The total records breached in the USA to date are over 900,000,000 – nearly 1B at this time, according to PrivacyRights.org. Recent breaches you should remember include 100m records at TJMAXX, 80m records at Anthem and 22m records at OPM.gov to name a few. These breaches cost the banks, credit unions, credit card authorization companies and ultimately those who lost the records – the victimized record holder. In TJMAXX case, they spent over $225,000,000 USD to hand the cost of damages and reparations. This gets passed on to their customers – they have to make it up somehow to their shareholders, so if they tighten their belts, layoff employees or raise the prices on the cost of their retail goods, it helps them offset the loss. Yes, a breach is very costly. In fact it will put you out of business if you cannot weather the damages.
(Source: RSA Cost of Cybercrime, 2016)
The key to cyberterrorism is to cause the most harm or damage so the focus will be on critical infrastructure or important government and business executives. Yes, when you heard recently that someone smashed into Russian President Putin’s limo, killing his favorite limo driver, what you didn’t get were all the details. What if any car could be targeted or victimized remotely. One car loses steering and braking while it accelerates for a head on collision with another that also is remotely controlled, taking away the driver’s ability to move out of the way. Is this a futuristic scenariou? Not according to Wired Magazine and this story, here: https://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/ or the Car Hacker’s Handbook, found here: https://www.nostarch.com/carhacking
But what about planes, trains, electricity, water supply and other critical infrastructure?
Boeing received a waiver for a critical vulnerability on their new 777’s from the FAA – similar story to Hacking Cars, whereby the passenger entertainment system is on the same network as the avionics, see: https://www.federalregister.gov/documents/2013/11/18/2013-27343/special-conditions-boeing-model-777-200–300-and–300er-series-airplanes-aircraft-electronic-system – A hacker proved this and was arrested when the plane landed. The full story on this is found here: http://www.cnn.com/2015/05/17/us/fbi-hacker-flight-computer-systems/
So the real problem, is that critical infrastructure has moved to TCP/IP (internet protocol). This is a big mistake because encryption and system hardening were not thought about before this shift took place. From Airline Scheduling, to Airplane and Car Entertainment & Controls, Train Track Scheduling to Electricity/Power Grid to Water Supplies, even Your New Refrigerator, Baby Monitor and Google Nest, all easily exploited as Internet (TCP/IP) Protocols not designed for security.
Then, you have incredibly powerful smartphones roaming around the hallways of government and business – with the careless insider not knowing their favorite apps are spyware for various governments and cyber criminals. I’ve discovered hundreds of millions of downloads on just a small number of apps – Emoji Keyboards, VPNs, Alarm Clocks and Audio Players, all of which can run in the background on an iPhone – so NO, your iPhone is not secure. On Android, it’s a free for all with any app able to spy on any other app. Yes, your smartphone is already spying on you, whether you believe me or not. Here’s a recent story I did with my friends at CBS: http://www.cbsnews.com/news/mobile-phone-apps-malware-risks-how-to-prevent-hacking-breach/ and here’s one I did a while ago with Bret Baier at Fox News: https://youtu.be/Q8xz8xKEFvU and this one at ABC’s Good Morning America: https://gma.yahoo.com/video/smartphone-apps-may-traps-set-120043340.html yet these apps remain in iTunes and Google Play with continued millions of downloads and many more interviews with my warnings, found here: https://www.snoopwall.com/press-center/. The only answer I can think of is a state of apathy or cognitive dissonance.
