What Cyber Security Threats and Flying Monkeys Have in Common

img blog What Cyber Security Threats Flying Monkeys Have Common r1

As cyber security experts, you may think that Adaptive has already written everything you need to know about the current state of cyber threats, but nothing could be further from the truth. Why? Because there is no (static) “current state” of cyber threats. Unfortunately, the cyber landscape – from threats to protection – is growing and shifting every day. 

You know how you’ve been taught to look left and right before you cross the road, but nobody ever told you to look up? In the past, it wasn’t a precautionary measure you had to take to cross the street. But, in this new covid dimension, the cyber security threats are as bizarre as flying monkeys preying on vulnerable humans, perched somewhere out of sight just waiting to catch them off guard. And when they do, their unlucky victim will have no idea what’s going to happen next.

Yeah… these new cyber threats are just as bizarre as the idea of being hijacked by flying monkeys. Only worse. Cyber criminals aren’t just ruining businesses, or stealing personal data, they are threatening mankind. Do you think we’re exaggerating? Look what we discovered today…

In an article by Arms Control, they wrote, “The Nuclear Power Corporation of India Ltd. (NPCIL) confirmed on Oct. 30 that a cyberattack against the Kudankulam Nuclear Power Plant in Tamil Nadu had occurred in early September. 

Pukhraj Singh, a cybersecurity analyst and former employee of India’s signals-intelligence agency, the National Technical Research Organization, tweeted that there had been ‘domain controller-level access’ at Kudankulam and that ‘mission-critical targets were hit.’

Despite attempts by the plant and NPCIL to downplay the incident, security experts and Indian government officials have expressed concerns over future attacks.

Shashi Tharoor, a member of the opposition Congress Party of India, tweeted, “If a hostile power is able to conduct a cyber-attack on our nuclear facilities, the implications for India’s national security are unimaginable.”

You might think, I live in Canada, what does this have to do with me? It has everything to do with you. There are 6 Nuclear Power Stations in Canada – 5 in Ontario, and one in our own backyard… right here in New Brunswick. 

Cyber Security is EVERY one’s responsibility. If you think you’re doing enough, you aren’t. Unless you have a cyber security specialist working with you. Is this a shameless promotion of our cyber security plans? No… it’s a fact. Cyber threats have gone off the rails, and you need someone who knows how to drive the train. 

*** Yes, we are painfully aware that we’re mixing metaphors throughout the entire article. But, some people like monkeys, others like trains and a select few like installing a wireless router and hard drive into their leg. (More on that soon) 

Need some more “bizarre” convincing? If you think cyber criminals care about the people or organizations they attack, this next snippet will convince you otherwise… 

In an article by the Washington Post, they wrote, “A massive cyberattack targeting the International Committee for the Red Cross is showing how hacking can even threaten vital humanitarian work. 

‘The breach compromised the personal information of more than 500,000 recipients of Red Cross assistance, including victims of war and violence,’ the Red Cross said. The breached servers belong to the organization’s Restoring Family Links service, which focuses on reconnecting loved ones separated by war and other causes. 

That raises the specter of those people being victimized again by hackers either stealing their online identities or sharing their information with groups that may wish them harm. 

‘We are appealing to whomever is responsible: The real people, the real families behind the information you now have are among the world’s least powerful,’ Director General of the International Committee of the Red Cross Robert Mardini said in a rare public appeal to the hackers to not do anything with their bounty.

The hack has caused ‘immeasurable damage’ to the notion any program can safely manage the personal information of so many victims of war and violence, Lukasz Olejnik said. Adding,‘This contributes to the debate and the big questions of whether some kind of data should really be run via open-access digital systems.’

It’s also underscoring the damage hackers could cause by targeting humanitarian agencies more broadly — most of which have far fewer technical resources than the Red Cross. 

‘We talk a lot about the monetary damage of cyberattacks, but this really brings home that there is a tangible human toll to cyberattacks and intrusions that impact very vulnerable populations,’ Chris Painter, former top cyber diplomat during the Obama administration, said.”

