On August 4th, 1945, just days before the US Airforce dropped the ‘Fat Man’ atomic bomb on Nagasaki, the US Ambassador to Moscow received an elaborate gift from the Soviets.
Ambassador Averell Harriman proudly received the plaque and had it mounted on the wall of the study in his Moscow residence. But the plaque wasn’t all it seemed – it was a bug, a passive listening device that could only be activated when a radio signal was beamed to it.
When the Russians did so, they were able to listen in on conversations in the office as the voices of the ambassador and other visitors created vibrations within a membrane hidden in the plaque.
"For seven years he had the Soviets listening to what was going on in his private study,” says Crispin Kerr, who heads up security company Proofpoint in Australia and New Zealand.
“It could very well be a predecessor to what we know today as the remote access trojan.”
He related the story of the great plaque bug at the Cybersecurity Summit in Wellington this week to make a point relevant to the state of cybersecurity today – humans are the weakest link when it comes to threats in the digital world.
The human element
That’s always been the case, but for the best part of twenty years, hackers and cyber criminals made hay exploiting vulnerabilities in software code, such as the Windows operating system, the Internet Explorer web browser and or Adobe’s Flash player, to gain unauthorised access to our computers and information.
But with better software and network security now in place, their focus has had to shift to social engineering to exploit human nature to breach our defences.
“For the past few years, attacks have been focusing on people not infrastructure,” says Kerr.
“The attackers are getting to people they are targeting to do the work for them.”
The simplest kind of attack involves email fraud, says Kerr.
“It's an attack that doesn't require any kind of malware or payload whatsoever.”
It’s also incredibly effective. According to the FBI, email wire fraud has cost companies US$26 billion since 2016.
Here’s how it works. A payroll officer receives a legitimate-looking email from an employee asking if they can change the bank account their paycheck goes into. But the email has been spoofed – the sender’s address has been forged. If the payroll officer isn’t wary to such attacks, the employee’s next paycheck could go into the bank account of a fraudster.
“What is perhaps the most depressing thing about the landscape today is just how spectacularly we've seen the rise of spoof emails,” says Kerr.
“They have no malware of any kind, no links, no attachments.”
According to the Government’s Computer Emergency Response Team (CERT), reported cybercrime incidents increased 205 per cent between 2017 and 2018. The cost of reported incidents was put at $14 million last year, with scams and fraud making up $8 million.
The Government boosted funding for CERT in May’s Budget to deal with the growing cyber threat activity and released a refreshed cybersecurity strategy in July but was criticised for being light on detail.
One of the five priority areas identified in the strategy is “cyber security aware and active citizens”. Indeed, education and behaviour change is crucial to tackling the new wave of people-focused cybercrime.
Other growing threats aimed at people involve using compromised accounts – where simple passwords have been guessed or cracked using brute force attacks. The problem is easy to eliminate using multi-factor authentication (MFA), which requires the user to verify their identity with not just a password, but a security token on their phone or even a biometric fingerprint scan.
However, it is telling that the majority of companies running Office 365, Microsoft’s popular online productivity suite featuring Word, Excel and the email client Outlook, haven’t switched on MFA. It turns out that IT managers fear it might prevent legitimate users from logging onto their computers so have left themselves more vulnerable to attack.
Phishing scams remain common, though they too have evolved. It used to be that an email would arrive with a link asking the recipient to click on it to enter some personal information – usually their username and password.
The hacker could then use the details to infiltrate their target’s email system to steal information. Now the links used in phishing attacks are often benign when first sent, but are changed by the attacker later in an attempt to install malware on a target’s computer to gain access.
“None of this works, unless people actually fall for it,” says Kerr.
“You need to know who those people are.”
Held to ransom
Leading cybersecurity expert Paula Januszkiewicz is also seeing hackers resorting to more desperate measures as their avenues for attack narrow.
“They are starting to run out of options,” says Januszkiewicz, the founder of CQURE, a 42-person company with offices around the world that advises governments, banks and major businesses on how to defend against cyber threats. Januszkiewicz is one of a small number of people outside of Microsoft authorised to access the code of the company’s software products.
Ransomware attacks, where an attacker uses malicious software to disable a person’s computer or smartphone, asking for payment to unlock it, continue to be the bread and butter of cybercriminals, says Januszkiewicz.
The 2017 WannaCry ransomware attack, which targeted insecurities in outdated versions of Windows, is estimated to have affected more than 200,000 computers across 150 countries. Victims received a message on their device asking for US$300-$600 in Bitcoin cryptocurrency to be sent to an anonymous online wallet to have their computer’s encrypted files restored.
“100,000 might get it, 1,000 will pay. That’s your monthly living,” Januszkiewicz told NOTED on a visit to New Zealand last month.
“What I am expecting to see is ransomware that involves public shaming,” she adds.
