Matthew Van Andel downloaded an AI tool free from Github on his work computer at Disney. Before he knew it, his life was ruined. The AI tool contained a keylogger that went undetected by the antivirus provided by Disney. Worse, Van Andel's password manager 1Password did not have 2FA (2 factor authentication) set up, and so the hackers were able to gain access to his entire digital life, which was also his real life, let's be honest. As a result, Van Andel lost his career, his health insurance, and is now reduced to suing Disney and trying to raise money off a GoFundMe.
https://archive.is/S4SvS
Van Andel did a lot of dumb stuff here, but in the past I've made similar mistakes, and I'll bet some readers are making those same mistakes right now. The fact remains, everyone who uses technology needs to use challenging, unique passwords for every service that they use. The kind of password you can't memorize. Those passwords should be stored in a highly reputable password manager that works on computer and mobile.
All accounts, including the password manager, should be secured with 2 factor authentication. One of the most secure forms of 2 factor authentication is a USB based key system, such as Titan Key (but others are fine). Another important method to consider is an authenticator app on your smartphone. There are also different authenticator apps and some service providers (vendors) require a specific authenticator app. This is a good thing so your security isn't entirely reliant on a single app.
Cellphones should be encrypted when possible and secured with a passcode, not facial recognition or a fingerprint. The passcode should be a pain in the ass to guess, not 1,2,3,4. You can be legally compelled to provide your face or fingerprint, but passcode is harder.
Use a secure (end-to-end encrypted) messaging app such as Signal when messaging. Use 2FA with Signal and set up any security offered. Set your conversations to delete after a reasonable amount of time. Don't talk to anyone over SMS and don't get 2FA codes over SMS if you can possibly avoid those things. If Signal has to withdraw from your country, move to another secure messaging app.
Obviously, don't expect privacy or too much security when you're working on a machine owned by your employer!
Other Stuff
Questions that someone, at some point, might ask in a courtroom about the Van Andel case:
What the hell, 1Password? Why would it NOT require secure 2FA? Bad app, bad!
Session cookies? Damn, how long duration and how insecure were those Slack session cookies that the hackers were able to access so much via Disney's Slack? Maybe Slack should, I dunno, add 2FA and make people log in periodically???
That antivirus, again, what the heck. Apparently Disney's antivirus did a terrible job detecting this keylogger.
I think Van Andel's career might never recover from this and I think he might spend a lot of time in court, but I also think that several companies had glaring insecurities in their products and services that put Van Andel at greater risk than what he could have reasonably expected (GitHub got some 'splainin to do too!). I hope he sues them all and gets settlements that motivate every single one of them to improve their security. What a mess. And at the end of the day, Van Andel and his family are some of the most aggrieved victims here as well as the ones least able to recover from the attack, and I hope that a court sees them as sympathetic. Downloading free AI tools at work is dumb, but no one deserves all this for acting dumb.
Quote:Van Andel’s digital unraveling began last February, when he downloaded free software from popular code-sharing site GitHub while trying out some new artificial intelligence technology on his home computer. The software helped create AI images from text prompts.
It worked, but the AI assistant was actually malware that gave the hacker behind it access to his computer, and his entire digital life.
The hacker gained access to 1Password, a password-manager that Van Andel used to store passwords and other sensitive information, as well as “session cookies,” digital files stored on his computer that allowed him to access online resources including Disney’s Slack channel.