Hackers and the Internet of Things

James Lyne, cyber security specialist, talks to the 2018 Winter Enrichment Program (WEP) audience about how to stay secure online. Photo by Asharaf K. AbdulRahman

-By Sonia Turosienski, KAUST News

Software update notifications and endless password creation are part and parcel of living in the modern world. According to cyber security expert James Lyne, these simple security measures may be more effective than they seem. Lyne enlightened the University's 2018 Winter Enrichment Program (WEP) audience about the newest hacking techniques and easy-to-implement strategies that can help defend against them. He was also interviewed live on Facebook before his keynote address.

Lyne is a self-professed "massive geek." He has given multiple TED talks and has appeared on CNN, NBC and BBC. He is the founder and director of Helical Levity, a high-end security research firm, works as the global research advisor at Sophos and is the head of research and development and cyberstart creator at the SANS Institute.

Bringing humor to cyber security, Lyne took the audience through multiple live demonstrations of hacking and phishing attacks, demonstrating the extent to which cyber criminals can wreak havoc on a user's personal information and security online. Lyne explained that when users ignore basic security measures and remain unaware of hacking strategies, hackers can easily gain password information, watch screen and keyboard activity and even access the device's camera and microphone.

Internet users will be familiar with phishing attacks where hackers pretend that a wealthy relative has passed away and the victim will be the recipient of a large inheritance. However, Lyne explained that hackers are becoming more and more sophisticated in their technical and psychological strategies. Furthermore, he explained that cyber crime is going beyond fraud and stealing credit card details. The recent hacking attack on the National Health Service in the U.K. is an example of hackers leveraging more power.

The dark web is a layer of the internet where cyber criminals—whom Lyne referred to as "organized criminals"—do business. Lyne showed the WEP 2018 crowd a glimpse into this illicit marketplace, with Amazon-like seller reviews, price promotions and even marketing videos included in hacking applications to advise buyers on the features of their product. A product (or hacking application) that can pretend to be various devices, falsify locations, spoof phone numbers and circumvent banking fraud checks sells for about $300. Some products even offer a money-back guarantee in case the buyer encounters issues with government officials.

The mobile threat

Mobile devices are just as vulnerable to hacking attacks as computers. Users don't often think that they could be the target of a hack on their phones, which means that mobiles are more vulnerable to social engineering techniques than malicious code.

When asked about whether Android or iOS was more vulnerable, Lyne explained that Android is more prone to attacks, but there are also more steps that Android users can take to protect their devices. There are currently about 3 million malicious applications available for Android. Mimicking popular applications like Instagram and Facebook, they allow the hacker to hijack the phone, enabling the camera and microphone to be turned on as well as send messages to contacts without the user knowing.

James Lyne, cyber security specialist, receives a gift from the KAUST WEP team after his keynote speech on campus. Photo by Asharaf K. AbdulRahman

iOS users are still prone to what Lyne calls the "Typhoid Mary problem," meaning that while the iOS device or user may not be affected, the malicious code can be passed on to other devices or users. Lyne advises that all mobile users should apply the same security measures as they do on their computers—regularly run updates, configure mobiles to encrypt where possible and use strong passwords.

As users have become more wary of common hacking techniques, hackers have turned to what Lyne calls "social engineering" practices. These principles of persuasion, which are derived from psychological research, include borrowing credibility from authority by pretending to be a government entity and closely mirroring normal human behavior to decrease detection and increase trust. Lyne recounted an anecdote from when he worked with a prominent law firm.

As a way of illustrating this principle to the firm employees, Lyne and his team arranged to send an email that could have contained malicious code from the head partner to all employees asking them to view the new security policy. Every employee—except for two—clicked on the email. The two who did not were on holiday. The takeaway is that "many large security breaches [happen because of] someone clicking on something they shouldn't," Lyne concluded.

Internet of things (IoT)

Devices from coffee makers to vacuum cleaners are increasingly receiving WiFi upgrades. While this provides end users with many benefits, Lyne explained that there are risks associated with IoT devices. According to Lyne, regulators are in large part responsible for ensuring that IoT devices are protected, but users should treat their IoT devices similarly to mobiles and computers. Hackers are able to compromise one device in a network and then use that to "jump" to other devices in the same network, explained Lyne. He added that creating a guest network for IoT devices is a simple and proactive way to contain damage if this happens.

Cyber criminals employ complex strategies to compromise users' personal information and security. According to Lyne, the best way to combat this is to implement simple but consistent protective measures. Consistency is key, as a seemingly harmless click can allow a small but easily exploited opening to do much more damage. Focusing on security now and "doing the basics" keeps everyone a little safer from cyber criminals, he said. In his concluding remarks, Lyne advised that everyone should look up the top 10 simple hygiene practices for web security: use different, difficult passwords; perform regular software and browser updates; and remain wary of "things that are too good to be true."
