Cyber-attacks & Hacking: What You Need To Know

The British chancellor, Phillip Hammond, has announced a £1.9bn investment in Britain’s cybersecurity strategy. The money is to be used to protect the country from hacking attacks on all fronts, from opportunistic raids on individuals and businesses to focused cyberwar led by state-run teams.

Hammond has promised a big sum, but the world of hacking is easily large enough to occupy all that money and more. It’s double the amount set out for a similar strategy in 2011, but has to deal with a world where cybercrime has moved from science-fiction novels and Hollywood movies to our banks, phones and even kettles.

What are Cyber-Attacks?

The range of misdeeds which can be described as a cyber-attack is vast, and demands a similarly large range of responses.

At the most technically complex end, cyber-attacks can entail a close-knit team of elite hackers working under the remit of a nation state to create programs which take advantage of previously unknown flaws in software – called 0days, or zero-days, for the amount of time the manufacturer has had to fix them – in order to exfiltrate confidential data, damage key infrastructure, or develop a beachhead for further attacks.

Examples of that sort of cyberwarfare include the Stuxnet worm, a specially made computer virus attributed to the US and Israel, which was deliberately designed to infect and damage centrifuges used in the Iranian nuclear programme, and the 2015 hack of the Office of Personnel Management, attributed to China, which led to the personal information of millions of US government workers being stolen.

The most dangerous hacking groups are known as “advanced persistent threats” (APTs): not only nation-states, but highly competent criminal organisations that carry out technically difficult targeted hacks.

But not all cyber-attacks involve high-end technical skills or state-sponsored actors. At the opposite end of the scale are hacks that take advantage of long-fixed security mistakes, ambiguities in user interfaces, and even good old-fashioned human oversight.

Many hackers are opportunistic, picking not the most valuable targets but the most lightly defended ones, such as computers that haven’t had security updates installed, or users who will happily click on malicious links if they are told that their bank sent them.

If APTs are like the Hatton Garden Heist, these hackers are the sort of people who will grab an unattended handbag and run. It may be less impressive, but for the vast majority of computer users, that’s the sort of cybercrime they should spend more of their time defending against.

Does Cyber-Crime even have to include Hacking?

Not according to Hammond. Some of the government’s past successes in fighting cybercrime involve tackling “phishing”, the practice of sending a fake email purporting to be from a trusted sender to encourage the recipient to enter confidential information.

Phishing can be fought by taking down the servers that collect the confidential information, which the government has been doing, but also by education: teaching individuals how to recognise a phishing email, and how to tell real websites from fake.

At its simplest end, cybercrime may not even involve computers much at all. “Social engineering” is the name in the hacker community for convincing an organisation or individual to do things they shouldn’t, and is an important part of the hacker toolkit. For instance, Mat Honan, a Wired reporter, had his entire digital life erased when hackers convinced Apple to reset his iCloud password with information they had convinced Amazon to hand over – all using nothing more complex than a phone call.

And then there are the simplest “hacks” of all: just logging into things using the default passwords. That’s how a rag-tag collection of cheap “smart” devices like webcams and kettles ended up being corralled into a network big enough to take down most of the internet for the east coast of the US in October.

By being press-ganged into a “botnet”. The devices were all vulnerable because their default passwords were known, and, worse, couldn’t be changed. That made it simple for a (still unknown) hacker to write a program that would automatically log in to those devices, rewrite their software, and leave them controlled by a central server. Even more impressively, those enslaved devices then start seeking out further devices to drag into the botnet, meaning that today, if you connect a vulnerable kettle to the internet, it will be hacked within an hour. It doesn’t need a human to do the hacking, the botnet (named “Mirai”) just scans for new kettle and logs in using the default username and password.

But how does that Botnet take down the Internet?

Through a technique called “distributed denial of service”, or DDoS. A denial of service attack involves overwhelming a particular server with requests – as though you decided to harm a small business by permanently calling their landline and refusing to hang-up, so no one else could get through. But the denial of services attacks is fairly easy to block, because they come from one location, and it’s hard to send enough traffic from one computer to overwhelm another computer.

A “distributed” denial of service attack involves commanding networks of thousands or millions of computers, or kettles, to all send their requests at the same time. Not only can it leave the server unable to respond to real demands, it can even leave it so overwhelmed that it fails completely, crashing key services or even revealing non-public information to the world.

The botnet that brought down parts of the Internet recently was targeted at a particularly important server, which acted as the main gateway for a number of large sites including Amazon, whose AWS network itself hosts even more sites.

