Hollywood’s depiction of a robotic future can scare people, but there are very real threats that aren’t science fiction at all — and many of them are rooted in the past.
While not as sexy as killer robots, pieces of bad code, unpatched software, weaponized malware and aging technology can have a real — and detrimental — impact.
This week’s malware outbreak and last month’s WannaCry ransomware attack are just the latest examples.
“We have the sci-fi depictions of sentient networks that will turn against us, but the problem is, we’ve already built something way too complex for us to be able to manage as a society,” according to Wendy Nather, principal security strategist at Duo Security. “This is a very shaky foundation that we have to clean out and redo.”
Critical systems at risk
Both of the recent attacks exploited unpatched holes in some Microsoft products. Microsoft released patches in March, but companies often fail to install them because of the cost, lack of control over upgrades or outdated hardware on legacy networks.
WannaCry kicked off its global crawl by attacking a network of hospitals in the UK, which had to turn patients away while they grappled with computers taken over by the ransomware.
Tuesday’s attack affected major businesses, including banks, the Maersk global shipping company, FedEx and multinational law firm DLA Piper. It was designed to cause damage, not make money, government officials and researchers have learned.
Movies like Terminator or Minority Report describe what our dystopian future could look like if technology backfires. But contemporary attacks don’t need fictional antagonists.
“This idea that [hackers] could have a material impact on critical infrastructure, whether it’s the banking systems, hospitals, or the power grid, is not theoretical science fiction anymore,” according to Eric Chien of Symantec Security Response. “That’s here today.”
For example, in 2015 and 2016, Russian hackers took down Ukraine’s electric grid, plunging people into darkness. At the RSA security conference in February, expert Jeanie Larson said she once observed children connected to EEG machines that were infected with malware. Disconnecting them to update the software would have disrupted the children’s care. And then on Tuesday, the cyberattack forced the Chernobyl nuclear power plant to disconnect its computers and monitor radiation manually.
Last year’s Mirai botnet used connected home devices to launch a distributed denial-of-service attack. Failure to properly secure these devices led to Netflix, Twitter, Reddit and other major sites going down for a long period of time.
Hidden security threats
Petya, Mirai and WannaCry were widespread and made headlines around the world, but many attacks are much more under the radar. In fact, the Justice Department said over 4,000 ransomware attacks occurred every day last year.
According to a survey by threat intelligence firm Farsight Security, 49% of cybersecurity professionals say they have experienced a frantic security incident like WannaCry that the public never heard about. Of those, 79% said it had happened three times in the last year.
With the recent malware, hackers leveraged a leaked tool called EternalBlue that was purported to belong to the NSA. The leak also contained other tools that could be used by hackers, like a backdoor called DoublePulsar. Even though Microsoft issued patches for both, about 12,000 services are still infected with DoublePulsar, according to Shodan, a database of internet-connected devices.
That number has fallen since WannaCry hit, when upwards of 100,000 services were vulnerable.
But it’s not just government-grade tools that pose a threat. Tuesday’s attack leveraged two legitimate Windows administration features that businesses use to send data to a lot of computers on one network. But if a network is compromised, hackers could use them, too. Digital forensics expert Lesley Carhart wrote that she’s surprised these methods hadn’t been used in a wide-scale attack before Tuesday.
What’s being done
The good news is that there are things you can do to protect yourself, such as keeping computers up to date, changing default passwords and using two-factor authentication.
The government is increasingly focused on cyber hygiene. In 2015, the FTC began hosting workshops to help businesses boost security efforts. Last week, the Senate and House Small Business Committees introduced legislation to help small businesses improve their cyber defenses. Legislators have also proposed a bill to modernize federal information technology to ensure agencies upgrade outdated systems.
In January, former Secretary of Homeland Security Jeh Johnson designated election infrastructure as “critical” in order to prioritize cybersecurity in the wake of the 2016 election hacks. In President Trump’s proposed budget for 2018, a number of federal cybersecurity programs would get a significant funding boost.
Fixing the security holes won’t be easy. Nather, who helped with the FTC’s security program in Austin, says people and businesses are stuck with a patchwork of technology that needs to be overhauled, and soon.
“It’s not the unknown danger — we know exactly what it is,” Nather said. “That’s what’s really scary. You know something’s chasing you and you still can’t run? That’s where I think we are with tech right now.”