So, Cyber criminals will attack everything from Nuclear Plants to Charity organizations. But, before you start to think that you’re ‘just’ a small business, there are victims you would think would be entirely off the radar, but they weren’t. Take, for example, school lunches.

According to excerpts of an article by Sophos, they wrote, “When it comes to school lunch, you’ve got choices.

You can get 1) the French toast sticks, 2) the baked fish sandwich with lettuce and tomato, or 3) to be a ruthless school concession tycoon who hacks into your competition, rips off student data, and tries to anonymously frame them for having crappy security.

Keith Wesley Cosbey, the chief financial officer of a Bay Area company in the student lunch business called Choicelunch, was arrested in April on two felony counts of allegedly choosing menu item No. 3. Or, in legal terms, for “illegal acquisition of student data” from the website of Choicelunch’s archrival, The LunchMaster, of San Carlos, California.

Vishal Jangla, the San Mateo County deputy district attorney, says that Cosbey, 40, is looking at more than three years in prison if he’s convicted of charges of hacking into The LunchMaster’s site to get data about hundreds of students, including their names, their meal preferences, information about allergies, their grades, and more, according to the San Francisco Chronicle.”

RELATED: Executive hacked competitor’s website to steal students’ meal preferences

Talk about despicable! Hacking into information about children?

If that weren’t weird enough, hackers are literally modifying their bodies to steal information. 

In an article by Wired, they wrote, “Forget the thumb drive, how about a leg drive? 

An implantable device about the size of a pack of gum, called PegLeg, serves as a combined wireless router and hard drive. That doesn’t sound weird, until you learn that the device is meant to be surgically inserted into your leg. Any Wi-Fi enabled device can access it, and the device can store hundreds of gigabytes of data, stream movies or music, or smuggle encrypted files across international borders. It raises a thorny question: Who is responsible for the data stored in someone’s body?

Still think flying monkeys are the weirdest thing in this article? 

Okay, let’s switch gears from “stories,” to “Confessions from Hackers,” and what you can do to create some cyber sanity in an insatiable cyber attack reality. 

In a PHENOMENAL article by RD.com hackers wrote, We send incredibly personal emails.

Spear phishing, the act of sending targeted emails to get you to share financial information or passwords, can be exceptionally sophisticated. “The old-style ones had spelling and punctuation errors, but today, it has really become an art,” says Mark Pollitt, PhD, former chief of the FBI’s computer forensic unit. “They may call you by name, use your professional title, and mention a project you’re working on.”

Outsmart us: Spot phishing emails by looking for incorrect or unusual URLs (hover over links to see the actual URL address), requests for personal information or money, suspicious attachments, or a message body that’s actually an image. Unless you’re 100 percent confident that a message is from someone you know, don’t open attachments or click links. Here’s how to avoid the most common online scams.

We’ve got all the time in the world

Hackers have programs that systematically test millions of possible passwords. “They go to sleep and wake up in the morning, and the program is still going, testing one password combination after another,” says Peter Fellini, a security engineer with Zensar Technologies, an IT and software services firm. Look out for these signs your password could get hacked.

Outsmart us: Instead of a password, try a passphrase. Use letters and characters from a phrase and include special characters, numbers, and upper- and lowercase letters (Mary had a little lamb could become mh@Ll, for example). Or consider a password manager that generates and remembers random, difficult-to-crack passwords. (Even then, some experts recommend unique passphrases for financial accounts in case the password manager gets hacked.) Not even the real world is safe from fraud–watch out for this new mail scam that targets pregnant women. 

We love your Bluetooth headset

If you leave the Bluetooth function enabled after using a hands-free headset, hackers can easily connect to your phone, manipulate it, and steal your data.

Outsmart us: Always turn Bluetooth off after you use it. Set your visibility to “off” or “not discoverable,” and require a security code when you pair with another Bluetooth device. Want to avoid public wifi? Learn how to set up a mobile hotspot with these quick tricks.

We sneak while you surf

A growing number of cyberattacks are arriving via “drive-by download,” says Giovanni Vigna, PhD, a computer science professor at the University of California at Santa Barbara and co-founder of anti-malware provider Lastline Inc. “You visit what looks like a perfectly harmless website,” he says, “but in the background, you are redirected to a series of other sites that send you an attack.” Often even the website’s owner doesn’t know the site has been compromised. Although search engines keep blacklists of known malicious sites, the bad sites are continuously changing.

