Cyber Threats; Like Monsters in the Dark

Child lying in bed just before bedtime: I’m afraid of the dark.

Father: Well, think of it this way kiddo, if it’s really dark, the monsters will have more trouble finding you.

(source: http://www.savagechickens.com/2017/02/the-dark.html)

While the internet has many dark places where monsters lurk, it seems they are on the move into all sectors of the internet. Some monsters make the Hydra of myth seem tame. Mirai is malware that lurks in the shadows and hunts the internet for IoT devices that are connected to the internet and configured with default passwords. These devices are marshalled into a many-headed attack on some hapless website of the bad guy’s choosing. Used en masse, these simple devices are capable of inflicting considerable damage by preventing even powerful websites from being accessed. Much as one bird hitting a plane is not fatal but a flock of birds in front of a plane can bring it down, DDoS attacks using tens or hundreds of thousands of simple devices can bring almost any entity to its knees.

And now this article discusses how a new Trojan is used to compromise Windows machines that are connected to the internet, find IoT devices on the LAN that are not directly connected to the internet, infect them with Mirai, and then use them as needed. Thus, even devices NOT on the ‘net are vulnerable if configured with default passwords.

Perhaps less invasive but no less pernicious are chatbots. Chatbots are programs that emulate conversations that you might have on a website with other like-minded users. This article discusses some of the lessons learned in the Ashley Madison breach. From the article:

We humans are suckers for flattery. As automated software-based “bots” become easy for scammers to create and deploy, people are going to be deceived by them much more often. Bots are the future, and they are already creating problems. Dating site Tinder has been doing its best to stamp out the scourge of online bots that are attempting to flatter users into downloading apps and providing credit card information. Even bots deployed with the best of intentions are unpredictable. Microsoft’s automated chat bot Tay all too quickly reflected the worst parts of the social Internet. A Dutch man was questioned by police after a Twitter bot he owned autonomously composed and tweeted a death threat.

The bots on the AM site were there to convince paying customers that others online were interested in making a connection, so that they would continue their membership. The Tinder bots were more malicious. As the programming gets better, it will be harder to tell if you are conversing with a person or not. Depending on the situation, the distinction can lead to a broken heart or a drained bank account.

Sometimes the monster turns out to be a faithful companion (say, a mobile phone) that suddenly does something that really causes a problem. This article and its French source describe the situation of a Frenchman suing Uber because its app has a bug that let his wife know some information about his Uber ride. There are no details on the destination involved, but currently the wife is suing for divorce. Apparently he used her phone to order a ride. He logged out of the Uber app, but it kept sending status messages to her phone. He is suing Uber for 45 million euros (approximately $48 million). No matter how it turns out, there is a lot of pain involved for these two people as a result of an app misbehaving, monstrously, you might say.

How about your Fitbit? Do you trust it? Keeping in mind how simple devices can be compromised when connected to the internet, or even when they are not connected but sit on the LAN with some other device, this article discusses how wearables will be part of the attack surface going forward. Along with thermostats, light bulbs, baby monitors and other IoT devices, we are creating a system of simple devices that have little or no protection against attack. While changing passwords helps, most of these devices will never be updated for security vulnerabilities and will just provide jumping-off points for attacks on other networks. Also, with ransomware becoming a growing issue, the above article cites this scenario:

Florin Lazurca, senior technical manager at Citrix, believes that consumers will be a target of opportunity in 2017. Innovative criminal enterprises will devise ways to monetize on potentially billions of internet-facing devices that many times do not meet stringent security controls. “Want to browse the internet? Pay the ransom. Want to use your baby monitor? Pay the ransom. Want to watch your smart TV? Pay the ransom,” Lazurca says.

Smart TVs have already been infected with ransomware. Many experts are pointing to ransomware as the next wave of problems for businesses and individuals. Individuals will probably suffer from this the most as they are less likely to have a good backup available or the necessary security resources to help mitigate the problems.

Monsters are a pain. They come out in the dark, but if you turn the light on they can see you. When children worry about monsters, you need to help them realize why they are afraid and how to cope with those fears. The monsters on the internet unfortunately are very real. You can protect yourself if you become an informed user and realize that security needs to be a much higher priority than ever before. Contact Ashton for help, because it’s easier to defeat monsters when you have good help.