First, most citizens, business people and government employees are clueless when it comes to understanding the TCP/IP protocol stack they are now betting their lives on. Second, because the internet is so enabling, everything we think of is moving to the internet – from baby monitors to the avionics on airplanes. The world of the Internet of Things (IoT) is not coming – it’s here. So if those who make decisions on the quality of products don’t understand vulnerabilities in software, computers and networking, they leave the doors wide open to the risk of cybercrime, cyberterrorism and cyberespionage. There is a National Vulnerability Database found at http://nvd.nist.gov and if you don’t know that your refrigerator has a remotely exploitable vulnerability, don’t be surprised when all your food inside it is spoiled because it was remotely shut off. Everything being built to leverage the Internet needs to be hardened against exploitation. One method is to remove the Common Vulnerabilities and Exposures (CVEs) so there are no front doors, backdoors or windows left open that could cause exploitation. The second method is to use encryption everywhere. The third is to learn that most exploitation includes social engineering – which most of us are not trained to be on guard against – hence so many successful spear phishing attacks with downloadable remote access Trojans (RATs) and/or ransomware. If we don’t start pushing for all those around us to be more vigilant, we will all continue to be victimized in an insecure Nation. The price we pay will be lost jobs, increased costs of goods and loss of life. It’s time to take this seriously.
Doesn’t the FBI need backdoors in our Smartphones and the rest of the Internet of Things? How many times have I argued for strong encryption? Is it falling on deaf ears? Read this: https://www.linkedin.com/pulse/privacy-matters-counterveillance-imperative-2016-gary-miliefsky and this: https://www.linkedin.com/pulse/apple-vs-fbi-strong-encryption-good-thing-what-gary-miliefsky and this: https://www.linkedin.com/pulse/should-apple-backdoor-iphones-us-government-gary-miliefsky it’s time to understand that asking for weaknesses and backdoors is harmful to National Security. And, for those who swore an oath to defend the US Constitution, one thing I’ve learned in life, is that bad karma comes to those who break their oaths. Attempting to force Apple to weaken the security and encryption in their smartphones is a violation of the following amendments:
Forcing programmers to change their speech
Forcing programmers to provide unwarranted access to their encryption and proprietary code
Forcing programmers to ‘speak’ bad code against their will (easily used by cybercriminals, making them an accomplice – self incrimination)
And I cannot say it more clearly, weak encryption means:
Take the FBI.gov, State.gov, Whitehouse.gov, OPM.gov and Anthem.com breaches – common thread – no Strong Encryption.
It is time for the US Government to stand up for strong crypto and you should request they do it, here: https://savecrypto.org/
The US Government Likes Strong National Security, so:
If there ever were a time to take National Cyber Security seriously, now is that time. It’s simple:
If you believe they are driven by GREED, dry their well and they will listen…that means put your money where you mouth is – support those and buy products from those that agree with this philosophy.
You probably don’t believe that one person can make a difference when it comes to such a big and serious issue. That’s not true. Look Closely at the story of www.FoodBabe.com
Emulate her best practices and we win!
What would the side effect be, if we make these changes?
In addition, the NSA, CIA, FBI and others might realize that their current tactics (weak encryption, vulnerabilities, backdoors) harm America and weaken National Security! Honoring their Oath is the way to go!
About The Author
Gary Miliefsky, fmDHS, CISSP®, CEO, SnoopWall, Inc.
Gary is the CEO of SnoopWall, Inc. and a co-inventor of the company’s innovative breach prevention technologies. He is a cyber-security expert and a frequent invited guest on national and international media commenting on mobile privacy, cyber security, cyber-crime and cyber terrorism, also covered in both Forbes and Fortune Magazines. He has been extremely active in the INFOSEC arena, most recently as the Editor of Cyber Defense Magazine. Miliefsky is a Founding Member of the US Department of Homeland Security (http://www.DHS.gov), the National Information Security Group (http://www.NAISG.org) and the OVAL advisory board of MITRE responsible for the CVE Program (http://CVE.mitre.org). He also assisted the National Infrastructure Advisory Council (NIAC), which operates within the U.S. Department of Homeland Security, in their development of The National Strategy to Secure Cyberspace as well as the Center for the Study of Counter-Terrorism and Cyber Crime at Norwich University. Previously, Gary has been founder and/or inventor for technologies and corporations sold and licensed to Hexis Cyber, Intel/McAfee, IBM, Computer Associates and BlackBox Corporation. Gary is a member of ISC2.org and is a CISSP®. Email him at email@example.com.
Learn more about SnoopWall’s cybersecurity expert CEO at: http://www.snoopwall.com/media/
For CEO interviews and Press Inquiries Contact:
News & Experts
727-443-7115 Ext: 221