Is that really MY support company?

We recently had a client that had a rather concerning issue occur to one of their users.  Their main business application is supported by another company aside from Correct Solutions.  They use their support rather infrequently as the application runs fairly well for the most part.  On this day however, the user had a problem and rang the application support company.  They were then guided through installing a remote access application on their computer so that they could get onto the user’s desktop and resolve the issue they were seeing.  They resolved the issues and then disconnected from the user’s computer without further communication.

Shortly after this however, the user was using their computer when someone else took control.  Using Notepad on the computer the hacker told the user they would need around 20-25 minutes.  Now at this time the user’s problem was actually fixed and the user thought that the support company was doing some additional things.  After a little while however the hacker controlling the computer asked the user what country they were living in, and a few other details.  The user became suspicious at this point and asked “Who are you and where are you from?”.  The hacker responded with “I am from tax”.  Naturally the user realised at this point that the person controlling the computer was definitely NOT the support company any more.  They shut the computer down immediately and called us for help.

Now a few things here were incredibly helpful to us.  The first being that the user was able to be very specific about what happened, when it happened and so on.  This helped us understand the potential scope of the problems.  The second thing was that they closed down the computer right away – this was good and bad – good in terms of it stopped the hacker in his tracks, bad in that it might have been problematic if the hacker had planted some form of tool that was activated on the reboot.  Overall – the client did the right thing – they called us right away.

What happened next was that we had one of our senior techs review the computer to attempt to ascertain exactly what happened, and what data might have been taken from the client.  I won’t go into the details of this, but we recommended in the end that all the passwords for users and their main administrator password be changed.  We also instructed the client to advise the bank that their credit cards may have been breached and to take whatever action the bank recommended. It is VERY hard to be 100% certain what the hacker accessed.  The purist in me suggests that we should treat the entire machine as being hostile and format it, however the realist in me suggests that ultimately this is the clients decision. Formatting a desktop machine and reinstalling, reconfiguring all the applications is an expensive and time consuming process.  We could go on further to assume that the hacker might have gotten access to other resources too – so we could suggest that the entire network be treated as hostile and it to be rebuilt.  Once again however commercial reality sets in and the customer makes the decision on what they need.

So how did the hacker get in?  It turns out that the application support company was using a free piece of remote access software.  This software we suspect was vulnerable to people guessing the number code that was used to access the clients machine.  The hacker just got lucky on that day probably using an automated program to test many different codes until they got a connection to a machine.  After that they relied on the innocence of the user to allow them to continue.

How could the other support company have prevented this?  After they were done fixing the problem, they should have instructed the user to close the remote access software to prevent others from getting in.  They didn’t do this.

How does Correct Solutions prevent this?  The remote management tools we use are very secure.  They are ONLY available to our team once they sign in to our management systems.  They cannot be remotely accessed except via our own systems.  We also have full logging enabled so we know which of our team accesses your computers, how long they were on for etc.  This gives us complete confidence in both our team and our tools to ensure that when we connect to your systems to help you, it is definitely us doing it.  In addition, unless arranged beforehand, our team will call you before connecting to your desktop/laptop and will let you know when we are finished as well (either verbally or via a quick email).  With our systems there is no need for you to close anything after we are done as they are far more secure than those free apps out there.