“You can see a bit of it now. If you don’t pay, we will publish your data. Maybe it is your pictures. This requires bigger payments.”
The route to compromising photos or information that can be leveraged to extort money is exactly the same – weak security that leaves the door open a crack.
Where do these attacks come from? The cybersecurity company Crowdstrike assigns code words denoting the key originators of cyber attacks – ‘bear’ for Russia, ‘panda’ for China and ‘chollima’, the mythical winged horse, for North Korea.
Crowdstrike’s threat report for the first half of 2019 showed a larger proportion of intrusion attempts against its customers coming from cyber criminals, rather than what they refer to as “state sponsored activity”.
That is countries employing their own offensive cyberwarfare teams to infiltrate other governments’ IT systems and companies for the purposes of spying or espionage.
But this doesn’t indicate a reduction in state-sponsored activity overall, the report noted.
“China remains one of the most active adversaries. Similar to prior years, Chinese nation-state adversaries were the most active out of all the nation-state actors observed so far this year.”
Crowdstrike had observed Chinese hackers, likely working on behalf of the state, target industries across the board, from hospitality and manufacturing to technology and telecommunications.
Proofpoint’s threat monitoring systems similarly see the fingerprints of nation states on targeted intrusion attempts in Australasia. Of late, a hacking group originating from Pakistan has been particularly active.
It's a group affiliated to Pakistan, most likely the ISI, which is Pakistan's national intelligence organisation,” says Kerr.
“They do espionage work, but on the side, they freelance in much more traditional cybercrime. We know this because they are using the same toolsets across their espionage work as well as their more commercial undertakings.”
Januszkiewicz’s team has closely studied the traits of state-sponsored cyber attacks. It analysed the Stuxnet computer worm, which first reared its head in 2010 when it was responsible for damaging centrifuges at an Iranian nuclear facility.
Again, Stuxnet relied on human frailty. It is likely that the worm was introduced into the locked-down Iranian facility by a contractor unwittingly infecting the system when plugging a USB flash drive into a computer.
“During the analysis we came to the conclusion that the piece of code was actually written by many people because of the logic of the code,” says Januszkiewicz.
No nation has ever claimed responsibility for the attack, though security experts suggest Israel, possibly in partnership with the US, is the likely originator of the worm.
Says Januszkiewicz: “When we are assigning it as a country-level attack, then who do you blame?”
Stuxnet was one of the first attacks to do physical damage and highlight potential for cyber attacks to take down power plants and electricity grids.
Threats to infrastructure
“I’m very concerned about the risk exposure for critical infrastructure,” says Greg Touhill, who President Obama appointed as his Chief Information Security Officer in the White House, after Touhill had spent decades in the military and then at Homeland Security working on cybersecurity.
“All too often we would find public and private sector entities that didn’t realise that they had industrial control systems or Internet of Things (IoT) devices that were connected to the internet,” says Touhill, who was the keynote speaker at the Information Systems Audit and Control Association conference in Auckland last month.
Now working for a private security firm, Cyxtera Technologies, Touhill says the fact that much of our critical infrastructure is in private hands, requires government and private industry to collaborate to a greater extent to combat cyber threats which could disrupt the economy and the lives of millions of citizens and even threaten national security.
Touhill abruptly left the CISO role in the US Government with the arrival of Donald Trump in the White House. Did he quit, unwilling to work for Trump?
“Cybersecurity is a non-political issue and so am I,” says Touhill.
“I have served every president of the United States since Jimmy Carter, but our officers take an oath to the constitution, not to a person. I left the camp site a lot better than I found it, but there’s still a lot of work to be done.”
He described the New Zealand military personnel he had worked with on cyber-related issues as “top notch” but said that New Zealand faced the same fundamental issue as every government. The internet had become a “global equaliser”, allowing attackers to reach targets from literally anywhere.
It’s not a technology issue as much as it is a risk management issue,” says Touhill.
“The best practice is that your people, process and technology are kept current.”
That’s the gospel Januszkiewicz also spread as she visited Microsoft’s customers in New Zealand.
“The ongoing problem is organisations running code that we don’t know or trust. We perform penetration tests and we can see that the solutions aren’t in place,” she says.
A proliferation of connected IoT devices will only exacerbate the problem in the coming years and the rise of quantum computing will pose challenges for maintaining the security of encryption systems.
State-to-state cyberwarfare is causing governments, including New Zealand’s, to beef up its cybersecurity capability.
“Governments are investing heavily in training people in cybersecurity,” Januszkiewicz says.
“We can conclude from these investments that more of this [state-sponsored] activity is happening.”
Cybersecurity therefore remains an arms race between bad actors and those tasked with defending people and property, she says.
“Things will be breached, then they’ll be fixed. This is the cost of growth.”