Outsmart us: Make sure you install all available updates to your browser or use a browser that automatically updates, like Firefox. Vigna’s research has found that Internet Explorer users are most vulnerable to these attacks. Learn more about your computer–your “private” browser may not be so private. 

We can infiltrate your baby monitor or smart TV 

Remember, your smart device is essentially a computer—and chances are, it’s not a particularly secure one. Anything in your house that’s connected to the Internet, from your smart fridge to your climate-control system, can be hacked. In several recent incidents, hackers were able to hijack a baby monitor and yell at a baby. Experts have also shown how hackers can turn on a smart TV’s camera and spy on you.

Outsmart us: When setting up smart devices, always change the default password. Most of these devices work from your wireless router, so password protecting your Wi-Fi can also help. Keep up with firmware updates; many devices will inform you when there’s an update available. Otherwise, look for an Update Firmware option in the main menu or settings. Keep in mind these are more red flags someone is spying through your devices.

We eavesdrop on free public Wi-Fi networks

Even if you’re connected to a legitimate public network, a “man-in-the-middle” attack can allow hackers to snoop on the session between your computer and the hot spot.

Outsmart us: Avoid public Wi-Fi if possible, especially unsecured networks without passwords, advise security experts at MetLife Defender, a personal data protection program. Instead, set up your smartphone as a secure hotspot or sign up for a VPN (virtual private network) service. If you must use public Wi-Fi, avoid financial transactions and consider using a browser extension like HTTPS Everywhere to encrypt your communications. Here’s what URL actually stands for.

We lure you with “shocking” videos on Facebook

A friend just posted a video of an “unbelievable animal found in Africa.” If you click to watch, you’re asked to download a media player or take a survey that will install malware on your computer, says Tyler Reguly, manager of security research at the cybersecurity firm Tripwire. It also shares the video with all your friends.

Outsmart us: Type the video’s title into Google and see if it’s on YouTube. If it’s a scam, someone has probably already reported it. Be aware of these other clear signs you’re about to be hacked.

We take advantage of your typos

Fake sites with slightly altered URLs like micrososft.com or chse.com look surprisingly similar to the real site you meant to visit, but they’re designed to steal your data or install malware on your computer.

Outsmart us: Double-check the site’s address before logging in with your name and password, especially if the home page looks different. Check for https in the address before typing in your credit card information.

We crack your password on “easy” sites

A 2014 study found that about half of us use the same password for multiple websites, making a cybercrook’s job easy. “A hacker will break into a soft target like a hiking forum, get your email address and password, and then go to your email account and try to log in with the same password,” says Marc Maiffret, chief technology officer at BeyondTrust, a security and compliance management company. “If that works, they’ll look to see if you have any emails from a bank. Then they’ll go to your bank account and try that same password.”

Outsmart us: Use two-factor authentication, a simple feature that requires more than just your username and password for you to log on. In addition to your password, for example, a site may require you to enter a randomly generated code sent to your smartphone to log in. Many companies—including Facebook, Google, Microsoft, Apple, and most major banks—now offer some form of this safeguard. (For a list of companies that offer it, visit twofactorauth.org and click Docs under your provider to learn how to set it up.) Know these 9 ways your password is probably weak, and correct them.

We can easily break into routers that use WEP encryption 

Many older routers still rely on a type of encryption called WEP (Wired Equivalent Privacy), which can easily be cracked with a widely available software program that anyone can download.

Outsmart us: Make sure your router uses WPA2 (Wi‑Fi Protected Access 2), the most secure type of encryption, or at least WPA. Click your computer’s wireless network icon to check the security type. If your router doesn’t give you one of those choices, call your router manufacturer to see if you need to do a firmware update—otherwise, plan to get a new router. Don’t forget to change your preset Wi-Fi password, since any good hacker knows the default passwords for all major routers.

We impersonate trustworthy companies

You may get a fake financial warning from your bank or credit card company, order confirmation from a retailer, or social networking invitation.

