Getting Personal

The impact of cybercrime on executive leadership.

Executive Risk Whitepaper

Corporate leaders and directors are often the targets of cyber crime. Sometimes they are just collateral damage. In either case, it can be costly and career ending.

Contents

Executive Summary
Take it from the top
A Broken Circle of Trust
Accidents Happen
Sent Packing
Spare Me
Conclusion

© 2017 4iQ, Inc. All rights reserved.

Executive Summary

When it comes to cyber threats, the C-suite and board room have a lot to worry about. What would a breach do to our company’s reputation? What could happen to our stock price? What if our intellectual property is stolen? How could the cost of a breach affect our financials? Or our viability as a company?

These are all important questions, and smart companies consider how to answer them before an incident occurs. But there is one question that few executives think to ask until it’s too late:

What if I am the source of the breach?

When a CEO’s account is breached, it can trigger an earthquake for the entire enterprise. Aftershocks often include phishing scams, exfiltrated intellectual property, exposed stolen customer lists, and countless other incidents that cause severe financial and reputational damage.

4iQ’s unique, outside-in approach can keep you and your company safe. We scour the full attack surface to uncover lost, leaked or stolen credentials and data.

Take it from the Top

Increasingly, cyber criminals are targeting company leadership to gain access to networks, information, notoriety and money. Nobody is safe. Consider just a few of the executives and high-profile people who have been hacked recently:

Exposed Executives and Celebrities

Alf Goransson, former CEO.
Identity Theft
Stolen identity was used for a false loan application in March 2017. No legal action was taken until District Court declared him bankrupt in July.

Bo Shen, founder of Fenbushi Capital.
Social Engineering
Bo, an early investor in digital currencies Ethereum and Augur, was considered a “whale.” Hackers stole and dumped his REP and ETH, which then caused trading prices to plummet.

Amy Pascal, Sony Pictures.
Email Hijack
Hackers leaked Pascal’s embarrassing emails that damaged her reputation, caused a PR disaster for the company and ultimately forced her to resign.

CFO and Head of Investor Relations
Insider Hacking
Former IT technician stole passwords of company executives and remotely accessed electronic devices and mined confidential information to make “highly profitable” stock trades.

Sundar Pichai, Google CEO.
Account Takeover
OurMine Hackers took over his Twitter account by going through his linked Quora account.

Werner Vogels, Amazon CTO.
Account Takeover
CTO of Amazon Web Services had his social networking account hacked and taken over.

Katy Perry, celebrity.
Social Media Hijack
The most followed person in the world had her Twitter account hijacked. Hackers tweeted profanity and slurs targeting rival popstar Taylor Swift.

Anne Hathaway, celebrity.
Social Media Hijack
Intimate photos have surfaced and been widely shared on Tumblr, Twitter and Reddit.

Tiger Woods, golfer, celebrity.
Social Media Hijack
Dozens of nude photos of Tiger and other celebrities were hacked and released on an internet porn site.

These examples are of sophisticated executives at the helm of cutting edge tech companies or people in the public eye with careers dependent on their reputation, yet their accounts and identity are often compromised largely using the same tactics that put us all at risk. Let’s start with this one.

1. CEO Phishing Scams

Cyber criminals use phishing to gain access to identities and networks for one good reason – it works. Every day, even the most tech savvy execs fall for spoofed emails. By clicking on a seemingly innocuous link or entering a password in a familiar looking site, they put untold personal and corporate information and reputations at risk.

Preventing phishing scams is particularly vexing for corporate IT departments because these emails often do not set off spam traps. They aren’t mass emails and they use familiar domains.

In 2015, Ubiquiti Networks, a San Jose based maker of networking technology, was taken for $46.7 million when a hacker “impersonated” executives and directed funds to be transferred to an overseas bank.

Tech Firm Ubiquiti Suffers $46M Cyberheist
Networking firm Ubiquiti Networks Inc. disclosed this week that cyber thieves recently stole $46.7 million using an increasingly common scam in which crooks spoof communications from executives at the victim firm in a bid to initiate unauthorized international wire transfers. [1]

In April 2016, Brian Krebs reported that the U.S. Federal Bureau of Investigation (FBI) alerted the public of a global increase (270%) in identified victims and exposed losses from “CEO scams.” As Brian notes in his blog, spoofed emails rarely set off spam traps because they are carefully calculated and targeted, not mass emailed.

FBI: $2.3 Billion Lost to CEO Email Scams
The U.S. Federal Bureau of Investigation (FBI) this week warned about a “dramatic” increase in so-called “CEO fraud,” e-mail scams in which the attacker spoofs a message from the boss and tricks someone at the organization into wiring funds to the fraudsters. The FBI estimates these scams have cost organizations more than $2.3 billion in losses over the past three years. [2]

[1] August 8, 2015. Brian Krebs. Tech Firm Ubiquiti Suffers $46M Cyberheist
[2] April 16, 2016. Brian Krebs. FBI: $2.3 Billion Lost to CEO Email Scams

2. Stolen credentials

If cyber crime is a fast moving wildfire across the global internet, stolen credentials are the oxygen. They are the source of 80% of all data breaches.

Massive 711 Million Emails and Passwords Dumped and you are Probably on the List...I Was
A malware researcher going by the Twitter handle, Benkow moʞuƎq, uncovered a huge stash of emails and passwords stored on an open server in The Netherlands. The stolen credentials were apparently harvested by a spambot known as, Onliner. This spambot has been used to deliver banking malware which has compromised over 100,000 accounts. [3]

Like the rest of us, executives frequently use the same username and password combinations to log in to multiple accounts. On average, most people use 2 - 5 passwords to access 25 accounts.

This means that once a hacker gains the credentials that unlock one site, with a little time and the right software, he or she can gain access to the executive’s other online accounts, including the enterprise network. This is an all-too-common way intellectual property, money and identities are stolen, and networks are held for ransom.

At 4iQ, we estimate an 80% chance a hacker can find a password belonging to the victim if 3 different accounts are able to be tested.

After the credentials are used, accounts drained and networks ransacked, criminals usually sell (or dump) the information on the dark web for others to use. At this point, it is a “free for all” and the stolen credentials are available for anyone. It’s akin to leaving your keys in the ignition with the engine running and the doors unlocked.

Mark Zuckerberg used the same password (“dadada”, seriously) to log in to his Facebook, Adobe and LinkedIn accounts. Needless to say, they were breached multiple times. The last time, he learned of it by a tweet sent by hackers from his very own Twitter account.

92% of Executives have credentials Exposed

EMAILS            | BREACH/SITE | PASSWORD ALGORITHM | DECRYPTED PASSWORD
------------------|-------------|--------------------|-------------------
[email protected] | Linkedin    | SHA1               | dadada
[email protected] | MySpace     | SHA1               | *****fee
[email protected] | Last.fm     | MD5                | *****v3a
[email protected] | Adobe       | 3DES               | dadada
[email protected] | Tumblr      | SHA1               | *****nis
[email protected] | Dropbox     | SHA1               | *****325
[email protected] | Fling       | None               | *****980
[email protected] | VK          | None               | *****123
[email protected] | Adobe       | 3DES               | dadada

[3] August 30, 2017. SecureYourWorkplace.net. Massive 711 Million Emails and Passwords Dumped and You Are Probably on the List...I was

A Broken Circle of Trust

Password Security Checklist

By analyzing hundreds of
