By Carl Weiss
It
is said that the only sure things in life are death and taxes. While this pearl
of wisdom has stood the test of time, in the not too distant future there could
be an addition to that list: Cyberattack. That's because cyberattacks on
businesses and individuals are up nearly 50% in the past year alone. Where
cybercriminals used to almost exclusively target big businesses with deep
pockets, now that ransomware has become so prolific, small businesses and even
individuals are finding their online assets and machines being hijacked. And
why not, since most individuals and small businesses offer little in the way of
resistance.
Enter the Cyber Sharks
 |
| Image courtesy of worth1000.com |
Who can forget the opening
music to the movie Jaws. In it’s day,
the novel and subsequent blockbuster motion picture was enough to keep people
on the beaches and out of the surf. But
as paranoid as many moms became about letting their kids frolic in the waves
back in 1975, forty years later we should all be hearing the strains of
da-da-dum-dum every time we surf the web.
That’s because while Jaws was a work of fiction, the arrival of schools
of Cyber Sharks is all too real.
Just like the real deal,
there is no 100% reliable cyber shark repellent that can keep someone from
putting the byte on your computer, tablet and/or smartphone. Even worse is the fact that while individuals
are woefully unprepared to be hacked, what’s even worse is the fact that many
of the devices connected to the Internet of Everything have absolutely no
protection whatsoever.
Literally everything from
appliances to medical devices to automobiles are rapidly becoming
web-enabled. While this provides the
public with even more interactivity, it also provides hackers with more ways to
get to consumers and business owners. Just as most people make the mistake of
thinking their smartphone is a phone instead of a computer that you can talk
on, nearly everyone doesn’t realize that the average automobile being built
today have 100 lines of code onboard. Many
are now Wi-Fi enabled as well. You don’t have a car with q computer onboard. You
have a computer that drives. Soon, these
computer cars will do most of if not all of the driving. So if a hacker can take control of your car,
what does that mean for the passengers and driver? (On a recent 60-Minutes telecast, hackers
gained access to the car in which Leslie Stahl was driving, turning on the
lights and windshield wipers. So this is
not a hypothetical possibility.)
Who’s Watching Who?
 |
| Courtesy of Samsung.com |
Smart Houses and appliances
are also becoming more and more commonplace.
They’re also becoming easy pickings for hackers. If a hacker can crack your home’s security
system, this makes breaking and entering child’s play. Don’t even get me started on what a hacker
can do to your web-enabled Nanny Cam. The
same smart TV that you just installed in your living room can be hacked with
ease, since most contain little or no security.
A February 24, 2015 blog by
CNN reported: Earlier this week, we learned that Samsung televisions are eavesdropping on
their owners. If you have one of their
Internet-connected smart TVs, you can turn on a voice command feature that
saves you the trouble of finding the remote, pushing buttons and scrolling
through menus. But making that feature work requires the television to listen
to everything you say. And what you say isn't just processed by the television;
it may
be forwarded over the Internet for remote processing. It's
literally Orwellian.
What’s
really scary is the fact that last year alone more than 10,000 smart appliances
were hacked, according to leading US security firm Proofpoint. Once inside your smart TV or refrigerator,
hackers can then gain access to other web-enabled devices. Believe it or not, your refrigerator can spam
your smartphone, laptop or tablet once infected. Even if your device does come with some
semblance of security, unless the protection is updated on a regular basis,
it’s only a matter of time before a hacker will prevail.
How Do I Hack
Thee? Let Me Count the Ways.
So
many smart devices…So little time.
Everything from wearables to medical devices are becoming vulnerable to
hacking. Symantec reported on March 12
that: “All of
the devices failed to check whether they were communicating with an authorized
server, leaving them open to man-in-the-middle attacks. One out of five devices
did not encrypt communications and many did not lock out attackers after a
certain number of password attempts, further weakening their security. All of
the potential weaknesses that could afflict Internet of things systems, such as
authentication and traffic encryption, are already well known to the security
industry, but despite this, known mitigation techniques are often neglected on
these devices”
http://www.eweek.com/security/symantec-study-finds-home-smart-devices-wide-open-to-cyber-attack.html
 |
| Image by culturedigitally.org |
While
Symantec’s report was referring to smart appliances, in October of 2014, the US
government told the FDA to start taking medical device security seriously while
citing the same problems that smart appliances were facing. The next time you go to the hospital for a
dialysis treatment or to get your pacemaker checked out, you might like to ask
your physician about the inherent hacking vulnerabilities of these systems.
