It’s easy to become blasé about cybersecurity issues. Maybe you treat the topic the same as technology itself. From the time we awaken to the moments when rapid eye movement sleep begins calming our constitutions, technology keeps us company. I refer to REM sleep because in fact technology pollutes our sleep in non-REM phases if we crash out with an iPad, TV, or laptop on in the background. We’re so enveloped in the conveniences of technology that it tends to be submerged in our workaday lives and we don’t actively consider it. Similarly, we don’t expressly kick back at various times of the day to celebrate breath, pulse, and proper organ functionality. These things, tech included, are simply part of life.
Don’t do that with cybersecurity. Don’t become so familiar with, or just overwhelmed by, the darker forces of technology that they are ignored like a prop buried deep into the stage of life. It’s important for the clock on the set of a Dickens play to not be digital, so attention must be given to it. But from the audience’s view you’re not likely to home in on every stage detail before enjoying the show. On the cybersecurity front, however, vigilance in observation is required. Things are happening, my technology-consuming friends, and they’re not always benefitting you. You can’t be a casual audience member. Rather, you need to be present, aware, cautious. The attackers zealously lick their lips at the notion that you’re blasé about security. Every simpleton’s password affords great opportunity. It’s clear that opportunities aren’t waning for the thieves plying their trade with ones and zeroes.
How about a simple Week in the Life of cybersecurity to illustrate? And, believe me, my research into a week’s cybersecurity activity can only scratch the surface, a surface limited to incidents we know about. It’s like discussing the most recent snowflake that landed atop the iceberg’s tip. Last week, the five days of a traditional work week, which was February 3 to 7, was just like any other week in this information security realm of life. Honestly (and this comment remained, true as it turned out, from my very first draft of this piece) I suspect that there’s no way to even catalog the headlines from all of the week’s cybersecurity news in this relatively short space, but here goes.
Last Monday, February 3, it was reported that a malware (“malicious software”) Trojan named TrickBot continued its devious evolution by becoming even more elusive in the Windows 10 environment. Back in 2016 TrickBot began its life as a banking hack meant to steal login credentials. Since then it was named top business threat in 2018, it’s compromised 250 million email accounts, and it’s now considered a model to be built upon by new criminal ventures.
In 2002 the Canadian company Ashley Madison was born. I know, I know … you’ve never even heard of this. Basically, it was a company and then an app that promoted cheating. Its slogan was not subtle: “Life is short. Have an affair.” For the millions of people who joined the website, whether for actual results or, as the SNL skit quipped, “Honey, I was just curious,” their identities were not kept sacrosanct. In 2015 a group of criminals saw the potential bounty in hacking into Ashley Madison’s systems to get members’ identities toward extorting cash from them. That was five years ago. Ashley Madison still operates. And so do the criminals. Last week, yet again, hundreds of those initial 32 million hacked account holders are still paying for their [ah-hem] sins. A new extortion plot unveiled itself and it was highly focused and personal this time. Victims of the so-called sex-tortion crime received emails demanding over $1,000, in Bitcoin of course, else their secrets get published. You might call that “comeuppance.” I call it cybercrime (but join in your position, too).
How about our friend Elon Musk and the super-techie Tesla? Hackers chomp at the bit to infiltrate Tesla. It’s a worldwide brand with daily news attention. It’s on the forefront of technology with its electric propulsion system and pioneering self-driving vehicle technology. It’s a company worth billions, some days scores of billions and others hundreds of them. It’s a target on any day, and last week we learned that researchers were able to fool Tesla’s autopilot systems by introducing fake images that represent obstacles in the road. The test Tesla “saw” the fakes and suddenly braked or steered away from them (and into ___?). They modeled a cyberattack that could do the same. One researcher summed it up with, “[The attack] is very simple and does not require any specific effort.” Really?! Thank you for giving the hackers notice and inspiration. Moving on….
Another type of malware hit the presses again: AZORult. Terrible name, yes? This software steals login credentials and credit card details from online transactions. How novel. Like TrickBot, AZORult is not new, and has been evolving and morphing into more effective and efficient operations. A path that, if criminals took it with more honest endeavors, would actually help things, of course. In its years of development it snagged passwords from internet traffic. It lifted data from Bitcoin and other cryptocurrency users. The newer version added theft of browser history information, and is now quite invisible to many cyberdefense systems.
As I predicted, I can’t share the entire week’s cybersecurity incidents and threat reports. In fact, I didn’t even get to Tuesday, February 4, by covering these four. It’s continually threatening us, and we cannot get complacent. Recall also that I admitted to being only capable of the tippity-tip-top of the iceberg. Thanks to threatpost.com for serving as one of hundreds of clearinghouses of cybersecurity news. Imagine if I could touch on them all, if just for one day of intelligence.
Ed is a professor of cybersecurity, an attorney, and a trained ethicist. Reach him at firstname.lastname@example.org.