SecurityBrief Asia - Technology news for CISOs & cybersecurity decision-makers
Story image
Did you know your superyacht can be cyber-pirated?
Mon, 26th Jun 2017
FYI, this story is more than a year old

I was reading an article several weeks ago on attackers being able to hold super yachts - the super-luxurious boats owned by the jet-setting rich and famous – hostage using ransomware, says Jay Kelley, senior product marketing manager at Menlo Security.

A white-hat hacker at a recent super-yacht investor conference (who knew there were even such events?) demonstrated, in less than thirty minutes, how he took control of a super-yacht's satellite communications system, meaning that the cyber-pirates had control over the ship's Wi-Fi, telephone system, and even the navigation system. They could read emails, gather banking information, and even steer the boat totally off-course without the ship's crew being any the wiser.

This attack could be carried out several ways. One way was to hijack the targeted ship's Wi-Fi – which, in most cases, offers an exceedingly strong signal, surpassing the ship's boundaries and enabling an adjacent ship to “war-wagon” the target ship's Wi-Fi and hack it. Another was by a simple drive-by download – where an owner, crewmember, guest, or person on-board the ship, using the on-board Wi-Fi, surfs to a sketchy website and clicks on an even dodgier web link, launching malware or a phony pop-up window stating that a new media player or update is required.

And, with that, malware is downloaded to the user's device that hijacks the ship's WiFi and spawns attacks, even ransomware throughout the ship's networks. This got me thinking: What is the difference between an attack like this on the high seas versus a similar attack on land?

Aside from being stranded and steering off-course for miles, or dead in the water with your navigation and communication systems being held for a king's ransom, not really that much. The same sort of attack, leveraging a drive-by download, watering hole attack, or even a phishing email, could strike your home, even your business. Let's look at a similar attack on your home. You surf to a webpage that has been hijacked and is infected with malware, or you receive an email from an old friend that you haven't heard from in ages asking you to click on a link to see a reunion picture or open video.

Once you click on that dubious link, your home systems begin to act wonky. Your IP address on your Wi-Fi changes automatically. Your connected thermostat suddenly stops working. Your connected refrigerator tells you need to buy 3,000 gallons of ice cream. Your connected sound system suddenly, out of the clear blue, starts blaring thrash metal music – and you're a classical fan. Your home has been hacked.

And, the ransom note that has popped up on your computer says that unless you pay one bitcoin – which is now worth $2,500 USD – by the deadline, not only will all the data on your computer be and remain encrypted, then even deleted, but each of your home systems will fail, one by one, until you pay up. And, even if you do pay the ransom, there is no guarantee that you will ever get your data or even control of your home back.

Now, you're a business owner. You have a medium-sized business, a small and overworked IT team, and a limited security budget. You have deployed anti-virus and anti-malware software on your user's devices. You have email security, protecting against unknown user emails. You've also deployed firewalls and other perimeter defenses. You've even deployed a secure web gateway or similar functionality in a next-generation firewall, to ensure your users – employees, contractors, guests, etc. – can only access appropriate websites during certain times of the day.

You even have electronic doors with keycards to track your users' access. And, you have security cameras throughout your company, inside and out. You feel that you're as secure as you can afford to be. You have “good enough” digital and physical security. Then, one day, a person on your team receives an email from an old friend, asking them to click on a web link for a great video. Or, they receive an email from one of your suppliers, asking them to click a link to re-enter your company's user name and password.

Or, one of your users navigates to a website that they've used every day to do their job, to gather research or whatever the reason, to be productive. Once that user clicks on a link, your network, your data, your business, even your office and all the connected devices in it, could be at risk. Think this can't happen to you or your company? Thinks again. In January 2017, a boutique resort hotel in the Austrian Alps was attacked by ransomware initiated by a phishing email.

Their electronic door locking, reservation, and cash systems were held ransom. While guests were not locked in or out of their rooms – as electronic door locks need to work even if there is a power outage, so there is always an override – new electronic key cards could not be issued to guests checking in. Also, reservations could not be confirmed or canceled because the reservation system was also held hostage.

The hotel paid the ransom to re-gain control of their systems. While this attack happened to a hotel, think about if this happened to your business. How difficult would it be for your users if their electronic keycards or badges were to not operate automatic doors? How would you be able to know who is accessing what, where and when? Or, if your Wi-Fi and even connected network were taken offline? How productive could your users be?

Or, if all your fire alarms and other alerts were blaring all day, with no means to turn them off? Or, if your HVAC was inoperable in the summer or in the dead of winter? What if your security cameras were turned off – and turned into botnet zombies? And, on top of all this, your data is being held for ransom.

Could you and your company cope? Consider that, in 2017, Gartner anticipates there to be over 8 billion connected “things” – the Internet of Things (IoT) – and over 20 billion by 2020; that's in just three years. Then consider that security for the IoT in your home, business, even super-yacht, is seriously lacking.

Developers of connected devices for home, auto, and business have not been as security-conscious as they could be. This is one of the reasons why tens of thousands of CCTV cameras have been hijacked to become integral components of the infamous Mirai botnet. Additionally, users have been notoriously lax in taking security seriously, leaving no password or 3 default passwords as the gateway to their connected home, even business IoT devices.

Plus, even if a security opening is discovered with an IoT device, in most cases, there is no way to patch the device. Most IoT devices use an embedded operating system, many of which are dated and unable to be upgraded. Take all these factors into consideration, and you have a huge issue for consumers and businesses, and an incredible opportunity for hackers to exploit connected homes, businesses, autos – and, yes, super-yachts.

Now, stir into this stew of insecurity the fact that attackers are becoming much more sophisticated with their phishing email techniques, doing their pre-texting homework on targeted users, crafting phishing emails and email addresses almost indistinguishable from legitimate emails (artisanal phishing?), and specifically targeting the weakest link in the home or corporate email chain. Attackers are also developing and launching even more devious, better camouflaged web malware minefields and better targeted watering hole attacks. This is fast becoming a disaster just waiting to happen.

The only way to ensure that you, your home, your business, or even your super-yacht is not susceptible to attack is to stop users from accessing email, surfing the web, or clicking on links. But, none of that is possible: Everyone needs email to be productive today. The web is a necessary work tool.

And, trying to ensure that users don't click on any links they receive or on any website they surf to is impossible – it's almost human nature to want to click, especially if it's about the Kardashians, am I right? So, what can you do? You can install what amounts to bulletproof glass between you and your users, and the Internet.

That bulletproof glass is called web isolation. While the word “isolation” sounds scary and lonely, consider that one of the definitions of “isolate” is to “identify (something) and examine or deal with it separately”. That's what web isolation does: It identifies web access – regardless if it's via a user surfing to a website and clicking on an ad or link on that website, or opening an email and clicking on a web link or a link to a web document (Word, Excel, PowerPoint, etc.) – and isolates the web session.

It launches the web page or web document in isolation, dealing with it separately. It sequesters any malware in a virtual, disposable container, and returns a clean, rendered webpage to the user's endpoint device. There is no sandboxing – which, by the way, many of the latest ransomware infections look for and if one is found, the malware does not start.

There is no “good vs. bad” assessment, which can lead to false positives – or worse, false negatives. There is just no more malware, no more phishing, no more ransomware. It's one-hundred percent safety via isolation, making it safe to click. Now, that's security.