Cyberspace was once a way to communicate. Now it carries the lifeblood of commerce, societal administration, and the trail of individual existence.
Where there is blood, certain entities with disgusting eating habits soon appear on the scene. Yet vampires and their ilk always leave behind a trace of their visits. Once noticed, everybody knows how to put a stop to their activities – a midnight opening of their coffin and the plunging of a wooden stake into the evildoer’s heart. The problem, though, is which tomb to open? Where exactly is Dracula hiding?
On a summer afternoon in the mid-2000’s I was sitting in a Manhattan wine bar with a relative who was ex-Israel Special Forces. We got into a discussion on the subject of Iran’s nuclear ambitions. I contended that notwithstanding the concerns of its neighbours (especially Israel) and of the major Western powers, there seemed to be no realistic way to impede Iran’s progress.
My cousin casually remarked that taking actual control of the operation of Iran’s facilities would certainly slow them down. I scoffed at the notion as a James Bond fantasy. He mused that it could be achieved by inserting pre-programmed devices embedded and hidden in the equipment being delivered to the facilities, to be activated at an appropriate time. I protested “Who could possibly get in and do that?” He just grinned and said “People like I used to be.”
A few years later, in 2010, “Stuxnet” became front page news – a computer malware which had taken over the control of the centrifuges deep inside some of Iran’s nuclear facilities, and caused them to spin to self-destruction. This was the first publicized act in what was named as international cyberwarfare. The Iranians had just been savaged by one of Them. Dracula had ripped with his nails and created material mayhem. The vampire had left his traces, but had long since fled to another tomb – a cave in Transylvania? A well-know Agency’s campus in Maryland, USA? A bunker under the Negev Desert? Who can say? There are plenty of well informed guesses, all met with “No comment”
There is much current debate between military and civilian security experts (e.g. see BBC News online, 6 May 2015) as to whether recent highly publicized cyber assaults on government and business sites constitute acts of cyber warfare, or even if such attacks could ever be implemented and coordinated on a scale which would justify the term “warfare”.
However, we have seen in Part 1 of this article that less dramatic assaults by web vampires can lead to commercial disruption and personal misery. Sometimes there may be not material damage after a visit by Them.
A stunning example of commercial disruption occurred in August 2012. The world’s largest oil producer, Saudi Aramco, had no warning that approaching vampires were riding the miasma as it drifted in from the Arabian Sea and silently passed over the Saudi realm. Nobody would even guess for a while that anything out of the ordinary had happened. The wells were still pumping, and in the company offices some 30,000 computers sat bright and glowing at employees’ work stations.
But vampires always leave a trace. And in this instance it was eventually realized they had eviscerated the cyber entrails of each computer, sucking them dry and leaving the empty carcasses physically unchanged but operationally useless. The company had to totally isolate its electronic networks while tracing and fixing the damage.
Personal misery may strike when the Living Dead creep into a computer and leave ransomware in place. This is a type of malicious software designed to block access to a computer system until a sum of money is paid. The victims are typically individuals. The archetypical victim is a grandma whose only experience of backing up was watching a delivery van back into her driveway to drop off her household furniture forty years ago, and who now faces a demand for a thousand dollars or she’ll never see her un-backed-up files of family pictures and mementos again.
Ransomware typically propagates as a trojan, much like a computer worm. It may enter a system through, for example, a downloaded file, or it may find a vulnerability in a network service. In some instances security software might not detect a ransomware payload, or may detect it only after encryption is underway or complete.
One of our co-authors, CDS Marine, quotes a case in which they were called in after a ransomware infection of a yacht’s systems. By then 5 years’ worth of data had been destroyed. During an early June conversation with Craig Boddington of CDS in which he referred to this case of an anonymous client, he recommended that yachts take particular precautionary measures for dealing with ransomware. Software or specific security policies may block known payloads from launching. Offline backups of data should be stored in locations which are inaccessible to this malware.
CDS quote another case of a compromised system on a yacht being used to send thousands of SPAM emails per day, thereby becoming part of a botnet (a network of computers, the owners of which have no idea that their devices have been infected with malware and may be used to distribute further malware or illegal content).
In a further incident, a guest’s compromised device brought down a yacht’s entire system, even disabling door security controls. The guest’s device had been infected with malware which gave Them (you know who) remote access to any network the device was connected to.
CDS damage control was effective in the three cases quoted above, and tight lips on board have maintained the anonymity of the clients. However, other security companies can quote a similar case or two, which means that although nothing has yet emerged to grab the attention of the tabloid press, the Draculian community is now alert to our existence and is sampling the menu.
We may rest assured that they will be studying the cyber-body parts on which they will feast. These body parts consist of all the onboard systems.
CDS point out that today these are mostly all connected, logically separated by switch VLANs. In most cases they run through the same internet entry/exit point such as VSAT, 3/4G etc. With all internet traffic going through the same portal, any unauthorised access to a machine via a malicious email or attachment thereto puts the entire network at risk. VLANs, if improperly configured or running on outdated, un-patched hardware would offer little protection at this point.
