How safe are we online? The past, present and future of online safety



How widespread is cyber-crime? And how concerned should we be about our computers getting hacked? We asked the experts to give us their take on the rise of cyber-crime and bring you their top tips for staying safe online.

 

Ashley Madison. eBay. Sony PlayStation. Barely a week goes by without media reports of a new major company hack. And, as cyber-crime continues to soar, it’s not just customers’ credit card details and personal information that’s getting stolen. Government departments and even defense systems are coming under attack.

So, how widespread is cyber-crime? And how concerned should we be about our computers getting hacked? We asked the experts to give us their take on the rise of cyber-crime and bring you their top tips for staying safe online.

Biggest hacks of all time

 

Cyber attacks in focus

1988 - The Morris Internet Worm

The Morris Internet Worm

The Morris Internet Worm, released in November 1988, was one of the first computer worms to be distributed via the internet. It was written and released by Cornell University graduate student, Robert Tappan Morris. According to the creator, the worm was originally designed to map the internet but instead, it rendered the host computer unusable. Through self-replication on the host system, the worm was allowed to infect it multiple times, slowly using all the resources available.

At the time of the worm’s release, there were only around 60,000 computers that existed. Through propagation, the worm infected approximately 6,000 of these, including military and government systems. It caused an estimated $100,000 to $10,000,000 in losses due to its disruption of internet access.

The worm was designed to exploit vulnerabilities in the host computer system and to take advantage of weak, and default passwords. It also exploited known vulnerabilities in Unix sendmail, Finger and rsh / rexec e password, when trying to access the system. Subsequent review of the code did not identify any malicious elements, so this supports Morris’ claim that the worm was designed without malicious intent.

Eventually, Morris was arrested and became the first person to be convicted under the new US Computer Fraud and Abuse Act. He was fined $10,050 and sentenced to 400 hours of community service and three years’ probation.

In 1988, the internet and computer systems were generally open door machines with little or no consideration of secure coding or security mechanisms. Many believe that, thanks to Morris’ actions, cybersecurity awareness increased, and software developers and administrators were forced to consider the security aspects of their systems.

Emlyn Butterfield

2010 - Stuxnet

Stuxnet

Attacks on power plants and other areas of national infrastructure have gained significant attention in the media over the past few years. Probably the most widely publicised attack was that on Iran's nuclear facility in Natanz, in 2010.

The Stuxnet attack used a USB drive, introduced by a member of staff, to infiltrate the Natanz plant. Once inserted, the malicious code could spread between the systems unknown to the employee and undetected by any security devices protecting the infrastructure.

In this attack, a sophisticated malware targeted the systems of the industrial equipment, damaging centrifuges used to enrich uranium. This is a good example of poor situational awareness benefitting the attacker. The operator saw nothing wrong with the centrifuges, when in fact they were spinning too quickly, leading to a loss of enriched uranium and damage to physical equipment. 

The virus spread by exploiting many weaknesses in the system. Its main goal was to locate a particular model of programmable logic controller (PLC) controlling the centrifuges. The PLC software that the virus was searching for was Siemens SIMATIC WinCC/Step 7. This suggests the attacker had a very in depth knowledge of industrial control systems and that a large amount of testing was carried out beforehand to successfully execute the attack.

Whilst attacks against critical national infrastructure is clearly a serious concern for governments, the connectivity of smart devices and wearable computing to large networks is a growing concern for the population as a whole.

 

Helge Janicke

2015 – US Office of Personnel Management

OPM Hack

In June 2015, the social security numbers of over 21 million people were stolen when the US Office of Personnel Management (OPM) was hacked.

The cyber-attack against the OPM was significant for a number of reasons. The government department, which houses federal employee data, was hit with a massive breach that resulted in the loss of over 21.5 million federal records and over five million fingerprint scans.

The records stolen included social security numbers, residency, educational and employment history, information about personal and business acquaintances, health records, criminal records and even financial history.

The sheer scale of the attack is astounding and its ramifications continue to have an effect today. It finally made the Obama Administration take note that cyberattacks are a clear and present danger for US institutions.

Of course, Obama and every other president before him have been aware of the consistent cyber espionage operations against the US from foreign states including China, Russia and Iran. (Although let’s not forget the US remains far from innocent in this respect). Yet this incident appeared to be slightly different. It was brash, it was vast in scope and it was viewed as overstepping the espionage boundaries into something more aggressive.

Suddenly, even the FBI director could be personally affected by a cyber-attack – as became clear when director James Comey claimed his details were among those stolen in the breach.  

Following the incident, which has since been blamed on Chinese hackers, Obama upped his rhetoric when it came to cyber-crime. And, only a few months later, a so-called cyber peace treaty was agreed with the Chinese government. Of course, it is likely the deal is political manoeuvring, and little more, but nevertheless, it signals a degree of progress.

The OPM hack, alongside others at Target, United Airlines, and Ashley Madison, not only indicates a rise in aggressive cyber-attacks, but also highlights the weaknesses in many of the computers systems we assume to be secure.

I believe the OPM hack has made a huge impression on many high profile political figures in the States. As we watch the development of numerous cyber security bills currently being crafted, I believe this fear of attacks will have a direct impact on how the US legislates – which will undoubtedly be harshly.

For US businesses, governments and corporations the question is no longer if they will get breached, but when?

Jason Murdock

2015 - Ashley Madison

Ashley Madison

As someone who has researched social aspects of information technology, and the responsibilities of providers, consumers, and other stakeholders, the recent Ashley Madison hack has been fascinating to observe. On the face of it, this is clearly illegal activity and the usual public response to such hacks (generally informed by the media) is that the perpetrators are criminals and should be brought to justice.

 

However, given the nature of the site, and therefore the perceived morality of its customers, we have ended up with a far more wide-reaching debate. This has questioned the right to anonymity, the morality of some online services, the attractiveness of personal data to hackers and the potential to extort as a result. It also generated debate on the extremely grey area surrounding whether the hackers did a good thing, and whether those who had their data leaked, deserved it.

 

However, what is clear is that given the nature of the data hosted by this site, Ashley Maddison should have expected such attacks to occur. Yet they don’t seem to have invested much in effective security infrastructure.

 

What the Ashley Madison hack did cause was a great deal of public awareness around the potential hazards of entrusting your data to someone else. Given we are increasingly encouraged to “move into the cloud”, I expect to see more public demand for service providers taking on more responsibility for protecting the data they hold.

 

Alongside this, the public is calling for legislators to pile the pressure on data providers so that data protection and security is taken more seriously. There are also calls for “due diligence” to be demonstrated rather than, as is often the case, providers cutting back on security because the fines are less costly than implementing measures in the first place!

Andy Phippen

How to stay safe online

We asked the UK Safer Internet Centre to share their top tips for staying safe online. Here’s their advice for keeping your information out of the hands of hackers.   

  • It may be difficult, but do read terms and conditions of the services and apps you use, especially if they are 'free' - remember there is no such thing as 'free'.
  • Actively review the privacy settings made available to you by apps and login services you may use.
  • Think about what you put online and who you are sharing it with - remember that your device may be actively sharing data too, for example location, contact details etc.

 Safer Internet Centre

 

Looking for more ways to stay safe online? Then check out Currys great range of McAfee anti-virus and internet-security software. The products work across a number of different devices and offer effective protection from harmful viruses and hackers.