Recently, a nuclear power plant was hacked. According to Reuters, the director of the International Atomic Energy Agency said the attack “caused some problems” and the plant had to “take some precautionary measures.” Given the increased prevalence of internet-enabled applications, how vulnerable are we to cyber-attacks and what can be done to prevent them? We are looking for the most well thought out answer to this question in up to 150 words: use the comment feature below the blog and please feel free to promote your research! The winner will receive an Amazon gift certificate worth £50 and a bag full of Mendeley items; competition closes November 23.
Hacking – Not Just for PCs Anymore
The arrival of the Internet of Things has meant that our lives are more networked than ever before; the internet isn’t merely on a computer stuck in the corner, it’s connected to our phones (which track our every movement), it’s embedded into our appliances and vehicles, it’s wired up to security cameras and to life support machines. However, this widespread connectivity also indicates an equally widespread vulnerability: our personal data, our public services, and even our cars could be hacked.
The head of the International Atomic Energy Agency said a nuclear plant had been hacked. While he didn’t fully spell out the risks, he noted that the security breach had “caused some problems” and “some precautionary measures” were required.
And Continuing Vulnerabilities
On October 11, Symantec revealed that hackers had attacked users of the SWIFT financial transfer network. The goal was to use “malware to hide customers’ own records of Swift messages relating to fraudulent transactions”.
What Can Be Done?
It’s been projected that “$1 trillion will be spent globally on cybersecurity from 2017 to 2021”; but is this expenditure in vain? Can our data, our banks, and our public services be truly protected? What can be done to enhance security? Tell us!
About Mendeley Brainstorms
Our Brainstorms are challenges so we can engage with you, our users, on the hottest topics in the world of research. We look for the most in-depth and well thought through responses; the best response as judged by the Mendeley team will earn a prize.
Cybersecurity Ventures. (2016). The Cybersecurity Market Report covers the business of cybersecurity, including market sizing and industry forecasts, spending, notable M&A and IPO activity, and more. [online] Available at: http://cybersecurityventures.com/cybersecurity-market-report/ [Accessed 11 Oct. 2016].
PEYTON, A. (2016). Symantec reveals more hack attempts on Swift network. Banking Technology. [online] Available at: http://www.bankingtech.com/606802/symantec-reveals-more-hack-attempts-on-swift-network/ [Accessed 13 Oct. 2016].
SHARWOOD, S. (2016). Nuke plant has been hacked, says Atomic Energy Agency director. The Register. [online] Available at: http://www.theregister.co.uk/2016/10/11/nuke_plant_has_been_hacked_says_atomic_energy_agency_director/ [Accessed 11 Oct. 2016].
15 thoughts on “Mendeley Brainstorm: Hacking – How Secure Are We?”
I think a good way to stop cyberattacks would be to insert analog disruptions in digital systems and thus interrupt the digital flow of information.
It may feel counterintuitive at first, but to slow down or disrupt the fast flow of data could be used as a defense against such hacks.
Like in the example of the recent US Office of Personnel Management hack (https://www.wired.com/2016/10/inside-cyberattack-shocked-us-government/), the office has made the “physical possession of a chip-enhanced ID card that correlates with username and password” mandatory. The physical chip is much harder to hack and is personalized.
This is one way to implement such an approach; however, an even stronger approach would be inserting physical cues in the workflow that would require a physical human to do it personally. An example could be as simple as turning a knob or pushing a key. This could be done better by requiring the entry of biological information, like scanning a hand or fingerprint.
Human behavior is an easy way to hack a computer system. We know that people don’t change their passwords, or they use simple ones. Password software can manage sophisticated passwords for us. Great! But why will you change your account password every month or so if you keep the original IP address and password for all your hardware, like routers or PLC devices? That information is freely available in online user manuals or written directly on the device itself. Even worse, many devices like routers allow brute-force password trials without locking up. So are we really safe?
There are so many security measures implemented and available to the public to use (such as SSL, encryption standards, hashing, etc.), that the easiest way to hack someone is to abuse the fact that everyone is human. By this, I mean that the easiest, and probably most used way, is through phishing. Hacking/cracking someone’s account/password takes very long, but just “asking” them what it is is trivial. So basically, it boils down to two rules:
1. Create a password that is difficult to guess
2. KEEP IT SECRET (use common sense to avoid falling for phishing scams)
If a hacker acquires the credentials of anyone (especially someone in upper management or on the network team) in any company, the company and its data are compromised.
A systematic negligence to security has led to the current state of affairs. It is especially apparent for big names providing closed source proprietary software, which beyond the better/worse argument is just hard/impossible to audit. Passwords are just a small fraction of security. People need to be educated and common ill practices in the industry need to cease to exist. None of which I expect to happen at the needed scale. People don’t want to be bothered and they expect to simply swallow the magic pill. On the other side, security is hard to sell so companies still have little incentive to push harder.
Dual authentication is needed to protect from security breaches, available as an option to users that want a more secure experience. Your key changes every sixty seconds and is only linked to a single device.
I think first and foremost we should know the meanings of virus, Trojan, worms and codes beyond dictionary meanings. And equally we should know who is a hacker and what he is capable of doing. Moreover, what are systems and machines?
Securities, encryption, decryption and passwords (secrets) are all helping factors in curbing the menace of hacking, but not strong enough to stop it in totality. New inventions always give rise to a new generation of hackers. It is just like a question and its answer. Each and every question must have an answer/solution provided the question is right, depending on time… #This is a fact
We will never stop cyberthreats, for the simple reason that it is intrinsic to the technology development process. It is similar to what happens in other domains, like automobiles – we developed amazing fast machines, wonderful roads… that can also provoke serious injuries; but nowadays we have learned how to live with that risk and, above all, we developed a learning system and regulations, enough to make roads a space as safe as possible.
What I am trying to say, in this new cyberspace we need also to create rules and promote education in a way everyone can evaluate the risk and assume its own responsibilities. And this applies to all players: users, technology providers, infrastructures providers and regulators (at national and international level).
We increasingly see IoT devices (including toothbrushes?!) which a little investigation reveals are just using the default user name and password. Many problems are announced on https://cve.mitre.org/ and people reporting vulnerabilities they observe is vital. You then need a way to automatically monitor your machines; not everyone will have a home network set up to keep an eye on their fridge or kettle or toothbrush.
I found the recent “nematode” (anti-worm worm) amusing; http://www.theregister.co.uk/2016/10/31/this_antiworm_patch_bot_could_silence_epic_mirai_ddos_attack_army/ though it suggests a way to use offense as defence. A combination of proactively looking for problems, being aware of sensible measures like not using default or crack-able passwords, and also being more pro-active will help.
In the long run, whatever you do to secure machines will be insufficient; in some ways it’s an arms race between sides. The trick is to catch problems early before any damage is done.
Most of the attacks do not rely on exploiting exotic software vulnerabilities. Instead, they take advantage of human error. The major vectors of attack have solutions that should be more widely implemented.
1. Phishing attacks on users
Users can be fooled into giving up their credentials to website URLs that look similar to the real thing. These tricks can be prevented by using a 2-factor authentication method that verifies the exact address of the site the user is logging on to, such as a physical U2F key that interacts with the browser or a SQRL program running on a smart phone.
2. Social engineering against companies
Customer service reps can be tricked into “resetting” login credentials at the request of someone who is not the real user. There should be mandatory waiting periods when credentials are reset in that way, during which time the real user is notified about the attempt to reset and has a chance to block it. Also, users who suspect they are being targeted should be able to completely disable over-the-phone resets.
3. Insecure default settings in IoT devices and routers
This needs to be fixed with better industry standards and/or legislation. There should be a regulatory body that gives a seal of approval to products that meet simple standards for security and privacy, and there should be consequences for companies that are negligent.
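Added example (not part of the comment above and not code from any U2F library): a simplified JavaScript model of the origin check that point 1 describes, in which the browser records the origin it is really connected to and the key signs over it. The origins, function names and message layout are constructed for illustration and are not the actual U2F wire format.

```javascript
const crypto = require('node:crypto');

const sha256 = (s) => crypto.createHash('sha256').update(s).digest();

// Hardware key (hypothetical model): one P-256 key pair registered for one app id.
function makeToken(appId) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return {
    appId,
    publicKey,
    // Signs the app id hash together with the hash of the browser-built client data.
    sign: (clientData) =>
      crypto.sign('sha256', Buffer.concat([sha256(appId), sha256(clientData)]), privateKey),
  };
}

// Browser: writes the origin it is actually talking to; page script cannot choose it.
function browserAuthenticate(token, visitedOrigin, challenge) {
  const clientData = JSON.stringify({ challenge, origin: visitedOrigin });
  return { clientData, signature: token.sign(clientData) };
}

// Server: the response must carry its challenge, its own origin and a valid signature.
function serverVerify(expectedOrigin, publicKey, challenge, { clientData, signature }) {
  const data = JSON.parse(clientData);
  if (data.challenge !== challenge) return 'reject: wrong challenge';
  if (data.origin !== expectedOrigin) return 'reject: origin mismatch';
  const signed = Buffer.concat([sha256(expectedOrigin), sha256(clientData)]);
  return crypto.verify('sha256', signed, publicKey, signature) ? 'accept' : 'reject: bad signature';
}

// Constructed scenario: the same challenge answered on the real site and on a lookalike.
function demo() {
  const realOrigin = 'https://bank.example';
  const lookalike = 'https://bank-example.test';
  const token = makeToken(realOrigin);
  const challenge = crypto.randomBytes(16).toString('hex');
  const direct = browserAuthenticate(token, realOrigin, challenge);
  const relayed = browserAuthenticate(token, lookalike, challenge);
  // Client data rewritten after signing to claim the real origin: signature no longer matches.
  const tampered = { clientData: direct.clientData, signature: relayed.signature };
  const check = (resp) => serverVerify(realOrigin, token.publicKey, challenge, resp);
  return { direct: check(direct), relayed: check(relayed), tampered: check(tampered) };
}

console.log(demo());
```

A password or one-time code typed into the lookalike page would be accepted by the real server; here the response produced on the lookalike origin is rejected even though the user touched the same key.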
Hacking unfortunately is inevitable and no matter how you secure a system there is always a possibility of getting hacked. Therefore, being as safe as possible can only be achieved if the hacker loses incentive to hack. A computer program is a representative of its engineer’s knowledge and capabilities. Just like we need constant modification and adjustment in any field we relate to, so that we grow and sharpen our knowledge in that field, the program, representing its creator’s capabilities, also needs modification. There is no better way of modifying than being challenged with problems and fixing them after finding the root of the mistake. So major and important companies should do what Google recently did, challenge others to hack them, and offer money for information about a flaw in the program. Given the incentive, areas that need fixing will be revealed.
News reports of hacked organisations give the impression that computers are insecure. Yet billions use computers every day without problems, in home appliances, smartphones and workplace devices. Computers are, as Mark Weiser envisioned in 1991, ubiquitous, successfully running the modern world. However, computers are inherently insecure by their nature because they are a programmable general purpose machine, their malleability being their Achilles’ heel, and hacking has been around as long as the computer. Cliff Stoll’s book The Cuckoo’s Egg covered catching a hacker in the 1980s. The question is not one of security but of trustworthiness. Do you trust the device and the software it is running? Trustworthiness is undermined by the true causes of security problems, humans. They design systems that are intrinsically insecure. The Cyber-security Group at Coventry University believes that a new class of designs will be trustworthy, otherwise cyber-security will remain computer science’s greatest failure.
First we have to acknowledge that, as strong and tall as we make our cyber walls, our routines and habits can and will be traced, measured and predicted by someone intelligent who has an interest in us, just to take advantage of us. That makes us hackable on and off-line.
On top of that we’re experiencing an explosion in the creation and use of software and digital strategies made to capture the information of the user (apps, mail lists, big data, etc.) which exposes us a lot more.
I think good ways to prevent cyber-breaches for organizations are: having specialized personnel to keep sharp firewalls, software code (so there are no exploits) and access codes. And for the normal user could be having a list of strong passwords which should be changed periodically and also having a strong antivirus besides not leaving your e-mail everywhere! Using common sense works too.
Throughout modern times where computers came to emerge, encryption technology has kept pace with the increases in computing power. When encryption technology is utilised in the right way, it could well deter hackers and the mathematical odds of a brute force attack is unlikely. However, with the emergence of quantum computing, how secure would our information be in the future? Hackers may well have an upper hand against society if they manage to harness the powers of quantum computers.
The ongoing competition between officials and criminal groups renders the situation cumbersome. Arguably one of the most efficient solutions could be to “recruit” top criminal hacker communities to work with official agencies to reveal hidden threats. Political will is at the center so that “special agent forces” could be formed.
Thank you to all who entered this competition; apologies for the slight delay due to the Thanksgiving break. The team will examine the entries and come back with a winner as soon as possible.