Is that everything?

Mostly, but with the proliferation of smart devices, the number of things that can be hacked is growing daily. We’re connecting more and more things to the internet, and some of those things we really don’t want to be hacked.

In October 2015, for instance, security firm Rapid7 revealed vulnerabilities in a brand of insulin pump that diabetics use to control their condition. The weakness allowed an attacker to remotely trigger insulin injections, potentially leading to a fatal hypoglycemic shock. In 2013, weaknesses were discovered in power plants across the US and Canada that could cause them to overheat, shut down or malfunction if a malicious hacker decided to attack them. And as cars become more connected, hackers are going after them too: researchers who discovered how to remotely disable the brakes on Jeeps in 2015 reported this year that they had found new attacks which could do even more on an unpatched vehicle.

Can £1.9bn really defend against all of that?

It can do a lot, though not in the ways you might think. The extra money spent on staff in GCHQ and MI5, for instance, won’t result in teams of spooks staring at big screens shouting things like “reverse the trace and send spike the server!”. The money will be used, the government says, to “take the fight to those who threaten Britain in cyberspace”, in part by “striking back against those that try to harm our country”. It’s not clear what form retaliation could take, especially when identifying the perpetrator is not straightforward.

And £1.9bn from Britain can’t do everything. Experts agree that much of the response to cybercrime needs to be transnational: there’s no other way to ensure, for instance, that cheap electronics made in China and sold in the UK can’t be used to attack websites hosted in the US but serving the entire Western hemisphere.

Some solutions are cheap, but come with other costs. In the wake of the Mirai botnet, for instance, researchers have called for stronger regulations requiring timely security updates, and putting the cost of any damage on the manufacturer if no updates are available. That could help prevent future re-runs, but might also raise the cost of such devices.

Guardian:     UK To Increase National Cyber Defences:

 

« UK Will Retaliate Against Cyberattacks
Securing Data in the Cloud »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

Leonardo

Leonardo

Leonardo (formerly Finmeccanica) is a global high-tech company in Aerospace, Defence, Security & Information Systems including Cybersecurity & ICT solutions.

CERT-MU

CERT-MU

CERT-MU is the Mauritian National Computer Security Incident Response Team.

GrammaTech

GrammaTech

GrammaTech is a leading developer of software-assurance tools and advanced cyber-security solutions.

Singapore Cybersecurity Consortium

Singapore Cybersecurity Consortium

Singapore Cybersecurity Consortium was created to encourage use-inspired research, training and technology awareness in cybersecurity.

CISPA Helmholtz Center for Information Security

CISPA Helmholtz Center for Information Security

The CISPA Helmholtz Center for Information Security is a German national Big Science Institution within the Helmholtz Association. Our research encompasses all aspects of Information Security.

Emerson Electric Co

Emerson Electric Co

Emerson provides industrial automation systems and associated cybersecurity solutions to protect critical process control systems from cyber attack.

PKWARE

PKWARE

PKWARE is a global leader in business data security, providing encryption and compression solutions to enterprise customers and government entities around the world.

Scantist

Scantist

Scantist is a cyber-security spin-off from Nanyang Technological University (Singapore) which leverages its expertise to provide vulnerability management solutions to enterprise clients.

National Accreditation Agency of Ukraine (NAAU)

National Accreditation Agency of Ukraine (NAAU)

NAAU is the national accreditation body for Ukraine. The directory of members provides details of organisations offering certification services for ISO 27001.

Agio

Agio

Agio is a hybrid managed IT and cybersecurity provider servicing the financial services, health care and payments industries.

SHe CISO Exec

SHe CISO Exec

SHe CISO Exec is a sustainable global training and mentoring platform in information security and leadership.

Corellium

Corellium

Corellium are dedicated to supporting our peers in the ARM community who seek to build more secure, performant, and accessible software and devices.

ramsac

ramsac

ramsac provide secure, resilient IT management, cybersecurity, 24 hour support and IT strategy to businesses in London and the South East.

Acora

Acora

Acora provide a range of best-in-class managed services, Microsoft-centric business software, and cloud solutions designed to help mid-market organisations succeed in the digital economy.

Patriot Consulting Technology Group

Patriot Consulting Technology Group

Patriot Consulting's mission is to help our clients manage cybersecurity risk through secure deployments of Microsoft 365.

Cyber News Live (CNL)

Cyber News Live (CNL)

Cyber News Live provide vital information and raise awareness about all things 'cyber' to ensure you stay protected in the digital world.