Did he or didn’t he?

That’s the question exercising IT and cyber analysts over the claims by hacker Chris Roberts that he accessed in-flight entertainment and flight systems from his seat. The claims have been derided by Boeing and aviation experts.

Whatever the outcome, it highlights that this is a major security concern. This hacker claimed to have gained control from his passenger seat; but many airlines have now introduced wifi to their aircraft too, a service that is gradually rolling out globally. So could someone hack into an airliner’s controls from the ground via wifi? Or on board the aircraft as claimed by Mr Roberts?

I’ve worked in software all my life, and my view is that any system can be hacked. We tend to think of software-based systems as something operated by computers, electronic devices, microprocessors etc. Thinking this way can lead us to lose sight of the fundamental fact that all systems are designed and built by human beings, and therefore subject to human error and oversight. Airliners have proved all too horrifically to be one of the terrorist’s weapons of choice.

New aircraft designs use TCP/IP technology for the main aircraft backbone, connecting flight-critical avionics and passenger information and entertainment systems in a manner that virtually makes the aircraft an airborne, interconnected network domain server.

There are and should be very real security concerns with this. One key to mitigating the threat will be ensuring that all systems related to flying the aircraft are an “island” – i.e. completely isolated from the non-essential flying systems.

Although Mr Roberts’s claims have been dismissed, it seems he may have highlighted a very real Achilles heel in the systems. If he is to be believed, the IES was in fact connected to the avionics. If that is the case, then a way in could be found.

PHISHING ALERT – BVI BEING TARGETED

There is presently a targeted E-Mail Phishing campaign against the British Virgin Islands with someone using LIME as the mechanism. They have cloned the Lime Email login site.

The actual website that users get sent to is hosted in Greece and they are harvesting email and password information from users that log in.

The picture below shows what the email looks like. If you receive an email like this DO NOT CLICK ANY LINKS! Delete it immediately.

Lime Phishing Email

The following pictures show the source code being used in the attack and the email script.

Lime Phishing

This is the Source Code:

Lime Phishing Source

As ever, remain vigilant. If you have even the slightest doubt over the veracity of an email, delete it and contact the company directly.

We’re under ever-increasing attack

Regular readers will recognise Cyber Security as a common theme of my blogs. Without wishing to sound shrill it is getting worse – attacks are becoming more frequent, more sophisticated and more successful. Worse, this is no longer limited to major retailers and banks (eg Target), but small businesses and individuals are falling victim to cyber attack. On this blog I can provide three examples that have occurred in the BVI in the past week. Read on….

1) Our client called us in because they were having non-specific IT and email problems. On investigation we found their email had been hacked, giving access to all their past and current emails to the hacker. However, what had happened next was scary.

The hacker, with access to their previous emails, posed as a regular supplier based in the US. They sent utterly convincing emails to our client, culminating in a “change of bank account” email. All of this was highly authentic, with the only clue to the scam being the server account the emails were sent from. Our client understandably trusted the emails and duly changed the bank account. Only after several thousand dollars were transferred to it did they discover the scam, by which time of course it was too late.

One way to have averted this was to spot that the emails were from a different server – not easy in these days of “name only” emails. The other was to change their own email address entirely after the initial hack, and inform known suppliers and customers of the new email address. Of course they would have needed to realise the hack had taken place to do this….

2) A client received a “Phishing” email purportedly from Amazon.com. Again, very convincing, it looked exactly like an email you would receive from Amazon. This one was an order acknowledgment which included a “click this link” if you hadn’t placed the order. The client had not placed the order, clicked the link and BAM! – malicious software was uploaded to their computer and all their online accounts were immediately compromised. Fortunately we spotted it before the attackers were able to make any monetary gain.

3) I personally received a “change of password” notification to one of my email accounts. This included a link to click in the event that I had not actually changed my password, so my email provider could investigate. Not having changed my password, my finger was poised on the mouse about to press the link when alarm bells went off in my head. Rather than click, I hovered over the link so the address would pop up. Sure enough it was an address unrelated to my email provider – it was a phishing email. I was millimeters from clicking a link which would have downloaded malicious software to my computer, with all the misery that would then follow.

Was I pleased with myself for not clicking the link? Not really. I was relieved at such a close call. But then I thought about it – I write about cyber security almost every day on social media and blogs. Yet I had almost fallen foul. People with less awareness, or more likely busy people simply trying to get through their emails, could easily fall victim.
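The two clues described in the examples above, the sending server in example 1 and the link destination revealed by hovering in example 3, can also be checked mechanically. The sketch below is an added example, not code from this blog; the function names, the domains `mail-provider.example` and `unrelated-host.example`, and the sample message are all constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

def host_of(address_or_url):
    """Lower-cased domain of an e-mail address, or host of a URL."""
    if "://" in address_or_url:
        return (urlsplit(address_or_url).hostname or "").lower()
    return parseaddr(address_or_url)[1].rpartition("@")[2].lower()

def belongs_to(host, domain):
    """True when host is the domain itself or one of its subdomains."""
    return host == domain or host.endswith("." + domain)

class LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hrefs = []  # every href found on an <a> tag
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def triage(raw_message, trusted_domain):
    """Warnings for a message that claims to come from trusted_domain."""
    msg = message_from_string(raw_message)
    warnings = []
    # Example 1: the visible name can look right while the servers differ.
    for header in ("From", "Reply-To", "Return-Path"):
        value = msg.get(header)
        if value and not belongs_to(host_of(value), trusted_domain):
            warnings.append(f"{header} domain is {host_of(value)}")
    # Example 3: what hovering reveals, the real destination of each link.
    collector = LinkCollector()
    collector.feed(msg.get_payload())
    for href in collector.hrefs:
        if not belongs_to(host_of(href), trusted_domain):
            warnings.append(f"link goes to {host_of(href)}")
    return warnings

# Constructed sample message (all domains are placeholders).
SAMPLE = """\
From: "Mail Provider Support" <support@mail-provider.example>
Reply-To: helpdesk@unrelated-host.example
Return-Path: <bounce@unrelated-host.example>

<p>Not you? <a href="http://login.unrelated-host.example/reset">Click here</a></p>
"""
if __name__ == "__main__":
    print("\n".join(triage(SAMPLE, "mail-provider.example")))
```

These headers can be forged by the sender, so an empty warning list is not proof that a message is genuine; a non-empty one is a reason to contact the company directly before acting.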

What to do? Well, remain vigilant. If you do click a link and have even the slightest concern, call in your IT manager to review your computer. More proactively, you can take the following steps:

  1. Cyber training – user awareness training for you and your staff on what to do (and what not to do) in your daily computer usage
  2. Cyber review – have a cyber security expert review your IT systems for weaknesses, malicious software and hacks
  3. Penetration test – have a cyber security expert attempt to hack into your system remotely so as to expose any weaknesses and plug the gaps. Don’t kid yourself – a good expert will gain access. The question is how easily can they do so?
  4. Repeat regularly!

Sorry folks, there is no good news on this one. Today’s thief is unlikely to break into your home and steal the DVD player. They’re more likely to be thousands of miles away, want to steal your identity and then empty the contents of your bank account.

Cyber Security

Cyber security. Wow. Sounds like something from the latest James Bond movie right? Well, yes and no. I can’t promise this blog will be as exciting as watching Daniel Craig take on the bad guys. I can say that the type of sophisticated IT and cyber attacks on IT systems that we see in the movies and on TV shows isn’t as far-fetched as we may wish to believe. What’s more, the modern-day hacker tends to be less interested in high-profile targets such as the US Defense Department – not least because of the draconian prison sentences that arise. They are far more interested in accessing data that is both easier to obtain and more profitable.

In other words they are coming after you, me and our businesses.

What are hackers doing?

So what are the hackers doing and what can we do to protect ourselves against it? Let’s start with what they are doing. Perhaps a good example is the recent illegal access that was made on the US retail giant Target. In mid-December, Target learned that criminals forced their way into their IT system, gaining access to guest credit and debit card information. The investigation determined that certain guest information was taken, including names, mailing addresses, email addresses and phone numbers. Target believed that up to 70 million – yes 70 million – people could have been affected.

This was a sophisticated attack, and it subsequently came to light that similar attacks are believed to have occurred across at least 5 other major US retailers. Clearly this was hugely damaging to Target and its business. So what lessons can be drawn?

Well, Target had reasonably sophisticated cyber-protection on its website and IT systems, but was still hit. If you are a small to medium sized business with little or no cyber-protection, it is a far simpler task for hackers to gain access to your confidential data. Typically hackers will target the following readily accessible areas:

  • Your website – they will harvest any available data from websites that can provide them with useful data
  • Social media profiles of your business and staff – This is critical. The amount of information available via social media is staggering. There are also documented instances of fake social media profiles being created and successfully used to obtain employment credentials from organizations!
  • Your wi-fi network – this is a direct route to your network. If it isn’t secured then everything on your IT networks is accessible. There have been recorded instances of IT networks being hacked via a photocopier that was connected to a wi-fi network but had not been secured.
  • Your IT systems – by harvesting data from your website, social media and wi-fi networks, hackers can find a way into your IT network. From there they can access confidential records, including customer data, financial records… pretty much everything you would not want someone getting their hands on.

What can I do about it?

The British Virgin Islands enjoy a very low crime rate, allowing us to enjoy a relaxed lifestyle that is unrecognizable in most major cities. However, the internet does not respect boundaries – if your business is online you are susceptible to cyber attack.

So, start with the basics. Many businesses still do not put the most basic levels of security protection in place. Here are some simple things you can do or check right now:

  • How “good” are your passwords? Have a look at this list of the top 25 most insecure passwords – do you recognize any? I was horrified to find one of my own passwords on the list… It is now changed and I’m not saying which one it was!
  • Is your wi-fi network secure? At the very least it should require a password for users wishing to use it. Additional security can be added.
  • How much information is available from your website? Even the most basic information can create vulnerabilities.
  • What information are your business and staff making available via social media? E-mail addresses can often be obtained from social media, providing hackers with a good starting point.

Given all of the above, I thoroughly recommend sending staff on basic cyber security training. They will learn about all of the above, as well as suspicious emails (a topic for another blog) and numerous other IT vulnerabilities. It is typically a lack of awareness rather than malicious behavior that leads to the majority of cyber attacks.

Please, spend 20 minutes just looking through some of the pointers above. When you’re done, do what James Bond would do and have a vodka-martini (or your favourite drink of choice). You will have earned it and may well need something to calm your nerves!

About Guy Phoenix

Guy Phoenix has been in the BVI for four years and is a shareholder in Fresh Mango Technologies. He is also managing partner of Phoenix Caribbean, providing marketing services and software distribution across the Caribbean region. At Phoenix Caribbean he has carved a niche in inbound marketing methods across the Caribbean. He has a background in IT, Power Generation and Marine Power.