Gone are the days of just protecting the perimeter, installing your firewall to protect the network from the outside in and forgetting about it. This is simply no longer an effective strategy in today’s digital world. Wireless networks are a fine case in point. If the access points are poorly configured, without adequate encryption and access control, it would be a trivial task to identify the network, even with the SSID
A malevolent hacker would at this stage access the system in one of two ways. A “brute force attack” uses a rapid sequence of possible solutions to crack a relatively short password. For longer passwords a “dictionary attack” is often resorted to, based on trying a series of variants on commonly used words or simplistic passwords. Either method may take many hours out of a day, but time is not a concern for Them, they have plenty of it and you are not going away.
With the password once breached, the invisible stalker would be on the inside of the yacht’s network, effectively bypassing any perimeter security you may have in place. All of this could be done from a nearby café without alerting any crew or physical security personnel that anything untoward was happening.
As illustrated by CDS’s third case history, the threat posed by unsanitized devices brought on board is very real. A guest device may have been tainted by their naïve response to a phishing email, or when downloading some free software.
An irony about these free software trojans is that the user of a device has to dig his/her own grave. A trojan does not install itself, a user has to do the work and install the programme. And then if it’s a keylogger trojan, the user’s cyber intestines are being sucked up with each touch on the keypad.
Other infections which may be imported via crew or guest personal devices are viruses, which can be delivered through innocent-looking emails and can be spread by reading the infected device’s address book; and worms, which look for a specific security hole, insert themselves and then start replicating. There are many other variations on the malware theme.
Craig B. notes that USB devices should not be overlooked either: they can poise a risk to all a yacht’s systems once plugged into a network-connected device, it is not far fetched that a crew member might be caught off guard in a bar and accept a stick with the latest movies or music on it only to find that when plugged in, it came with little bit more than had been bargained for! Even a job seeker’s USB stick with their CV on it carries a risk of infection unless and until positively screened for reading.
Apart from a yacht’s WiFi system, other onboard vulnerabilities are:
*Mac complacency – the false assumption that Mac devices are free from cyber attacks;
* unencrypted emails;
* unencrypted files – the Home Depot chain in the USA regrets this lapse
* lax web filtering – resting on one’s laurels after closing access to unapproved websites, overlooking the fact that malware can and does affect legitimate websites;
* faulty firewall;
* mobile negligence – particularly (but not exclusively) Android devices.
Having looked at the modus operandi of the unseen enemies, and some of the vulnerabilities which allow them to pass through walls, the next step is to review the lines of defence. Even if you can’t find the location for the fatal thrust of the wooden stake, at least you can learn how to string the deterrent wreaths of cyber garlic which keep Dracula and cohorts temporarily at bay.
At this point two separate but complimentary dimensions to security come together, namely technical factors and human factors.
Our other co-author, Allmode, likes to use an anecdote to illustrate this
In 1941, The British Army was locked in high intensity combat with German forces in the North African desert. Over thecourse of the campaign, they were continuously being outfought and outmaneuvered by the smaller, more agile “Afrika Corps” under General Erwin Rommel.
One of the key disadvantages was their inability to pre-empt the plans and movements of the German forces due to their use of the fiendishly complex “Enigma Code” to transmit their information. However, a small group of well selected and motivated individuals were brought together at the UK’s code breaking facility at Bletchley Park to attempt to break the code.
After months of failure, a window of opportunity presented itself: one particular German signals operator, sitting in a very quiet section of the line in a desert outpost, had been continually sending the following message:
[Date], [Time], “Nothing Significant To Report”
It was the predictability of this message (and other cases of what Bletchley Park termed “operator error”) that led to the breaking of the Enigma Code, which was considered by western Supreme Allied Commander Dwight D. Eisenhower to have been "decisive" to the Allied victory
In fact, the Enigma Code was only “broken” in a purely TECHNICAL sense - i.e. without recourse to human error - by a supercomputer in Berlin….. in 2006.
James Kellet of Allmode emphasizes that, as described in this example, your technical prowess can be unmatched, but human thoughtlessness and fragility (coupled with the “enemy’s” human cunning and ingenuity) will be able to do you harm, unless the risk is mitigated by training, education and awareness of the human element of cyber security.
Your technical countermeasures may be like an ultra-sophisticated bank vault, with no expense spared. Your untrained people, however, will be like the security guard who leaves the key in the lock and falls asleep…..
When it comes to the dark powers you are preparing to encounter in cyber space, you need to remain alert even when asleep. Just know that the miasma cannot enfold you as long as your protective garlic wreath remains intact. To this end, CDS and Allmode offer their own guidelines to wreath-stringing.
One point on which both these security consultancies are very firm is the need to establish, implement and enforce policies regarding cyber security. Effective enforcement can only happen with strict discipline regarding online activity, which is likely to meet with resentment and resistance on the part of crew members.
Counter Through Education
The best way to counter this is by education. With a small crew, Teddy Roosevelt’s maxim “Speak softly and carry a big stick” would be appropriate: informal discussion around the cyber policy parameters, with regular reminders, may suffice.
With a bigger yacht and a bigger crew, the stakes become exponentially higher as the increasing value of lost data and personal records means higher recovery costs and potential penalties. In these cases, captains and managers will have existential concerns about their careers, were they ever to be held liable for the outcome of a breach of cyber security.
