Cyber crimes in cyber times

Who are the perpetrators, and how can you protect yourself?
05 March 2024
Presented by Will Tingle
Production by Will Tingle.

CYBER-CRIME



This week on The Naked Scientists, cyber crimes in cyber times. Off the back of cyber attacks on the British Library and our own Cambridge University, we’ll be taking a look at the world of cyber attacks, from the state level down to the individual. How do they happen, who is responsible, and how can we protect against them?

In this episode


What is a cyber attack, and who are responsible?
Ciaran Martin, University of Oxford

You don’t have to look very far to find victims of cyber attacks, with the British Library still reeling from a large-scale hack by a shadowy group in the autumn of last year. But where exactly do they come from? The University of Oxford’s Ciaran Martin has been described as “a cyber security ace” and helped set up the National Cyber Security Centre here in the UK.

Ciaran - That's a great question because sometimes you get pretty nonsensical statistics from, say, banks. They say, 'oh, we suffer 10 million cyber attacks a day.' And what that means is there's 10 million micro events where something a bit dodgy touches the edge of the network. Most of the time it doesn't do any harm. I would describe a cyber attack as an unauthorised intrusion into a network that causes significant damage and then I'd split it into two because one type of cyber attack is fairly silent. If you are using the network or running the network, you don't really notice it, but they just steal everything from it. So data theft. But the second is more disruptive, you can't use it. So it's an unauthorised intrusion that either leads to the theft or disruption of a computer network, is what I would call a cyber attack.

Will - How do these nefarious parties then actually get into a system? Is it a case of writing the correct line of code or playing an individual who works there or maybe a bit of both?

Ciaran - There's all sorts of ways, and most of these operations that I've talked about have at least one very basic and very old method of intrusion. They get more sophisticated. I mean, you can teach anybody to hack. Back in the UK in 2014, TalkTalk suffered a pretty high profile breach and that was something called a SQL injection, which is basically writing pretty basic malicious code into a data entry form on a website. You can teach somebody to do that in 20 minutes. I mean, please don't, because it's a breach of the Computer Misuse Act, but that's what you can do. Something like taking out a power grid or the Stuxnet operation against the Iranian nuclear programme will take years and really sophisticated teamwork and skill and money and so on. So there's a whole spectrum of cyber attacks from the very basic to the very sophisticated, but most of them involve something very basic. And I actually think most people understand how this works. So it starts with a phishing email. So click on a link and then there's a malicious payload and the hackers are in.

Guess a password. So when I was running the National Cyber Security Centre, we partnered with this wonderful Australian called Troy Hunt who just, out of the goodness of his heart, runs this service where he tracks all these data breaches. And we analysed it with him and we noticed 23.2 million occasions where the password 123456 had been breached. There were about half a million where Liverpool FC had been breached. About 250,000 where Pokemon had been the cause of a breach. So you can just guess passwords. And that's why most people get annoyed by two-factor authentication or multi-factor authentication. But that's why that exists, because if you can guess a password, and criminals can guess passwords, most people reuse passwords 'cause they can't remember. So ultimately that's the basic route of entry. And you mentioned, you know, studying people.

I mean, LinkedIn is maybe a useful professional tool for millions of people, but it's also an absolute treasure trove for identifying vulnerable targets for cyber crime and cyber operations from nation states. There's a sort of joke in national security circles that if LinkedIn didn't already exist, some intelligence agency would probably invent it, and that's what you might call a more hybrid form of attack where there's a human element.

Will - Obviously in terms of motive, we feel like it's pretty obvious on a state level it's to disrupt potential aggressors or to attack potential other countries. But in terms of other smaller scale attacks, do we know what the motives are or who the most common perpetrators are?

Ciaran - I would say there's probably three broad reasons why states do these things. So one, which is probably the oldest form, is spying, is finding out information. And in some respects that's kind of a good thing. Spying, it may be unpleasant to some, it may be deceitful, but actually better informed governments tend to make less rash decisions. And when people talk about international rules of the road for cybersecurity, nobody ever talks about banning or outlawing state on state espionage. So a lot of this started with just governments, including our own. Let's face it, we have laws that allow the likes of GCHQ to do electronic espionage. So that's one big reason. There is then an incentive for some of the more adversarial states to disrupt. But there's a third reason which is related to that, which is not so much to disrupt, but to be prepared to disrupt. In other words, it's what we call pre-positioning. So some people talk about cyber weapons, I really dislike that term. And so far as cyber tools are weapons, you can't just pick them up and point them at something. To do a sophisticated cyber operation, as I said earlier, it takes quite a lot of time. So what you sometimes see, and indeed the Americans have just accused China of doing this over a period of five years, is foreign adversaries lurking in your networks so that if tensions escalate, they have a beach head to attack you. And then finally North Korea has pioneered a new form of state sponsored cyber operation, which is that a cash starved regime that's crippled by sanctions uses it to steal money. So nation states have all sorts of complicated motives for doing cyber operations. Then criminals just do it for money. We talk about big data, like we talk about big oil, and just like there's oil smuggling, there's sort of an illicit data economy. But the reason why cyber crime got so disruptive was that the criminals worked out that this ransomware model really worked a treat for them. 
They made so much more money out of ransomware, out of locking people out of their networks and then getting these terrified companies to pay these huge sums of money. I mean, there was one American food giant that paid $11 million to them in 2021. So they just worked out there was far more money in this sort of disruptive crime than there was in the sort of data theft. So that's why cyber crimes got so disruptive. And the other sort of possible cyber dog that hasn't really barked is terrorism. I think we're legitimately worried about terrorists sort of harnessing cyber capabilities to inflict absolute horrors on our societies, but it turns out that they can't do that most of the time because the sort of skill and infrastructure and money and people and time you need to do a very sophisticated cyber operation that could do loads of damage just isn't available to organisations that are trying to evade detection by the Americans and the British and others. So mostly with a few exceptions, we're worried about governments and criminals.
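Ciaran's TalkTalk example above, SQL injection through a web form, in working code. This is an added illustration and not code from the programme or from any of the speakers: the user table and both login functions are constructed for the example (Python with the built-in sqlite3 module), and the payloads are the two textbook ones. The first function is the bug, building the query by gluing form fields into the SQL text; the second is the standard fix, a parameterised query, run against the same inputs.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for a website's user table (one account)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    # A real application stores a salted password hash, never the password itself;
    # the injection works the same way either way, so the column is kept simple here.
    conn.execute("INSERT INTO users (username, password) VALUES ('alice', 'correct-horse')")
    conn.commit()
    return conn


def vulnerable_login(conn, username, password):
    """The bug: form fields are pasted straight into the SQL text, so a quote in the
    input closes the string literal and whatever follows is parsed as SQL."""
    query = ("SELECT username FROM users WHERE username = '" + username
             + "' AND password = '" + password + "'")
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def safe_login(conn, username, password):
    """The fix: a parameterised query. The SQL text is fixed; the driver hands the
    values to the engine separately, so they can only ever be compared as data."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(query, (username, password)).fetchone()
    return row[0] if row else None


# Two classic payloads. The first comments out the password check ("--" starts a
# comment in SQL); the second makes the WHERE clause true for every row.
PAYLOADS = [
    ("alice' --", "anything"),
    ("nobody", "' OR '1'='1"),
]


def demo():
    """Run each payload, plus the genuine credentials, through both login functions."""
    conn = make_db()
    results = {}
    for user, pw in PAYLOADS + [("alice", "correct-horse")]:
        results[(user, pw)] = {
            "vulnerable": vulnerable_login(conn, user, pw),
            "safe": safe_login(conn, user, pw),
        }
    return results


if __name__ == "__main__":
    for (user, pw), outcome in demo().items():
        print(f"username={user!r:14} password={pw!r:14} "
              f"vulnerable -> {outcome['vulnerable']!r}, safe -> {outcome['safe']!r}")
```

Both payloads log the attacker in as alice through the vulnerable function and are rejected by the parameterised one; only the genuine credentials succeed in both. The same principle applies to any database driver: keep the query text constant and pass user input only as bound parameters.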


How cyber criminals are hacking shipping and goods transport
Lisa Lewis

Sometimes the aim of these attacks is to disrupt a country’s infrastructure. In 2015 and 2016, Russian state-backed hackers were found responsible for attacks that cut power to parts of Ukraine’s grid, and the same adversary has since targeted Ukrainian telecommunications companies. But the threat of digital incursions extends to the transport of goods too. Finding the weak point in a supply chain can cripple the distribution of vital goods, such as food and medicine, across entire continents. And those weak points can come in the most unlikely of places, as risk management commentator Lisa Lewis explains.

Lisa - So the story I'm going to tell you about is a location, it was a terminal in Europe, and it's actually an issue that involved hacking a terminal operating system. So remember we're talking about maritime terminals, which are different to ports. Ports are where ships go for safety, to hang out, as it were. Terminals are used for loading and offloading, whether it's people or freight. It can be bulk, it can be cargo in container boxes. So they're very high functioning, high performance kinds of workplaces. Terminals are increasingly automated. They are more and more relying on AI and the internet of things to track and move the goods. The systems that control those movements are as complex as, I'm sure, you can imagine. And that's called a terminal operating system, a TOS. And that typically will interface with multiple other systems and data sets within the terminal and externally, in terms of customer invoicing and national border control systems.

Lisa - And that becomes really relevant for this example. The terminal team working around it noted there was a real uptick in incidents, and these were around cargo theft and illicit substance finds. These are a standard thing that happens in terminals because of the nature of what's happening there. So on investigation, they did some digging and they understood that the terminal operating system itself had been breached. And this enabled the hostiles to access the whole system, in terms of physical access as well as the assets. So the cargo, in terms of the boxes that were being moved on and off the ships, and also the workers. And in terms of the non-physical access, in terms of remote, they were able to access manifests. These are the papers that go along with the cargo in terms of where it's coming from, where it's going to, who it belongs to, and who's paying for the movement.

Lisa - So the target of this incident, the hack, was around the smuggling of goods in terms of cocaine, and the serious and organised crime gangs that were doing these crimes were infiltrating the terminal operating system to find their drugs in these large, if you imagine these very large kind of places with many, many millions of boxes on there, and to hide the evidence of their smuggling. And the route that they got in, in terms of their back door to get into the system, was very innocent in appearance. It was a light bulb, it was a smart light bulb, but still it was a light bulb. And the fatal error that allowed this incident to occur was not segmenting this device from the rest of the network.

Will - It's the definition of a chain that is only as strong as its weakest link, isn't it?

Lisa - Oh absolutely. I mean, it couldn't be more true. I think, you know, there is increasing evidence, not just in maritime, but domestically, in people's homes and all kinds of commercial settings. And I mean even in the public sector where something as innocent as a toaster could potentially be your backdoor into your system.

Will - That's a pretty extreme case. I hope it's fairly extreme and I hope it's not all that widespread, but are there vulnerabilities in other parts of the goods and transport chain that people are concerned about?

Lisa - There are, absolutely. I mean, if we start with the Internet of things, it's a layered system. So what you have is different layers of data which are talking to each other, that's how IT works, right? You have your device, you know, your refrigerator or your light bulb or whatever it is, and then that has software and that needs to communicate with things, and that tends to go through the cloud. And on the cloud there are applications. So, you know, there are multiple layers that need to interface in order for this to work. If you think of a container of goods, it's going to move by rail potentially, and by road and ship and through a port. And at each point it's going to maybe be touching on multiple technology devices and systems and data sets, and where there's complexity, you potentially do get vulnerability. So all of these are potentially vulnerable to attacks, including hacking, where people are getting in, and spoofing, which is when you pretend something is not as it is.

Lisa - So, if you picture those Mission Impossible kinds of movies where people see something on a CCTV and it's a recording and it's not what's actually going on, you can do that with PNT systems. So in maritime there's use of smart containers. So these big boxes I was talking about before, they can be applied with widgets that detect the position of the box, its motion, and any tampering in terms of has somebody tried to attack it from the outside or inside, you know, movement sensors or CO2 monitors if people are put inside them for whatever reason. These tags rely on all sorts of different ways to communicate their location: radio frequency, wifi, bluetooth, signals from satellites. And as we all know in terms of GPS signals on our mobile phones, these don't work a hundred percent of the time. So they're vulnerable anyway. If you add into that a hostile actor who's trying to get access to information, everything that's connected is vulnerable.

Will - Because I've got you, I do have to ask about something that's been increasingly more pressing in the marine sphere, which is the presence of autonomous vehicles. Because if you are stripping all human elements of a vehicle away, does that not make it more prone to an incursion?

Lisa - It's an evolving area. Risk management is already mature and progressed by regulators and industry, you know, in the maritime world. So if we think about autonomous vessels, these are slowly being rolled out. I don't want anyone to think that they're already out there, as it were; not at the large scale and not with the high hazard kind of materials on board. So they are designed to remove people from the ships and use land-based surveillance instead, really. So if you imagine a ship's offshore, it's moving around, it's coming into the port; instead of having the people on the bridge looking at the port, you would have an operator on the land with cameras and various other things feeding that data to the controller. Now, if a vessel or a landside system gets hacked or spoofed, if you had people on the vessel, they'd notice if something went awry. For example, if you are trained to believe the dials, you'll be standing there looking at the dials.

Lisa - And then if somebody goes into the system and changes the position to give you a false reading, for example, you would then follow that information. However, as a human being, you would use your eyes and you would look out of the window and say, hold on, the sun's not where it should be. And then you would attempt to take back control and correct the course and your location and things. If you are relying on an electronic feed on the shore, then you lose that layer of protection, as it were, that other kind of check and balance to make sure that everything's okay. So, you know, potentially there have been instances globally where things have gone awry and there have been significant consequences for people and assets, in terms of ships grounding, colliding or being stolen with cargo and just disappearing off the grid, right? So it is an issue, but it is recognised by regulators and industry and it is being managed in an organic kind of way.


How are individuals affected by cyber attacks?
Steven Murdoch, UCL

Anyone who has received a dodgy looking text from a number claiming that your package needs a fee to be delivered can testify that cyber attacks of a slightly smaller magnitude are fairly frequent in day to day life. So how do these sorts of attacks work, and are they perpetrated by the same groups as the larger scale incursions? Professor of Security Engineering at University College London, Steven Murdoch.

Steven - The big attacks against large publicly facing organisations are the things that make the headlines. But there's other groups who are targeting individuals, and the way that they work is quite different. There's not much point in carrying out ransomware against individuals because you might be able to extort thousands of pounds out of them, but not the same amount that you'd be able to get if you started going after massive companies with billions of turnover. So the criminals who attack individuals are often there either as a staging point to carry out attacks against companies they might be working for or they might be suppliers to, or they use it for committing fraud. Somehow a criminal will get access to their computer systems or information about them and then use that to somehow take money out of their bank account.

Will - What is the most common way that someone might be able to assume your identity?

Steven - The current most concerning type of fraud is something called authorised push payment. So the way that this has come about is that banking security measures have got significantly better. So somehow the criminal has to convince the victim. So they need to come up with a plausible story, and often that plausible story is based on information that's collected from their computer or from other computers or from data breaches or so on. So the sorts of things that criminals might do is that if they can get into your bank account, they might not be able to steal money, but they can certainly see the transactions and then they call up the victim and say, this is your bank speaking to you, you know it's the bank because I know your last 10 transactions, so surely you should now do what I say. And then the customer will be tricked into sending their money to what they might think is a safe account, but is actually the criminal's account.

Will - That's what we would probably consider a pretty classic form of cyber attack. But as we move towards an almost entirely digital lifestyle, it does seem that we're going to see increasingly bizarre and out there forms of cyber attack. I've even heard of people being hacked through their electric toothbrushes.

Steven - Yeah, so it turned out the toothbrush hack probably wasn't true, but it's not far away from the truth. Criminals want to make money. The way they do that is because they need something that's of value to them. So a computer might have an internet connection, and if they hack into that computer, they can then attack other computers and get paid for that. There might be valuable data, so information that could be used for committing fraud. So the criminals are always looking for what is the weakest internet connected device. And that tends to be where you see the more unusual hacks. The criminals are hacking into things like air conditioning units or fish tank units, not because they care about the air conditioner or the fish tank, but because they're just normal computers, and maybe the criminals don't even know that these are connected to some hardware. They just want to get on the network. Those devices are often poorly maintained compared to servers or desktop computers. And once they're in, they're inside the network and it's much easier to move around.

Will - Increasingly there are some frankly rather chilling stories of facial recognition being involved in these sorts of schemes. I was wondering if you could talk us through a couple of those.

Steven - Again, computing is driven by economics, and one kind of unusual issue is that cameras have become so incredibly cheap because of smartphones. So whereas before you might have had some sort of dedicated sensor for identifying whether someone is standing in front of a computer, or you might have sensors on doors to see whether they're open, it can actually be cheaper to build a camera and machine learning system to recognise all of these things. But that could be quite intrusive because it's recording photos, and in some cases the companies promise that the photos never leave the device. They're just used for identifying what's happening and then the images themselves are thrown away. But you've got to trust the company when it comes to them claiming that. And even if it is true now, it might not be true forever. The company could change their policies, or the device could get hacked, and then it's a device with a camera in a potentially sensitive organisation.

Will - And that almost gives them a secret eye on a part of the company that people would much rather they don't see.

Steven - Yes, and there's certainly been examples, for good or for bad, where people have hacked into cameras. So there's certainly malicious uses of these, and some quite terrible examples of where people are blackmailed based on images that have been collected from cameras that are hacked. But there's also more amusing cases, like where someone has hacked into the camera that is surveilling a call centre that is used for committing scams. So they were able to see in real time the people who were calling up trying to impersonate Microsoft, and yeah, the scam baiters had an amusing time being able to see what these people were wearing and then tell that back to them. And they seemed quite surprised.

Will - We've talked a lot in the show about the economic impact of cyber attacks, and I think that is important, and I think that is also the first thing a lot of people think of when they think of a cyber attack. They think of being held to ransom for large amounts of money or even the loss of personal data. But is there also almost a personal psychological side to this? Because if someone is the victim of a cyber attack, you'd think their trust in digital services may drop; they might have a drop in technological confidence.

Steven - Yes, absolutely. There is quite a significant psychological cost to some of these attacks. It's not just their money that they've lost, they've also lost their autonomy. And so they are definitely traumatised even if they do get the money back. I could see the same thing if there was going to be personal data stolen; even if that personal data is never used, that is an intrusion in itself. They might be less trusting of individuals. It could harm their life, their family and their friends. It might mean that they're less likely to go out and meet people. Maybe they'll be less trusting of their bank and put their money underneath their mattress, and reduce risks in some ways, but it could cause them harm in other ways. It's much easier to lose something if there's no powerful organisation looking after it.


How can we protect against cyber attacks?
Ross Anderson, University of Cambridge

So, in a world almost totally reliant on technology to communicate and do business, what measures can be put in place to protect institutions and individuals? The University of Cambridge's consultant in security engineering, Ross Anderson.

Ross - If you're a business that is a real target of capable state actors, if you're someone like Google or Facebook or Microsoft or Infosys or Tata, or firms that the Russians and Chinese will have dedicated teams trying hard to hack, you end up having several hundred people in your security team, perhaps even more. You have more than one security team. You've got a network control centre where you're monitoring all the traffic coming into and out of the devices on your network. You're looking constantly for signals, indicators of compromise, which suggest that there may be a compromised PC on your network, which you might spot because it's phoning home to a known command and control server that somebody else has pointed out is under the control of a foreign intelligence agency. You have got various kinds of malware detection, what used to be called antivirus. You have got rigorous controls to ensure that your software is patched all up to date. You then have a fair amount of staff training. Now, most of the initial compromises of people in companies are due to phishing. Somebody sends you an email that purports to come from somebody inside the company, but is actually from outside. And this tricks people into entering their credentials. And so companies who take defence seriously very often have regular drills where they send phishing emails to their own staff, and staff who keep on repeatedly clicking on phishing links may actually be fired. But that's only part of what you do. Another part of what you do is to see to it that phishing won't work. You see to it that you get two-factor authentication and everything, and at the same time you assume that some attackers will always get in, because attackers will always be able to subvert somebody who works for you. They can just get some of their intelligence agencies to apply for jobs.

Will - And all of this we've spoken about to this point has been focused on large scale companies, but for the individual who is worried about fraud, who is worried about getting scammed, are there any lessons we can take? Obviously, it feels like the obvious ones are to be vigilant and enable two-factor authentication, but is there anything else you would recommend?

Ross - From the individual's point of view, it's difficult, because the tech industry has devoted an awful lot of time and energy and attention over the past 30 years to training people to click on links and working out all sorts of ways to grab your attention and to persuade you to pay with money you don't have for junk that you don't need. And so scams are just more of the same in many cases. Just as you have got people who will try and sell you diamonds on the internet, there's other people who will try and sell you cubic zirconia pretending that it's diamonds. And when that happens, it's a scam. So we live in a world of wall to wall scams, and one of the things that a prudent citizen will do is to start understanding this. So understanding where the hustle is, where the squeeze is, because if you've got a general understanding of how people get persuaded and how people get ripped off, then that sixth sense will stand you in good stead. As for specific scams, the problem is that these scammers are very often following the scripts that are developed by exploitative companies. We've all experienced that you may be just driving along one day and somebody phones up and says, 'Hello, this is Lloyds Bank. What's your mother's maiden name?' If you say 'take a hike' and put the phone down, then you may suddenly find that your bank cards don't work. But if you give the time of day to these callers, you may find that this isn't in fact the bank that's calling you, but somebody who's pretending to be the bank. So it's extraordinarily difficult and you just have to keep your wits about you in the online world, just as you have in the offline world.

Will - What do you anticipate for the future? We've got so much AI stuff coming in, we've got a shift in increasing ransomware perhaps. What do you anticipate for the future in terms of cyber attacks?

Ross - In terms of the common or garden cyber attacks, where you have people being scammed by people overseas for smallish amounts of money, for rentals and things like that, that's going to continue, I think, because it's a fairly stable ecosystem, and we've tried on numerous occasions to try and get the politicians to change the rules a bit so that, for example, there's some enforcement against cyber criminals. And I can see no real way to get traction on that. I'm afraid ransomware is going to continue to grow because there are large numbers of medium sized companies which are absolutely inviting bait for the ransomware gangs. And the ransomware gangs will now share their profits with a disloyal employee at a company. If you can give the ransomware people your company logons, so they can go in and hold up the company to ransom, you can get a share. So it's very, very difficult to deal with that given that these gangs have got sanctuary in Russia and Russia is not going to extradite them. So ransomware is going to continue, it's going to continue to be a bonanza for lawyers, insurers and others. It will eventually train owners of medium sized companies, government departments, hospitals, schools, et cetera, to be a little bit more careful about how they organise stuff. As far as individuals are concerned, the majority of the cyber crimes to which we're exposed are actually hustles by companies, by perfectly respectable companies whose shares are quoted on the stock exchange. And we have seen one scandal after another where things like payment protection insurance and so on end up being declared by the Financial Conduct Authority to be a scam. And so the banks end up having to pay billions back. We see the American government cracking down on junk fees on airline tickets, for example. 
So there's going to be continued pressure from companies to rip us off using all sorts of mechanisms, and growing pressure on politicians to start doing regulation properly and push back on that. And that's going to be a big political thing, I would expect, over the next 10 years. As far as the high-end stuff, states going after other states: the fact that the Russians are doing more and more attacks on our infrastructure, as are the Chinese, may with luck result in our having more resilient infrastructure, because people like power companies and telcos and so on are being pressured by governments to get their act together, to replace old weak cryptography with modern more resilient stuff and to patch stuff faster. But it all depends on the trajectory. You see, if you suddenly get a rapid escalation in global tension, say for example if China invades Taiwan, then you would expect to see the Chinese breaking as much infrastructure as they can as quickly as possible, particularly in America, in order to blunt any possible military response and to put the Americans off engaging in a protracted conventional war in the Western Pacific. So in that case we might see a whole lot of damage being done to infrastructure before we've had time to harden it, but that work of hardening is ongoing. So it's difficult and it's complex, but you know, there's an awful lot of interesting stuff here to study.
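Ross describes a network control centre watching for machines phoning home to known command-and-control servers. As an added example (not code from the programme or from any of the speakers), the script below runs two such checks over a constructed web-proxy log: a match against a list of destinations some other team has reported as bad, and a timing test for connections that recur at clock-like intervals, which is how a compromised PC's check-ins often look even before its server appears on any list. The log lines, the indicator list (reserved documentation names and addresses) and the threshold values are all assumptions made up for the example.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed indicator list: destinations reported as command-and-control.
# Reserved documentation names/addresses, not real infrastructure.
KNOWN_C2 = {"update-check.example", "203.0.113.45"}

# Constructed proxy log, one connection per line:
# "<ISO timestamp> <source ip> <destination host> <destination ip> <bytes>"
SAMPLE_LOG = """\
2024-03-05T09:00:00 10.1.1.20 www.example.org 198.51.100.10 5120
2024-03-05T09:00:05 10.1.1.42 telemetry.example 198.51.100.200 312
2024-03-05T09:00:07 10.1.1.31 cdn.example.net 198.51.100.7 88001
2024-03-05T09:00:09 10.1.1.20 www.example.org 198.51.100.10 880
2024-03-05T09:01:00 10.1.1.20 www.example.org 198.51.100.10 2048
2024-03-05T09:01:05 10.1.1.42 telemetry.example 198.51.100.200 312
2024-03-05T09:02:06 10.1.1.42 telemetry.example 198.51.100.200 312
2024-03-05T09:02:15 10.1.1.31 cdn.example.net 198.51.100.7 41000
2024-03-05T09:02:40 10.1.1.55 update-check.example 203.0.113.45 1507
2024-03-05T09:03:05 10.1.1.42 telemetry.example 198.51.100.200 312
2024-03-05T09:03:30 10.1.1.20 www.example.org 198.51.100.10 7000
2024-03-05T09:03:31 10.1.1.20 www.example.org 198.51.100.10 640
2024-03-05T09:04:05 10.1.1.42 telemetry.example 198.51.100.200 312
2024-03-05T09:05:05 10.1.1.42 telemetry.example 198.51.100.200 312
"""


def parse_log(text):
    """Turn the raw log into a list of event dicts; blank or malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst_host, dst_ip, size = parts
        events.append({"ts": datetime.fromisoformat(ts), "src": src,
                       "dst_host": dst_host, "dst_ip": dst_ip, "bytes": int(size)})
    return events


def ioc_hits(events, indicators):
    """Connections whose destination name or address is on the indicator list."""
    return [e for e in events if e["dst_host"] in indicators or e["dst_ip"] in indicators]


def beacon_candidates(events, min_connections=5, max_cv=0.1):
    """Source/destination pairs that connect at near-constant intervals.

    Regularity is the coefficient of variation (stdev / mean) of the gaps between
    successive connections. A value near zero means clock-like timing, which a
    person browsing rarely produces but scheduled malware check-ins usually do.
    """
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e["src"], e["dst_host"])].append(e["ts"])
    found = []
    for (src, dst_host), stamps in by_pair.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:  # duplicate timestamps; nothing to measure
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            found.append({"src": src, "dst_host": dst_host, "connections": len(stamps),
                          "mean_interval_s": avg, "cv": cv})
    return found


def run_detection(text, indicators=KNOWN_C2):
    """Both checks over one log; returns the findings rather than printing them."""
    events = parse_log(text)
    return {"ioc_hits": ioc_hits(events, indicators), "beacons": beacon_candidates(events)}


if __name__ == "__main__":
    result = run_detection(SAMPLE_LOG)
    for hit in result["ioc_hits"]:
        print(f"IOC match: {hit['src']} -> {hit['dst_host']} ({hit['dst_ip']}) at {hit['ts']}")
    for b in result["beacons"]:
        print(f"Beacon-like: {b['src']} -> {b['dst_host']} every ~{b['mean_interval_s']:.0f}s "
              f"({b['connections']} connections, cv={b['cv']:.3f})")
```

In the sample, one host is caught by the indicator list and a different one by timing alone: it talks to a name nobody has reported yet, but does so every sixty seconds with tiny jitter, while the host with the same number of connections to a normal site has wildly uneven gaps and is left alone. In practice the timing check is a triage signal, not a verdict; software updaters also beacon, so hits go to an analyst, together with the destination, payload sizes and what the machine normally does.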
