“How much do localization service providers expose their clients by emailing PDF files?” I asked this question to the head of cyber security of one of the largest defense contractors to the US government. We ended up having an all-night conversation at the bar of Founding Farmers in Washington, DC. Here is what I learned.
PDF files are a threat. You may think that nonexecutable files cannot do harm. But that’s wrong. The Israeli Ministry of Defense fell victim to malicious PDF files in 2014, and so can you.
Take, for example, the story of web-based startup Distribute.IT. By 2011, it had secured 10% of the market for Australian domain names, held multiple international domain accreditations and had 30,000 hosting clients through 3,000 active resellers. Then, malware took them out of business in less than three weeks.
Hackers carefully targeted an individual employee inside the company and installed keylogging malware onto his laptop. The malware secretly built a password database and used the computer’s secure virtual private network (VPN) connection to bypass the company’s entire security protocol and gain access to its master user access information. With Distribute.IT’s clients in danger of losing their livelihoods and many websites unrecoverable, the company had no choice three weeks later: “My brother and I knew at this point that our business was gone,” said CEO Carl Woerndle.
How can hackers do that? One effective way is through malicious files. PDF files, for example, are tricky. They can contain legitimate JavaScript code that drives 3D content, form validation and calculations. JavaScript is also used to prevent reverse engineering of proprietary applications. Hackers, however, conceal malicious code within PDF files and prevent it from being recognized by antivirus software.
Once you open an infected file, malicious code can download an executable file from the internet, which then initiates an attack on your computer without you realizing it. Most attacks related to PDF files are conducted using JavaScript code embedded inside a PDF.
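The two paragraphs above describe the mechanism: a PDF that carries JavaScript and an action that runs it the moment the document opens. A first line of defense is to triage attachments for exactly those markers before anyone opens them. The script below is an added example written for this article, not code from the original or from any vendor; it follows the approach of the public pdfid triage tool (counting the name tokens /JavaScript, /JS, /OpenAction, /AA, /Launch and /EmbeddedFile) and additionally undoes the #xx hex escapes that PDF allows inside names, since a file that writes /JS as /J#53 would otherwise slip past a naive string search. The two sample documents, the `.example` names and the function names are all constructed for the demonstration.

```python
import re

# Name tokens worth counting when triaging a PDF attachment (the same ones the
# pdfid triage tool looks for). /JavaScript and /JS carry script, /OpenAction and
# /AA make something run when the file opens or on an event, /Launch starts an
# external program, /EmbeddedFile hides another file inside the PDF.
SUSPICIOUS_NAMES = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA",
                    b"/Launch", b"/EmbeddedFile", b"/RichMedia")

# PDF allows any character in a name to be written as #xx (hex). Files that
# hide from naive scanners may spell /JS as /J#53, so undo that first.
_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")


def normalize_names(data: bytes) -> bytes:
    """Replace #xx escapes with the byte they stand for, e.g. /J#53 -> /JS."""
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def scan_pdf_bytes(data: bytes) -> dict:
    """Count each suspicious name token in the (uncompressed) PDF bytes."""
    if not data.startswith(b"%PDF"):
        raise ValueError("not a PDF: header missing")
    text = normalize_names(data)
    counts = {}
    for name in SUSPICIOUS_NAMES:
        # The negative lookahead stops /JS from matching inside a longer name.
        pattern = re.escape(name) + rb"(?![A-Za-z])"
        counts[name.decode()] = len(re.findall(pattern, text))
    return counts


def risk_level(counts: dict) -> str:
    """Turn the counts into a triage verdict: low, medium or high."""
    has_script = counts["/JavaScript"] + counts["/JS"] > 0
    auto_run = counts["/OpenAction"] + counts["/AA"] > 0
    if has_script and auto_run:
        return "high"      # script wired to run as soon as the file is opened
    if has_script or counts["/Launch"] or counts["/EmbeddedFile"] or counts["/RichMedia"]:
        return "medium"    # active content present; inspect before opening
    return "low"


def scan_pdf_file(path: str) -> tuple:
    """Convenience wrapper: (verdict, counts) for a file on disk."""
    with open(path, "rb") as fh:
        counts = scan_pdf_bytes(fh.read())
    return risk_level(counts), counts


# Constructed sample documents (not real attachments). The first is a plain,
# empty PDF; the second declares an OpenAction that points at a JavaScript
# action whose /JS key is hex-escaped as /J#53.
BENIGN_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)
SUSPICIOUS_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"3 0 obj << /S /JavaScript /J#53 (constructed sample) >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_PDF), ("suspicious", SUSPICIOUS_PDF)):
        counts = scan_pdf_bytes(doc)
        print(label, risk_level(counts), {k: v for k, v in counts.items() if v})
```

One caveat a practitioner should keep in mind: the scan works on raw bytes, so names hidden inside compressed object streams (FlateDecode and friends) are not seen. Treat a "high" or "medium" verdict as a reason to open the file only in a sandbox, and treat "low" as "nothing found by this check", not as a clean bill of health.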
How many PDF files do you receive and open every day? You may think that these come from trusted vendors and that there is only a slim chance that these are malicious.
That’s exactly how the largest steel company in America, U.S. Steel, got hacked. The company’s staff opened cleverly designed emails purported to be from colleagues or board members, with subject lines relating to meeting agendas or market research. The emails, however, delivered malware attachments that included malicious code. The result: the hackers stole host names for 1,700 servers that controlled access to the company’s facilities and networks. Their bounty included documents on business strategies; pricing; production amounts; timing and content of trade complaints; and more.
In other words, hackers stole documents of the nature that language service providers (LSPs) around the world are translating every day. And because LSPs are often an easier target than big corporations that can afford cyber security teams, you may already be under attack and sharing your clients’ trade secrets without knowing it.
So, why would a translator be part of such a scheme?
I asked my cyber security friend this very question. I wondered if government sponsored hackers could secretly add malicious code to nonexecutable files. He looked at me and said: “Dude, there are governments out there that tell a translator to put it in or they will be thrown in jail. It does not need to be more sophisticated than that.”
How LSPs get hacked
Hackers first look at the list of clients on the LSP website, and then locate the Facebook page of the LSP CEO or any other staff member who represents the company at conferences or speaks on its behalf. They may then look up every family member who is connected to this person. Once they have found names and email addresses of their kids or spouses, they attack their computers. These are the easier targets, because odds are that home computers are less secure.
Finally, hackers send very plausible emails to the CEO or company representative that appear to come from family members, like a shopping list or a report card. These emails contain correct headers, sender email addresses and mail agents as well as clever mechanisms to bypass spam filters.
The moment the attachments are opened, the hackers own the email inbox and the computer. They may install keyloggers that record every single keystroke to get sensitive information like passwords, bank information, social security numbers and so on. From then on, it’s easy to access the whole server network.
Most people are only targeted by automated bots, which are easy to spot and deflect. But if hackers target you as described above, they may be very effective.
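The spoofed "family" emails described above are built to carry plausible headers and sender addresses. What a receiving mail server can still check is whether the domain in the visible From line agrees with the envelope sender and the Reply-To address, and whether SPF, DKIM and DMARC passed for it. The following is an added example, not code from the article; it uses Python's standard `email` module to pull those checks into a short triage function. The two messages, the `.example` domains and the function names are constructed for the demonstration, and the Authentication-Results header is assumed to have been written by your own receiving server.

```python
import email
from email.utils import parseaddr


def _domain(header_value) -> str:
    """Domain part of an address header, lower-cased; '' if the header is absent."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()


def check_message_headers(raw: str) -> list:
    """Return a list of triage findings for one raw RFC 5322 message."""
    msg = email.message_from_string(raw)
    findings = []
    from_dom = _domain(msg.get("From"))
    reply_dom = _domain(msg.get("Reply-To"))
    return_dom = _domain(msg.get("Return-Path"))

    # The address people see and the address that receives replies disagree.
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain '{reply_dom}' differs from From domain '{from_dom}'")
    # The envelope sender (bounce address) is what SPF actually evaluates.
    if return_dom and return_dom != from_dom:
        findings.append(f"Return-Path domain '{return_dom}' differs from From domain '{from_dom}'")

    # Only trust an Authentication-Results header added by your own MX; a sender
    # can forge one, so strip or ignore copies that arrive from outside.
    auth = (msg.get("Authentication-Results") or "").lower()
    for mech in ("spf", "dkim", "dmarc"):
        if f"{mech}=pass" not in auth:
            findings.append(f"{mech.upper()} did not pass for this message")
    return findings


# Constructed sample messages; every domain is a reserved .example name.
LEGIT_MESSAGE = """\
Return-Path: <mom@family.example>
Authentication-Results: mx.lsp.example; spf=pass smtp.mailfrom=family.example; dkim=pass header.d=family.example; dmarc=pass header.from=family.example
From: "Mom" <mom@family.example>
To: ceo@lsp.example
Subject: Shopping list

Milk, eggs, bread.
"""

SPOOFED_MESSAGE = """\
Return-Path: <bounce@bulk-relay.example>
Authentication-Results: mx.lsp.example; spf=fail smtp.mailfrom=bulk-relay.example; dkim=none; dmarc=fail header.from=family.example
From: "Mom" <mom@family.example>
Reply-To: <mom.family@freemail.example>
To: ceo@lsp.example
Subject: Report card

Open the attached report card.
"""

if __name__ == "__main__":
    for label, raw in (("legit", LEGIT_MESSAGE), ("spoofed", SPOOFED_MESSAGE)):
        print(label, check_message_headers(raw) or ["no findings"])
```

A Return-Path on a different domain is normal for mailing lists and bulk senders, so these are triage signals to weigh together rather than a verdict on their own; a message that trips several of them, and arrives with an attachment, is the one to open in a sandbox or not at all.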
How do you safeguard your customers’ data?
1. Protect all your home and business computers with a solution that integrates antivirus, anti-spyware, firewall, anti-spam, anti-phishing and backup technologies. Protect your mobile devices as well.
2. Turn on auto-update on all your computers and mobile devices. Developers update their apps and operating systems regularly to address vulnerabilities. Install patches as soon as they are distributed. Update your antivirus software daily.
3. If your IT team is against auto-update, you may need a new IT team.
4. Use common sense when opening an attachment, even from known senders. If the tone of the email message sounds off, be vigilant. It is unlikely that your vendor suddenly offers Russian mail-order brides or organ enlargement pills, for example.
5. Don’t click on the link: No one in Nigeria knows you well enough to wire a million dollars into your bank account.
6. Use a VPN service, especially when you are accessing a public Wi-Fi. VPNs encrypt your data, hide your IP address and location, and allow you to surf anonymously without leaving behind a digital footprint. Don’t use free services, though. You may want to subscribe to services, such as ExpressVPN, NordVPN, PureVPN or IPVanish. Many free VPNs are security nightmares themselves as their developers sell user data to third parties or use outdated encryption.
7. Be a good digital citizen. Don’t be part of the problem. Don’t share your passwords.
8. Install a password manager and change all your passwords so every single one is different, and every single one is long and hard to crack. Don’t use the same password for all your services; reuse only extends a single breach from your inbox to your bank. When your LinkedIn account gets hacked, you will get hacked — big time.
9. Beware of the Internet of Things. Amazon Echo, for example, listens and records. If you asked your Amazon Echo, “Alexa, what is the weather right now?” you could go back to the app later to find out exactly what time that question was asked. What you say will be stored in the cloud, and the cloud can be hacked.
10. Put a cover or sticker over your webcam when you are not using it. Even Facebook CEO Mark Zuckerberg and FBI Director James Comey do that.
11. Turn on the firewall. Your computer probably comes with one, and it will block unauthorized access to your computer.
12. Don’t put USB sticks from unknown sources into your computer. A 2016 study found that almost half the people who pick up a USB stick they find in a parking lot will plug it into their computer. Only 16% of users bothered to scan the drives with antivirus software before loading the files.