Outsmart us: Remember, most companies never ask you outright for your account information. You can sometimes spot this type of scam by hovering over the address in the From field or by hitting Reply All and looking for misspellings or strange addresses. Also, check to see that the email was sent to you and only you. If you’re not sure it’s legit, call the company instead.

We debit tiny amounts—at first

Cyberthieves may test-drive a stolen card number by running a small charge under $10 to see if anyone notices.

Outsmart us: Check your transactions online regularly—even daily. If you spot a charge you don’t recognize, report it immediately to your card issuer. To prevent hackers from getting your card information, remember these 10 times you should never pay with a credit card.

We hacked that ATM you just withdrew cash from

Crooks install cleverly disguised “skimmers” to steal your card information, while a hidden camera or a thin skin over the keypad captures your PIN. Now, scammers even have a way of targeting ATMs remotely.

Outsmart us: Try to use ATMs inside banks, where it’s tougher for criminals to install these devices, and inspect the machine carefully before you use it. “Whenever I use an ATM, I give the area where you insert the card a little tug to make sure it’s secure and is really a part of the machine,” Fellini says.

We count on your downloading our free, fake versions of popular apps

These apps steal confidential information or bypass your phone’s security settings and subscribe you to premium services. “You choose the free version of a game, it asks for all sorts of access, and you say ‘yes, yes, yes’ to all the permissions,” Vigna says. “The next thing you know, it’s sending premium SMS text messages and stealing your money.”

Outsmart us: Before installing an app, check the ratings and number of people who have installed it—hackers can fake positive ratings, but they can’t stop other posters from warning that the app is a trick. Most fake apps have to be downloaded straight from a website, so make sure you always download from an official market like Google Play or Apple’s App Store.

We love that you always leave Wi-Fi on

Though it’s convenient to leave Wi-Fi turned on while traveling with your laptop, tablet, or smartphone, your device will constantly try to connect to known networks. Connecting to open WiFi can be risky since attackers can identify those networks and set up rogue networks that impersonate them.

Outsmart us: Get in the habit of turning off your Wi-Fi every time you leave your home.

We fool you with bogus software updates

You know you’re supposed to update your software to protect it, but hackers may send you fake updates that actually install malicious backdoor programs on your computer.

Outsmart us: If you get a pop-up message about an update, go to the software provider’s actual website and check to see if it’s real. You can also try closing your browser to see if the pop-up disappears—if it does, it may be a fake.

We can crack supposedly safe retailers

Experts say big brands will continue getting hacked until retailers can better protect their data. Hackers sell your information on the black market, and other criminals then use it to make counterfeit cards that can be used for shopping.

Outsmart us: Don’t save your financial information when you shop online—check out as a “guest” when you can. If you fall prey to an attack, ask your bank to issue you a new credit card, take advantage of any credit monitoring that’s offered, and scrutinize your statements. Stay safe with these 10 ways to protect yourself online.

Safety in real life

Readers who recovered from or prevented a cybercrime share their advice:

Try not to apply for credit cards online—credit card companies require your Social Security number. Once you put that out there, it’s out there forever.  —Christine Mumper, via email

Avoid debit cards—they allow hackers much easier access to bank accounts than credit cards do. Also, when logging in to an online account, never check the box that says “Remember me.” It takes only a couple of seconds to type in your username and password each time, and you don’t want that information “remembered.” —Rick Kane, Collettsville, North Carolina     

Consider freezing your credit with the three credit bureaus and simply thawing your file when you need to open a new account. Keep the passwords you need to thaw the account in a safe place. This is free or inexpensive in most states. —Frank Coulman, via email

At Adaptive Office Solutions cyber security is our specialty. When you know your technology is being looked after, you can forget about struggling with IT issues and concentrate on running your business. By making an upfront investment in your cybersecurity, you can lower your costs through systems that are running at their prime; creating greater efficiency and preventing data loss and costly downtime. 

To schedule your Cyber Security Risk Review, call the Adaptive Office Solution service hotline at 506-624-9480 or email us at helpdesk@adaptiveoffice.ca