each Windows machine you own.
Step 8 – Clean installations time
Most modern computers have a recovery partition that can be booted, this allows for a re-installation of Windows. If you have this and you can get the computer to boot this, then go ahead and start again.
A couple of things
- Setup separate accounts for all users of family computers
- Nobody needs to be Admin (this is insanely stupid)
- Admin needs a different name and a secure password.
If you do not have a recovery partition, then you need to find the Windows installation media and work through that – I strongly suggest formatting the drives in you PC and doing as clean an installation as possible.
Step 9 – more tea
In a family environment, everyone needs to have proper e-mail accounts with MFA, everyone needs to be responsible. Nobody needs to be admin.
Older Android phones are fantastically susceptible to attacks, giving your child a hand-me-down Android is extremely risky, they are the least responsible and you are given them the least secure device, they will click on stuff that exposes their data, they will run games and apps that expose them to hacking. There is no way around this, you either have to accept the risks that are inherent in non-Google branded Android phones and understand that there is a decent chance that your children will be used as attack vectors, or you switch them to iOS, or you give them dumb phones.
Splitting your home WiFi and running a guest network and only allowing your Android phones and tablets to connect to this is viable, but if you have a networked printer, it will not be available to guests.
Consider switching to Linux, and perhaps running windows in virtual machines – it is much easier to fix.
Trust the cloud for your data, but only if it is secured with MFA.