From Funny to Chilling: a Chapter of Notorious Cybersecurity Debacles
From a federal office to baby monitor — this post deals with all of notorious cybersecurity debacles over the years.
Join the DZone community and get the full member experience.Join For Free
No one could deny cybersecurity is in a critical state. Not a day passes without a cyber attack, security breach, or the release of yet another security vulnerability fortunately unearthed by a white hacker. The attacks are far and wide, hitting local municipal councils, hospitals, IoT devices, factories, utilities, or consumer accounts such as Reddit, British Airways, Sony Entertainment, and Equifax. The impacts range from inconvenient to financially devastating and can even lead to death. The motivations can be financial, competitive, political, or just the thrill of a challenge.
The vast majority of cyber attacks, vulnerabilities, and infections are never revealed publicly. Many are detected prior to causing real damage and others are addressed by fast-acting security experts. But then there are the attacks that go public — and give the media a field day. Some are weird and some are funny — and you just can't help wanting to write about them. Here are just a few examples, some with just a touch of schadenfreude:
The Prodigious Office Porn Watcher (November 2018)
Just this month, the US Department of the Interior’s inspector general revealed that a US Geological Service (USGS) network at the Earth Resource Observation and Science Center had been infected with malware by a civil servant watching porn on his workplace computer. The man visited some 9,000 adult video sites and investigators discovered that many of the pornographic images were stored in an authorized USB device and on a personal Android operating mobile phone, which was connected to the government computer.
There's not much that could be more embarrassing than being caught watching porn on your workplace computer than being responsible for infecting a government office. I hope his successor got a new chair.
Ashley Madison (July 2015)
Ashley Madison was a website platform for married people to meet other married people to have affairs without getting caught by their respective spouses. In July 2015, a group calling itself "The Impact Team" stole the user database of over 35 million people. Because of the site's policy of not deleting users' personal information – including real names, home addresses, search history, and credit card transaction records – many users feared being publicly shamed.
Ashley Madison's company required the owner of the email account to pay money to delete the profile, preventing people who had accounts set up against their consent (as a prank or mistyped email) from deleting them without paying. The database was released on the dark web, revealing not only everyday people but politicians, priests, and celebrities. Predictably, the resulted in multiple divorces and heartaches but also far darker consequences from suicides to addresses of Saudi Arabians, a country where adultery can be punished with death.
In July 2017, parent company Avid Life Media (renamed Ruby Corporation) agreed to settle two dozen lawsuits stemming from the breach for $11.2 million.
Baby Monitor (2013 Onwards)
Having to care for a small child would be stressful enough without discovering that hackers have been watching and talking to your child at night, like something out of horror movie.
2015 kicked off with a number of reported cases of parents discovering hackers watching and talking to their children at night, and the New York City Department of Consumer Affairs launched an investigation into the security of baby monitors, issuing subpoenas to four manufacturers of baby video monitors as part of an investigation into the security vulnerabilities of the devices. The Federal Trade Commission followed suit with a page of warnings on their website.
However, reports of baby monitor hacking are not something new, with security issues being raised as early as 2013. News reports pointed fingers at Shodan, a search engine launched in 2013, which can be used to find Internet of Things (IoT) connected devices around the world. Shodan scours the Web for devices that use Real Time Streaming Protocol (RTSP port 554) that are left open without basic password protection — or only the default password settings — in place, taking a photograph of what can be seen. Hardly the fault of Shodan but rather the devices (and their owners) with only default password settings.
Rock and Roll Power Plant (2010)
Stuxnet is possibly the worm that made the world realize the vulnerability of large infrastructure. Between 2009 and 2010, it was used to attack the centrifuge controls in Iran's Natanz nuclear facility, altering their operation and apparently breaking over 1,000 of the 9,000 machines. The malware was first reported in 2012, did the expected things like shutting down monitoring stations and other hardware. But it also had an attack with a difference.
At random times during the night, it would activate workstations and make them play "Thunderstruck," a song by Australian rock band AC/DC at maximum volume. Under Iranian censorship laws, only Iranian folk, classical, or pop music are allowed, so the music must have been a bit baffling, yet another example of the attackers flexing their might.
Birdsong Can Hack Amazon's Alexa (2018)
Owning a bird and an Alexa may be an interesting experience if you're trying to protect your home security. This year, researchers at the Ruhr-Universität Bochum in Germany discovered a way to hide inaudible commands in audio files — commands that, while imperceptible to our ears, can take control over voice assistants. The attack will sound just like a bird’s call to our ears, but a voice assistant would “hear” something very different.
Attacks could be played over an app, for instance, or on a TV commercial or radio program, to hack thousands of people — and potentially make purchases with or steal their private information.
“[In] a worst-case scenario, an attacker may be able to take over the entire smart home system, including security cameras or alarm systems. A virtual assistant that can carry out online orders is one of many examples where such an attack could be exploited,” says Thorsten Holz. “We could manipulate an audio file, such as a song played on the radio, to contain a command to purchase a particular product.”
Similar attacks, known as adversarial examples, were already described a few years ago for image recognition software. They are more complicated to implement speech signals as the meaning of an audio signal only emerges over time and becomes a sentence.
A Chilly Attack (2017)
In 2017, residents in two apartment buildings in the Finnish town of Lappeenranta were subject to a DDoS attack that battered an unprotected building management system.
In an attempt to fight back the cyber attacks, which lived for a short time, the automated systems rebooted — and unfortunately got stuck in an endless loop, which restarted repeatedly and eventually shut down heating systems for more than a week, which is potentially problematic when you consider the freezing temperatures that hit Finland. Fortunately, things were resolved quickly, but the tale reminds me of the Amazon review post titled:
"She took the house and the dog and the 401k, but I still control the thermostat."
In it, the writer contends that:
"Since this past Ohio winter has been so cold I’ve been messing with the temp while the new lovebirds are sleeping. Doesn’t everyone want to wake up at 7 AM to a 40-degree house? When they are away on their weekend getaways, I crank the heat up to 80 degrees and back down to 40 before they arrive home. I can only imagine what their electricity bills might be. It makes me smile. I know this won’t last forever, but I can’t help but smile every time I log in and see that it still works. I also can’t wait for warmer weather when I can crank the heat up to 80 degrees while the lovebirds are sleeping. After all, who doesn’t want to wake up to an 80 degree home in the middle of June?"
It's a modern version of the shrimp in the curtain rod!
Opinions expressed by DZone contributors are their own.