Types of Cybercrime
Cybercrime can affect anybody, whether or not they are online. Once a criminal has acquired your bank or credit card details, they can spend your money even if you have never used a computer. This tutorial surveys the main types of cybercrime and cyber-attack.
Cybersecurity is the collection of tools, policies, security concepts, security safeguards, guidelines, risk management approaches, actions, training, best practices, assurance and technologies that can be used to protect the cyber environment and the assets of organizations and users (this is the definition given in ITU-T Recommendation X.1205).
Those assets include connected computing devices, personnel, infrastructure, applications, services, telecommunication systems, and the totality of information transmitted and/or stored in the cyber environment.
Cybersecurity strives to ensure the attainment and maintenance of the security properties of those assets against the relevant security risks in the cyber environment. The general security objectives are confidentiality, integrity (which may include authenticity and non-repudiation) and availability.
Financial theft is the most widespread type of cybercrime. Unlike a conventional bank robbery, where hard cash is stolen, it carries little or no physical risk to the thief (no guns, masks or getaway cars) and can deliver a significantly greater reward.
One drawback of financial theft by cyber means, from the thief's point of view, is that there may well be an audit trail showing where the money came from and where it was transferred to. Cyber thieves try to address this weakness by laundering the money, and by distancing themselves from the criminal act itself through intermediaries such as 'money mules'.
Increasingly, cybercriminals are less interested in acquiring the personal details of one individual in order to commit a crime (not that we should be complacent about this) and more interested in acquiring the details of thousands or millions of people, so as to maximise their return on investment: each item of information has a value.
Often they realise that value by selling the data to larger criminal gangs whose resources put them in a better position to use it, for example in wide spam campaigns such as those purporting to sell high-end watches and mobile phones.
Alternatively, criminal gangs target specific groups of individuals by advertising non-existent vehicles for sale on legitimate websites.
After agreeing to purchase the vehicle via email with the fraudsters, buyers then receive an email purporting to be from an organisation such as Amazon stating that their money will be held in an escrow account, and that once the buyer has confirmed that they agree with the arrangement, the money will be released to the seller, therefore offering ‘buyer protection’.
In reality of course, once the money has been transferred by the buyer into the ‘escrow account’, the transaction ends with no vehicle in sight.
The term ‘hacker’ originally referred to someone who was inquisitive about how things worked, took them apart to understand them and put them back together again in a way that made them work better.
A later definition of a hacker was someone who wrote software that would perform a useful action in an elegant manner. When computer memory was an incredibly expensive commodity, a piece of code that was reduced to run in a very small memory space was considered to be ‘a great hack’.
Planting the flag
Some hackers will simply break into a system ‘because it’s there’, and ‘because they can’. There is little merit in this, other than to demonstrate to their peers how clever they are and how poor the target’s security is.
This intrusion, sometimes called ‘planting the flag’, is to show they have been successful, and will (they hope) gain them the admiration of their peers.
On occasion this form of hacking is relatively benign, resulting in nothing worse than the defacement of web pages.
Hackers of this type are often so-called 'script kiddies', who use software and techniques they have found in the darker areas of the web. Although they may mean no real harm, serious damage can easily result, since their understanding of the tools and their ability to control them may be very limited.
However, script kiddies can graduate into fully blown cyber criminals if they are encouraged and able to develop their skills, and this can cause a great deal of damage.
Many organizations affected by this type of hacking accept that they have been less than careful about their cybersecurity and respond by tightening their security practices, whilst others press for arrest, prosecution and even extradition, as in the case of Gary McKinnon, who was accused of hacking into almost 100 NASA and US military computers over a 13-month period in 2001 and 2002 (the UK ultimately refused to extradite him in 2012).
Exploitation takes intrusion to another level entirely. A hacker who exploits a system they have penetrated may well exfiltrate, delete or corrupt information, and the impact of this can be extremely serious, not only for the target organization but potentially for its customers and system users.
In 2013, the American retail chain Target was breached and data on around 40 million payment cards, along with the personal details of up to 70 million customers, was stolen. The attackers gained access using credentials stolen from a heating and ventilation contractor, moved from the supplier-facing systems into the payment network, and planted memory-scraping malware on the point-of-sale terminals.
Target's security monitoring did raise alerts as the attack unfolded, but a failure to follow processes and procedures meant that nothing was done to stop the data leaving. The attackers were to blame for the original crime, but the company was widely held culpable for failing to act on its own alerts and protect its customers' data.
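The control that would have caught the supplier-account misuse described above, as an added example (not the page's own material and not Target's tooling): an allow-list of the network segments each third-party account may authenticate to, applied to constructed authentication events. Account names, subnets and the one-line-per-event log layout are assumptions made for the example.

```python
"""Least-privilege check for third-party accounts in authentication logs.

Added example, not from the page and not Target's tooling: each external
(supplier) account is allowed to authenticate only to the network segments
its job requires.  A successful login by such an account to any other
segment is flagged, and a login to the payment (point-of-sale) segment is
rated critical.  Account names, subnets and log lines are all constructed
for the example; the log format is an assumed one-line-per-event layout.
"""
import ipaddress
import re

# Assumed policy: the segments each vendor account may reach.
VENDOR_ALLOWED = {
    "hvac-vendor":   [ipaddress.ip_network("10.20.0.0/16")],   # building management
    "ad-contractor": [ipaddress.ip_network("10.30.0.0/16")],   # marketing servers
}
POS_SEGMENT = ipaddress.ip_network("10.50.0.0/16")              # cashier terminals

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) "
    r"dst=(?P<dst>\S+) result=(?P<result>\w+)$"
)


def parse_event(line):
    """Return the event fields as a dict, or None for a line we cannot parse."""
    m = EVENT_RE.match(line)
    return m.groupdict() if m else None


def evaluate(lines, policy=VENDOR_ALLOWED):
    """Return (timestamp, account, destination, severity) for each violation."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["result"] != "success":
            continue                      # failed attempts are handled elsewhere
        allowed = policy.get(ev["user"])
        if allowed is None:
            continue                      # internal account: not this check's job
        dst = ipaddress.ip_address(ev["dst"])
        if any(dst in net for net in allowed):
            continue                      # within the supplier's remit
        severity = "critical" if dst in POS_SEGMENT else "high"
        findings.append((ev["ts"], ev["user"], str(dst), severity))
    return findings


# Constructed sample events: a supplier account first reaches its own
# segment, then a cashier terminal.
SAMPLE_EVENTS = [
    "2024-03-01T02:14:07Z auth user=hvac-vendor src=203.0.113.44 dst=10.20.1.5 result=success",
    "2024-03-01T02:16:42Z auth user=hvac-vendor src=203.0.113.44 dst=10.50.3.17 result=success",
    "2024-03-01T02:17:03Z auth user=hvac-vendor src=203.0.113.44 dst=10.50.3.18 result=failure",
    "2024-03-01T03:01:11Z auth user=ad-contractor src=198.51.100.9 dst=10.30.4.2 result=success",
    "2024-03-01T03:05:00Z auth user=jsmith src=10.10.0.8 dst=10.50.3.17 result=success",
]

if __name__ == "__main__":
    for finding in evaluate(SAMPLE_EVENTS):
        print(*finding)
```

The point of the check is that it is cheap and unambiguous: a supplier account has no business on the cashier segment, so the finding needs no analyst judgement and can be wired straight to an automatic block or an on-call page rather than a queue that nobody reads.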
Denial of service (DoS) and distributed denial of service (DDoS)
Although they can be used for other purposes, denial of service (DoS) attacks are usually mounted to prevent legitimate users from accessing an organization's website or online service.
The reasons for this will vary – some will be used as a weapon of blackmail (pay us money and we’ll stop); some will be due to political or other activism (usually known as hacktivism), and will simply be to cause financial loss and/or public embarrassment; whilst others will be in revenge for some action, real or perceived.
Some DoS attacks are designed to crash a website by overloading it to the point where it can no longer function at all, whereas others simply exhaust the capacity of the network or the supporting applications so that legitimate requests cannot be received and processed.
Either way, the end result is that the website's response slows dramatically and usually stops completely.
DoS attacks can also target an organization's email service, for example by a disgruntled employee flooding it with messages, causing the mail server to overload and stop handling valid email traffic.
Nowadays, the most common kind of DoS attack is the distributed (DDoS) attack, in which many computers work together to overload the target. Attackers frequently use botnets (networks of compromised machines under their control) to assemble sufficient capacity, since very few stand-alone systems are capable of a successful attack against a very large website.
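The detection a website operator would run against this, as an added example that is not part of the original tutorial: a sliding-window counter over constructed web-server access-log lines that flags a single flooding source (DoS) and, separately, a surge spread across many quiet sources (DDoS). The thresholds, addresses and log lines are assumptions constructed for the example.

```python
"""Rate-based detection of DoS and DDoS floods in web-server access logs.

Added example (not from the page): a sliding-window request counter that
flags any source sending more than `per_ip_limit` requests in `window`
(a single flooding host), and separately raises a DDoS suspicion when the
total request rate exceeds `total_limit` while no single source stands out
(many moderate senders).  The log lines are constructed, and the thresholds
are assumptions to be tuned against a real baseline.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" format, reduced to the fields the detector needs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return {'ip', 'ts', 'req', 'status'} or None for a malformed line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], TS_FMT),
            "req": m["req"], "status": int(m["status"])}


def _trim(q, now, window):
    """Drop timestamps that have fallen out of the sliding window."""
    while q and now - q[0] > window:
        q.popleft()


def detect_floods(lines, window=timedelta(seconds=10),
                  per_ip_limit=20, total_limit=100):
    """Return (flagged_ips, ddos_suspected) for a sequence of log lines."""
    per_ip = defaultdict(deque)   # source -> request times inside the window
    all_ts = deque()              # every request time inside the window
    flagged, ddos = set(), False
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        now = rec["ts"]
        per_ip[rec["ip"]].append(now)
        all_ts.append(now)
        for q in per_ip.values():
            _trim(q, now, window)
        _trim(all_ts, now, window)
        if len(per_ip[rec["ip"]]) > per_ip_limit:
            flagged.add(rec["ip"])          # one host hammering us: DoS
        heaviest = max(len(q) for q in per_ip.values())
        if len(all_ts) > total_limit and heaviest <= per_ip_limit:
            ddos = True                     # crowd of quiet hosts: DDoS
    return flagged, ddos


# --- constructed sample traffic -------------------------------------------
T0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)


def _render(events):
    """Turn (ip, datetime) pairs into combined-format log lines, in time order."""
    return [f'{ip} - - [{t.strftime(TS_FMT)}] "GET / HTTP/1.1" 200 512 "-" "curl/8.0"'
            for ip, t in sorted(events, key=lambda e: e[1])]


def sample_dos():
    """Five normal visitors plus one host sending 40 requests in four seconds."""
    events = [(f"192.0.2.{i}", T0 + timedelta(seconds=3 * i + 9 * j))
              for i in range(1, 6) for j in range(3)]
    events += [("203.0.113.7", T0 + timedelta(milliseconds=100 * k))
               for k in range(40)]
    return _render(events)


def sample_ddos():
    """150 distinct hosts, one request each, inside eight seconds."""
    return _render([(f"198.51.100.{i + 1}", T0 + timedelta(milliseconds=50 * i))
                    for i in range(150)])


if __name__ == "__main__":
    print("single-source flood:", detect_floods(sample_dos()))
    print("distributed flood:  ", detect_floods(sample_ddos()))
```

The two outputs are kept separate because the response differs: a single hammering address can be dropped at the firewall, whereas a distributed flood needs upstream filtering or a scrubbing service, since blocking thousands of addresses one at a time is hopeless.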
One example of a successful DDoS attack took place on 31 December 2015, when a hacking group calling themselves New World Hacking claimed responsibility for an attack on the BBC's website, which also disrupted services such as its iPlayer video service. The group claimed that they were only testing their capability.
Copyright violation and intellectual property (IP) theft
Copyright violation is a major industry, but often brings little direct reward, other than ‘free’ goods for the recipient. Infringement of copyright can include music, films, blogs, photographs, and computer software.
Whilst the copyright holder normally still retains ownership of the material, illegal copies are made and the owner, therefore, is deprived of the benefit they may have earned from it.
Copyrighted material is often distributed through file-sharing websites such as The Pirate Bay, using so-called 'torrent' files (or magnet links) that describe the files to be downloaded and how to find other users who are sharing them. Each user who joins downloads pieces of the material from the others and uploads the pieces they already hold, so distribution is peer-to-peer.
This also makes it difficult to identify the individual who originally uploaded the material, since many copies will have been made in a very short space of time.
Whilst exchanging files by torrent is not illegal in itself, the content may well be, especially if it is someone else's copyright and they have not agreed to its being shared in this way. Losses to the affected industries have been estimated at more than US $50 billion per annum.
The theft of intellectual property is similar in many respects, but its subsequent sale or distribution usually is not. Whereas copyright violation generally allows a wide audience to benefit from free software, music or video material, IP theft is more usually carried out to order for one or a few select customers and rarely becomes widely distributed. In the past this would commonly have been called 'industrial espionage'.
The consequential financial loss to the owner, however, can be significantly greater, especially in cases where, for example, a pharmaceutical company has developed a ground-breaking drug, only to lose its formula to a competitor who can then sell it with merely the production, packaging, marketing, and distribution costs.
Use of dark patterns
The use of so-called dark patterns, whilst not in itself a crime, comes very close to the line between fairness and dishonesty.
Occasionally, when you visit a website, you find that because the wording on the page was unclear you have agreed to download software or accepted an offer that you did not intend to accept. Sometimes web page designers deliberately place selection boxes in unusual positions, or make the choices complex, so that you are steered towards their choice rather than your own.
Entire businesses exist that use psychological analysis to identify the shapes, sizes, and colors of buttons, click boxes and text that a user is most likely to click on – and those that they are least likely to – when accessing a web page.
The results are sold to organizations developing new websites or upgrading existing ones with the intention of encouraging users to select the organization’s choice rather than making their own.
In extreme cases, items you did not request might be added to your online shopping basket, and if you aren’t sufficiently aware, you may inadvertently purchase something you simply don’t want as well as the items that you do.
This process of making web pages confusing is known as dark patterning, and its techniques are extremely subtle, relying on known aspects of human behaviour.
For instance, if you are trying to book a flight, the airline or travel agency may offer to sell you travel insurance, and unless you deliberately opt out of the offer (as opposed to opting in) you will discover that you have bought it and may have difficulty obtaining a refund.
There is often nothing technically illegal about these dark patterns, but to many people they represent sharp practice. Campaign groups have formed to combat them by setting out codes of conduct for web developers, and in the EU the Consumer Rights Directive (2011/83/EU) has, since 2014, required that any extra payment such as insurance be accepted by the consumer's express action rather than by a pre-ticked box.
Even so, it may be that only legislation will fully resolve the issue, since the sales and marketing policies of the offending organizations are likely to drive the practice for the foreseeable future, especially where it increases their revenue.
Cyber harassment or cyberbullying
Cyber harassment or bullying is simply the act of harassing or bullying a person or group of people using cyber-based methods such as social media, text messaging and the like.
I have chosen to separate this from cybercrime since some aspects of cyberbullying are not actually offenses under either criminal or civil law, but which do represent a major issue in today’s society.
However, some jurisdictions have introduced legislation that extends the offenses of conventional harassment to include cyber harassment as well. The difference between cyber harassment and cyberbullying is usually that with cyber harassment, anyone or any organization can be the victim, whereas cyberbullying generally refers to children as being the victims.
Cyber harassment or bullying can begin in the same way as conventional harassment or bullying, where one person makes a negative comment about another, causing offense. The bully (who may well be a control freak) seizes upon this effect and continues to exploit it, often encouraging others to join in.
The results can be devastating, and some people who have been persistently harassed or bullied have been driven to take their own lives. Cyber harassment or bullying is no less aggressive and dangerous, and it may take a number of forms.
Cyber harassment often takes the form of threats: it is intended to make the victim aware that something very specific might happen to them. The person making the threats might be known to the victim or might be a stranger, and the targets can widen to include organizations that the person making the threats feels have caused them, or someone else, some injustice.
As with conventional stalkers, cyber stalkers operate in two slightly different ways. First, they can follow the movements and activities of their victim by stealth, and not alert them to the fact that someone is following them.
Second, they can still follow the movements and activities of their victim, but this time rather more openly, with the victim being aware they are being stalked, but usually without knowing the identity of the stalker.
Sometimes the victim will be a person known to the stalker – a relative, former partner or neighbor; but on other occasions, the victim will be completely unknown to the stalker – perhaps a celebrity, the chief executive officer (CEO) of an organization or a politician. Whoever is the target of cyberstalking, its main objective is usually to cause distress, and it is frequently successful.
Cyberstalking is sometimes concerned with the intimidation of the victim by letting them know that the stalker is watching them, but that is normally where it stops.
The activity of cyber trolling is a form of verbal abuse designed to intimidate or offend the victim in some way. Cyber trolls make confrontational or abusive statements online and differ from cyberstalkers in that cyber trolls rarely make much effort to hide their identity.
Cyber trolling also differs from cyberbullying or harassment in that it is carried out quite openly, possibly in the hope that others will support the cyber troll’s point of view, designed to cause distress to the victim.
Cyber trolling also differs from the free and intelligent discussion, since it neither provides nor invites a rational interchange of views, and focuses purely on the cyber troll’s negative and usually strongly expressed and frequently irrational opinions.
Cyber trolls will often use social media or online discussion forums to post inflammatory comments designed to provoke a reaction or response from the victim, which invariably gives the troll further opportunities for posting comments, and this can easily escalate into a full-blown online fight.
Current wisdom suggests that ignoring comments posted by cyber trolls is by far the best way of dealing with them since their activities will soon peter out if there is no reaction, response or exchange.
Alternatively, on many discussion forums, offensive users can be blocked so that victims of trolling no longer see their comments. Cyber trolls can also be reported to the forum administrator and may have their accounts deleted as a result.
The term cyberwarfare describes the process by which one nation-state or politically motivated group conducts an attack against some aspect of another – possibly its critical infrastructure (CI), its government’s political process or indeed the offensive or defensive capability of its armed forces.
Until recently, warfare was a relatively straightforward affair. One nation state picked a fight with another nation-state, and their two sets of armed forces attacked each other with gusto until one nation-state capitulated and the war was over.
This was only ever really complicated when more nation-states joined in on either side, but the net result was usually the same. This kind of warfare is often referred to as symmetric warfare since both ‘sides’ are usually evenly matched.
With the rise of terrorism, however, the boundaries became less clear. A militant group could declare war on many nations – frequently being quite indiscriminating about whether some of those nations supported the same religious or ideological concepts.
Since terrorist groups rarely have the purchasing power of nation-states, the weapons they use are often home-made, improvised explosive devices (IEDs) for example, and because they are used in unconventional ways rather than in a straight battle, they tend to be deployed as roadside devices or detonated by suicide bombers.
This kind of warfare is termed asymmetric warfare, since one side may be extremely small in numbers in comparison to their opposition, but can still deliver devastating results.
However, a cyber-attack or cyber incursion by one nation-state against another does not technically mean that they are actually at war, and the attack could simply be seen as an act of aggression as opposed to a full declaration of hostilities.
Cyber warfare adopts both symmetric and asymmetric methods since it can be used by one nation-state against another, or by small groups – even by individuals – against a significantly larger adversary.
Cyberwarfare can be conducted just as easily from an armchair, a stool in a cyber café or an office chair in a government building, and carries few of the dangers of conventional warfare unless the other side can locate the attacker and direct a drone to deliver lethal ordnance.
If they work for the government or military or are a highly skilled and experienced individual, once a ‘cyber warrior’ has completed their daily or nightly shift, they can walk home safe in the knowledge that they are unlikely to be shot at, despite possibly having caused their adversary significant cyber havoc.
Espionage is the practice of obtaining secret information without either the permission or the knowledge of its owner. Governments routinely spy on one another.
They have done so for centuries and will doubtless continue to do so for many more. Sometimes, the espionage is concerned with finding out what another government has – for example, its nuclear missile capability – whilst at other times it is concerned with another government’s intentions, which may be more difficult to discover, but which might be deduced, given sufficient data.
Cyber espionage is no different in its aims, but whereas conventional espionage involves agents who place themselves in danger by operating in enemy territory, cyber espionage can be conducted from a comfortable office with little or no physical risk to the agent.
If a field agent is captured and exposed as a spy for another nation-state, the diplomatic repercussions can last for months or years. The cyber espionage departments of nation-states, however, take great care to conceal their identities and frequently disguise an attack as originating from somewhere else, so it is difficult, if not impossible, to prove absolutely who carried out an attack, and attribution based on assumptions, even if correct, does not constitute sufficient evidence.
Surveillance is slightly different from espionage, perhaps not in the way it is carried out but in its aims and objectives. Surveillance focuses on keeping track of people's activities, communications and contacts, and in cyber warfare terms is more akin to counter-terrorism investigation.
This is where there is a particular crossover in the techniques used by security agencies and the military, since both need to co-operate in order to track down suspected terrorists.
Surveillance has played a key role in identifying and locating individuals and groups who have clear intentions to carry out acts of terrorism, and although the details remain secret, the government has made it clear that a number of potentially lethal attacks have been prevented by careful surveillance.
Governments use this argument to make the case for legislation that makes it less demanding for the security services to monitor the activities of the population – that unsteady balance between security and privacy we mentioned earlier.
Non-military surveillance is also discussed in greater detail in the section on cyber surveillance later in this blog.
Although governments and security services do not publicly discuss this area of cyber warfare, one of the best (but risky) methods of conventional surveillance has been through infiltration of activist groups, allowing agents to identify possible targets and the leaders of these groups.
Cyber infiltration has the same objectives, and agents must be able to infiltrate online groups in the same way, but because they are physically separated from the rest of the group they are at much less risk if their activities are identified and they are 'outed'.
When we consider sabotage, we often think of war films in which a small group of saboteurs destroys something the enemy holds dear. Usually one or more meet a grisly end or are captured and interrogated, but usually, the film ends with success.
Cyber sabotage is again much less risky for its teams of saboteurs. Operating remotely, they will identify and surveil their target from afar, and by one of the methods of attack we have already described, will carefully position their weapon, which will then wreck the enemy’s infrastructure.
Psychological cyber warfare
Psychological cyber warfare differs only from cyber harassment or bullying in one key aspect – that of scale. Whereas cyber bullies are generally individuals or small groups, psychological cyber warfare is conducted by much larger groups, for example, terrorist organizations, and by nation states.
Psychological cyber warfare generally has one of two main objectives. First, it is used by one organization or government to demoralize the population of another country, with the ultimate objective of them withholding their support for the current regime.
During World War II, both the Allies and the Axis forces used psychological warfare radio broadcasts in attempts to cause antagonism towards the opposing governments. In this respect, psychological cyber warfare simply takes the medium from broadcast radio to the internet.
The alternative objective is subjugation and repression of the population by its government – often an oppressive regime – which can use cyber techniques to deter the population from standing up to it and to spread the fear of the possible penalties for doing so.
As well as using the internet as a weapon in this way, such regimes frequently control how the population can use it, by blocking access to websites that do not support the regime or that actively oppose it.
Negative news stories in the foreign press about a regime can be suppressed, and glowing accounts of its leadership and their achievements can be substituted – all whilst the population lacks the basic amenities that less repressed societies enjoy.
Declarations of war are very public. When one nation-state actively and openly declares war on another, the event is fairly obvious; the outcome can be witnessed by everybody; the participants are easily identified, and an open attack by one nation-state against another may be the trigger for war to be declared.
However, in asymmetric warfare, the question of ‘sides’ is less easy to visualize, and many nation states may be targets, whilst a few individuals may be waging their war.
Does then a cyber-attack by one nation-state against another nation-state or its infra-structure qualify as an act of war? It is often very difficult to establish and prove exactly which nation-state or which terrorist group has initiated the attack, and although it may appear obvious on the surface, things are not always as they seem.
One nation-state may obscure the origin of a cyber-attack against another by planting false 'evidence' in its tooling or infrastructure that points to a third country (a 'false flag'), but who is to say that it is not the work of yet another nation-state wishing to take advantage of a possible breakdown in diplomatic relations?
Whatever the reason, establishing the source of an attack will always remain an extremely difficult challenge, and for that reason, the term ‘cyberwar’ is perhaps somewhat misused.
Whether or not we are conscious of the fact, we are continually under surveillance. There are two quite distinct types of cyber surveillance.
The first that readily springs to mind is that of intrusive or invasive snooping, which particularly since the Snowden revelations is usually associated with surveillance by the security services.
The second, which on the surface is much less intrusive, is the collection and use of data about us by organizations with whom we interact on a daily basis.
The first kind is usually targeted: the subject has come to the attention of the authorities, who are taking an active interest in his or her activities. Such people are normally (but not always) criminals or terrorists, and we are content to know that the appropriate police or security services are giving them their full attention.
However, if we gain the impression that we ourselves are being snooped upon we take a rather different view, and this highlights the problem the police and security services constantly face when they do not have a definite target.
They have to collect far more data than they need, and then (in theory) discard the data that is not relevant and that they have no need to retain.
Because the cost of storage continues to fall, collecting and storing data costs less as time goes on, so organizations collect and store as much as they can and keep it until they understand how best it can be used.
In the aftermath of the Snowden leaks, we hear that the security services on both sides of the Atlantic are monitoring telephone calls, emails, internet searches, and transactions without necessarily having the legal right to do so, and this gives us serious cause for concern since we have absolutely no control over this.
The National Security Agency (NSA) has its own interpretation of the word ‘collect’. We might think of this as simply involving monitoring, interception, and storage of data, but the NSA considers that it also includes analysis of data.
It is also worth noting that the USA has no comprehensive federal data protection law (only sector-specific rules), which means that if your personally identifiable information is hosted there (for example by Facebook) you have far less control over it than under European data protection law.
Alarmed by the spate of requests from the American security services for operators to hand over personal correspondence, and following the unsuccessful attempt by the FBI to compel Apple to produce software that would bypass the passcode protections on an iPhone (Apple refused, and the FBI later withdrew its request, saying it had been able to break into the phone in question, possibly with the assistance of an outside company reported at the time to be the Israeli firm Cellebrite), in April 2016 WhatsApp completed the rollout of end-to-end encryption of users' messages, so that they can be decrypted only by the intended recipient.
However, in January 2017 it was reported (by The Guardian, based on findings by the researcher Tobias Boelter) that the WhatsApp service might not be as secure as claimed: messages that have not yet been delivered are silently re-encrypted to a new key when the recipient's device re-registers, so if an attacker could cause WhatsApp to issue a new key for the recipient's account, for example by taking over the phone number, the undelivered messages could be read by that attacker.
Such manipulation would let an attacker intercept and read queued messages, and unless the sender has switched on the 'Show security notifications' option they might never know that a new key had been generated. The caveat a practitioner would add is that this is a deliberate usability trade-off rather than a hidden backdoor: it affects only undelivered messages, it requires control of the recipient's account or of WhatsApp's servers, and it is detectable by comparing the contact's security code (the key fingerprint) out of band. The Signal app, built on the same protocol, takes the stricter course and blocks sending until the user acknowledges the key change.
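The key-change handling at the heart of that report, as an added example written for this page rather than code from WhatsApp or Signal: a trust-on-first-use key store that either silently re-encrypts queued messages to a newly presented key or blocks sending until the user has verified the new fingerprint. Keys are random stand-ins for real identity keys, and the fingerprint layout is an assumption.

```python
"""Identity-key pinning with key-change detection for an end-to-end messenger.

Added example, not WhatsApp's or Signal's code: a trust-on-first-use (TOFU)
store of each contact's identity key.  When the server presents a different
key for a contact, the client can either re-encrypt queued messages to it
silently or refuse to send until the user has verified the new fingerprint
out of band.  Keys here are random 32-byte strings standing in for real
identity public keys, and the fingerprint format is an assumption.
"""
import hashlib
import os


def fingerprint(identity_key: bytes) -> str:
    """Human-comparable key fingerprint, grouped in the style of a safety number."""
    digest = hashlib.sha256(identity_key).hexdigest()[:20]
    return " ".join(digest[i:i + 5] for i in range(0, 20, 5))


class KeyChangeDetected(Exception):
    """Raised when a pinned contact key changes and the policy is to block."""


class ContactKeyStore:
    def __init__(self, block_on_change: bool):
        self.block_on_change = block_on_change
        self._pinned = {}     # contact -> identity key seen first (TOFU)
        self.changes = []     # audit trail: (contact, old fingerprint, new fingerprint)

    def check(self, contact: str, presented_key: bytes) -> str:
        """Compare the key the server presents with the pinned one."""
        pinned = self._pinned.get(contact)
        if pinned is None:
            self._pinned[contact] = presented_key    # first contact: trust it
            return "pinned"
        if pinned == presented_key:
            return "ok"
        self.changes.append((contact, fingerprint(pinned), fingerprint(presented_key)))
        if self.block_on_change:
            raise KeyChangeDetected(f"{contact}: key changed to {fingerprint(presented_key)}")
        self._pinned[contact] = presented_key        # silent re-pin
        return "repinned"

    def accept_verified(self, contact: str, key: bytes) -> None:
        """The user compared the fingerprint out of band and accepted the new key."""
        self._pinned[contact] = key


def flush_queue(store, contact, presented_key, queued):
    """Return the (message, key fingerprint) pairs that would be encrypted and sent."""
    try:
        store.check(contact, presented_key)
    except KeyChangeDetected:
        return []                # nothing leaves the device until verified
    return [(msg, fingerprint(presented_key)) for msg in queued]


def scenario(block_on_change: bool) -> int:
    """Alice has pinned Bob's key; the server then presents Mallory's key.
    Returns how many queued messages end up encrypted to Mallory's key."""
    bob_key, mallory_key = os.urandom(32), os.urandom(32)
    store = ContactKeyStore(block_on_change)
    store.check("bob", bob_key)                          # first conversation
    queued = ["meet at 7", "bring the documents"]        # constructed, undelivered
    sent = flush_queue(store, "bob", mallory_key, queued)
    return sum(1 for _, fp in sent if fp == fingerprint(mallory_key))


if __name__ == "__main__":
    print("silent re-encrypt:", scenario(False), "messages to the new key")
    print("block until verified:", scenario(True), "messages to the new key")
```

Either policy records the change in the audit trail; the difference is only whether the queued messages go out before anyone has looked at it. The blocking policy is safer but means messages sit undelivered whenever a contact simply gets a new phone, which is the usability cost the messenger has to weigh.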
We shall deal with the state aspects of surveillance later, but for now, let us consider the theoretically more benign aspect of surveillance undertaken by organizations with whom we interact on a day-to-day basis making use of the data they collect when that interaction takes place.
For example, whenever we make an internet search, along with our anticipated search results, the search engine will deliver advertising material that matches either our current or previous searches in order to help us make informed decisions. Well, that’s their story anyway!
In practice, of course, the operators of the search engines are not completely altruistic. They earn revenue from advertisers and the more often they can place an advert in front of the potential customer, regardless of whether or not it is actually read, the more revenue they are likely to earn.
It’s all about someone else making money on information that they acquire (legally or otherwise) about you or your preferences, and usually without your knowledge or active consent.
When you search for something on the internet, how much personal information are you giving away freely? Probably more than you think. Let’s just take Amazon as an example.
They keep an accurate record of everything you’ve bought from them so that if you need the same thing again, with a couple of clicks you can order more and not have to try and remember who supplied it.
They also keep a record of every item you've searched for in the recent past, so in spite of the fact that you're trying to locate a mint vinyl copy of Dark Side of the Moon, you will still see 'recommendations' below your search results for the camera lens you looked at last week, a book you thought about buying a month ago and a DVD similar to the one you bought for your partner at Christmas.
They know what interests you and they want to sell you more. They know how often you actually buy compared with simply browsing; they know that if you look at an item more than a number of times, you will probably buy it; they know how you like to pay, and they know whether you will save up items so that you get free delivery. What don’t they know?
When you use an internet search engine, your search request is stored, and so are the links that you subsequently click on. Your browser, too, records the sites you visit and may automatically promote those you visit regularly to a 'most visited' or favourites list.
In November 2016, the UK's Investigatory Powers Act received Royal Assent and became law. One of its more controversial provisions is that communications providers serving UK users can be required to retain 'internet connection records' of the websites and messaging services their customers connect to, from any device, for up to 12 months.
It has been reported that a total of 48 public bodies will be able to view this data, and whilst many, including the police and security agencies, would appear to have a legitimate need to do so, it is difficult to imagine why the Food Standards Agency might.
Apart from the increased invasion of privacy that this introduces, one of the chief concerns, voiced by the chairman of the Internet Service Providers’ Association, is that ‘it only takes one bad actor to go in there and get the entire database’.
It's not only your searches that leave a digital trail: whenever you visit a website it can store a small piece of data in your browser, known as a 'cookie', which is sent back to the site on each later visit. Many cookies are essential to being able to use the website.
For example, when you are shopping online, the store needs to be able to link your shopping basket with your computer so that you buy what you actually want. Other cookies are less helpful to you and may record which pages you have opened, which flights you’ve examined or which camera you’ve investigated.
These may not seem to be particularly awful things, but when you next visit the website selling airline tickets, it may just use the fact that you’ve been there before to hike the ticket price or advise you that the cheaper flight is full and that you must choose another more expensive one.
This form of surveillance – and subsequent manipulation – is very subtle, and we are not usually aware of it.
Other cookies record these things so that advertisers can place their adverts in prominent parts of the screen. If you use one of the main search engines or shopping websites and subsequently examine a particular type of camera when you revisit the site you will almost certainly see an offer from one of the photographic suppliers for that very camera.
Again, this is relatively benign in its own right, but remember that the search engine or website may well have recorded every single item you’ve looked for. This kind of information enables advertisers to build a very accurate profile of you as an individual, and (in theory) to deliver highly relevant advertising to you.
In practice, of course, the advertiser will be advertising what they want to sell you, not necessarily what you might want to buy.
In 2011, an EU directive required owners of websites to obtain consent from users before placing cookies on their computer. However, although this seems at first like a great idea, there are two fundamental flaws.
Most websites do not allow you to say ‘No’ to cookies. They frequently allow you to click on ‘I understand’ or something similar, click on ‘Tell me more’, or simply ignore the message.
Many websites operate a system of ‘implied consent’, which means that if you ignore the cookie message described above and continue to use the website, you have implicitly given your permission for the placement of cookies. Both of these failings are morally reprehensible.
When you send or receive an email, a copy is stored by default on your provider’s server in case you ever need to find it again. You can disable this, but how many of us actually take the trouble to do so?
Analysis of emails, whether these are obtained by interception or by access to an ISP’s servers, can provide a surveillance organization with a wealth of information, since there may well be a complete archive of all emails in the ‘conversation’, and every email sent and received will contain details of the sender and recipients.
Email can be just as pernicious as website cookies. Unless you delete every copy of every email you have sent or received, including those that you have forwarded to other people, the message will still exist in some form somewhere, and emails can also reveal many facts about you, just as web searches can.
Unless you encrypt all your emails containing personal information (again, how many people actually do this?) they can be read just like a postcard, copied, printed, forwarded to others and used in evidence against you if they contain either something derogatory you have said or that implicates you in a crime.
Email can be an extremely powerful tool in the cyber surveillance world, since not only can the content provide valuable information to the security services and law enforcement agencies, but also the ‘to’ and ‘from’ fields in an email can yield additional targets for surveillance.
Far from being a blessing, email can be a curse, and many of us will look at our inboxes and wonder how and why we have accumulated so much junk. This is similar to keeping all the letters, postcards, advertising material and free newspapers we receive in the post: we would drown in a sea of paper!
Email can also attract cyber-attacks through the receipt of spam, and this is perhaps the worst aspect of this so-called ‘modern miracle’.
Many people have now moved away from the conventional mobile phone, which could do little more than make and receive calls and text messages. Along came the iPhone and changed all that. Now all the major mobile phone vendors have jumped on the smartphone bandwagon, and the amount of data they can collect from you is absolutely staggering.
The term ‘smartphone’ is probably a misnomer. The device is actually a very small computer that runs applications, takes photographs and just happens to make and receive calls and text messages as well, so in those terms, it is not too different from your laptop – just much smaller and often no less powerful.
Unless you have switched your phone off, your network operator always knows roughly where you are so that it can route calls and text messages to you. Unless you have ventured into the security settings on your Smartphone, you will probably be recording your GPS coordinates and this will pinpoint your position to within a meter or two.
Every application on the Smartphone that makes use of your location is now able to track your movements. This will be absolutely fine if you’re using a mapping application, but are you as happy to have your location sent back when you’re playing a game or reading a blog?
Of course, the application developer is not particularly interested in where you are, but they might be selling your location along with thousands of others to a third party.
Have you taken a photograph on your smartphone? The location is recorded in the photograph’s metadata, known as the EXIF data, and when you upload that photo to the internet the EXIF data becomes available as well. The EXIF data will also contain details of when the photograph was taken and probably also the serial numbers of the camera and lens you used!
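The EXIF location leak described above can be checked for, and removed, before a photo is shared. The following is an added example (not code from the original article): it walks the marker segments of a JPEG, decodes the GPS latitude and longitude from the Exif APP1 segment, and strips that segment entirely. The sample “photo” is constructed inline: it has the segment layout of a JPEG (SOI, Exif APP1, EOI) but no picture data, which is all that matters for locating the metadata.

```python
# Added example: detect and strip EXIF GPS data from a JPEG byte stream (stdlib only).
import struct

GPS_IFD_TAG = 0x8825                       # IFD0 entry pointing at the GPS sub-IFD
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 0x0001, 0x0002, 0x0003, 0x0004
EXIF_HEADER = b"Exif\x00\x00"


def build_sample_jpeg(lat=(51, 30, 0), lat_ref=b"N", lon=(0, 7, 39), lon_ref=b"W"):
    """Constructed sample: a little-endian ("II") TIFF block carrying GPS tags, no image data."""
    # Offsets inside the TIFF block: header 0-8, IFD0 8-26, GPS IFD 26-80,
    # latitude rationals 80-104, longitude rationals 104-128.
    ifd0 = struct.pack("<H", 1) + struct.pack("<HHII", GPS_IFD_TAG, 4, 1, 26) + struct.pack("<I", 0)
    gps = struct.pack("<H", 4)
    gps += struct.pack("<HHI4s", GPS_LAT_REF, 2, 2, lat_ref + b"\x00")   # ASCII, stored inline
    gps += struct.pack("<HHII", GPS_LAT, 5, 3, 80)                       # 3 RATIONALs: deg, min, sec
    gps += struct.pack("<HHI4s", GPS_LON_REF, 2, 2, lon_ref + b"\x00")
    gps += struct.pack("<HHII", GPS_LON, 5, 3, 104)
    gps += struct.pack("<I", 0)                                          # no further IFD
    rationals = b"".join(struct.pack("<II", v, 1) for v in lat + lon)
    tiff = b"II" + struct.pack("<HI", 42, 8) + ifd0 + gps + rationals
    payload = EXIF_HEADER + tiff
    app1 = b"\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload
    return b"\xff\xd8" + app1 + b"\xff\xd9"


def iter_segments(data):
    """Yield (marker, start, end) for each marker segment, stopping at SOS or EOI."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG stream")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("marker expected at offset %d" % pos)
        marker = data[pos + 1]
        if marker == 0xD9:                      # EOI carries no length field
            yield marker, pos, pos + 2
            return
        if pos + 4 > len(data):
            raise ValueError("truncated segment header")
        end = pos + 2 + struct.unpack(">H", data[pos + 2:pos + 4])[0]
        yield marker, pos, end
        if marker == 0xDA:                      # SOS: entropy-coded image data follows
            return
        pos = end


def _is_exif(data, marker, start):
    return marker == 0xE1 and data[start + 4:start + 10] == EXIF_HEADER


def _read_ifd(tiff, offset, endian):
    """Return {tag: (type, count, raw 4-byte value-or-offset)} for the IFD at offset."""
    (count,) = struct.unpack(endian + "H", tiff[offset:offset + 2])
    entries = {}
    for i in range(count):
        e = offset + 2 + 12 * i
        tag, typ, n = struct.unpack(endian + "HHI", tiff[e:e + 8])
        entries[tag] = (typ, n, tiff[e + 8:e + 12])
    return entries


def extract_gps(data):
    """Return (latitude, longitude) in decimal degrees from the EXIF GPS tags, or None."""
    tiff = None
    for marker, start, end in iter_segments(data):
        if _is_exif(data, marker, start):
            tiff = data[start + 10:end]
            break
    if tiff is None:
        return None
    endian = "<" if tiff[:2] == b"II" else ">"
    (ifd0_offset,) = struct.unpack(endian + "I", tiff[4:8])
    ifd0 = _read_ifd(tiff, ifd0_offset, endian)
    if GPS_IFD_TAG not in ifd0:
        return None
    (gps_offset,) = struct.unpack(endian + "I", ifd0[GPS_IFD_TAG][2])
    gps = _read_ifd(tiff, gps_offset, endian)

    def coordinate(ref_tag, value_tag, negative_ref):
        if value_tag not in gps:
            return None
        (off,) = struct.unpack(endian + "I", gps[value_tag][2])
        parts = [struct.unpack(endian + "II", tiff[off + 8 * i:off + 8 * i + 8]) for i in range(3)]
        deg, mins, secs = (num / den if den else 0.0 for num, den in parts)
        value = deg + mins / 60 + secs / 3600
        ref = gps.get(ref_tag, (0, 0, b""))[2][:1]
        return -value if ref == negative_ref else value

    return coordinate(GPS_LAT_REF, GPS_LAT, b"S"), coordinate(GPS_LON_REF, GPS_LON, b"W")


def strip_exif(data):
    """Return a copy of the stream with every Exif APP1 segment removed."""
    out, last = bytearray(), 0
    for marker, start, end in iter_segments(data):
        if _is_exif(data, marker, start):
            out += data[last:start]
            last = end
    out += data[last:]                          # image data and EOI are kept untouched
    return bytes(out)
```

`strip_exif` removes the whole Exif block rather than editing individual tags, which also disposes of the timestamp and camera serial numbers mentioned above; many sharing sites do this server-side, but doing it before upload is the only way to be sure.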
Facial recognition permits the identification of individuals either live from a modern camera or Smartphone, or from a previously taken photograph. The image is compared with those held in a central database, and sophisticated algorithms are used to match features such as the eyes, the mouth, the shape of the head and so on.
Once a match has been made in this way, additional information about the individual may be acquired, either from the same database or from a wider search of the internet.
The police and security services must make considerable use of this in tracking down and monitoring suspected criminals and terrorists, but as individuals, we must face the fact (no pun intended) that if someone’s photograph is posted on the internet, they can be identified and possibly traced regardless of whether or not they have committed a crime.
Consider, for example, someone who was photographed whilst taking part in a peaceful demonstration in a country where the government exercises total control over its population. The demonstrator might subsequently receive a visit from the secret police and vanish forever.
However, if facial recognition is used as a means of authentication, it could be possible to falsify the matching process by wearing a mask, so this should not be used in isolation.
Terms and conditions
Terms and conditions are potentially a major issue as we discussed earlier in this blog. Few of us even glance at them.
Due to their general length and complex ‘legalese’ wording, hardly anyone will have read any of them from start to finish and will have simply clicked on the ‘Accept’ button, potentially committing themselves to sign away any control they might have had over their personal information.
Of course, the software vendors give us no choice – there is no negotiation involved, and if we want the software, we have to revoke all rights we may have had.
Additionally, and possibly more worryingly, is that by signing away our rights by accepting the terms and conditions, we may leave ourselves open to some form of surveillance, such as providing our location when using a Smartphone.
Not only that, but because many of us don’t turn off the GPS facility in our smartphones, the application may be able to track your location and report it back to the provider – sometimes even when you are not actually using it.
Even if you do read the terms and conditions when you initially load an application or purchase goods on the internet, the seller may at some stage update them (their ability to do this without telling you may be enshrined in the original terms and conditions), so you may never know that they have changed.
If the supplier does inform you there has been a change, the privacy bar may have been lowered, but will you read them this time?
Store loyalty schemes
Are you enrolled in a store loyalty scheme? Many of us are, and this allows the store to record the fine details of everything we buy there, how much we have paid for it, where and when.
Store loyalty schemes are a wonderful invention. The deals the store subsequently offers us usually represent good value for money, and often help the store to dispose of goods it might not otherwise be able to sell.
We might be able to enjoy a discount on some products; a free coffee and cake on our next visit; an invitation to the ‘special’ pre-Christmas shopping event; or jump the queue when a new product is announced. Some stores now produce a smartphone application that gives you access to their website, your account, and many other things.
Do you collect Nectar points or Avios? Think of the volume of data they can collect based on your spending habits.
Have you ever received an email out of the blue from a company you have never dealt with online and wondered how you came to receive it? It is highly likely that when you signed up for a loyalty scheme, you failed to tick one of the opt-out boxes on the form – or was it an opt-in box?
Many companies use dark pattern methods to trick you into making the wrong choice when completing such a form, and since you didn’t actually read the terms and conditions, you find that you have agreed to the store selling your contact details to a third party.
Of course, you can try and change this, but often it is either too much trouble or the means of doing so are too difficult to find on the company's website, so you just put up with it.
Is this a cybersecurity issue? Definitely, since now a third party has all your details as well as the store that offered you the loyalty scheme, and when the third party’s network is hacked, those details could go anywhere.
What about credit and debit cards? In the UK, billions of pounds are spent annually using credit and debit cards rather than cheques or cash, and much of this spend is online.
The UK Card Association reported that in 2015, £210 billion was spent online, representing 32 percent of total card spending, and of that, approximately 51 percent of all online transactions were completed via a mobile device.
Credit cards allow us to make spontaneous purchases when we might not have sufficient funds in our bank account; as long as we pay off the outstanding balance each month there is no financial charge, and they even act as protection if something goes wrong with some of our purchases.
The same applies to newer forms of payment. mPay, ApplePay, Android Pay and travel money cards such as Caxton all represent a benefit to the provider as well as to the consumer, but with similar levels of risk.
Combine a credit or debit card with a loyalty scheme and things begin to look very rosy indeed for the provider. Combine them yet again with the retailer’s smartphone application that you downloaded, which tracks your movements, and you could find that the next time you are shopping you receive a text message as you pass a particular supermarket aisle that offers you an extra discount. Possible? Absolutely.
Combine them further where the retailer also provides the SIM card for your mobile phone (and therefore knows your regular contacts and movements), and where, by accepting the terms and conditions, you may have agreed that the retailer’s banking service can see all of your current account transactions.
Do you travel to a major city like London? If you do, you will probably use an Oyster card or something similar. You load the card with money and use it whenever you need to – on the Underground, the buses, the river and even on some over-ground train services.
Again, the card provider knows exactly when you have traveled, your route, how long it took (except on buses, where you only use the card when you board and not when you leave) and where, how and how often you top up the card.
All this is seemingly quite harmless, since we benefit from much of the technology and services, but to go back to one of the original points of this section – if the security services wanted to build up a profile of you, it would be extremely easy to pull together the credit/debit card, store card, travel card, email messages, internet searches and combine them with closed-circuit television (CCTV) images.
Data aggregation and analytics
We have mentioned data aggregation in an earlier blog, but now we have had an opportunity to examine some of the types of data that organizations hold on us, and over which we have absolutely no control, we can see that a data aggregator could build up a very detailed picture of our daily lives.
They would know where we lived; where we work, and possibly the kind of work we do; who our partners and friends are; when and where we shop; what and where we eat and drink; where we go on holiday; what music and films we like; what newspapers and magazines we read; what television shows we watch; what kind of car we drive and where we go in it; and what our hobbies are. In short, there’s very little about our private lives that is actually private any more.
Home entertainment systems
In recent years, home entertainment systems have become increasingly sophisticated. Televisions are able to connect to the internet, not only to allow the downloading of viewing material but also to provide the manufacturers with statistics relating to viewing habits.
In theory, this form of remote monitoring should only be carried out with the viewer’s express permission, but there have been cases in which manufacturers have uploaded viewing information without the viewer being aware of it.
In March 2017, following a Wikileaks publication, it was reported that the CIA was using software developed in-house to remotely enable the microphone on certain televisions, even when the viewer believed that the set was switched off.
The report stated that the programme, called ‘Weeping Angel’, also allowed audio to be recorded whilst the set was in standby mode, with the recording being uploaded once the set was switched back on again.
Whilst this form of information gathering may be less common than others, it is considerably more intrusive and suggests that George Orwell’s 1984 has come a step nearer.
WHY WE SHOULD CARE
From a personal point of view, we should always be concerned that our personal information is being stored and used in a proper manner. When our credit card provider calls us to query a transaction that appears to fall outside our normal spending profile, we are delighted that they have taken the time to do so in order to protect us.
Proactively, therefore, we should take greater care over the information we give out to others – information that can be abused or misused for their gain and our loss; and reactively, if we detect abuse or misuse of our information or credentials, we should take immediate steps such as changing passwords and notifying financial institutions.
From a business perspective, there are four key reasons why we should take notice of cyber incidents, plan to defend ourselves and our organizations against cyber-attacks, and be prepared to respond to them if they occur.
It is nothing less than good practice to manage risk, and that includes the risks of cyber-attacks, whether these are accidental or deliberate, and whether we act as individuals or businesses. Indeed, corporations (and their board members) have fiduciary responsibilities to do this.
Customers have a right to expect organizations to safeguard their information when they provide it to them for whatever reason, and they need to trust that they will not misuse it – in other words, robust adherence to data protection legislation. When the General Data Protection Regulation (GDPR) comes into force in 2018, these expectations will be considerably extended.
WHAT MAKES CYBERSECURITY DIFFICULT?
Unfortunately, life is not as simple as we would like it to be, and there are a number of inhibitors or barriers to our achieving our expectations about privacy and security, especially for individuals, smaller organizations or SMEs.
Cybersecurity knowledge and skills
Cybersecurity is often seen as a highly specialized subject, and many individuals and smaller organizations believe that they do not possess the necessary knowledge or skills to understand or undertake the necessary work to protect themselves from cyber-attack.
Organizations of all sizes frequently do not have staff that they can allocate to this kind of work.
The organization’s senior management team may not fully understand the need for good cybersecurity, and how it might be beneficial to their business, and also generally do not understand that the data and thus the information held by the organization belongs to them and not the IT department.
When we examine the standards produced in the cybersecurity field, it appears that many of them are geared more towards larger organizations and multinationals.
However, the Cyber Essentials scheme does address this for smaller organizations. Many SMEs outsource their IT and in many cases, the outsourced companies themselves are also SMEs and often lack good cybersecurity skills.
If an organization is able to allocate resources to internal IT work, it is often assumed that those members of staff will also take on the responsibility for cybersecurity. This is a major mistake, since it may conflict with one of the main principles of cybersecurity – that of the segregation of duties.
The organization must define the cybersecurity requirement because it owns the data, information and the strategic direction. The IT function must use good security practice to turn the requirement into technical policies.
The human resources (HR) function must then, in consultation with the IT function and the business function, develop staff training and education to support the requirement.
In cases where the IT function is outsourced, there is a tendency to overlook or underplay the need for good cybersecurity in the outsourced contract, since those undertaking the negotiation may not have sufficient understanding of the requirement or they may remove it since they see it as an unnecessary cost.
When the security function is outsourced, it may very often have been a form of abrogation of responsibility rather than of delegation. The principle that must be applied is that whilst organizations can outsource the information security implementation and management, they cannot outsource the responsibility for ownership.
There will be additional financial burdens on the organization in developing and implementing a cybersecurity framework that will be suitable to protect it, and obtaining capital or operational budget approval may prove a challenge.
The ability to develop a sound cybersecurity strategy is somewhat dependent upon the organization having a clear understanding of information security risk management, and in some cases, this will not be the case.
Organizations can also consider their cybersecurity capabilities in terms of any of the Capability Maturity Models, often used for software development, but which have many parallels in the cybersecurity environment.
Cybersecurity standards and implementation
As you will see in the appendix, there are literally dozens (if not hundreds) of standards in the information and cyber security domains. Some of these are largely generic and apply to a wide range of security topics, whilst others are highly specific, being applicable to a single technology.
Unfortunately, many of the mandatory requirements of the existing standards are more relevant to larger organizations and therefore difficult for individuals and SMEs to use effectively.
There is also a danger, especially for larger organizations, to believe that gaining certification to ISO/IEC 27001 means that they are fully secure and that all they now have to do is to ‘keep turning the handle’.
This could not be further from the reality of the situation since complacency is often the cause of both organizations and individuals missing a new threat or vulnerability and being successfully attacked as a result.
Although there are many excellent standards (mainly the US National Institute for Standards and Technology (NIST), BSI and ISO/IEC standards) in the cybersecurity field, few of them are easily adaptable to SMEs. This is where the UK government’s Cyber Essentials scheme comes into its own.
Implementation guidelines tend also to be more suited to larger organizations, and therefore SMEs will find it challenging to adapt them to their own situation.
Many of the international standards carry the implication that organizations will have implemented some higher-level processes and procedures that many smaller organizations will not have been able to undertake.
SMEs may not feel able to commit to the level of expenditure that might be required to achieve ISO/IEC 27001 certification. We shall cover many of the recommendations that both individuals and SMEs can undertake without the need for extensive knowledge or skills, and without resorting to expensive work in interpreting and implementing the international standards.
With any large network, persistence and focus will get you in.
In this blog, we shall examine the various potential targets of cyber-attacks. I have tried to separate the various types of organizations into the following categories since the motives for these attacks may vary:
critical national infrastructure (CNI);
academia and research;
manufacturing and industry.
Whether we like it or not, we are all potentially the target of cyber-attacks. In the case of individuals, attack is most likely to come from cyber criminals who may not target us directly, but they will certainly do so as part of a larger plan – for instance, acquiring credit card details of thousands of individuals that they can then sell on to other criminals who will target us more directly.
This means that our personal information and to a certain extent, we ourselves, have become a commodity – a product to be bought and sold.
There is little, if anything, we can do about the criminals’ larger game plan, but we can take ownership of our individual part of the problem by securing our computers, smartphones, tablets and networks, being careful to whom we give personal information, avoiding scams and generally being more aware – just as we hold a bag close when walking through cities where pickpockets have a reputation for preying on tourists.
Businesses are a major target for attackers since there are rich rewards to be gained if attacks are successful. There are two slightly different situations:
Where the actual target is not the business itself, but something the business has, such as a database of customers and their credit card details; something the business has developed, such as a new product or service; something the business is planning, such as the takeover of a rival organization; or simply details of the organization’s financial position if they were the object of a possible takeover.
Where the target is the business itself, and it is the intention of the attacker to cause immediate financial or reputational damage.
Businesses, both large and small, may be much better placed than individuals to understand cyber risks, but may often ignore them, thinking either that they’re too small or uninteresting to attract an attacker, or believing that they have nothing that might be of value to one.
This is potentially a major mistake, since attackers may not target a specific business, but might gain some benefit if an employee unwittingly provides them with a way into the organization’s network.
A successful attack on a small maintenance company might, for example, allow an attacker to gain access to a larger organization for which it is working and which is actually the attacker’s real target.
For example, it is believed that when the Stuxnet attacks took place against the Iranian nuclear research programme, the attack was conducted by delivering the malware to five of the research center’s strategic suppliers, at least one of whom then unknowingly took the malware into the center, probably on a Universal Serial Bus (USB) memory stick.
This illustrates that regardless of an organization’s security arrangements, malware can be introduced by a third party, and demonstrates the need to ensure that all software entering the organization is verified.
Another example of a situation in which a business might be attacked is if the attacker perceives that the organization had committed some offense or injustice and needs to be publicly exposed or rebuked. The media are occasionally complicit in this kind of activity since they can (and frequently do) add fuel to an already burning fire.
Businesses are not always targeted directly for perceived actions of this kind – in recent years, dissatisfied customers and disgruntled employees have adopted the use of social media to spread the word, often resulting in damage to the organization’s brand and reputation, loss of business and more.
Does this type of action qualify as a cyber-attack? Maybe not in the strictest sense perhaps, but since the action takes place in cyberspace, I submit that it does qualify as a form of cyber-attack and that organizations should consider the possibility as part of their response strategy.
CRITICAL NATIONAL INFRASTRUCTURE TARGETS
Attacks against critical national infrastructure organizations are extremely common, and may often originate not from cybercriminals, but from foreign nation states or terrorist organizations since their objectives are usually to disrupt the target nation in as many ways as possible.
The UK’s Centre for the Protection of National Infrastructure (CPNI) has defined the following areas of critical infrastructure, and the CNI sectors in other countries, if not identical, will be very similar:
The communications portion of the CNI consists of several different areas. The public fixed (landline) and public mobile networks are the most obvious manifestation, but additionally, some private networks are included as well, especially the Airwave network that provides communications for the emergency services and related government and some non-government organizations.
Although less used in the UK, satellite communications are also a part of the CNI, and these tend to be used for both public and private communications in areas where the public fixed and mobile networks do not provide complete or reliable coverage.
Last, but not least, is the internet, which although provided nationally and occasionally locally by Internet Service Providers (ISPs), is centrally connected through a number of so-called ‘peering points’, which make the interconnections between ISPs at a national level and with ISPs in other countries.
Two particularly fragile components of the internet are occasionally subjected to cyber-attack. The first is the Border Gateway Protocol (BGP), which determines how data packets travel between one part of the internet and another. Once a gateway router has been hijacked, it can, for example, advertise itself as the fastest route for traffic that is then delivered to a malware site instead of its intended destination.
The second is Domain Name System (DNS) cache poisoning, in which an attacker inserts false entries into a resolver’s cache so that traffic is redirected to another destination.
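The DNS cache poisoning just described is blunted on the resolver side by three checks: a reply must match an outstanding query on both its randomised transaction ID and the port it was sent to, its question section must be identical to what was asked, and only records inside the zone of the server that was queried (“in bailiwick”) are allowed into the cache. The following is an added example written for this article, not code from any real resolver; it models DNS messages as plain Python objects rather than wire format, and the scenario in `demo()` is constructed with documentation addresses.

```python
# Added example: resolver-side acceptance checks that blunt DNS cache poisoning.
import secrets
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Question:
    name: str
    qtype: str


@dataclass(frozen=True)
class Record:
    name: str
    rtype: str
    data: str
    ttl: int = 300


@dataclass
class Response:
    txid: int          # transaction ID copied from the query
    dst_port: int      # UDP port the reply was sent to (our query's source port)
    question: Question
    answers: list
    additional: list = field(default_factory=list)


@dataclass
class Pending:
    txid: int
    port: int
    question: Question
    zone: str          # zone the server we asked is authoritative for


def in_bailiwick(name, zone):
    """True when `name` is at or below `zone`; anything else is not this server's to assert."""
    n, z = name.lower().rstrip("."), zone.lower().rstrip(".")
    return z == "" or n == z or n.endswith("." + z)


class Resolver:
    def __init__(self):
        self.cache = {}        # (name, rtype) -> Record
        self.pending = {}      # (txid, port) -> Pending
        self.rejected = []     # reasons, suitable for logging or alerting

    def send_query(self, question, zone):
        """Randomise both the 16-bit transaction ID and the source port, so a forger
        must guess roughly 2^32 combinations instead of 2^16."""
        txid = secrets.randbelow(1 << 16)
        port = 1024 + secrets.randbelow((1 << 16) - 1024)
        p = Pending(txid, port, question, zone)
        self.pending[(txid, port)] = p
        return p

    def receive(self, resp):
        """Accept a reply only if it matches an outstanding query; cache only in-bailiwick data."""
        key = (resp.txid, resp.dst_port)
        p = self.pending.get(key)
        if p is None:
            self.rejected.append(f"txid {resp.txid}/port {resp.dst_port}: no matching query")
            return False
        if resp.question != p.question:
            self.rejected.append(f"txid {resp.txid}: question section does not match")
            return False
        del self.pending[key]
        cached = 0
        for rr in resp.answers + resp.additional:
            if not in_bailiwick(rr.name, p.zone):
                self.rejected.append(f"txid {resp.txid}: out-of-bailiwick record {rr.name}")
                continue
            self.cache[(rr.name.lower(), rr.rtype)] = rr
            cached += 1
        return cached > 0


def demo():
    """Constructed scenario: a reply with a guessed transaction ID, then a genuine reply
    carrying an extra record for an unrelated domain in its additional section."""
    r = Resolver()
    q = Question("www.example.com", "A")
    p = r.send_query(q, "example.com")
    guessed = Response((p.txid + 1) % 65536, p.port, q,
                       [Record("www.example.com", "A", "203.0.113.9")])
    genuine = Response(p.txid, p.port, q,
                       [Record("www.example.com", "A", "192.0.2.10")],
                       [Record("bank.example.net", "A", "203.0.113.9")])   # off-zone: dropped
    return r.receive(guessed), r.receive(genuine), r.cache, r.rejected
```

The bailiwick rule is what stops a reply for one domain from planting a record for a different one; the ID and port randomisation is what makes blind forgery of a matching reply impractical. Neither replaces DNSSEC validation, which the page does not discuss, but both are cheap and are implemented by every modern resolver.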
The next CNI area is that of the emergency services. This covers not only the police, fire and rescue and ambulance services but also mountain rescue and the Maritime and Coastguard Agency.
People who do not necessarily intend to commit cybercrime, but who intend to undertake some other form of criminal activity can attack the networks and systems of the emergency services.
They may realize that by causing some form of distraction, they are able to carry out their intrusion, robbery or whatever, and feel that it is perfectly within their rights to do so. Whether undertaking a DDoS attack on the website of any branch of the emergency services would aid them is uncertain.
Alternatively, they may hold some form of grudge against one of the services and feel that a cyber-attack is a perfectly justified response. The principal target of such an attack is always likely to be the police, but no service would be immune to a determined attacker, including fire and rescue, ambulance, maritime and coastguard or mountain rescue services.
The fact that a cyber-attack might potentially cost someone their life might not even occur to them. Fortunately, however, the incidence of this type of attack appears to be very low.
Next, we move to the energy sector, which is split into three distinct areas, each of which has slightly different arrangements: electricity; gas; oil.
The electricity sector consists of three separate components. The first is generation, which may be from a variety of sources: fossil fuels, including coal, oil and gas, and nuclear, all of which are non-renewable sources; and renewable resources such as hydropower, biomass, biofuels, wind, solar and geothermal.
The second component of the electricity sector is the transmission of power from the generation point through the national grid to the various distribution network operators (DNOs) around the country. Finally, the distribution network operators then sell the electricity to homes, businesses, and industry.
Since just about everything we do on a personal, business, commerce and especially critical infrastructure level depends ultimately on the supply of electricity, cyber-attacks are most likely to target the electricity generation facilities, since there are many of them and therefore there is a chance that some may not have as strong a cybersecurity management process as others.
The transmission management centers, however, would come a close second, since considerably more damage might theoretically be achieved with just one attack.
In December 2016, it was reported that hackers had planted malware on a computer in the Burlington Electric Department – the electrical grid provider in the US state of Vermont.
Whilst the computer was reported not to have been connected to any part of the grid, the presence of malware (attributed to Russian hackers) does raise the point that critical infrastructure is potentially a major target.
Supplies of gas come from natural (non-renewable) resources below ground, known as onshore resources, and beneath the oceans, so-called offshore resources, and increasingly, gas is imported from overseas.
Transmission and distribution work in much the same way as for electricity, with a central body delivering the supply to DNOs who then sell the gas to homes, businesses and industry, but the onshore gas storage facilities are likely to be the major targets.
Oil has similar beginnings to gas – indeed, the acquisition of the raw product uses almost identical techniques, but that is where the similarity stops, since crude oil must be refined and turned into usable products such as heating oil, petrol and so on.
On leaving the refineries, as with gas, much of it is delivered by underground pipes and is delivered to storage depots from which distribution is either by road or rail or again sometimes by underground pipes as in the case of distributing aviation spirit to major airports.
Although it did not result from a cyber-attack, the explosions in December 2005 at the Buncefield oil storage depot at Hemel Hempstead in the UK resulted in considerable disruption to the supply as well as to local residents and businesses.
Offshore oil production platforms and smaller onshore production facilities are likely targets as well as the storage and distribution sites.
It is worth adding at this point a brief note about a technology used in the energy, water, civil nuclear and chemicals sectors of critical infrastructure: SCADA (Supervisory Control And Data Acquisition), which is widely used both to monitor the state of elements of the generation, production and distribution systems, and to control their operation.
The generation and distribution networks themselves tend not to have actual connections to the internet, but the SCADA systems that monitor and operate them do. Hence, attacks against these sectors may well commence with an attack on the SCADA systems. This is discussed in greater detail later in this blog.
The finance sector has to be one of the most serious targets. Cyber thieves who can find ways of extracting funds from banks and financial services companies stand to make a killing.
Finance organizations, therefore, take cybersecurity extremely seriously, since a successful security breach could cause them to go out of business, regardless of any potential fines levied by the Financial Conduct Authority (FCA).
Increasingly, banks are making use of one-time passkey generators in order to secure access to customers’ bank accounts. The customer places their bank card into the calculator-like device, enters their private PIN, and the screen displays the eight-digit passkey that they must then enter into the bank’s website in order to provide authentication.
The passkey has a short useful life, usually measured in minutes, after which it becomes useless and another passkey must be generated. This greatly lessens the risk to the customer unless the attacker can either manipulate the system and conduct a man-in-the-middle attack, discussed later, or can persuade the customer to part with both the card and PIN by whatever means.
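An added example, not the bank's own implementation, of the mechanism just described: the passkey is derived as an HMAC over a time-step counter (RFC 6238 style, which stands in here for the card-based scheme), it has eight digits and a five-minute useful life, and the bank-side verifier refuses both expired and replayed codes. The secret and timestamps are constructed for the demonstration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
	"time"
)

// Added example, not the bank's actual scheme: a time-based one-time passkey
// (HMAC-SHA1 over a time-step counter, as in RFC 6238) with eight digits and a
// five-minute validity window. In a real reader the secret lives on the card's
// chip and is unlocked by the PIN; here it is a constructed byte string.

const (
	PasskeyDigits = 8
	StepSeconds   = 300 // passkey useful life: five minutes
)

// Passkey derives the eight-digit code for the time step containing unixTime.
func Passkey(secret []byte, unixTime int64) string {
	counter := uint64(unixTime / StepSeconds)
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	// Dynamic truncation: take four bytes at an offset chosen by the last nibble.
	offset := h[len(h)-1] & 0x0f
	code := binary.BigEndian.Uint32(h[offset:offset+4]) & 0x7fffffff
	return fmt.Sprintf("%0*d", PasskeyDigits, code%100000000)
}

// Verifier is the bank-side check. It remembers the last accepted time step so
// that a passkey captured in transit cannot be replayed within its own window.
type Verifier struct {
	secret      []byte
	lastCounter uint64
	used        bool
}

func NewVerifier(secret []byte) *Verifier { return &Verifier{secret: secret} }

// Verify accepts a passkey for the current step only (no clock-drift window,
// to keep the example short) and accepts each step only once.
func (v *Verifier) Verify(code string, now int64) bool {
	counter := uint64(now / StepSeconds)
	if v.used && counter <= v.lastCounter {
		return false // replay: this time step has already been spent
	}
	// Constant-time comparison so timing does not leak digit matches.
	if !hmac.Equal([]byte(code), []byte(Passkey(v.secret, now))) {
		return false // wrong code, or a code from an expired step
	}
	v.lastCounter = counter
	v.used = true
	return true
}

func main() {
	secret := []byte("constructed-demo-card-secret") // constructed, not a real key
	now := time.Now().Unix()
	code := Passkey(secret, now)
	v := NewVerifier(secret)
	fmt.Println("first use   :", v.Verify(code, now))               // true
	fmt.Println("replayed    :", v.Verify(code, now+10))            // false
	fmt.Println("after expiry:", v.Verify(code, now+2*StepSeconds)) // false
}
```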
Denial of service attacks against financial institutions are also on the increase. The implication of this is that not only would customers be unable to access their accounts, but in a worst-case scenario, inter-bank transfers could be affected.
Whilst this might appear unimportant to many people, recent instances of banks making changes to their (often legacy) systems have resulted in services being badly affected for days at a time; property purchases failing because monies are not transferred in time; salaries and accounts unpaid; and many more.
As an example, in 2014 the Royal Bank of Scotland was fined £56m by the regulator after a 2012 software issue left millions of customers unable to access their accounts.
Cyber-attacks on organizations in the business of growing, importing, producing, distributing and retailing food are not particularly frequent, but occasionally we read of situations in which an activist group decides to take on a multinational organization related to food, whether this is to cause a denial of service or to steal.
In 2014, the Target group in the USA was infiltrated by hackers who stole the details of 40 million credit card users. The company had been prepared for such an eventuality and had an intrusion detection system (IDS) installed that actually detected the attack, but the company failed to respond. The incident cost the group tens of millions of US Dollars.
Government departments and agencies have always been a target for attackers. Fortunately, in the UK a government department, a part of GCHQ called the National Cybersecurity Centre, known simply as NCSC, has responsibility for providing guidance to all government departments – national, regional and local – and also to official government websites such as the Driver and Vehicle Licensing Agency (DVLA).
Beginning in October 2016, there were concerns that state-sponsored hackers from Russia were attacking the American Democratic National Committee’s network, and that attempts were being made to influence the outcome of the November 2016 presidential election.
Following the election, the media reported that the CIA had declared ‘high confidence’ that the hackers were Russian, but, unsurprisingly, there is no mention of this on the CIA website.
The NCSC brings together and replaces CESG (the former information security arm of GCHQ), the Centre for Cyber Assessment (CCA), Computer Emergency Response Team UK (CERT-UK) and the cyber-related responsibilities of CPNI.
Its purpose, as outlined on its website, is ‘to reduce the cybersecurity risk to the UK by improving its cybersecurity and cyber resilience. We work together with UK organizations, businesses and individuals to provide authoritative and coherent cybersecurity advice and cyber incident management.’
The NCSC’s Certified cybersecurity Consultancy (CCSC) acts as the accreditation agency for government cybersecurity professionals (CCPs). The scheme is outsourced to three private certification bodies and CCPs offer their services via a CCSC unless they are employed directly in a government department.
Government departments and agencies operate their own cybersecurity standards and processes, and NCSC also provides highly useful advice and guidance to private sector organizations through their website.
Another government organization that has significant input to the UK’s cybersecurity strategy is the CPNI, which maintains strong links with all the sectors described in this part of the blog.
The health sector deals primarily with the public-facing services – hospitals, health centers, and general practitioner surgeries – but also ties in closely with the need for medical research, investigating all health matters and researching new medicinal and surgical treatments for patients.
Hospitals, health centers, and general practitioner surgeries
Why would anyone want to attack a hospital? Well, it seems that some attackers simply don’t care who their targets actually are. In March 2016, the Medstar group, which runs ten hospitals in Washington DC and Maryland, was the subject of a ransomware attack that blocked staff access to many of the group’s IT systems.
Several other hospitals in the US have also reported this kind of attack, and some pundits have speculated that there is also the possibility of an attacker taking control of life-critical systems, which puts an entirely different perspective on the issue of cybersecurity.
There is another potentially sinister aspect to this area – that of internet-connected health-related devices. It is not difficult to imagine that the administration of some drugs and medicines could be achieved remotely and that the mechanisms could be connected to the internet to enable this.
Delivery of too much or too little medication could be life-threatening, and if we ever reach the stage where heart pacemakers become part of the Internet of Things (IoT), security will have to be absolute.
A successful attack on National Health Service (NHS) systems could allow an attacker to obtain details of our medical history, which could potentially be sold to an interested party – an insurance company or a drug manufacturer for example. We normally consider these types of organization in the UK to be beyond reproach, but those overseas might not be so honest.
Additionally, if an attacker was able to access our medical records, they could alter the content either to improve or worsen the history, the results of investigations and tests, recommendations for treatment and the prognosis.
In January 2017 Barts Health Trust, the largest NHS trust in England, was hit by a cyber-attack that resulted in file sharing across its four main hospitals being turned off in order to limit the spread of the impact.
Finally, if a hospital’s systems were compromised as part of a larger physical terrorist attack, the result would certainly be panic amongst the general population.
One of the areas in which there is a massive scope for cyber-attacks, especially where the theft of intellectual property is concerned, is that of medical research.
The amount of time, effort and money that pharmaceutical organizations invest in the development of new drugs and medicines is enormous, and this goes some way to explaining the cost of new medical treatments as the developers try to make a return on their investment.
If attackers were able to steal the formula for a new cancer drug, for example, they could potentially sell this to less honest manufacturers who would naturally undercut the developer’s selling price.
In an even worse scenario, between the testing of a new drug and its final production, an attacker could potentially alter the list of ingredients or change the process by which the drug is manufactured. The result could at the very least be contamination and could bring about serious side-effects, or threaten lives.
The transport sector covers commercial air transport, road, rail and merchant shipping for both passengers and cargo.
Increasingly, commercial aircraft are fitted with monitoring systems (especially for jet engines) that allow maintenance teams to see in real time how they are performing, and to understand when to have spare parts delivered to an airport, often before a problem has actually manifested itself, since there is no value to an airline in keeping an aircraft on the ground when it could be earning its keep filled with passengers or cargo.
Fortunately, current standards do not permit control of commercial aircraft from the ground (unlike drones), and it is to be hoped that the events of 11 September 2001 (9/11) will dissuade manufacturers from combining control with monitoring, since the prospect of the more frequent use of a civil airliner as a weapon of mass destruction is too horrible to contemplate.
There was also an unverified report in 2015 of a cybersecurity expert taking control of an airplane’s flight control systems via the in-flight entertainment system (IFE) whilst it was airborne. Whilst this is currently just a theoretical possibility, it remains to be seen whether this eventually becomes a practical form of attack.
Another aspect of cyber targets in the transport area of critical infrastructure would be that of the infrastructure that supports air traffic control.
At any one time, there are thousands of civil aircraft in the skies, each one of which relies on an air traffic control center to direct it out of the flight path of other aircraft by ensuring physical separation both horizontally and vertically. If this infrastructure were to be successfully attacked, it could turn aircraft into weapons of mass destruction without the need to target individual aircraft.
The European Commission has placed a requirement that by March 2018, manufacturers must fit all vehicles sold in the EU with a system known as eCall, which will automatically alert the emergency services in the event that the vehicle is involved in a collision.
On the surface, this appears to be a highly noble undertaking, since the faster response to an accident could save lives, and many vehicle manufacturers have pre-empted the requirement, and in addition to eCall systems, have installed event data recorders (EDRs) in their vehicles.
The EDR has the ability to store a large number of parameters, including location, speed, and direction of travel, throttle position, and cornering data. The driver has no knowledge of exactly what data is being collected, or what might be done with it.
Whilst this would be helpful to the police investigating an accident, it follows also that the vehicle manufacturer is likely to be using that data to help in developing better vehicles – again, a positive development.
The driver has no control whatsoever over this data, and there is also the potential that the vehicle manufacturer could be selling that data to insurance companies. The potential for abuse of this has yet to be fully debated since one could reasonably argue that the data was collected without the agreement of the driver.
Far worse, in 2015, security experts were able to demonstrate their ability to take over control of a Jeep Cherokee under controlled conditions in the USA.
They were able to enter through the vehicle’s cellular phone connection to access the entertainment system, from which they broke out into the vehicle’s Controller Area Network (CAN) and took over control of a number of the engine control units (ECUs). If this type of attack becomes commonplace, the implications are frightening.
Although driverless trains are something of a rarity, they do exist. On the London Transport system, there are driverless trains on the Victoria underground line and on the Docklands Light Railway. Rather less obvious examples exist at airports such as London Gatwick, where driverless trains shuttle passengers between the north and south terminals.
Railways rely totally on electronic signaling to control the movement of trains, and should the infrastructure become internet-connected, one could imagine that considerable chaos, damage and potentially loss of life could ensue.
More recently, railway companies in a number of European countries have been installing train monitoring systems that can report information on passing railway stock about weight distribution, wheel loading, wheel defects, and noise emission. Identification of the type of rolling stock is carried out by measuring the distance between axles.
An interesting software bug discovered in 2016 was that if a train running on the Swiss railway network has 256 axles, the monitoring system will reset the truck count to zero, indicating that there is no train on the particular stretch of line. It is rumored that the company works around this problem by connecting additional trucks to 256-axle trains to ensure that they always show up!
If an attacker wishing to cause a major accident was able to penetrate the monitoring system and tamper with the code that counts axles, a great deal of damage could be done.
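As an added illustration of the counter bug described above (not the railway's own code): a track-section counter held in an eight-bit register wraps to zero on the 256th axle, so the section reports ‘clear’ with a train standing on it, shown beside a counter that uses a wide integer, bounds the count with an assumed maximum train length, and fails to the ‘occupied’ state on any anomaly. The section sizes and train lengths are constructed values.

```go
package main

import (
	"errors"
	"fmt"
)

// Added example (not the railway's code): two versions of a track-section axle
// counter. A section is clear when every axle that entered has also left. The
// naive version keeps the count in an eight-bit register and wraps to zero on
// the 256th axle, which is exactly the symptom described above.

// NaiveSection mirrors a register that can only hold 0..255.
type NaiveSection struct{ axles uint8 }

func (s *NaiveSection) AxleIn()        { s.axles++ } // Go uint8 wraps silently at 256
func (s *NaiveSection) AxleOut()       { s.axles-- }
func (s *NaiveSection) Occupied() bool { return s.axles != 0 }

// ErrFault marks a count that can no longer be trusted.
var ErrFault = errors.New("axle counter fault: section held occupied")

// SafeSection uses a wide integer, rejects counts above the longest train the
// line is rated for (maxAxles is an assumed configuration value) and latches a
// fault that keeps the section reported as occupied until it is reset.
type SafeSection struct {
	axles    int
	maxAxles int
	fault    bool
}

func NewSafeSection(maxAxles int) *SafeSection {
	return &SafeSection{maxAxles: maxAxles}
}

func (s *SafeSection) AxleIn() error {
	if s.fault {
		return ErrFault
	}
	if s.axles >= s.maxAxles {
		s.fault = true // more axles than any permitted train: sensor or software fault
		return ErrFault
	}
	s.axles++
	return nil
}

func (s *SafeSection) AxleOut() error {
	if s.fault {
		return ErrFault
	}
	if s.axles == 0 {
		s.fault = true // an axle left that was never counted in
		return ErrFault
	}
	s.axles--
	return nil
}

// Occupied fails closed: a faulted section is always reported as occupied.
func (s *SafeSection) Occupied() bool { return s.fault || s.axles != 0 }

// Reset clears the fault once an inspection has confirmed the section is empty.
func (s *SafeSection) Reset() { s.axles, s.fault = 0, false }

// RunTrain drives n axles into a section and reports whether it shows occupied.
func RunTrain(n int, in func(), occupied func() bool) bool {
	for i := 0; i < n; i++ {
		in()
	}
	return occupied()
}

func main() {
	naive := &NaiveSection{}
	fmt.Println("naive, 256 axles in, occupied:", RunTrain(256, naive.AxleIn, naive.Occupied)) // false: the bug
	safe := NewSafeSection(400)
	fmt.Println("safe, 256 axles in, occupied:", RunTrain(256, func() { safe.AxleIn() }, safe.Occupied)) // true
}
```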
Cyber-attacks against water companies do not appear to be too widespread, but it has been reported that in 2016, a hacktivist group associated with Syria attacked a water treatment works in the USA. Although their exact motivation is unknown, it appears to be that they wanted to alter the balance of chemicals added to the drinking water treatment process, with the aim of contaminating the supply.
Similar attacks could take place against treatment works for foul water, in which an attacker could again conceivably alter the balance of chemicals used in the treatment process, rendering the resulting output harmful to human and animal life alike, or in extreme cases, could release untreated sewage into rivers and watercourses.
The defense sector is made up primarily of the armed forces – nominally army, navy and air force – and also organizations providing research and development or supply services to the military.
Any individual or organization that conducts a cyber-attack on the armed forces of a major nation can probably expect swift and painful retribution. However, this does not prevent nation states from trying their hand as a means of testing the strength of the opponent’s cybersecurity and occasionally conducting intrusive attacks.
Some people define these attacks as acts of cyber warfare, and in part this is true, since one nation-state (or terrorist group) has conducted an attack on another; but at the same time, since the origin of the attack may be unclear or even point to another possible attacker, a state of war does not necessarily exist between them.
Cyber-attacks against military suppliers are very common, and have two fundamental purposes:
First, they are conducted in order to steal intellectual property such as the designs of new technology used in weaponry and defense systems. An example of this is the attack (attributed to China) on Lockheed Martin, in which designs for the F-35 fighter jet were taken.
Second, they may be conducted in order to change the way in which military software operates or to plant malware in weapons or defense systems. It is not difficult to imagine what might result if the engine management system of a fighter jet cut out when the pilot was making an attack run, or the effect of a radar system suddenly failing to display incoming bombers.
This might sound like fantasy, but you can be certain that many countries will have thought of the idea, and that some countries may have actually succeeded in making it happen.
The so-called arms race that took place in the latter part of the 20th century was a serious affair. East and West spent vast sums of money in trying to develop weapons and defense systems that would allow them to defeat their enemies, often relying on the element of surprise and leaving their opponent with little or no time or capacity to retaliate.
It was eventually concluded that the end result of this could be nothing less than ‘mutually assured destruction’.
This has not prevented or even slowed down the development of conventional weaponry or defense systems, but it has become clear that in the event of another worldwide conflict, conventional ground, sea and air forces would be heavily supplemented by pre-emptive cyber-attacks in an attempt to reduce the enemy’s ability to operate their command and control structure.
Nation states have therefore invested heavily in developing cyber weapons and cyber defenses, and there is a distinct possibility that another major war could actually be conducted without a single shot being fired.
Although we normally think of civil nuclear activities as being in the realm of power generation, there are many requirements for radioactive products used in medicine, where it is utilized in some calibration sources, radioactive drugs, and bone mineral analyzers; and in engineering where radioactive isotopes are used in the detection of pollution, carbon dating and the quality control of welding operations.
Although the Chernobyl incident in 1986 was not triggered by cyber means, a cyber-attack against a nuclear power station remains a real possibility in an attempt either to degrade electricity generation or to drive the reactor core into instability, resulting in a devastating explosion with radioactive material being dispersed over a wide area.
Attacks on other nuclear facilities might result in a significantly less dramatic impact but could result in hospitals unable to diagnose illnesses or treat them, and in major engineering projects unable to progress.
The UK is not normally the first country that springs to mind when we talk about space, but in fact, we are one of the leading countries that design and manufacture satellites used for communications and research, and we are an active partner in the European Space Agency.
Similar cyber-attacks to those discussed in the air transport section of this blog are not beyond the bounds of possibility, and although there are no officially confirmed incidents in which one nation-state has attacked the space technology of another, it remains a real possibility, especially if viewed as being part of cyber warfare.
Chemical plants produce many of the items that we use in everyday life, giving us food products such as sugar, agricultural products such as fertilizers, and chemicals used both in the home, such as cleaning agents, and in industrial processes, such as acids and alkalis.
As with other areas, the impact of cyber-attacks on chemical production facilities could be highly harmful, with compounds being incorrectly mixed, resulting in the poisoning of products, crops, and people; or with dangerous toxic or explosive mixtures being generated, resulting in widespread pollution. Therefore chemical manufacturing and storage remains a strong potential target.
One does not always think of the potential for buildings to be targets for cyber-attacks, but they are becoming increasingly internet-connected for the purposes of management, mainly for heating, ventilation and air conditioning.
Access to the HVAC systems would permit an attacker to raise or lower internal temperatures to unacceptable levels, causing staff to have to leave or causing the temperature of critical environments to exceed operational requirements – an entire data center could be taken out of service in this way.
Also, an attacker might be able to gain entry to the building’s access control system, allowing doors to be locked or unlocked, preventing staff from entering or leaving, or providing them with the opportunity for physical ingress.
The types of building that might be attacked in this way include:
factories, such as car manufacturing plants where an attacker might take control of an assembly line;
warehouses and distribution centers, especially where high-value goods are stored;
transport hubs, such as airport terminals and railway stations;
operational buildings, such as call centers, telephone exchanges, and air traffic control installations;
hotels, where an attacker could lock or unlock guests’ doors at will and steal guests’ credit card details;
sports and recreation buildings, with the potential to access scoring systems as well as HVAC;
retail properties, including shops, shopping malls, petrol stations, and restaurants.
There has been much recent interest in home automation, with the ability to connect to a central heating system online from an application on a smartphone; to control curtains and windows; and also for manufacturers of white goods to receive alerts of potential failure of appliances.
Unfortunately, the manufacturers of home automation systems hardware are not always as skilled as they should be in writing secure code. As the market for home automation devices continues to grow, attackers are ideally placed to target well-publicized vulnerabilities in these systems.
There have been cases where baby video monitors have had little or no security software included, resulting in unauthorized people being able to watch a child remotely.
Ironically, some security systems are also vulnerable. CCTV systems that make use of a digital video recorder to record images may allow an attacker to gain access to an organization’s data network through backdoors in the recorder, and so-called ‘smart’ TVs equipped with a camera and microphone can also present a means of an attacker gaining access.
We are being made increasingly aware of the Internet of Things and how it has the power to transform our lives. Many of the interconnected devices already being sold in the area of home automation have been implemented with little or no security, thus presenting an attacker with almost unlimited opportunity to cause mayhem and render our homes vulnerable to burglary.
Smart meters are now being installed by energy companies around the UK. However, it has been discovered that there are a number of fundamental flaws in the design, rendering the meters susceptible to cyber-attack. It could be possible for a cyber-attacker to under- or over-report the usage of energy, or to remotely shut off the power to the building.
ACADEMIA AND RESEARCH TARGETS
Many universities have been the victim of cyber-attacks. In December 2015, a major DDoS attack was launched against the Joint Academic Network (JANET), resulting in much-reduced connectivity.
Universities have suffered infiltration of exam results, and in cases where universities undertake programmes of research for business and industry alike, intellectual property has been exfiltrated.
Academic networks present tantalizing opportunities for attackers. Many networks (or network segments) are poorly secured, due partly to the spirit of openness that exists in the academic world, and partly through the efforts of students to secure unauthorized network access off campus as well as on.
Additionally, academic networks frequently have links into organizations that conduct commercial research and to government organizations, meaning that they can be used as a stepping stone to rich pickings.
It is thought that not all of these attacks originate from outside the universities themselves, but often from within, with students testing their hacking skills. The first example of a form of malware known as a worm was released in 1988 by Robert Morris, a student at Cornell University in the USA, and caused devastation on the early internet.
Morris was eventually identified and prosecuted under the USA Computer Fraud and Misuse Act.
As a result of this, the Defense Advanced Research Projects Agency (DARPA) funded the establishment of the Computer Emergency Response Team/Coordination Centre (CERT/CC) at Carnegie Mellon University.