A devastating data breach can be as simple as an unsecured endpoint leading to security incidents. With the ever-growing threats to cybersecurity in today’s evolving digital world, it is important for us all to educate ourselves and take the necessary actions to protect our personal data and the data of our customers.
Data has become a highly sought-after and valued currency used throughout the political and technological spheres in which we all live and work, so why is it that the protection of data is often a second thought at home and at the office? When data is stolen by hackers and cybercriminal groups, it can be exploited and manipulated in many ways with devastating results.
This article will highlight 5 unique security incidents that exemplify just how important endpoint security really is, and the potential consequences of a poorly secured endpoint.
The most common way for data to be stolen is through endpoints. But, what exactly is an endpoint?
In short, an endpoint is one end of a communication channel used throughout computing systems and networks to relay messages and information at great speeds. Some of the most commonly known and used endpoints include laptops, web servers, and portable hard drives.
Most people have become accustomed to these sorts of devices, using them regularly throughout our day to day lives. But what many often overlook is the vulnerability of these devices and the consequences that their usage can have when endpoint security is neglected.
A a group of hackers hit a different kind of jackpot in 2017 when they gained access to a casino’s database through a smart thermometer. This security incident was made possible through an IoT thermometer that was kept in the casino’s aquarium. The thermometer was connected to a networked PC that regulated the water temperature, food dispensary, and the cleaning cycle of the large tank.
If you’ve been paying attention to the IoT security space, you know what happens next. Having an unsecured IoT device on the same network that sensitive data is stored on is a recipe for disaster.
Hackers used the thermometer’s internet connectivity to maneuver through the casino’s wider network without any alert. Eventually, they were able to retrieve 10GB of what some suspect to have been information and data of the casino’s most cherished customers – the highrollers. The data was then sent to a server located in Finland back through the fish tank thermometer.
Help Net Security’s 2017 report of the incident does not mention the name of the North American casino that fell victim to this sophisticated cyber attack, nor does it go into details about the types of data that was stolen (Zorz).
Instead, the report and the many articles covering the event raise awareness as to just how devastating lax network security can be when managing a large volume of internet of things (IoT) devices. Even something as inconspicuous as a fish tank thermometer can become a weapon for hackers when it is connected to the internet and not properly secured.
In today’s office environments where an endless number of smart devices are connected to the internet to create a large IoT network, it is important for all company members to understand just how vulnerable these seemingly harmless pieces of technology can be.
Whether it be a smart speaker used for conference calls, a series of smart light switches used to remotely control ambiance, or a simple USB stick, whenever a device is connected to the internet it can become a resource for hackers to infiltrate the company network.
IoT devices pose a threat to security and privacy at home as well, as a family in the United States quickly learned when their baby monitor device was hacked in 2018 (Green). The baby monitor, connected to the internet, was used by the hacker to release sexual expletives through its speaker. The attack obviously frightened the parents deeply and raised concerns over these types of devices, their vulnerabilities, and what other security incidents were possible.
In Finland, a country well known for its long cold winters, a cyber attack was executed through an apartment building’s IoT thermometer that allowed the hackers to have control over the heating and hot water controls (Matthews). Residents of the apartment were left in freezing conditions until the DDoS attack was finally isolated and resolved, which required a major system reboot of the HVAC system.
The rise of home security systems have also brought forth their own cases of IoT drama. In February of 2019, James Griffiths of CNN released a detailed article on how internet-connected cameras and surveillance equipment in homes around the world were being accessed and broadcasted for nearly anyone to see (Griffiths).
The IoT equipment, with little to no security, was found through Shodan, a search engine used to find and explore internet-connected devices. With cameras showing children playing in Indonesia, a man getting ready for bed in Moscow, and the everyday activities of a family in Australia, the worldwide attention that the CNN article garnered led the government of Japan hack its own citizens through IoT devices in order to demonstrate to them just how vulnerable these cameras and other pieces of technology truly are.
A CBC (Canadian Broadcast Corporation) report in June of 2018 writes about a security incident where a laptop that contained personal information of more than 33,000 Canadian residents was stolen in the nation’s capital city of Ottawa (Brockman).
The report goes on to shockingly reveal that none of the data stored on the laptop was encrypted, leaving only the computer password to keep the thief from accessing the data.
The data, collected legally through the Canadian Public Health Act, contained the names, addresses, birth dates, and the health history of Canadians living in the Northwest Territories (NWT).
