I was at GovWare 2014 last week, an annual conference and exhibition on cyber security ecosystem. IT security conferences like this one have the tendency to send you away sad. It’s not so much I learn something new, but more so that I’m reminded our vulnerable our society is to cyber security threats and cyber terrorism.
IT is everywhere, in every aspect of our lives, and maybe for some of us, even taken over our lives. We know that. But perhaps not everyone is equally aware of the importance of IT security, the prevalence of cyber security threats, and how significantly they can impact and disrupt our society.
It’s not about an annoying virus that slows down your PC, or spam email that clog up your inbox. No, if you’re still dealing with virus and spam email, then there’s something wrong with how you use computers. I’m referring to terror scale threats that put you right in the middle of a war.
Yet, most people are oblivious to the IT security threats that surround us. Just this past week or so, for example, we’ve seen so many developments. Some of these you may be aware of. Let me just name some of them.
First, there is Shellshock, a bug in the GNU Bash shell, which potentially enables remote attackers to execute arbitrary commands on a computer system. GNU Bash happens to be extremely popular and often used as the default command-line interpreter in many Unix based operating systems. How old is this bug? Since GNU Bash version 1.14, which is in year 1994. Oh wow.
Earlier this year, there was Heartbleed, and that made big news everywhere. Heartbleed affected OpenSSL versions from only over a 2 year period. This GNU Bash bug is 20 years old! If you’re interested, I’ll leave you to read about it on Wikipedia. There has since been some 6 bugs related to Shellshock, and who knows, the list may grow.
Have you heard of BadUSB? It’s malware that infects USB devices. A proof of concept was demonstrated a few months ago, but now more details have been revealed, including publication of code. Briefly, this malware embeds itself into USB device firmware, giving the device new covert capabilities. When you connect an infected USB device to your computer, that malware can carry out a variety of attacks on your computer.
But, you think, won’t anti-virus stop this malware? No. Anti-virus can’t see this malware, because it is in the USB device firmware. This isn’t a file stored in a USB flash drive, for example, but within the USB firmware. You can’t stop what you can’t see.
To stop BadUSB will essentially require USB to be redesigned. This isn’t going to happen any time soon. Even when an “improved USB” does come, it’s still going to take manufacturers to move to it, and then, what about all the old USB stuff you have? If you’re interested in more information, check out this BadUSB article on Arstechnica.
If you’re thinking that these are IT problems for IT people to solve, let’s move on to other threats that might worry you a little more. There’s this highly successful malware, Gameover Zeus, which has been targeting banking customers in other parts of the world, has now come to Malaysia. This malware infects computers, presents imitation banking websites, and steals personal data. It can also work its way to infect your mobile phone, on which you receive your 2FA PIN, so that the attackers also has access to your 2FA device. Last week, police reported that at least eight people had lost more than RM$59K in just the last month.
Related to banking, and still in Malaysia, did you hear about how 15 (and maybe more by now) ATMs were hacked, and that bad guys made off with some RM$3M of cash? Oh, to be clear, it wasn’t that they hacked the machines with axes or blow torches. They simply asked the ATMs for money. Ok, it was a little more persuasive than just asking. These high-tech hacks are happening next door. Oh yes, one of the affected bank is UOB.
Having to deal with malware is complicated enough for many people. Don’t trust suspicious attachments, suspicious USB flash drives, etc. But what do you know, even the police might be handing out malware to you? In this case, it’s spyware that police and other government agencies in the United States that are handing out to their residents. Some 245 agencies in more than 35 states have apparently handed out ComputerCOP to the people they’re supposed to protect. According to EFF, ComputerCOP includes key-logger software that sends unencrypted logs to a third-party server. How cool. Your government is the bad guy. Oh wait, I think most Americans already know that. That’s what the NSA does…
The last thing I want to share about isn’t directly an exploit of IT security vulnerability. Let’s hear about it first. On 26 September 2014, an apparently suicidal employee set fire in the basement of an air route traffic control centre in Aurora. The incident triggered the evacuation of the air traffic centre, and subsequently led to the cancelation of some 4000 flights, causing much travel disruption and mayhem. U.S. President’s Air Force One was also diverted, although that was a White House effort to relief pressure on the Chicago area airports still fighting to resume normalcy. The Aurora facility isn’t scheduled to resume operations till 13 October 2014.
I’m speaking of this incident because it demonstrates how dependent we are on IT and on technology. Think about this. The fire at the Aurora facility was just a very small fire, but it can cause such a massive disruption. Imagine, for a moment, terrorists had wanted to cause a really massive air travel disruption that is truly of a national-scale. They just simply needed to coordinate a series of small little fires at those few strategic air traffic centres in the U.S., and trigger the simultaneous shutdown of significant airspaces throughout the country. This would be so much easier to do than 9-11 to shutdown the entire U.S. airspace!
Coming back home for a moment, think about the fire that took out the cable camber at Bukit Panjang Exchange. The disruption brought down mobile phone service, banking services, and many other businesses were affected. Residential broadband services were also out for several days. This is just one small fire, because someone (according to official reports) used an unauthorised blow torch.
So my point is, within just about a one week period, we can see so many events taking place. Each one has the potential to be so much worse than it had been. These are threats that are lurking around us every day, even though it’s only just once in a long while the main stream media will pick up a topic or two to write a big story about.
Unfortunately, I don’t have good short answers. My short answer is about the need for awareness. Cyber security isn’t just about malware and software patches. It isn’t just about banking misadventures. It’s about critical infrastructure that we need to worry about, and not just from software attacks, but also physical attacks. This has the potential to critically impact our lives. We’re just lucky no one has planned out an elaborate cyber attack, yet.