The
number of ways that hackers can get into your devices is staggering. Below are
some of the most popular tools of the hacker’s trade:
1. Sniffers are programs or device that
monitors all data passing through a computer network. It sniffs the data and
determines where the data is going, where it's coming from, and what it is. In
addition to these basic functions, sniffers might have extra features that
enable them to filter certain types of data, capture passwords, and more.
2. The Hex Dump (aka
Voodoo) - When
an electronic device is manufactured, it is programmed with firmware. Hacking firmware is simply a matter of buying
a programmer that can receive the memory dump and transmit it to a computer
where the code can be altered. Then
transmit the modified code back to the device.
3. Attacking Defaults –
Virtually every piece of hardware on the market comes with a set of standard
defaults, including username and password that provide access to the
system. Since most people do not change
these default settings, this is the easiest way to exploit a system.
4. SQL Injection – While
it sounds like a medical procedure, what an SQL Injection attack are conducted
by entering unexpected entries into a database and then probing the returned
error messages to reveal information that can be used to hack the system. For instance, by entering metacharacters like
#$%^ into a field that processes only alphanumeric information, the database
could be tricked into revealing the contents of the database, or in some other
way compromise an SQL server.
5. DDoS Attacks - Directed Denial of Service Attacks occur when hackers flood a targeted website with so much bogus traffic that it brings the victim's server to a halt. This is usually followed by a demand for payment in order to restore service.
6. Data Extortion - Most people aren't aware that their data can be hijacked and held for ransom. This can take a number of different forms, including threatening to release sensitive information stolen from a machine, to locking a legitimate user out of their own website or machine by changing the password. Just as with DDos attacks, all too many extorted users don't realize they've been hacked until a ransom note appears demanding payment. Even worse than DDos attacks, non-payment in this case can result in your website or data being erased. (Lately, online extortion has also extended to threats of having one's reputation smeared online unless payment is rendered.)
7. Ratting - Remote Administration Tools are an increasingly popular and insidious means of hacking everything from laptops to tablets and smartphones. Once successfully deployed, a ratted machine is literally under the control of the hacker. Ratted machines can not only be rifled for information, but their webcams and built-in microphones can be surreptitiously turned on, allowing the rat to become the equivalent of a cyber peeping Tom. (There have been a number of high profile celebrities who have been ratted, resulting in compromising photos and videos making the rounds online.
5. DDoS Attacks - Directed Denial of Service Attacks occur when hackers flood a targeted website with so much bogus traffic that it brings the victim's server to a halt. This is usually followed by a demand for payment in order to restore service.
6. Data Extortion - Most people aren't aware that their data can be hijacked and held for ransom. This can take a number of different forms, including threatening to release sensitive information stolen from a machine, to locking a legitimate user out of their own website or machine by changing the password. Just as with DDos attacks, all too many extorted users don't realize they've been hacked until a ransom note appears demanding payment. Even worse than DDos attacks, non-payment in this case can result in your website or data being erased. (Lately, online extortion has also extended to threats of having one's reputation smeared online unless payment is rendered.)
7. Ratting - Remote Administration Tools are an increasingly popular and insidious means of hacking everything from laptops to tablets and smartphones. Once successfully deployed, a ratted machine is literally under the control of the hacker. Ratted machines can not only be rifled for information, but their webcams and built-in microphones can be surreptitiously turned on, allowing the rat to become the equivalent of a cyber peeping Tom. (There have been a number of high profile celebrities who have been ratted, resulting in compromising photos and videos making the rounds online.
 |
| Courtesy itunes.apple.com |
While all of the abovementioned tactics
require a bit of technical knowhow, there are many other hacking programs and
devices that can be bought online. There
are also online forums, hacking blogs and clubs that teach hackers the tools of
the trade. There are also annual hacker
conventions and hackathons such as the one held yearly in Las Vegas. If you don’t believe me, simply google,
Hacking devices available online.”
The real danger is that the Cyber Sharks have
the upper hand since detection, much less prosecution is hit and miss at
best. Meanwhile hacking continues to
proliferate nearly unchecked. CNN
recently reported that in 2014 hackers exposed the personal information of 110
million Americans, roughly half of the nation’s adults.
So the
next time you turn on your Smart TV or start your web-enabled car, don’t be
surprised if the sound you hear emanating from your surround speakers is
something like, “Da-da, dum-dum.”
