I am an I.T. professional and have been involved in all aspects of system security for the past 31 years.
Do you know what the two most common passwords for a user account are? (As of 2019)
'password' and '123456'.
Does anyone wonder why systems so often get hacked?
Then you should know that when greeted with a box that says 'YES' and 'NO', most users will automatically click the yes box.
In this incident, it's very highly likely that a spam email, or a more embarrassing SPOOFED email, came across someone's email, pretending to be something from corporate, and they clicked to read the attachment or go to the web site in the link, and (hopefully for their sake) were presented with a realistic-looking login page, which they used to enter their identification. They likely got a fake error, but were then able to log in properly, and the 'deed was done'.
Most people that are hacked HACK THEMSELVES!!! I get emails from banks I've never had an account with on a weekly basis. I get emails from banks I DO have accounts with sporadically. I got a weird confrontation at my bank years ago. The teller looked at her screen, and at me, and asked me why I hadn't responded to their email. They looked puzzled. Apparently I had gotten some emails concerning 'questionable activity' on my account. I was surprised. I told her what I just said above, and she understood, I hope.
One email message looked so genuine, that I started filling in the form, but they asked for information they would have had already, and I got suspicious. It looked to be 100% genuine, except for the questions they asked.
My own mom lost control of her internet account about 10 years ago. She got an email from 'tech support' and it asked for her password. I could have been kinder, possibly, but told her under no circumstances should ANYONE EVER GET HER PASSWORD! Especially 'tech support', or 'customer service', 'accounting', etc. Being a system administrator, I don't need her password. Yadda yadda yadda. You all know the drill...
This was, on Garmin's side, a HUGE screwup. They should have had procedures and software to help stop this from happening. I hope they can recover from this...
A tangent (tm): I had a friend that was in a social group, and they were having 'issues' with hacking. Someone in the group, who called themselves a 'computer expert', advised them to ditch their physical firewall appliance and use ZoneAlarm (or whatever) software firewall. I strongly advised against it, but they were sold. Less than a year later, they were seriously attacked. See above. People were presented with a popup that asked if they wanted to allow a program (they had no idea what it did) access to their computer. Most trained monkeys will click 'YES'. Too many people did click 'YES', and, brick by brick, their 'firewall' became cheesecloth. DOH!!!
NB: I am affected by this as I have a Garmin product.
Glad you performed a thorough analysis and debrief of the incident before suggesting who to kill... /s
I ran a computer networking company for nearly 40 years. I had software and policies in place to deal with this kind of problem.
For one thing, I beat the idea that no one should ever get your password into all of my clients and their employees. There are ways to deal with these kinds of attacks, and a capable IT department would have protection and policies in place on the 'pre-attack' end, and backups and other protection on the back end.
It might be interesting to find out that Congress had a bill to penalize corporations that were attacked and either disclosed user information or had a large-scale lockdown. And the Chamber of Commerce didn't think it was needed, and their political minions killed it. The bill had teeth. Any corporation that was reckless and exposed user data without taking precautions would be more than spanked. But the CofC can't have that. And there was a requirement that businesses that were attacked inform clients and customers in a quick manner. No more two years later having a company say, 'Oh, by the way, we were attacked two years ago, and all your information was stolen, and, well, we didn't want to bother you, and it's been so long, you can't be mad at us, can you?'
Yeah, it's probably easier to break into corporate America now than it ever has been, and there is no drive for the corporations to adequately protect themselves.
Yeah, IT blew it. Someone has to walk the plank. Data is their business. If they can't take proper care of it, then maybe they shouldn't be in business.