Anytime we see a password in our collections we substitute the word "redacted".
I queried one data set only. This specific dataset goes back to only April of last year. In that dataset, the word "redacted" appears 650,472 times and was recorded in 11,227,687 records of attempted uses, meaning, someone tried to log into something with the credentials and we recorded data about the attempt.
Figure 1 - Victim Counts, Government and Logistics |
This year, I'm going to update the victim count. Figure 1 shows the victim counts in the government and logistics sectors from the data set I mentioned above. They are not on the top of the victim count list, but certainly they're high on that list. By way of reference, the entire list in Figure 1 represents 3779 victims -a small fraction of the total 650,472, but remember, they are already victims. It starts with one and spreads.
Now consider this.
Figure 2 - Victim Counts, Totals |
Of that list 650,472 mentions of the word 'redacted' and 11,227,687 records of attempted uses, there are several that we have not been able to characterize by industry or type, but of those that we can, the top four are Email, Search Engines, Social Networking and Financial Management. Yahoo email accounts alone account for 38,764 compromises in our data set. How many of those are used from ships at sea? That's a great question.
But wait, there's more. 3854 victims appear from free email services (Yahoo, Gmail, Hotmail, AOL, etc.), accounting for over 3,562,444 records (recorded uses) in this one, singular, dataset. So what? 32% of the victims came from free email services.
We keep chasing the really hard stuff… we're going to hear talks of advanced persistent threats, fighting through the cyber, and talks about why this stuff is really hard —and it is really hard, but there's also easy stuff.
Why are ships at sea allowed to use free email services? And if they want to allow them (there are probably many reasons why they would —crew changes, shared computers, etc.), why not do so on machines not connected to other devices? Why are these same computers used for email, surfing porn (yes, we see a ton of that too), shipboard logistics, and communicating between the ports, masters, agents, etc.?
Don't get me started in minimum manning, integrated bridge systems connected to engineering, and the push toward both connected and autonomous ships? This scares the heck out of me.
A much simpler concept. Free email systems are not secure. This is easy button stuff folks.
There are plenty of reasons why commercial logistics operators would want a free email system —crew changes make it impossible to keep up with the moves, adds, and changes or new crews and the required provisioning. These email accounts are used to connect with the wife and kids, surf porn for those lonely guys/gals, and buy Christmas presents on Amazon. I get it all. But, when one infected user on a shared computer onboard ship gets infected, they all get infected.
Do I care that 3 billion yahoo accounts were stolen? You bet I do, but in every place where I've worked, where they take security seriously, one of the top things that they all do is block free web based email systems.
I've not discussed search engines, social media use, or financial, but you get the point. One user spreads to many compromises. In one (a story I'm going to tell next week), we authored a report in which one compromised payment processor had over 35 pages of transaction records —each record per transaction. Why? Because a shared machine was compromised.
OK folks. My family will be up soon and I'm behind on posting. I hope to see you in St. Louis next week. Stop by and buy me a beer! :)
Have a great weekend!
Jeff