SecurityBrief Asia
Asia's leading source of cybersecurity and cyber-attack news

Did you know your superyacht can be cyber-pirated?

Mon 26 Jun 2017

I was reading an article several weeks ago on attackers being able to hold super yachts – the super-luxurious boats owned by the jet-setting rich and famous – hostage using ransomware, says Jay Kelley, senior product marketing manager at Menlo Security.

A white-hat hacker at a recent super-yacht investor conference (who knew there were even such events?) demonstrated, in less than thirty minutes, how he took control of a super-yacht’s satellite communications system, meaning that the cyber-pirates had control over the ship’s Wi-Fi, telephone system, and even the navigation system. They could read emails, gather banking information, and even steer the boat totally off-course without the ship’s crew being any the wiser.

This attack could be carried out several ways. One way was to hijack the targeted ship’s Wi-Fi – which, in most cases, offers an exceedingly strong signal, surpassing the ship’s boundaries and enabling an adjacent ship to “war-wagon” the target ship’s Wi-Fi and hack it. Another was by a simple drive-by download – where an owner, crewmember, guest, or person on-board the ship, using the on-board Wi-Fi, surfs to a sketchy website and clicks on an even dodgier web link, launching malware or a phony pop-up window stating that a new media player or update is required.

And, with that, malware is downloaded to the user’s device that hijacks the ship’s WiFi and spawns attacks, even ransomware throughout the ship’s networks. This got me thinking: What is the difference between an attack like this on the high seas versus a similar attack on land?

Aside from being stranded and steering off-course for miles, or dead in the water with your navigation and communication systems being held for a king’s ransom, not really that much. The same sort of attack, leveraging a drive-by download, watering hole attack, or even a phishing email, could strike your home, even your business. Let’s look at a similar attack on your home. You surf to a webpage that has been hijacked and is infected with malware, or you receive an email from an old friend that you haven’t heard from in ages asking you to click on a link to see a reunion picture or open video.

Once you click on that dubious link, your home systems begin to act wonky. Your IP address on your Wi-Fi changes automatically. Your connected thermostat suddenly stops working. Your connected refrigerator tells you that you need to buy 3,000 gallons of ice cream. Your connected sound system suddenly, out of the clear blue, starts blaring thrash metal music – and you’re a classical fan. Your home has been hacked.

And, the ransom note that has popped up on your computer says that unless you pay one bitcoin – which is now worth $2,500 USD – by the deadline, not only will all the data on your computer be and remain encrypted, then even deleted, but each of your home systems will fail, one by one, until you pay up. And, even if you do pay the ransom, there is no guarantee that you will ever get your data or even control of your home back.

Now, you’re a business owner. You have a medium-sized business, a small and overworked IT team, and a limited security budget. You have deployed anti-virus and anti-malware software on your users’ devices. You have email security, protecting against unknown user emails. You’ve also deployed firewalls and other perimeter defenses. You’ve even deployed a secure web gateway or similar functionality in a next-generation firewall, to ensure your users – employees, contractors, guests, etc. – can only access appropriate websites during certain times of the day.

You even have electronic doors with keycards to track your users’ access. And, you have security cameras throughout your company, inside and out. You feel that you’re as secure as you can afford to be. You have “good enough” digital and physical security. Then, one day, a person on your team receives an email from an old friend, asking them to click on a web link for a great video. Or, they receive an email from one of your suppliers, asking them to click a link to re-enter your company’s user name and password.

Or, one of your users navigates to a website that they’ve used every day to do their job, to gather research or whatever the reason, to be productive. Once that user clicks on a link, your network, your data, your business, even your office and all the connected devices in it, could be at risk. Think this can’t happen to you or your company? Think again. In January 2017, a boutique resort hotel in the Austrian Alps was attacked by ransomware initiated by a phishing email.

Their electronic door locking, reservation, and cash systems were held ransom. While guests were not locked in or out of their rooms – as electronic door locks need to work even if there is a power outage, so there is always an override – new electronic key cards could not be issued to guests checking in. Also, reservations could not be confirmed or canceled because the reservation system was also held hostage.

The hotel paid the ransom to regain control of their systems. While this attack happened to a hotel, think about if this happened to your business. How difficult would it be for your users if their electronic keycards or badges were to not operate automatic doors? How would you be able to know who is accessing what, where and when? Or, if your Wi-Fi and even connected network were taken offline? How productive could your users be?

Or, if all your fire alarms and other alerts were blaring all day, with no means to turn them off? Or, if your HVAC was inoperable in the summer or in the dead of winter? What if your security cameras were turned off – and turned into botnet zombies? And, on top of all this, your data is being held for ransom.

Could you and your company cope? Consider that, in 2017, Gartner anticipates there to be over 8 billion connected “things” – the Internet of Things (IoT) – and over 20 billion by 2020; that’s in just three years. Then consider that security for the IoT in your home, business, even super-yacht, is seriously lacking.

Developers of connected devices for home, auto, and business have not been as security-conscious as they could be. This is one of the reasons why tens of thousands of CCTV cameras have been hijacked to become integral components of the infamous Mirai botnet. Additionally, users have been notoriously lax in taking security seriously, leaving no password or 3 default passwords as the gateway to their connected home, even business IoT devices.

Plus, even if a security opening is discovered with an IoT device, in most cases, there is no way to patch the device. Most IoT devices use an embedded operating system, many of which are dated and unable to be upgraded. Take all these factors into consideration, and you have a huge issue for consumers and businesses, and an incredible opportunity for hackers to exploit connected homes, businesses, autos – and, yes, super-yachts.

Now, stir into this stew of insecurity the fact that attackers are becoming much more sophisticated with their phishing email techniques, doing their pre-texting homework on targeted users, crafting phishing emails and email addresses almost indistinguishable from legitimate emails (artisanal phishing?), and specifically targeting the weakest link in the home or corporate email chain. Attackers are also developing and launching even more devious, better camouflaged web malware minefields and better targeted watering hole attacks. This is fast becoming a disaster just waiting to happen.

The only way to ensure that you, your home, your business, or even your super-yacht is not susceptible to attack is to stop users from accessing email, surfing the web, or clicking on links. But, none of that is possible: Everyone needs email to be productive today. The web is a necessary work tool.

And, trying to ensure that users don’t click on any links they receive or on any website they surf to is impossible – it’s almost human nature to want to click, especially if it’s about the Kardashians, am I right? So, what can you do? You can install what amounts to bulletproof glass between you and your users, and the Internet.

That bulletproof glass is called web isolation. While the word “isolation” sounds scary and lonely, consider that one of the definitions of “isolate” is to “identify (something) and examine or deal with it separately”. That’s what web isolation does: It identifies web access – regardless of whether it’s via a user surfing to a website and clicking on an ad or link on that website, or opening an email and clicking on a web link or a link to a web document (Word, Excel, PowerPoint, etc.) – and isolates the web session.

It launches the web page or web document in isolation, dealing with it separately. It sequesters any malware in a virtual, disposable container, and returns a clean, rendered webpage to the user’s endpoint device. There is no sandboxing – which, by the way, many of the latest ransomware infections look for and, if one is found, the malware does not start.

There is no “good vs. bad” assessment, which can lead to false positives – or worse, false negatives. There is just no more malware, no more phishing, no more ransomware. It’s one-hundred percent safety via isolation, making it safe to click. Now, that’s security.

Article by Jay Kelley, senior product marketing manager at Menlo Security. 
