Vulnerable to a hack: The daily risk we take to be connected in a digital world

"We are 100% vulnerable."

Megan Lynch
May 30, 2019 - 9:00 pm
Categories: 

ST. LOUIS (KMOX) — We're a long way from the days of dial-up internet connections. We have an almost endless choice of devices — devices that can connect us instantly to the world. However, the innovation enhancing our lives can also be an achilles heel ... vulnerable to a hack.

What can be hacked? The simple answer — anything and everything. 

We've reached an age where business and government rely on technology and computer networks. And consumer access to internet connected devices is exploding. 

First, it's important to understand the real level of threat. It's basically off the charts.

"The consequences for modern society are potentially catastrophic," said Joe Scherrer, the Executive Director of Professional Education in the McKelvey School of Engineering and the Director of the Cybersecurity Strategic Initiative at Washington University in St. Louis. 

Scherrer spent more than two decades in the U.S. Air Force. While serving at the Pentagon he was architect of the first national military strategy for cyberspace.

"We have cyber criminals all across the globe that it's a 9 to 5 job, and they're buying and selling access, and they're exploiting vulnerabilities that really boils down to our inability — the humans' inability — to do what needs to be done to make ourselves a harder target"

Experts say we let hackers get a foot in the door ... without much effort on their part.

At the recent Gateway to Innovation Conference in downtown St. Louis, I spoke with IT professionals between sessions. I asked about their biggest security worries. People falling prey to phishing emails topped the list.

These tactics are called "social engineering." Using simple psychological manipulation, cybercriminals get people to cough up confidential information or trick them into opening a file or clicking links containing malware.

Every year Verizon releases a Data Breach Investigation Report. Email is once again a top concern.

Verizon's investigation revealed attacks against company executives spiked in the past year. Top executives especially ... they're 12 times more likely to be the victim of an email attack.  

2019 Data Breach Investigations Report by EntercomSTL on Scribd

Bad guys aren't just going after the biggest corporations. Nearly half of all data breaches involved small businesses.

At SpearTip in St. Louis, cybersecurity experts in the operations center monitor banks of displays watching for attempts against clients. Those clients come from a broad range of industries including manufacturing, finance and health care.

"Security events that we see day to day range anywhere from a thousand to 10,000," SpearTip's Director of Security Operations, Jonathan Tock said.

Cyber criminals have a variety of motives, use a wide range of tools and try to get access any way they can.

Tock said hackers try the easy way in first. "Default credentials or weak passwords."

Cybersecurity firms are also seeing continued use of malware.

A recent threat assessment found that 71% of attacks against companies are for financial gain. One cyber gang is believed to have made $6 million from ransomware attacks alone.

Symantec's annual threat report found that one in ten cyber attack groups use malware to try and disrupt business operations — that's a 25% increase from 2017.

As SpearTip's Tock points out, one malware attack can have multiple motives.

"A lot of times we see a company get maybe one machine that was ransomed. So one machine that was encrypted. And they write it off as we stopped it, at least it didn't get anywhere," Tock said. "What they don't realize is all of the passwords, all of the information that was pulled before that encryption started."

Outside of the office, our society is rapidly embracing a connected lifestyle. We have smart phones, smart watches, smart homes, even smart toys for our kids. Soon we'll have smart cars that do all the driving for us.

All of these things are part of the rapidly expanding IoT — the Internet of Things. They can interact with other devices and be remotely monitored and controlled. Experts say they're all vulnerable to a hack.

"When we move into IoT the initial focus is going to be on functionality and cost and at times those decisions and the tradeoffs are made where security takes a secondary role," said Michael McGlynn, Vice President for Security Solutions at St. Louis-based World Wide Technology. "We're going to need to see a shift, particularly as we migrate to 5G and we migrate to a much more interconnected world, security has got to be part of that foundational design and development process."

5G aka 5th generation cellular network technology. It's better, faster access to broadband. That also creates a bigger attack surface.

