Hey, a Free App — All it Costs Me is My PII

Asymmetrical Warfare Moves Into Your iPad

HL Sensory Overload
Sep 1, 2015 · 7 min read

HLSensory Overload: We’re Everywhere You’re Going To Be


Now that the Internet is so ubiquitous that you must accept direct deposit for your paycheck, and your refrigerator has to get online to check for sales on cottage cheese, we find ourselves totally dependent on a service that we don’t understand and can’t live without. System engineers, whether they work for huge companies such as Microsoft, or corporations that process payrolls for small businesses are heedlessly endangering not only our privacy and finances, but now our physical wellbeing. Much like the cigarette manufacturers in the recent past worked to make their product more addictive while denying the deadly consequences, software companies are pushing faulty products on unwary consumers and blithely shrugging off the dangers.


We are alerted daily to new and innovative ways that cyber attacks affect us personally, beyond the hacking of financial records that we have come to expect. The attacks gaining prominence today could cause injury or death tomorrow.

For several years now reports have been widespread of major corporations like Sony, Target, Anthem, JP Morgan Chase, Home Depot and even the U. S. Office of Personnel Management being the victim of cyber breaches. Each has cost the company dearly in terms of credibility, not to mention actual financial loss, while leaving the average customer defenseless as their personally identifiable information (PII) has been compromised for criminal activity.

FBI Director Comey illustrated the scale of the problem when he stated, “There are two kinds of big companies in the United States. There are those who’ve been hacked…and those who don’t know they’ve been hacked.”

The financial numbers are staggering as reported by a Ponemon Institute report issued in late 2014. The mean annualized cost of cyber crimes PER US COMPANY is $12.7 million per year, with a range from $1.6M to $61M. Smaller organizations incur a significantly higher per capita cost than larger ones ($1,513 versus $517). The report further stated that 55% of attack costs resulted from denial of service, malicious insider, or malicious code events.

Corporations now have another cause for concern. At the recent DEF CON 2015 conference for hackers in Las Vegas, a presenter by the name of David Jordan of the U. S. based company Aerial Assault presented his drone that could be launched to land atop buildings or hover near walls of businesses to probe for unsecured wireless connections to business networks. The drone carries software tools needed for penetration type tests and seeks weak defenses in computer network systems. The drones offer a new method for delivery of remote attack and can easily bypass physical barriers that would prohibit entry by other means.

Cybersecurity Pros Hack Moving Car, Control Jeep’s Engine And Brakes

This past month brought us the cyber attack on the Jeep Cherokee that Charlie Miller and Chris Valasek demonstrated near St. Louis, Missouri. During that demonstration conducted on a public highway, the pair was able to wirelessly stop the Jeep via cellphone from a remote location. The researchers were able to gain access to basic functions of the vehicle’s systems through Chrysler’s Uconnect infotainment system. This attack resulted in a Chrysler recall of 1.4 million vehicles to fix the deficiency. This much-publicized event garnered the attention of the National Transportation Safety Board and members of the Senate who called for legislation to establish cybersecurity standards for motor vehicles. Senators Ed Markey and Richard Blumenthal have been vocal about the absence of security standards and the apparent unwillingness of automakers to move quickly to resolve this emerging problem. They have introduced a bill to Congress entitled the Security and Privacy in Your Car (SPY Car) Act in July 2015.


According to a Forbes magazine article, this bill directs the Federal Trade Commission and National Highway Traffic Safety Administration to enforce standards beginning in 2017. The legislation requires all motor vehicles manufactured in the US to be “equipped with reasonable measures to protect against hacking attacks”, with “all entry points” given “reasonable measures to protect against hacking attacks”. The bill also contains provisions for privacy and transparency.

These attacks came on the heels of revelations by researchers at the University of California, San Diego of a remote attack on a car’s core systems through a commercial telematics control unit (TCU), or dongle. TCUs are placed on board a vehicle and can perform a wide variety of functions. The researchers determined that the dongles were vulnerable because they lacked authentication and validation of cryptographic keys, and because their remote update processes lacked sufficient safeguards to ensure integrity. The researchers targeted the cellular data connection that provides Internet connectivity and then inserted messages into the CAN bus to carry out the attacks. In their experiment they were able to control the wipers and to apply and disable the brakes on a Chevrolet Corvette.


As if these cyber attacks were not bad enough it was also revealed at the August DEF CON conference that a hacker was able to successfully disable an ankle bracelet designed to be worn by criminal offenders who have been sentenced by the court to periods of house arrest in lieu of incarceration in a correctional facility. The tests were performed on bracelets supplied by GWG International. These bracelets use a mobile network to transmit GPS coordinates and the hacker was able to stop the transmissions by enclosing the bracelet in a Faraday cage — an enclosure formed by conductive material that blocks static and non-static electric fields. At the same time, the hacker was able to trap the message that was to be transmitted to law enforcement when he opened the bracelet and removed the SIM card. The next step involved placing the SIM card in his phone and sending a text message to determine the phone number assigned to the card. Once the phone number was obtained the hacker was able to use an online spoofing service to send fake messages to the court or law enforcement that would give the appearance that the person was at home as mandated by the court. An ingenious hack, but one that can have severe consequences and leaves the community vulnerable while allowing a criminal to bypass sanctions imposed by the court. The main concern will no doubt be when other hackers will exploit this particular hack as the community of interest learns of the methodology for conducting the attack and spreads it through the Internet.
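Both the dongle attack and the ankle-bracelet attack above succeed for the same reason: the receiving system trusts the channel (a cellular link, a phone number) instead of authenticating the message. The following is an added example, not code from the article or from any vendor named in it, showing the defender-side fix in Python: each unit holds a secret key, every report or update manifest carries an HMAC-SHA256 tag and a monotonic counter, and the back end rejects anything whose tag does not verify, whose counter does not advance, or (for firmware) whose image hash or version does not check out. The device ids, keys, coordinates and firmware bytes are all constructed for the example; the `Verifier` and `accept_update` names are hypothetical.

```python
import hashlib
import hmac
import json

# Constructed keys for the example. In a real deployment the per-device key
# lives in a secure element on the unit and in the back end's key store.
DEVICE_KEYS = {
    "unit-0001": bytes.fromhex("00112233445566778899aabbccddeeff" * 2),
}
# What the attacker in the story does not have: pulling the SIM out of the
# bracelet or tapping the dongle's cellular link yields a phone number, not a key.
ATTACKER_GUESS_KEY = bytes.fromhex("ff" * 32)


def canonical(obj: dict) -> bytes:
    """Deterministic serialization so sender and verifier MAC identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sign_message(device_id: str, counter: int, payload: dict, key: bytes) -> dict:
    """Build an authenticated message: body plus an HMAC-SHA256 tag over the body."""
    body = {"device_id": device_id, "counter": counter, "payload": payload}
    tag = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return {**body, "tag": tag}


class Verifier:
    """Back-end check: trust the tag and the counter, never the sender number."""

    def __init__(self, keys: dict):
        self.keys = keys
        self.last_counter = {}  # highest accepted counter per device (anti-replay)

    def verify(self, msg: dict) -> tuple:
        device_id = msg.get("device_id")
        key = self.keys.get(device_id)
        if key is None:
            return False, "unknown device"
        body = {k: msg.get(k) for k in ("device_id", "counter", "payload")}
        expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
        # Constant-time comparison so the tag check is not a timing oracle.
        if not hmac.compare_digest(expected, str(msg.get("tag", ""))):
            return False, "bad tag"
        counter = body["counter"]
        if not isinstance(counter, int) or counter <= self.last_counter.get(device_id, -1):
            return False, "replayed or rolled back"
        self.last_counter[device_id] = counter
        return True, "ok"


def accept_update(verifier: Verifier, manifest: dict, image: bytes, installed_version: int) -> tuple:
    """Firmware path: authenticated manifest, image hash must match, version must advance."""
    ok, why = verifier.verify(manifest)
    if not ok:
        return False, why
    p = manifest["payload"]
    if p.get("type") != "firmware":
        return False, "not a firmware manifest"
    if not hmac.compare_digest(str(p.get("sha256", "")), hashlib.sha256(image).hexdigest()):
        return False, "image hash mismatch"
    if p.get("version", 0) <= installed_version:
        return False, "version rollback"
    return True, "ok"


def run_scenarios() -> dict:
    """Constructed scenarios mirroring the article; returns the back end's decision for each."""
    key = DEVICE_KEYS["unit-0001"]
    v = Verifier(DEVICE_KEYS)
    results = {}

    home = {"type": "location", "lat": 38.6, "lon": -90.2}  # constructed coordinates
    genuine = sign_message("unit-0001", 1, home, key)
    results["genuine_report"] = v.verify(genuine)

    # Spoofed "still at home" report sent from the stolen phone number: no valid tag.
    spoofed = sign_message("unit-0001", 2, home, ATTACKER_GUESS_KEY)
    results["spoofed_report"] = v.verify(spoofed)

    # Replaying a captured genuine report fails the counter check.
    results["replayed_report"] = v.verify(genuine)

    image = b"firmware-image-v3 (constructed bytes)"
    digest = hashlib.sha256(image).hexdigest()
    manifest = sign_message("unit-0001", 3, {"type": "firmware", "version": 3, "sha256": digest}, key)
    results["good_update"] = accept_update(v, manifest, image, installed_version=2)

    # Manifest is genuine but the delivered image was altered in transit.
    manifest2 = sign_message("unit-0001", 4, {"type": "firmware", "version": 4, "sha256": digest}, key)
    results["tampered_image"] = accept_update(v, manifest2, image + b"-tampered", installed_version=3)

    # Genuine but older manifest pushed again: rollback to a known-bad version is refused.
    old = sign_message("unit-0001", 5, {"type": "firmware", "version": 1, "sha256": digest}, key)
    results["rollback_update"] = accept_update(v, old, image, installed_version=3)
    return results


if __name__ == "__main__":
    for name, decision in run_scenarios().items():
        print(f"{name:16s} -> {decision}")
```

HMAC is used here only to keep the example within the Python standard library; for firmware updates a production design signs the manifest with an asymmetric key so that the dongle holds a verify-only public key and compromising one unit yields nothing that can sign updates for the rest of the fleet.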

That exact scenario is referred to as Hacking-as-a-Service (HaaS) and is rapidly becoming a booming business enterprise driven like all business by consumer demand. This illicit marketplace supports the hostile activity observed on the Internet and mirrors sound business principles marked by professional service delivery. The repositories are competitive — offering a variety of products at different price points and capability. This industrialization of hacking methods allows nefarious actors with little to no expertise to purchase and initiate cyber attacks of varying degrees of complexity thus enabling anyone to become a hacker, if the price is right.

Even though we may have a feeling of hopelessness, all is not lost. There are a number of steps you can take to protect yourself and your identity from the actions of hackers. Some of the critical steps include:

A) Educate yourself about the dangers associated with online activities and wireless communications.

B) Ensure your personally identifiable information is never posted online in social media environments with lax security controls.

C) Most importantly, ensure your security software is updated frequently to protect your system.


One potential, and contentious, recommendation that The Heritage Foundation recently asked Congress to consider was the use of personal cyber insurance.

Successful cyber attacks are inevitable because no security is perfect. With the number of breaches growing daily, a cybersecurity insurance market is developing to mitigate the cost of breaches. The recommendation was for Congress and the Administration to consider encouraging the proper allocation of liability and the establishment of a cyber insurance system to mitigate faulty cyber practices and human error.

The question now becomes, who is being insured? What are the responsibilities of programmers that put weak software out that makes its purchasers vulnerable to attack? Are the programmers being insured against lawsuits from damaged customers, or are the individual customers expected to purchase insurance on every device they purchase that may connect to the Internet? It would be easy for the manufacturers and retailers to hide behind “caveat emptor”, but how can a consumer assess the security of a feature that can’t be seen and is a trade secret to boot? The only answer is to realize that every internet-connected device is an open window into your world.

(For more information on this topic see links below)


Homeland Security

A Platform by the Center for Homeland Defense and Security…

HL Sensory Overload

Written by

Exploring emerging sensory technologies within the Homeland Security arena…because of course your government should know more about you than your family?!?

Homeland Security

A Platform by the Center for Homeland Defense and Security For Radical Homeland Security Experimentation. Editorial guidelines (Publication does not equal endorsement): http://www.goo.gl/lPfoNG