They then need to look to Napoleon Bonaparte’s maxim “Put your iron hand in a velvet glove.”
The education needs to be addressed in smaller groups, involving the IT and Security Officers: this is the velvet glove. The bigger the asset, the higher the profile of the owner, the more forcefully the message about cyber discipline has to be drilled in to all crew members. The CDS examples show what is at stake.
The iron fist is revealed at the time of reading and signing the SEA, which contains a clause with the first and only warning about infringement of the yacht’s cyber security policies. One strike and you’re out, and don’t expect to hide from any contingent costs.
Craig B. asserts that day-to-day good practice requires that all cyber defences and systems be regularly tested and assessed to ensure they are still fit for purpose. Failure to maintain a regular checking routine means exposing the yacht (and the data held within it) to unnecessary risk due to misconfiguration or the operation of vulnerable unpatched systems and software.
If a yacht has as yet no definitive cyber security regime in place, James K. suggests the following actions to be taken while a yacht-specific policy is being drafted:
* All sensitive documents should be stored on a removable HDD, and not on the network.
* Ensure virus protection is up to date and fit for purpose on all devices that connect to the network.
* Limit personnel using operational computers for personal use.
* Have certain websites blocked (porn etc.) as if hacked then can be damaging to client/owner.
* Educate crew on the potential risk of posting on social media.
* Educate crew on the potential risk of online banking.
* No USB or removable HDD drives to be connected to the network without prior consent.
* When online in a public space, never trust your neighbours (see footnote 1)
* When in addition, he draws attention to the following guidelines regarding social media:
Think about your account security, who can see your account? Security settings can be adjusted on all major social media networks to allow you more privacy and protection. Don’t post personal details such as your address, telephone number, bank details as these may make you, your family and friends a target. Without the correct security settings in place you are opening up anything you post to everyone – from journalists to criminals or even terrorists. It may not just be friends and family reading your updates.
* When using social media you are an ambassador for your company, you therefore should think about what you are about to post and ensure that it is correct and non-damaging.
* Make sure that your family and friends are also aware of the risks by posting information about you, your movements and company.
* You should not promulgate any document or information dealing with any of the affairs of the Company, Vessel, passengers, visitors, guests or its clients.
* You should refer all press or media inquiries to the Master/ CSO/Press Office. You shall use your best endeavour’s to prevent any unauthorized press release or media exposure without prior written approval
Remember - What you say online stays online forever!
Urgent as it may seem, the cyber gap in the ISPS Code will not be imminently plugged by the IMO (see footnote 2). Regular breaches of cyber security are public knowledge. Accordingly, you have a duty of care in this area without waiting for a lead from the IMO or anybody else. You should be aware that delinquency in the ethereal cyber realm can soon result in exposure to the physical risks to persons and property which the ISPS Code was written to protect against. It’s like a double jeopardy.
Accordingly, for your own security and peace of mind, first string up your garlic. Then, depending on your level of temptation to Them, assess the cost/benefit of calling in security specialists to probe your defences, clean up any deficiencies, and help beef up your onboard integrated cyber/ISPS policies and routines. Today it seems there is more focus on the performance of cinema systems and onboard entertainment than cyber security on yachts, even though these fun items are often gaping windows which the miasma of evil can drift through.
Never forget that it’s not your good looks that are so attractive to Them, darling. it’s your fascinating cyberself that is so irresistible to Them, darling. And they want to lick you all over, darling, and when they’ve done you’ll have nothing left but a sagging empty skin, darling.
So even after you’ve used your own on-board IT expert or have brought in a specialist consultancy, and you have your garlic draped all around, don’t relax, darling. Never stop checking or implementing. You are still so tasty and yummy, darling, that they’ll be back. And next time, no more Mister Nice Guy.
Related Articles in the Series:
*Footnotes to Part 2
1) BBC News online, 22 June 2015, reported on an experiment by students at Tel Aviv University, they monitored the radio signals given off by laptops when their central processing unit is crunching data. The team discovered that many different operations in a computer, such as playing a game or decrypting a file, had a characteristic pattern of radio activity.
The differing power demands a CPU made as it worked gave rise to these telltale signals. By monitoring these signals when the computer was decrypting a specific email message sent to it by an attacker, it became possible to work out the key being used to secure data, they said.
After demonstrating that the attack worked in the lab, the group created a mobile version they dubbed the Portable Instrument for Trace Acquisition (Pita), which they managed to conceal inside a piece of pitta bread.
Using their technique, the researchers were able to grab keys used in several widely used encryption programs and algorithms to protect data. At present the technique combined with the Pita device works only at short range in the laboratory. But it is indicative of another threat to cyber security which will need guarding against.
2) It is widely bemoaned that there are as yet no established good practice guidelines from a recognized body such as the IMO regarding the cyber threat against the maritime industry. The ISPS Code is hopelessly out of date without including cyber security. Absent current action at governmental level, one training centre is taking the initiative into its own hands. Bluewater, as from the coming Autumn, will include a session on cyber security in its ISPS and PDSD courses, even though it is not part of the mandatory syllabus.