The fact that the sensitive data was left unencrypted and that the laptop was carelessly left in a vulnerable vehicle rang alarm bells throughout the cyber security world and especially throughout the Canadian government.
Bruce Cooper, the Northwest Territories’ deputy minister, voiced his concerns over the issue and promised that the lackadaisical security measures would be improved after being briefed on the incident.
Unfortunately for residents of the NWT, this incident was only one of many in recent years, creating an increasing concern amongst the public of the security systems in place.
Elaine Keenan-Bengts, the territory’s information and privacy commissioner, stated that health information officials were “far from compliant” with the Canadian Public Health Act. In fact, all of the devices supported by the NWT’s Technology Services Centre are supposed to be encrypted, which was not the case for the laptop stolen in Ottawa.
In 2014, a doctor in the NWT capital of Yellowknife lost a USB drive containing the names, healthcare numbers and other personal medical information for more than 4,000 patients, further demonstrating how easy it is for portable devices to lead to a data breach.
For any entity responsible for personal data, whether a private company or a governing body, endpoint security should be at the forefront of a strong security plan. Securing endpoints will ultimately decrease the chances of a data breach and other security incidents.
Need to secure your endpoints? Try a free trial of CurrentWare’s user activity monitoring, web filtering, and device control software solutions.
This next security incident demonstrates how critical it is to lockdown endpoints, even for trusted users.
When portable storage devices aren’t blocked, insider data theft is as simple as sneaking in a USB flash drive—or in this case, a floppy disk.
It’s worth noting that this security incident occurred in 2007. At this time only 2% of computers sold in stores contained built-in floppy disk drives. This is a prime example of how “security through obscurity” simply isn’t a viable cybersecurity strategy.
Now onto the data theft story…
Jeffrey Delisle is a former Sub-Lieutenant for the Royal Canadian Navy who, in October of 2012, pleaded guilty to breach of trust and two counts of stealing and passing secret information to a foreign entity. His case is an extreme and notorious example of how poor endpoint security can lead to severe and irreparable damage for those dealing with sensitive information and data.
In 2007, after over a decade of service, a maritally disgruntled and financially distressed Delisle walked into the Russian Embassy in Ottawa and offered to sell the foreign representatives top-secret classified information for $10,000 (Strickland).
The information that Delisle controlled was quite simply collected by him sharing the classified material from his Navy-distributed work computer onto an integrated floppy disc. The information was later transferred from the floppy disc to a USB drive, which was then shared with the Russian spy agency GRU in exchange for the cash payment.
As a high-ranking naval officer, Delisle regularly accessed and handled highly sensitive and classified information. This included access to the highly coveted database Stone Ghost which was shared between the Five Eyes alliance of Canada, the United States, Great Britain, Australia and New Zealand.
His relationship with GRU continued for years, and it is reported that he would regularly share classified data with the Russians at a cost of $3,000 per month (Puddicombe).
When the news broke of his arrest in 2011 and after learning that Delisle was able to steal and share the data over an extensive period of time, military and cybersecurity experts were astonished by the relative ease in which he was able to execute this devastating espionage act.
Despite the Canadian Navy stripping apart and rebuilding the infrastructure and framework in which Delisle operated and exploited, his ability to pull this off was notably a result of very poor endpoint security management. Had there been endpoint security systems in place (such as device control software to block data transfers to portable storage devices), the espionage crimes committed by Jeffrey Delisle would have been far more difficult to pull off.
The news broke of the now confirmed malware attack on the National Thermal Power Corporation (NTPC) in early May of 2020.
The NTPC, located in New Delhi, India, is a government electricity board engaged in the business of the generation of electricity and allied activities. When employees and users logged on to the NTPC website, they were shockingly greeted by a cryptic piece of text that indicated a major data breach had been successful (Strong).
Reports from Newsdesk and others claimed that the attack was perpetrated by a Chinese-backed hacking group known throughout the cyber-security world as RedEcho, a group of sophisticated Chinese tech wizards with a long history for such acts (Mihindukulasuriya).
With political tensions growing between the Chinese and Indian governments over border disputes, it was assumed that the attack was designed to cause major disturbances and concern throughout India’s national security department.
With up to a total of 10 reported incidents against India’s energy sector all traced back to RedEcho over a short period of time, the reason for concern was definitely real.
