We live in a world where people and businesses are more aware of, and more concerned about, cyber security than ever. And that general vigilance we see worldwide is critically important, because with new and more sophisticated threats emerging all the time, malicious and criminal activity can and will still happen.
Nonetheless, even in 2018, organisations and individuals alike still often fail to follow even the most basic principles or put in place the simplest of safeguards. And the implications of these failings can affect huge numbers of innocent people, or cause an organisation untold financial damage.
To demonstrate the impact of poor security, we’ve picked out five unlikely and bizarre examples of security breaches, staff blunders and malicious activity from around the world. All of them occurred within a two-month period (December 2017 and January 2018) and all of them show just how easily things can go wrong.
A WiFi double-cross
In an effort to demonstrate weaknesses in cyber security practice, the youth wing of a Swedish political party set up a fake wireless network at the ‘Folk och försvar’ security conference. The network was deliberately made to look like the event’s real network, and approximately 100 delegates – among them politicians, reporters and cyber security experts – connected to the fake network. Incredibly, the same people performed the same stunt at the same event in 2015, with a similar impact.
Those behind the incident explained that their intentions were good; they wanted to show how easy delegates and data on their internet usage and interactions could be exposed in a potentially malicious way. It displayed all too well how even the slightest lapse in vigilance can allow major threats to gain traction.
Winning the malware prize
Perhaps the least likely place you’d expect to receive malware would be when dealing with national authorities. But that’s exactly what happened to the winners of a cyber security quiz at an expo held by the Presidential Office of Taiwan late last year.
The 250 quiz winners each received an 8GB USB stick as a prize, but it soon transpired that 54 of these sticks contained a malicious file. The infection was later traced to a computer which was used to check the USB sticks for their capacity, and had spread the file to the sticks.
Thankfully for the recipients of the sticks, the malware was related to a European fraud ring that had already been shut down and therefore had no effect. If the file had still been active, the consequences could have been severe – not just for the users, but for the Taiwanese authorities, too.
For sale: a billion identities for $8
Sometimes, you can take all the precautions you possibly can, and still end up dealing with the aftermath of a security breach if untrustworthy staff indulge in rogue behaviour.
But how much damage could this realistically cause? It could be reputational harm to a company or the theft of millions of euros, but either of these are nothing compared to the leaking of access to the personal data of around 15 per cent of the world’s population.
The Tribune newspaper in India has recently alleged that it was able to gain access to data on the Aadhaar national identity database for just USD$8 (€6.50, £5.70). Names, phone numbers, postcodes and email addresses of over a billion people were therefore all available to the reporters, thanks to their contact with former Aadhaar staff that were still able to access the database. As a result of this gap in protecting the database against ex-employees, the vast majority of the Indian population could be susceptible to identity theft.
Penny pinching at the pumps
As we featured on this site late last year, security of devices connected to the Internet of Things is a particularly hot topic at the moment. Just about every connected device you can think of is a possible target, including (apparently) the pumps in car refuelling stations.
Across stations in southern Russia, fraudulent employees had been installing software into pumps to make them deliver up to seven per cent less fuel to customers than they’d actually paid for. The undelivered fuel was automatically collected and held in a separate tank, from which it could be collected and then sold on illegally.
The hacker responsible for creating the well-hidden software, Denis Zayev, was arrested on January 20. He’s believed to have set up a profit-sharing arrangement with the employees distributing the software, a set-up worth hundreds of millions of rubles. The case shows that even the most unlikely of machines can be used for cybercriminal activity.
One of the first security lessons we all learn is to make sure our important passwords aren’t something so obvious that they could be guessed. And yet somehow, it would seem that the message didn’t get across to one of the biggest financial stock markets in the Middle East.
It’s emerged that for several months, the username and password for one of the routers at the Muscat Securities Market in Oman were both set as ‘admin’. This was despite the fact that a security researcher warned bosses on several occasions of the risk to the market, and how easily a hacker would therefore be able to obtain the access needed to take control of devices.
At some point, probably in early January, the credentials were quietly changed to strengthen the security before the flaw became common knowledge. The impact of a breach for an exchange with a total market value of around €23billion could have sent financial shockwaves across the globe.
The key takeaway
Now, let’s not pretend that there is some sort of magic fix that can prevent all of these kinds of incidents taking place. Humans will make mistakes, new threats will take us by surprise, and weaknesses in systems will be exploited.
As a service provider, what you can do is make every effort to give your client the best protection imaginable. That can range from robust proactive security based on predictive analytics and artificial intelligence, through to enabling cultural change in workforces as their technological partner. It won’t protect them from absolutely everything, but every attack and threat you can shield their data from is a financial or reputational loss prevented.
You can help protect your clients’ data, both on-premise and on the move, with MaaS360 when you partner with IBM.