Cyber security mega breaches: attacks go personal

We are beginning to encounter mega breaches in cyber security every month. While these attacks still include banking and business, the attacks have expanded to cross political boundaries, encompass all professions and infiltrate our sports arena too.

No digital format is safe from attack. The Indian Computer Emergency Response Team (CERT-In) recently reported that the cyber security statistics for 2016 were the hottest in recent years, with over 50,362 cyber security incidents observed. These attacks included phishing, scanning/probing, website intrusions, virus or malicious code insertions, and denial of service. While this represents only a 2% increase over last year’s attacks, the amount of information compromised with each new cyber security incident now represents millions of users and a vast amount of information.

One of the most recent mega breaches, an attack on the videogame community through E-Sports Entertainment Association (ESEA), resulted in more than 1.5 million player records getting compromised.

The ESEA, one of the largest competitive video gaming communities in the world, confirmed that the leaked records included registration dates, city, state, last login, username, first and last names, bcrypt hashes, email addresses, dates of birth, ZIP Codes, phone numbers, website URLs (Uniform Resource Locator), Steam, Xbox, and PSN identifications — essentially everything that identifies individual players’ identities.

While these were key pieces of information obtained, the ESEA maintains over 90 individual player fields within their records. This represents more than 135 million items of personal information. Individual passwords were not compromised, but sufficient data was leaked to enable multiple, socially-based future attacks, through phishing schemes representing millions of dollars of potential losses.

The Indian security forces were recently alerted to a new virus in the popular smartphone and tablet application WhatsApp, which targeted the National Defence Academy (NDA) and other agencies. This virus could have resulted in loss of personal information and banking data, but was thwarted in the nick of time by vigilant agencies.

The British National Cyber Security Centre stopped 86 major cyber security attacks in January alone, targeting the Bank of England, the Ministry of Defence, nuclear bases, security services and critical infrastructure. Most activities originated from China, North Korea, Russia, Iran, and criminal gangs, targeting not just infrastructure or money, but personal information.

In the US and Italy, political hacking by nation states, particularly the Russians, was prevalent in 2016 and promises to deliver even more potent mega-attacks in 2017. Forbes highlighted the potential for increasingly bold political cyber-attacks as elections in Germany, France and the Netherlands draw near this year.

Many of these attacks use very sophisticated cyber espionage techniques which will become increasingly innovative. Interestingly, these attacks are expected to exploit legitimate processes and protocols to access data, keeping the victims unaware of breaches.

Another expanding area for mega-breaches will be the healthcare sector, through malicious ransomware which encrypts the user's files and then blackmails the user into sending money as a ransom to unlock and restore the files. If the ransom is not paid, the attackers will often steal and sell the data on dark web markets, further exposing the data of multitudes of victims. This year, it is likely that users of smartphones and tablets will increasingly get exposed to ransomware and other attacks as access to the Internet and, in turn, access to the devices gets easier.

On March 7, WikiLeaks released a large cache of documents reputed to have come from a high security network known as Vault 7 within the US Central Intelligence Agency. This programme contained information on “tens of thousands” of CIA targets.

The information was garnered through hacking of the operating systems of smartphones and mobile devices, as well as Microsoft Windows personal computer software, and even Samsung’s smart TVs, which could be remotely accessed and placed in a false “off” position, covertly enabling the TV to record household or business conversations.

Limit exposure
The key to preventing loss is to limit exposure. This means limited exposure in everything cyber. Start by making your passwords complicated, unique and difficult to break. Try not to use any words found in the dictionary, or those that could be inferred based upon your individual characteristics. Most importantly, never use passwords such as “123456” or the obvious term, “password”.

It is a good suggestion to use a sequence you can remember, that includes capital letters, numbers and special characters. For example, MFJ1910Efmm! This has significance only for the user, but could be easily remembered.

In this case, MFJ are the individual’s initials backwards, 1910 is a unique number representing nothing significant to the user, and Efmm is the letter combination for the laptop name offset by one letter (D-e-l-l), while the final special character is a unique, special character selected and remembered by the user. Combinations of three or more unique character sets make the password difficult to break, yet it can be easily remembered by the user. Update your password regularly, and never reuse a previous password. Always maintain at least nine characters for best security.

Never click on links in emails. A link sent to you in an email that you did not specifically request, or that was not previously identified by the sender, may cause trouble. When in doubt, contact the sender and ask them if they sent you a link, and why. Links that appear to be from financial institutions or organisations requiring you to sign in are often phishing attempts, and clicking on them can lead to the download of malware, especially ransomware.

Limit the amount of information you have online. Although difficult to do, try to limit information about yourself online. Start by limiting information you freely provide to websites and online organisations. The more information you have online, the greater the potential for a mega-breach of your personal information.

(Iyengar is a distinguished Ryder Professor and Director, School of Computing and Information Sciences, Miami; Miller has been with US Air Force for over two decades and is Coordinator, Discovery Lab, Florida International University)