Cybersecurity worries at the Olympics range from personal phones to public water supplies

Using a burner phone at the 2022 Winter Olympics is one way athletes, coaches and fans can protect themselves from spying. This tactic is certainly inconvenient and potentially expensive but it is doable. Cybersecurity experts also are worried about Internet of Things attacks that could reach well beyond individual concerns and solutions.

Olympic organizers have faced cyberattacks for years, with London and Rio dealing with IT problems in 2012 and 2016 respectively. One of the most dramatic attacks was in 2018. Hackers launched an attack during the opening ceremonies at the Winter Games in Pyeongchang, South Korea. In a 2019 Wired article, Andy Greenberg described the attack on an IT infrastructure that included “more than 10,000 PCs, more than 20,000 mobile devices, 6,300 Wi-Fi routers, and 300 servers in two Seoul data centers.” The attack started by “shutting down every domain controller in the Seoul data centers,” which meant that Wi-Fi didn’t work, internet-linked TVs in the Olympic facilities went down along with every RFID-based security gate and the Olympics official app, according to the Wired article.

This year, the app athletes have to use for health checks and other tasks poses a serious risk of personal data loss, according to researchers at Toronto’s Citizen Lab. Also, Beijing recently placed fourth in Juniper Research’s list of smart cities worldwide. Smart city infrastructure can make life more convenient for residents. City leaders have to balance those benefits against the increased security risks of connecting transportation, communication, water and waste treatment plants and other critical infrastructure to the internet.

Here’s a look at cybersecurity risks at the current games for both individuals and the entire community.

Personal cybersecurity risks for athletes

James Carder, chief security officer at LogRhythm, sees a real risk of hackers breaching visiting athletes’ accounts and using emails or texts for blackmail.

“When I travel for work and as a regular person, if I go to China or a country that may be less sensitive to my privacy, I don’t carry my corporate laptop or cell phone,” he said. “I use burners.”

Ben Cody, SVP of product management at SailPoint, said that athletes should use Bluetooth only when absolutely needed, and VPNs should be mandatory regardless of whether a person is using Wi-Fi or a cellular connection.

“Consider logging out of corporate applications on your phone,” he said. “Inquire about your identity profile and consider a ‘least privilege’ approach to application entitlements while away at the games.”

Carder said athletes should be aware of their physical security as well as cyber risks.

“Understand there are people who want to spy on you, and don’t make it easy on them to get what they need,” he said.

MY2022 app has data security problems

These security concerns are in addition to vulnerabilities in the app that athletes have to use. Researchers with Toronto’s Citizen Lab project did an extensive evaluation of MY2022, an app that athletes have to use to share medical information related to COVID-19. The flaws are significant:

  • Encryption protecting a user’s voice audio and file transfers can be bypassed
  • Health customs forms with passport details, medical and travel history are vulnerable
  • Server responses can be spoofed

In the report, Cross-Country Exposure: Analysis of the MY2022 Olympics App, researchers stated that “the app’s security deficits may not only violate Google’s Unwanted Software Policy and Apple’s App Store guidelines but also China’s own laws and national standards pertaining to privacy protection … .” The vendor who built the app did not respond to these security disclosures, according to the lab. The Beijing Organizing Committee for the 2022 Olympics built the app. Beijing Financial Holdings Group, a state-owned company, is listed as the seller of the app in the App Store.

The researchers found two vulnerabilities in data transmission: a failure to validate SSL certificates and a lack of encryption when sending data. The security experts found five SSL connections that are vulnerable, which could allow an attacker to “read a victim’s sensitive demographic, passport, travel and medical information sent in a customs health declaration or to send malicious instructions to a victim after completing a form. As another example, since the app does not validate the SSL certificate for “”, an attacker may use the same methods to read victims’ transmitted voice audio or file attachments.”

In response to these concerns, the International Olympic Committee said it had not identified any critical vulnerabilities. A Beijing official told journalists during a press briefing that the app had been validated by both the Android and Apple app stores. The Citizen Lab researchers created an account in the iOS version of the app but were unable to do the same with the Android version.

How to improve app security 

Carder said the security flaws in the MY2022 app make him question how much the Olympic committee invested in the security of the application itself.

This kind of security review is important for any app that collects personal information, such as COVID-19 tracking and voting apps.

“A lot of companies, even if they have an app security focus when going through development, the security team doesn’t see the app until the very end of the product development process,” he said. “If you have to choose between making the app secure or getting it out on time, companies will always choose to release a feature on time.”

Carder said he has reorganized software operations at his company to remove the need to choose between security and on-time delivery.

“We build a ton of automation and integrations between testing tools and repositories where developers drop code,” he said. “When code gets checked in by a developer, it goes straight to get checked by security.”

This approach reduces the chances for remediation work at the end of the development process, Carder said.
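
An added example (not code from the article, Citizen Lab or LogRhythm) of the kind of check-in gate Carder describes, aimed at the two transmission flaws reported in MY2022: disabled certificate validation and unencrypted sends. The rule list, the `tls-check: ignore` marker and the sample commit are constructed assumptions.

```python
import re

# Illustrative, non-exhaustive rules: each pairs a label with a regex for a
# well-known way client code turns off TLS checks or sends data unencrypted.
RULES = [
    ("cert-validation-disabled", re.compile(r"verify\s*=\s*False")),
    ("cert-validation-disabled", re.compile(r"_create_unverified_context|CERT_NONE")),
    ("cert-validation-disabled", re.compile(r"rejectUnauthorized\s*:\s*false")),
    ("hostname-check-disabled",
     re.compile(r"check_hostname\s*=\s*False|ALLOW_ALL_HOSTNAME_VERIFIER")),
    ("cleartext-endpoint", re.compile(r"""["']http://(?!localhost|127\.0\.0\.1)""")),
]

def scan(path, text):
    """Return (path, line_no, rule, line) for every rule hit in one file."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if "tls-check: ignore" in line:  # hypothetical marker for a reviewed exception
            continue
        for rule, pattern in RULES:
            if pattern.search(line):
                findings.append((path, line_no, rule, line.strip()))
                break  # one finding per line is enough to block the check-in
    return findings

def gate(changed_files):
    """Scan every file in a commit; the check-in passes only with zero findings."""
    findings = []
    for path, text in sorted(changed_files.items()):
        findings.extend(scan(path, text))
    return (len(findings) == 0, findings)

# Constructed sample commit (hypothetical paths and hosts, not from any real app).
SAMPLE_COMMIT = {
    "client/upload.py": "import requests\n\nr = requests.post(URL, json=form, verify=False)\n",
    "client/config.js": "const agent = new https.Agent({ rejectUnauthorized: false });\n"
                        "const AUDIO_URL = 'http://media.example.test/upload';\n",
    "client/fixed.py": "import requests\n\nr = requests.post(URL, json=form, timeout=10)\n",
}

if __name__ == "__main__":
    ok, findings = gate(SAMPLE_COMMIT)
    for path, line_no, rule, line in findings:
        print(f"{path}:{line_no}: {rule}: {line}")
    raise SystemExit(0 if ok else 1)
```

A pattern scan like this catches only the obvious cases at check-in; it complements, rather than replaces, testing the built app against a server presenting an untrusted certificate.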

There are several steps that corporations and governments can take to set higher cybersecurity standards, including:

  1. Establishing stronger government regulation
  2. Customers setting higher standards to increase security in software
  3. Adopting a global code of conduct that sets consequences for hacking

Carder suggested that customers make security reviews part of the due diligence process of negotiating a contract to improve overall cybersecurity and reduce third-party security risks.

“If a company is not getting the business it’s used to getting, they are going to take notice, such as giving up $50 million in business due to not solving a $2 million problem,” he said.

Timed attacks on critical infrastructure

This increased due diligence extends to IoT installations as well, particularly those that connect to transportation systems, public facilities and utilities. In 2018, the Olympics IT team worked through the night to repair the damage from the cyberattack. The impact also reached into the community, including an IT services provider in France and two ski resorts.

Claroty CISO and chief product officer Grant Geyer said there is no shortage of critical infrastructure related to the Olympics that creates a huge target for bad actors. Claroty is a cybersecurity company that specializes in IoT security for industrial, healthcare and enterprise environments.

The goal may be to put decision-makers in a challenging and high-pressure situation, Geyer said, which can result in emotion-driven decisions.

Geyer said the threat surface increases with every new infrastructure element that is connected to the internet. Claroty’s IoT risk assessment from the second half of 2020 identified increased risks in critical manufacturing systems, water and waste treatment plants and public facilities, such as hotels.

“A lot of these systems have a myriad of backup systems and resilience controls yet the more cybersecurity planning takes into account cyberattacks that hit physical systems, the better prepared they will be,” he said.

Geyer said any smart city has a very broad attack surface area, regardless of the domestic policies of the host nation.

“Regardless of how restrictive the internet access policy is, that’s a vast attack landscape,” he said.

According to Geyer, manufacturing leaders face three different headwinds when it comes to improving cybersecurity:

  1. Cultural: “In asset-intensive environments, there’s an aversion to change and sometimes to patching vulnerabilities.”
  2. Long depreciation timelines: “It’s not unusual to walk into a factory and see Windows XP or Windows 7.”
  3. Competing priorities: “In production environments people need to be focused on process and safety, so cyber is a secondary or tertiary duty for an operator.”

Also, because safety is the top priority at hospitals and power plants, updates and changes are done only during specific downtime windows, which may come at three-month intervals, he said.

The IT team that managed the infrastructure for the 2018 Olympics started planning and preparing in 2015, which is the kind of lead time Geyer recommends for cybersecurity preparations.

Organizations should take these steps to prepare for cyberattacks during big events such as the Olympics:

  1. Ensure critical assets are segmented off from other network elements to reduce the attack surface area.
  2. Conduct tabletop exercises and drills to understand how to respond and recover from an attack.
  3. Establish lines of communication to make it easy for all entities affected by an attack to share information across countries and organizations.

“Because the ground is moving under our feet, that increases the need for situational awareness as we go into the final stretch before an event,” he said.