On February 28th of 2021, Recorded Future released a report that further confirmed the notion that the attacks were coordinated by the Chinese in collaboration with the RedEcho group (Ajmal).
The Massachusetts-based research and analysis organization led by Christopher Ahlberg dug deep into how and why the attack happened, concluding that the incident was a prototypical malware attack carried out by state-of-the-art trojan technology known as ShadowPad.
ShadowPad is a modular backdoor tool used by the RedEcho hacker group to infiltrate cyber networks through widely used software components, much like more traditional trojan technology but far more difficult to detect.
First known reports of the ShadowPad technology were documented in 2017 when the malware technology had been injected into software updates provided by NetSarang, a legitimate software company with headquarters in the United States and South Korea (Kaspersky).
NetSarang was unaware that its software had been infected with the malicious code of ShadowPad and had distributed its updates to users around the world.
The ShadowPad technology is so advanced and effective due to its ability to steal data from multiple computers and servers while automatically communicating with the hacker’s computer. The ShadowPad can relay information and data from the victim’s PC back to the hacker’s at a frequency of once every 8 hours. The rate at which the data is stolen and shared is largely unprecedented, making this hacking technology one of the most feared pieces in cyber security history.
Later in October of 2020, another known cyber attack was committed against India’s energy sector which caused a major power outage in the populous city of Mumbai. This attack has been confirmed by Recorded Future to have been another one of the 10 major attacks led by RedEcho on India that used the ShadowPad malware technology.
The advanced malware and its incredible evasiveness of security detection has spiked major concerns for security experts of all levels and industries. Experts are now – more than ever – calling for companies to be extremely diligent when distributing and installing software.
Likewise, the software developers themselves, such as NetSarang, are working tirelessly to ensure that their tech does not fall victim once again. But the threat of an attack remains at large.
Software has long been used as an entry point for cyber criminals to attack endpoints such as workstations and laptops in order to infiltrate networks and steal data. For all companies across every industry, it is important to always screen and assess all software that is used throughout the company in order to decrease the threat of an attack.
The more that various pieces of software are being installed and used across a company, the higher the chances that a malware attack can happen. It is up to cyber security professionals employed or hired by the company to determine which pieces of software are safe and necessary for the organization.
As you now know, the ways that endpoints can be attacked by hackers to steal data are seemingly endless as the resources and technology at their disposal continues to adapt to modern security systems.
No matter how innocent an internet-connected device may seem, it is likely vulnerable to an endpoint attack. Whether at your home or within your company, establishing and managing a secured network starts with your endpoints.
Learn how CurrentWare’s products can protect your data against theft and high-risk user activities by contacting us today.
Get started today—Download the FREE template and customize it to fit the needs of your organization.
Brockman, Alex. https://www.cbc.ca/news/canada/north/nwt-health-data-breach-laptop-stolen-1.4726891.
Green, Emily. https://nordvpn.com/blog/baby-monitor-iot-hacking/.
Griffiths, James. https://edition.cnn.com/2019/02/01/asia/japan-hacking-cybersecurity-iot-intl.
Heisler, Jay. https://www.voanews.com/americas/impact-canadian-spy-case-resonates-10-years-later.
Matthews, Lee. https://www.forbes.com/sites/leemathews/2016/11/07/ddos-attack-leaves-finnish-apartments-without-heat/?sh=638417dc1a09.
Puddicombe. https://www.cbc.ca/news/canada/nova-scotia/jeffrey-delisle-navy-russia-espionage-documents-spying-1.3514194.
Strickland, Dale. https://jaxenter.com/cybersecurity-modern-warfare-167878.html.
