Cybersecurity and Its Need for Improvement
Computers and technology are not so much prominent as they are ubiquitous in all of our lives. Cybersecurity has never been more needed but, as proven in just the past few years, systems have also never been more vulnerable. Cyberattacks are happening daily, and the U.S. government is struggling to defend against foreign hackers. For future generations, where technology will be integrated into everyday life in ways we can’t imagine, cybersecurity will be of the utmost importance.
The 2016 Vote
We start the story in 2016, with the U.S. presidential election. There’s plenty of evidence, and it’s widely accepted, that Russia hacked the 2016 election. First, Russians scanned the online systems of 21 states, though no information was stolen.
That was just the beginning. An attack hit Illinois, compromising up to 200,000 personal voter records. While the records were not altered, the personal information contained in them was compromised. Arizona suffered an attack as well, after an election official opened a malware-infected email. The official’s credentials were compromised, though the system itself was not.
The Election Assistance Committee, a federal agency that regulates voting machine security, was also compromised. They discovered a Russian-speaking hacker had obtained the credentials of 100 EAC employees and was trying to sell them on the black market. A Russian phishing scam targeted VR Systems, an election system provider for eight states. Seven VR Systems accounts were targeted, and at least one was compromised.
Whether any of this swayed the vote is moot; the point is that the systems are still vulnerable. As of this writing, midterm elections are weeks away. Future votes could also be affected unless voting stations are secured and hackers kept at bay. Keeping the vote sacrosanct is essential for future generations.
Next, we jump to 2017, a year where ransomware grabbed public attention. The WannaCry malware in particular made headlines as it used internet of things (IoT) devices to lock down hospitals, forcing them to pay to access locked patient files. Locky ransomware had already done something similar in locking out patient records.
Hospitals, however, were not the only targets. WannaCry affected more than 300,000 computers in 150 countries, demanding between $300 and $600 to decrypt locked files for each user. The hackers took a hard line: Pay and unlock the files, or they will be deleted.
Europe was targeted first, and was soon followed by Japan and China. The ransomware attacked major corporations, including car manufacturers Nissan and Renault.
WannaCry started as an exploit kept secret by the NSA, known internally as Eternal Blue. It was a backdoor into the Windows operating system. A month before the WannaCry attack, Eternal Blue was stolen from the NSA and leaked by a group known as The Shadow Brokers. Hackers created WannaCry by exploiting Eternal Blue.
Microsoft had patched the exploit a month before the virtual theft, in March 2017. Despite Windows XP no longer being supported, Microsoft took an unprecedented step in rolling out a patch.
This wasn’t the end of the ransomware attack on the U.S., however. Known as NotPetya or just Petya, a new form of WannaCry started encrypting entire hard drives, rewriting the core boot code so that the operating system itself was held hostage.
Ransomware should not come as any surprise, as hackers exploit a computer’s weakness and a high chance of the user not having recent backups to extort money for files. In 2016, the year before the attacks, some 89 percent of breaches had a financial or espionage motive. The cost of cyberattacks the year before was $15.4 million, with an average cost of more than $21,000 per day.
Possibilities for the Future
As mentioned, Generation Alpha — the moniker given to children born after 2010 — will grow up completely surrounded by technology. Their lives will be dominated by a digital world, more than their millennial parents can comprehend. If current trends continue, there will be smart devices in houses, with the IoT controlling everything from lights to locks in a house.
Imagine, for a moment, the effect a hack could have on wearable medical devices. Instead of locking a patient’s information at a hospital, it might be able to steal personal medical information. If they don’t pay, any medical secrets they have could be revealed to the world. This could be catastrophic for the user, with potentially damaging information released. The best-case scenario is suffering embarrassment.
The malware could also mask information recorded from the user, who would then believe themselves to be perfectly healthy when the actual, hidden data shows they are not.
Malware doesn’t just end in mental harm, however. Hacked IoT devices could do physical harm or destroy property.
Picture this scenario: Using cheap software, a hacker scans for unsecure home networks. Once he has found a target and gained access to a network, he finds an IoT thermostat. Because he can, and for simply no reason other than his own fun, he turns the heat to the maximum at the height of summer while the homeowner is on vacation. Anything that melts at lower temperatures in the house will be found as a puddle by the returning homeowner.
The user now has two options: pay up, with hackers often demanding cryptocurrency ransoms, or face a high energy bill, plus the clean-up and loss of the melted belongings.
What about physical harm? The hacker could turn off heat in the dead of winter. This could put the elderly or infants in serious danger. If there is an IoT lock, the hacker could even make it difficult to leave the house in these conditions.
One more scenario: A person is having an otherwise normal morning as they get in their car to go to work. Hackers have been remotely hacking internet-enabled cars since 2015. Our poor worker’s car’s autopilot function is hijacked, the doors are remotely locked, and they are driven out of the city to somewhere remote. If the driver wants access to the steering wheel again, they have to cough up money. While only 10 percent of cars were connected in 2013, estimates show about 90 percent will be connected by 2020.
The Business Side
A Cisco poll found that 73 percent of the 1,845 businesses polled used IoT data to improve their business. A problem arises, however, as 46 percent of those using IoT data used the data to help make decisions. A ransomware attack could lock out the devices, crippling the business’ ability to make informed decisions.
This, in turn, could affect stocks or sales. Or, if the information itself is what the company sells — take the information collected by Nest and sold to utility companies for example — a large part of revenue could simply disappear.
What You Can Do
There are two steps to take in order to begin combating hackers. First, keep backups of data segregated from your main hard drive or server. Whether it be in the cloud or a physical backup, it should be much harder for hackers to get to.
Having an off-site or segregated backup makes data recovery much easier in the event of a ransomware attack. Simply wipe the affected hard drive and copy over the backup, and your problem is solved.
Second, companies need to be proactive. They need to constantly scrutinize their software and firmware on devices for possible exploits and patch them as soon as possible. The NSA knew about Eternal Blue five years before it was stolen. They did not tell Microsoft about the vulnerability, despite the fact that it was there and ripe for exploiting for a hacker — which is exactly what happened.
Passwords Are Out, Passphrases Are In
Randall Munroe, a former NASA roboticist and the author of science-leaning webcomic XKCD, wrote a comic about how he discovered that four random words — “correct horse battery staple” — have 44 bits of entropy (in this case, the “average information content” of the data). A random word picked from the dictionary has an average of 16 bits of entropy. Doing the math, a brute force attack of 1,000 password guesses per second attacking 44 bits of entropy would take 550 years to guess. It’s important to note that the example passphrase, “correcthorsebatterystaple,” no longer has any bits of entropy. It’s very easy for hackers to guess, thanks to the exposure from the comic.
The old method of creating passwords was pioneered by Bill Burr, a former manager at the National Institute of Standards and Technology (NIST). Using the old NIST method would give a password like “Tr0ub4dor&3” with numbers replacing letters, and using special characters like an ampersand. However, that password only has 28 bits of entropy. The same brute force attack as above would take only 3 days.
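The arithmetic behind the 44-bit and 28-bit figures above, together with a passphrase generator that actually delivers the entropy it claims, as an added example that is not part of the original article. The function names and the 16-word demo list are constructed for illustration; a real deployment would use a published list of several thousand words.

```python
import math
import secrets

SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY

# Constructed 16-word demo list (4 bits per word); far too small for real use.
DEMO_WORDS = ["anchor", "bishop", "cactus", "dynamo", "ember", "falcon", "garnet", "harbor",
              "island", "jigsaw", "kettle", "lantern", "meadow", "nickel", "orchid", "pepper"]


def entropy_bits(wordlist_size: int, n_words: int) -> float:
    """Bits of entropy when each word is drawn uniformly and independently."""
    return n_words * math.log2(wordlist_size)


def words_needed(target_bits: float, wordlist_size: int) -> int:
    """Smallest word count whose entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def exhaust_seconds(bits: float, guesses_per_second: float) -> float:
    """Time to try all 2**bits candidates; the expected time to a hit is half of this."""
    return 2 ** bits / guesses_per_second


def generate_passphrase(wordlist, n_words: int, sep: str = " ") -> str:
    """Pick words with the OS CSPRNG; human-chosen words do not carry this entropy."""
    if len(set(wordlist)) != len(wordlist):
        raise ValueError("duplicate words make the entropy estimate too high")
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


if __name__ == "__main__":
    n = words_needed(44, len(DEMO_WORDS))
    print(n, "words:", generate_passphrase(DEMO_WORDS, n))
    print(f"44 bits: {exhaust_seconds(44, 1000) / SECONDS_PER_YEAR:.0f} years")
    print(f"28 bits: {exhaust_seconds(28, 1000) / SECONDS_PER_DAY:.1f} days")
```

The entropy figure only holds when the words are chosen by a random source; the size of the word list sets how many words are needed to reach a given target.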
General advice is to change your passwords every 90 days. However, it’s even better if you change it frequently and, instead of changing a single letter or number, use a completely new password. This is especially important in business, as it could be more than just your information at risk. With a password manager, it’s easy to change passwords, even across devices.
Finally, protect yourself and your information. You may not think about it, but you may be sharing key information via a quick social media update that could lead a hacker to your password. Saying you miss your old pet could give hackers a name to enter into a lost password verification query. It may be even better to use false information when creating accounts when it comes to password verification questions, so long as you don’t forget the fake answers.
Finally, an easy way to add security is two-step verification (2SV). This protects your account if a login is detected from a new computer or device, or even a new location. You receive a text message or email with a one-time secondary password required to gain access to your account. In this way, if you suddenly have an email or text with a 2SV password, you know someone is trying to access your account without your knowledge. This adds a second layer of authentication to your account.
That’s not to say 2SV is foolproof. It can be countered by hackers phishing details from you, or by hacking into your Wi-Fi network and “sniffing” or intercepting the data that’s being sent to and from your computer. In 2010, a sniffing program called Wireshark could find usernames and passwords and display them as plaintext. While technology and encryption have evolved in the past 8 years, caution is still advised. Even with programs sniffing data, multi-layer authentication is still safer than having just a single password. Multi-layer authentication, while taking an extra step, is the best way to easily combat hackers.
The future is technology. However, as technology improves, so does hacking. The next generation will be steeped in technology, but they must also be protected from cyberthreats. While we can’t predict what the future will hold, their personal information, as well as the contents of their computers, can be made safer through better passwords, backups, and multi-layer authentication.