Scary Security Stories to Tell in the Dark

In honor of today being the spookiest day of the year, we decided to share some especially scary stories from the cybersecurity crypt. Some of these stories reflect the work our consultants have performed, and some are growing threats that the security community is currently monitoring. But, either way, they’re unsettling – and unlike a creepy girl crawling out of your TV screen, they could happen.

If you’re in the mood for a (plausible) scare – read on. Just make sure your lights are on, and that your password isn’t … “12345” …

Security Story #1: The Legend of the Hacked Metro

Every day, millions of Americans depend on mass transit to get from Point A to Point B. But what if that mass transit suddenly stopped working for several hours… or even days? The impact may not equate a Godzilla-level catastrophe, but the inconvenience to countless citizens (and by extension, businesses) would be something of a terror in itself.

From our experience, it is possible for hackers to bring transit to a standstill. Recently, during a client engagement, our security consultants gained access to the internal network of a transportation system for a major metropolitan area. Once in, they extracted the credentials of administrators who had access to the network. In the wrong hands, this access could be used to halt trains and buses, hijack CC-TV in the mass transit offices, and – in a worst-case scenario – essentially shut down a metropolitan area.

In 2016, in a slightly more innocuous instance, a hacker attacked San Francisco’s public transit – encrypting data on the transit’s computer system and demanding a bitcoin ransom in return for decryption. For riders, it worked out: It was a weekend of free fare. The San Francisco Municipal Railway, however, took a financial hit. Though they refused to pay off the attacker, two days of lost revenue over Black Friday weekend is nothing to scoff at.

DON’T GET TOO SPOOKED: Though ransomware attacks have become more frequent in recent years, with targets ranging from entities like Muni to, most recently, the city of Johannesburg, if you take the right precautions, they can be avoided. It all boils down to security best practices – backing up your data, continuously patching and updating your systems, segmenting your networks, creating a strong password policy, implementing multi-factor authentication, and not opening attachments from senders you don’t know or trust, no matter how much the Prince of Nigeria needs you. For a full list of security tips, check out the U.S. Cert here.

Still scared?: Some mass transit mobile applications aren’t safe, either. Read some of our advisories by Priyank Nigam for more mass transit scares.

Security Story #2: The Tale of the Deepfake

Imagine you wake up one morning to find a YouTube video of yourself circulating, engaging in the unthinkable. You are humiliated and horrified, but you also realize the person in the video is not actually you. They may resemble you, but as you stare into the soulless eyes of your doppelganger, a realization dawns upon you. It’s a creepy product of deepfake technology. Unfortunately for you, the rest of the world can’t tell.

What once was the stuff of science fiction has become an increasing presence in our reality. If you caught 2016’s “Rogue One” and saw a young Carrie Fisher at the end, you’ve witnessed deepfake technology in action. But deepfake technology isn’t always used to make “Star Wars” more awesome. Thanks to open source software that makes it accessible to everyone, it has increasingly been used to manipulate individuals into seeing and hearing what isn’t real. And where there’s manipulation, there’s opportunity for social engineering. Today, phishing is a major security threat to both organizations and individuals. Empowered with deepfake technology, an avid phisher can now mimic the voice of a business’s IT lead and convince unsuspecting employees to share their credentials or impersonate the CEO and convince accounting to wire them thousands of dollars.

DON’T GET TOO SPOOKED: Although it sounds frightening, don’t let deepfake technology keep you up at night. Technology leaders like Amazon, Facebook, and Microsoft, are fighting back against deepfakes, building innovative AI-based tools to detect manipulated media.

But in the meantime, if you’re worried about being duped by a deepfake, this article lists red flags for detecting one. And if you’re frightened that you may be a deepfake target – lock down your social media accounts to the best of your ability (see this piece by Wired for ideas).

Security Story #3: The Haunted Smart House

You’re sleeping in your home, and you decide to get up during the night for a glass of water. It’s dark, but you feel safe, knowing that your home is protected by the latest security technology. You enter your kitchen, turn on a light, and find yourself face to face with a stranger. You lock eyes with each other and cue your own personal horror movie.

It doesn’t make sense, right? You have the latest alarm technology installed. You should be safe. Think again.

It’s uncommon now to find a house where smart technology isn’t everywhere. Whether it’s an Alexa taking music requests, a smart refrigerator that knows when you run out of milk, or a smart washing machine … that, uh, washes clothes … smart appliances and devices are the new normal. Unfortunately, smart doesn’t always mean safe.

At Black Hat and DEF CON this year, Bishop Fox researchers demonstrated just how not safe your smart home is. Targeting door and window sensors using an “ACK Attack,” our researchers exploited a Zigbee wireless network vulnerability, disabled the home alarm system, and walked into a house undetected (you can watch the attack in action here.)

And those smart washing machines? They seem so harmless. Yet on a recent client engagement, our consultants used the machine’s mobile application to gain entry to the client’s internal network. So even though the device wasn’t the culprit, its app still posed a risk – not to end-users, but to the company itself.

DON’T GET TOO SPOOKED: Fortunately, there are some things you can do to protect yourself from hackers compromising your smart devices. Mentioned previously, network segmentation is the silver bullet of security defenses; having a segmented network will ensure your smart washing machine or alarm system isn’t in danger because of other devices.

Ensure you change the security settings on your devices after you purchase them – do not leave them on the default settings, as they can be easy to bypass. Ensure your devices are receiving regular updates, and it’s not a bad idea to peruse the news to see if any of your smart devices were found vulnerable to something.

Lastly, in the case of some smart devices, it’s a good idea to weigh whether you really need the smart version. Some devices are better left off not digitalized.

Sleep Well Tonight!

We wish, dear reader, we could say that’s all and that we live in a perfectly secure world, but we absolutely do not. The Bishop Fox research team is currently working on a few projects that would send chills down your spine if you knew. And, in due time, you will!