Zorz, Zeljka. “An Internet-connected fish tank let hackers into a casino’s network.” An Internet-connected fish tank let hackers into a casino’s network, https://www.helpnetsecurity.com/2017/07/27/internet-connected-fish-tank-hackers/
Cookie | Duration | Description |
---|---|---|
__cfruid | session | Cloudflare sets this cookie to identify trusted web traffic. |
cookielawinfo-checkbox-advertisement | 1 year | Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Advertisement" category . |
cookielawinfo-checkbox-analytics | 11 months | This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics". |
cookielawinfo-checkbox-functional | 11 months | The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional". |
cookielawinfo-checkbox-necessary | 11 months | This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary". |
cookielawinfo-checkbox-others | 11 months | This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other. |
cookielawinfo-checkbox-performance | 11 months | This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance". |
JSESSIONID | session | The JSESSIONID cookie is used by New Relic to store a session identifier so that New Relic can monitor session counts for an application. |
LS_CSRF_TOKEN | session | Cloudflare sets this cookie to track users’ activities across multiple websites. It expires once the browser is closed. |
OptanonConsent | 1 year | OneTrust sets this cookie to store details about the site's cookie category and check whether visitors have given or withdrawn consent from the use of each category. |
viewed_cookie_policy | 11 months | The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data. |
Cookie | Duration | Description |
---|---|---|
__cf_bm | 30 minutes | This cookie, set by Cloudflare, is used to support Cloudflare Bot Management. |
_zcsr_tmp | session | Zoho sets this cookie for the login function on the website. |
Cookie | Duration | Description |
---|---|---|
_calendly_session | 21 days | Calendly, a Meeting Schedulers, sets this cookie to allow the meeting scheduler to function within the website and to add events into the visitor’s calendar. |
_gaexp | 2 months 11 days 7 hours 3 minutes | Google Analytics installs this cookie to determine a user's inclusion in an experiment and the expiry of experiments a user has been included in. |
Cookie | Duration | Description |
---|---|---|
_ga | 2 years | The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors. |
_ga_GY6RPLBZG0 | 2 years | This cookie is installed by Google Analytics. |
_gcl_au | 3 months | Provided by Google Tag Manager to experiment advertisement efficiency of websites using their services. |
_gid | 1 day | Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously. |
CONSENT | 2 years | YouTube sets this cookie via embedded youtube-videos and registers anonymous statistical data. |
Cookie | Duration | Description |
---|---|---|
_opt_expid | past | Set by Google Analytics, this cookie is created when running a redirect experiment. It stores the experiment ID, the variant ID and the referrer to the page that is being redirected. |
IDE | 1 year 24 days | Google DoubleClick IDE cookies are used to store information about how the user uses the website to present them with relevant ads and according to the user profile. |
NID | 6 months | NID cookie, set by Google, is used for advertising purposes; to limit the number of times the user sees an ad, to mute unwanted ads, and to measure the effectiveness of ads. |
test_cookie | 15 minutes | The test_cookie is set by doubleclick.net and is used to determine if the user's browser supports cookies. |
VISITOR_INFO1_LIVE | 5 months 27 days | A cookie set by YouTube to measure bandwidth that determines whether the user gets the new or old player interface. |
YSC | session | YSC cookie is set by Youtube and is used to track the views of embedded videos on Youtube pages. |
yt-remote-connected-devices | never | YouTube sets this cookie to store the video preferences of the user using embedded YouTube video. |
yt-remote-device-id | never | YouTube sets this cookie to store the video preferences of the user using embedded YouTube video. |
yt.innertube::nextId | never | This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen. |
yt.innertube::requests | never | This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen. |
Cookie | Duration | Description |
---|---|---|
_dc_gtm_UA-6494714-6 | 1 minute | No description |
_gaexp_rc | past | No description available. |
34f6831605 | session | No description |
383aeadb58 | session | No description available. |
663a60c55d | session | No description available. |
6e4b8efee4 | session | No description available. |
c72887300d | session | No description available. |
cookielawinfo-checkbox-tracking | 1 year | No description |
crmcsr | session | No description available. |
currentware-_zldp | 2 years | No description |
currentware-_zldt | 1 day | No description |
et_pb_ab_view_page_26104 | session | No description |
gaclientid | 1 month | No description |
gclid | 1 month | No description |
handl_ip | 1 month | No description available. |
handl_landing_page | 1 month | No description available. |
handl_original_ref | 1 month | No description available. |
handl_ref | 1 month | No description available. |
handl_ref_domain | 1 month | No description |
handl_url | 1 month | No description available. |
handl_url_base | 1 month | No description |
handlID | 1 month | No description |
HandLtestDomainName | session | No description |
HandLtestDomainNameServer | 1 day | No description |
isiframeenabled | 1 day | No description available. |
m | 2 years | No description available. |
nitroCachedPage | session | No description |
organic_source | 1 month | No description |
organic_source_str | 1 month | No description |
traffic_source | 1 month | No description available. |
uesign | 1 month | No description |
user_agent | 1 month | No description available. |
ZCAMPAIGN_CSRF_TOKEN | session | No description available. |
zld685336000000002056state | 5 minutes | No description |