ESET is a CPG Business Partner and member of the Business Club by CPG.
Have you ever wondered how a cyberattack takes place? Many people question it, but few think it would actually happen to them. However, the simplest of cyberattacks target the human aspect, which can be easily manipulated with the right knowledge and tools – and the outcome of a successful cyberattack can be catastrophic.
I’ve not played golf in a few years but back in my uni days, I spent a good number of weekends with a tee time booked, hacking up the course with my 7-iron. However, more recently, I have turned to a different kind of hacking which is far more fun and much less ego-bruising for me.
I have 14 years’ experience in the cybercrime and digital forensics unit in my local police force and now work as a Cybersecurity Specialist for internet security firm ESET, where I hunt and analyse potential cyber threats facing businesses. Being able to understand criminal hackers often means becoming one (ethically of course), revealing insights which can help potential victims better protect their security.
I was recently asked to investigate the security of an independent UK golf club and like with any good heist, research is vital. Although I am familiar with the surroundings, lingo and attire of a quality golf club, I needed to learn everything I could about the staff and specific club in question; and this is where Google is your best friend. Armed with my online findings and a couple of quality techniques in my back pocket, I was pretty confident I could have some fun with my target golf establishment.
Firstly, I need to add a little disclaimer. Before I embarked on my escapade, I was granted full access and permission by the owner of the club to go wherever I wanted and to do whatever I desired – within reason, of course!
I decided to pose as an ITV employee, enquiring about doing a reconnaissance for a new commercial and requesting to take some photos to report back to my producer. I rang the club up a week in advance and gave them my pretext story. The business development manager answered and (naturally) loved the idea, inviting me to visit the club the following week.
I arrived at the course one sunny morning and headed straight to their reception shortly after 9am, equipped with my laptop, USB, DSLR camera and a trusty hi vis jacket. Once I had met with the business development manager who I’d previously spoken to, I walked off for an hour with my camera and pretended to take some photos of the course. On return, I showed him the photos and asked if I could use the private WiFi, requesting the password which was happily given to me. I then mentioned that I’d forgotten some paperwork, so I asked him if I could pop my USB in his machine to print off a release form. He obliged and even said, “I probably shouldn’t let someone I don’t know do this.”
It was then that I witnessed the true horror show which I did not ever expect – they were still using Windows XP! Support for this operating system ceased in 2014 and it is highly dangerous when connected to the internet. To make matters worse, XP was running on the machine in the shop with the point of sale software on! With all the financial and sensitive data being run through this device, it would make for a very dangerous outcome if it were targeted.
Once I had pretended that the document I needed to print was missing from my USB, I sent a fake pre-release form via Google Forms in order to obtain some additional personal information from him, along with one of his passwords. He clicked on this link immediately and filled it out. In fact, he then took a call and left me with full access to two further machines with no one looking.
Of course I didn’t actually exploit the network at this golf club, but the lessons learnt were vital. The simplicity of hacking anywhere is eye-opening, impressive and relatively easy: a quality backstory, a touch of charm and a spot of luck will get you into most areas, all fit enough to exploit. A high vis jacket just helps to seal the deal.
When I reported to the golf club’s owner, he was somewhat shocked yet equally unsurprised. He thought it may have been easy and said himself that he never thought anyone would ever hack his business. The truth is, however, every business is a potential target and whilst they remain so easily penetrable, they will remain potential victims.
So here’s how to keep a golf club secure:
- Install the latest, most up-to-date operating system on all computers
- Implement a guest WiFi and never allow anyone other than staff access to the main WiFi connected to the network
- Never assume anyone is who they say they are when they request to use a club computer or desire access into rooms unsupervised
- Keep all passwords away from prying eyes and never write them down
- Educate your staff on phishing emails and ensure policies are in place should staff need to report something
- Encrypt any sensitive data and never leave computers unlocked
- Never click on unsolicited links or attachments
- Use a robust antivirus product on all computers