With 4G, roughly 2,000 devices can be connected within a square mile. 

With 5G? It can connect a million. 

"This is like cybercriminal in a candy store!" explained Ladi Adefala is Security Strategist with FortiGuard Labs — the threat intellligence and research arm of Fortinet.

One of the most popular new IoTs: voice activated assistants.

When you talk to Alexa, it uses applications called "skills"— programmed to help the device respond to your voice commands. Adefala said malicious actors can use a technique called "skill squatting" to dupe users. 

"Skill squatting" is a technique researched by the University of Illinois in Champaign. Hackers have found a way to exploit the voice-recognition function. Anyone who's used virtual assistants knows they're not always perfect at interpreting what you say. 

Skill Squatting Attacks on Amazon Alexa by EntercomSTL on Scribd

That means that Alexa, Google Home, Siri, or Cortana — any of your virtual assistants can likely be fooled.

"I'm a cybercriminal. I will go write a custom skill, but I will give it a name that sounds like the name of a legitimate skill," said Adefala.

What if instead of Am-Ex for American Express, a hacker created a skill for the very similar sounding "em-ex?" If the device misinterprets what you've said, instead of being connected to your financial institution, you've been sent to a criminal organization.

The Internet of Things goes well beyond voice assistants, however. 

You can control your home through smart devices ... the lights ... thermostat ... even the aquarium.

Certainly your fish tank won't put you at risk? 

It did at one casino where hackers used the device to invade the main computer and pull off reams of information on casino patrons.

The average homeowner now has about 20 interconnected devices.

"It's projected to be 75 billion interconnected devices around the world by the year 2025," Suzanne Magee pointed out. She's the founder of two cybersecurity firms — TechGuard Security and Bandura Cyber. "That's just going to make it faster, more things possible ... but also give those same kinds of access and tools to the hackers."

Cyber criminals pose a grave risk to the world around us. We live in the spectre of an all out cyber war.

The security of our nation is vulnerable to a hack.

"Certainly in U.S. we have created military commands focused on cyberwarfare and cyberdoctrine, so I think that any strategy going forward in warfare is going to incur both," World Wide Technology's McGlynn said. "Cyberspace is now a contested domain." 

Brigadier General Rob Lyman pointed out that cyberspace is now just like air, space, land and sea. Lyman is Director of Command Control Communications and Cyber Systems at the U.S. Transportation Command based at Scott Air Force Base in Illinois. For U.S. Transcom in particular, the link to commercial contractors has to be absolutely secure. 

"You asked me specifically about threats, and a large amount of our transportation business is conducted with U.S. companies that are targetted everyday by ransomwear, advanced persistent threats and criminal activity," Lyman said. "It's a challenge for us because we're so heavily reliant on commmerical carriers."

That includes transportation service providers and software developers — making sure that security is built in to systems from the beginning.

Lyman told KMOX that there's been a definite shift as cyber security has become critical for daily operations. He pointed out that within the Department of Defense, there are now whole commands dedicated to cyberspace operations.

"We not only think about it from a security perspective but we have what we call cyberprotection and cybermission teams specifically designed to look for malicious actors in the cyberdomain and clear them out of friendly networks. So we're actually maneuvering, if you will, in that cyberdomain with a maneuver force."

Washington University's Scherrer noted that security begins and ends with us. Scherrer said the critical need in the cyberage is talent.

The cyber security talent gap is being called a crisis by some. A recent Forbes article warned there will be as many 3.5 million unfilled positions in the industry by 2021.

"The attackers attack at a very technical, specific, precise level and a precise manner and if we don't understand that ... it just makes it that much easier for malicious actors to take advantage of us."

Scherrer said we're vulnerable at every level of our society when it comes to our interconnected devices ... our systems and our security. "If you were looking for a hopeful answer, yes we are 100% vulnerable. I like to say there's a light at the end of the tunnel when it comes to cybersecurity, and it is indeed a train."

© 2019 KMOX (Entercom). All rights reserved.