Welcome, 2016 and here come the security threats!
2014 brought us the Sony hack wherein millions of confidential records, including internal emails between corporate executives – that revealed the still-thriving prejudices that exist in Hollywood – were illegal, electronically obtained and released to the public. Because they (the hackers) could.
2015 progressed to extortion hacks; nimble-fingered computer criminals accessed private client information from Ashley Madison hack, taking down a CEO and exposed possibly millions of would-be cheaters to public ridicule and worse; and then the hack of InvestBank in the United Arab Emirates, which resulted in the exposure of customer account information.
Extortion hacks play to the deepest fears of companies and top executives everywhere. If mishandled, company secrets run the risk of exposure, clients can file lawsuits and these very executives stand to lose their jobs. 2016 will see a massive rise in extortion hacks with astronomical demands.
Data Change/Manipulation Attacks
In testimony this year, James Clapper, the director of national intelligence, told Congress that cyber operations that change or manipulate digital data in order to compromise its integrity—instead of deleting or releasing stolen data—is our next nightmare. Mike Rogers, head of the NSA and US Cyber Command said the same thing. “At the moment, most [of the serious hacks] has been theft,” Rogers said. “But what if someone gets in the system and starts manipulating and changing data, to the point where now as an operator, you no longer believe what you’re seeing in your system?”
Data sabotage can be much more difficult to detect than the kind of physical destruction caused by Stuxnet. That’s because data alterations can be so slight yet have enormous consequences and implications. Anyone remember the Lotus 1-2-3 bug back in the 90s that would produce accounting miscalculations in spreadsheets under certain conditions? That was an unintentional error. But attackers could get into financial and stock-trading systems to alter data and force stock prices to rise or fall, depending on their aim.
Certain types of data manipulation could even result in deaths. In 1991 a Patriot missile in Saudi Arabia during the first Gulf War failed to intercept an incoming Scud missile due to a software glitch in the weapon’s control computer, allowing the Scud to hit an Army barracks and kill 28 soldiers. Again, this was an unintentional bug. But Chinese spies have invaded numerous US defense contractor networks in the last decade, raising concern among US military officials that they’re not just stealing blueprints to copy weapons, but might also alter or insert code to sabotage the integrity of weapons systems and change how they operate.
Chip and Pin Credit Card Hacks
Over the course of the last decade, major credit card companies have begun to implement EMV or “chip and pin” technology. This system requires that a card reader retrieve the customer’s information off of their card’s magnetized chip, which is followed by the cardholder entering in their PIN number.
As a result, chip and pin essentially constitutes a method of two-factor authentication (2FA) for payment card purchases. It is an added security measure that is designed to prevent credit card fraud if a card is physically stolen, so it is natural that VISA, Mastercard and others would switch to EMV technology – even despite the fact that many companies were just recently unprepared for the transition.
I just received my credit and bank EMV-embedded cards. As the Tripwire article mentions, many merchants are still unprepared to process these cards but that’s the least of worries. Given that 69% of most purchases utilizing these cards now occur online, the one-time code per transaction is irrelevant as neither the card or a PIN is required for online purchases. So we are back to cyber criminals simply stealing the card numbers.
The good news is that law enforcement agencies are hiring in record numbers those with anti-hacking experience!
Be smart: buy via trusted online vendors or use secure purchase transaction portals such as PayPal.
BNI Operatives: Situationally aware.
As always, stay safe.