August 23rd 2021
The Rotary Club, Dublin
Founded, 22nd February 1911
‘All the news that’s fit to print’
President: Alexander Kopf VOLUME 28 ISSUE 7 Editors:
Hon. Sec.: Tony McCourt Alan Harrison
Telephone: 087 241 7185 August 23rd 2021 Frank Bannister
www.rotarydublin.ie David Booth
Our speaker today is President Alexander Kopf on Rotary Fellowships and Action Groups
Forthcoming Speakers and Events
Aug 30th Return to the Grand Canal
Sep 6th Business Meeting
Sep 12th Annual Duck Race on River Dodder at Milltown.
Sep 13th Paddy Furey, Croquet (that ancient Irish game)
President Alexander was in the Chair last week.
Visitors and Apologies
We had 15 members at the meeting. President Alexander (in Hon Sec’s absence) gave apologies for Ton McCourt, Mary O’Rafferty, David Booth, Tom O’Neill, David Horkin,
Bernadette Mulvey welcomed guests to the meeting: Vasily Ogievsky, (soon to be inducted as a member) Cormac Trant, Marie Mueller
Rotary Rangers’ Schedule
Aug 31st Carraig Gollergan, Shankill.
Thought for the day
Bernadette Mulvey gave the thought of the day, noting that the 16th August was the anniversary of the death of Elvis – who sang “home is where the heart is” In the last 18 months for most of us it has been great to be at home but spare a thought for those who had to stay at home and were not in a safe place and were not able to escape. Women’s Aid is there for them – please continue to contribute to them in the next week.
President Alexander told the club that it is still the intention to return to physical meetings next month.
Members wishing to speak
No members had any announcements, so we proceeded straight to Frank’s presentation.
Last Week’s Meeting
Our speaker last Monday was our own member, Frank Bannister, who stepped in at short notice to talk about the growing problem of cyber security.
Frank started with a few caveats, the first of which was that, while he knew quite a bit about this subject, he was not an expert on it nor was he a security engineer. Secondly, cyber security is an extraordinarily complicated topic as well as a vast one. In twenty-five minutes or so it is only possible to look at a few key aspects of the subject. His aim was to help people understand the scale of this problem and some of the threats it poses to business, to society and to each of us as individuals.
On May 14th last, a HSE employee found that he was having difficulty accessing data from his computer. Following a help message link he found himself in communication with someone or something that told him that the HSE’s data had been both stolen and encrypted. If the HSE wanted their data back, a ransom of $20 million would have to be paid.
Overnight, many Irish people who had hitherto paid little or no attention to cyber security or cyber threats, were suddenly and unpleasantly confronted with one of its implications as medical appointments and long awaited operations were cancelled. As the scale of the disaster sank in, the government made a decision that it would not pay out and to the best of our knowledge, it has stuck to this decision.
It is useful to think of cyber threats using two categorisations. One is to differentiate between targeted attacks, i.e. attacks aimed a specific organisation or government agency (or rarely at an individual) and untargeted attacks whereby a piece of malware is let loose in the wild so to speak and can affect anybody. The second categorisation is to divide cyber threats into vandalism, cyber warfare and cybercrime.
Starting with the latter, vandalism, the hi-tech equivalent of going around slashing tyres, was common in the early days of the Internet. Today while not unknown, it is rare. The weaknesses in computer systems used in cyber-attacks are too valuable to waste on simply causing mayhem for the hell of it. The real threats comes from cyber warfare (which may surprise some people) and cybercrime. These attacks can cause enormous financial, physical and human damage. Frank showed us a number of examples of the estimated costs of targeted and untargeted attacks in the past two decades including untargeted malware such as MyDoom and WannaCry as well as the recent targeted attacks on the HSE, Colonial Pipeline and ACER.
He followed up with a whistle stop tour of the principal types of cyber threat. These include good, old-fashioned espionage, blackmail, collateral damage from cyber-wars, data theft, identity theft, extortion using encryption or denial of service and SCADA (Supervisory Control and Data Acquisition) attacks. The latter are attacks on the computer systems that control modern machines including many in almost every new car you buy today. He would return to this.
Frank illustrated the problem of collateral damage by telling us about the Danish company Maersk, the world’s largest container shipping company, when it got caught in the crossfire of a nasty little cyber war between the Russian Federation and Ukraine a few years ago. A piece of Russian malware named NotPetya (so-called to distinguish it from another virus named Petya) was loaded on a popular piece of Ukrainian tax reporting software, MeDoc. Though notionally ransomware, the purpose of NotPetya was not to make money, but to gum up computer systems and networks all over Ukraine. By misfortune, a copy of the malware found its way onto Maersk’s computer network via its Kiev office and within a short time most of their 80,000 plus employees were shut out of their systems. Suddenly, they could no longer keep track of where any of their 600 or so ships (and heaven knows how many containers) were. Worse still - Maersk had no plan B. They only escaped total disaster by an amazing stroke of luck – there had been a power outage in Nigeria that morning and the computers in their Lagos office were off line and thus not affected. They were able to use the data from this to rebuilt their system. It is estimated that the attack cost Maersk of the order of €250 million. Many other companies were also affected by NotPetya, though none as badly (as far as we know!).
There are different types of bad actor out there. Bad actors include the classic teenager is his (or less likely her) bedroom, hacker groups, terrorists and political activists. However, the main danger comes from rogue states and criminal gangs and in the case of some countries, the lines between these two groups are blurred. It is widely believed that the Russian government turns a blind eye to the activities of WizardSpider, the Russian group that attacked the HSE, as well as other groups based in the country, on the understanding that they do not attack sites with Russia itself. Other states that are of concern include China, North Korea and Iran, though we should not assume that Western democracies are lily white in this regard. Like espionage, cyber warfare is a dirty business of smoke and mirrors. There are almost certainly undeclared cyber wars going on in the world at the moment with one country aiming to plant malware in another country’s systems for future use or to cause low level, non-attributable damage.
The HSE attack was a standard contemporary ransomware and data theft attack, an increasingly common form of cyber-crime that combines both extortion and blackmail – the latter taking the form of a threat to sell the HSE’s data on to other criminals. While ths was the first time an entire state agency in Ireland had been attacked this way, two weeks earlier, on May 7th, the US company Colonial Pipeline had been the victim of a similar attack. The latter effectively cut off gasoline and jet fuel supplies to a large part of the eastern United States. Within a few hours, Colonial paid out $4.4 million to the attackers, but not before panic induced queues had formed at filling stations and the Federal Motor Carrier Safety Administration (yes there is such a body) declared an emergency in 17 states. The ransom was paid in the Bitcoin cryptocurrency, $2.3 million of which was later recovered. As of the end of May, 82 such attacks had been recorded in 2021 alone.
Another growing worry is SCADA attacks – attacks on the electronic monitoring units and programmable logic controllers (PLCs) on which so much machinery now depends. The average family car now has been 30 and 50 computers on board; upmarket cars can have up to a hundred. In some models, your car connects to the Internet as soon as you turn on the ignition. In a really scary story, Frank said that it had been demonstrated that it was possible to hack into a car’s systems (via the sound system!) and take it over the drive control computer so that the driver has no longer command of the vehicle. Until recently, this would only have been found in science fiction movies or the novels of Dan Brown. Unless you take precautions, criminals (and others) can use any device that is connect to the Internet not just to get into your car, but into your house wi-fi and thus potentially into any of the computers in your home.
However, the real concern with SCADA attacks is less attacks on any of us as individuals, than an attack on any of the networks on which we depend for the normal functions of our daily lives, things like electricity, gas, railways switching systems, air traffic control. The most famous PLC attacks is Stuxnet, the Israeli/US attack on an Iranian nuclear processing plant in 2010 that succeeded in destroying several centrifuges (devices used in making material for nuclear weapons). Stuxnet is still out there. In February of this year, hackers had tried to poison customers in a Florida town by tampering with the water supply system. Cyberthreats are like living with a never ending Y2K problem.
Frank gave us a list of simple dos and don’ts at a personal level (an extended list of these can be found in The Dubliner for May 24th).
Looking to the future, Frank said that cyber warfare and cybercrime are part a continuing hi-tech arms race between countries, criminals and security forces. Part of him felt optimistic that, as operating and server operating systems get patched and mature, the number of remaining weaknesses or so-called zero day exploits should decline. But new tools and techniques are continually being developed, increasingly driven by artificial intelligence. As the environment in which we live and the technologies on which we depend become more and more complicated, our vulnerabilities increase. It is another cost of progress. We must continue to act to protect ourselves, as individuals and as societies. Unfortunately, the price of safety in cyberspace, is eternal vigilance.
Paul Martin asked whether updates could be a potential risk – in other words something malicious pretending to be an update for your computer. Frank noted this could be possible – as always check the source of the update. If concerned you can refuse the update and then go into your computer settings which should have a list of updates – installing from there will reduce this risk.
Tony Keegan asked about why the “good guys” don’t try to disable the “bad guys.” Frank responded that counter attacks are valuable and are “one use” options – since once they are used the other side will quickly adjust and they cease to be effective.
Ted Corcoran asked if there was any way to stop the fake amazon calls. Frank thought that there would be a way to stop them – if service providers took action. One example would be to place a small cost increase in a way that doesn’t really affect the genuine user, but someone doing millions of calls would then be affected.
Mariandy Lennon asked about changing passwords and explained her recent need to change all her passwords. Frank replied that there were applications that store passwords for you.
Dermot Knight asked about fraudsters using Rotary (which has trust/credibility associated with it) either by pretending to be from other clubs (many clubs simply use gmail accounts) either to circulate links to our members or asking to be put in touch with other people. We would be more likely to do this if we thought it was coming from a rotary club. Frank responded that this is not unique to cyber crime – but cyber crime makes it more effective – further thoughts on this issue could be the subject of a Dubliner article.
Paul Martin noted he had stopped answering calls from numbers not in his contacts – and instead would listen to voicemails or be sent emails if it were urgent.
Frank finished his very interesting talk on a different subject – following on from his recent mention in the Financial Times on the subject of how many pages do you have to read in a book before deciding it was not worth continuing. A reader had published a response: An algorithm based on having less time to waste: Subtract your age from 100 and that should be the number of pages needed to justify discontinuing the read!
President Alexander thanked Frank for the very informative presentation.