You can fight back against cyberattacks | Science News for Students


Cybersecurity experts protect computer systems — and they want your help
May 9, 2019 — 6:45 am EST
A photo of hands using a smartphone with an illustration of data floating above the screen

“There is no 100-percent-secure software,” says Craig Williams. “It does not exist.” He is one of many cybersecurity experts working to protect people’s data and devices. But everyone should take steps to protect themselves.

PeopleImages/E+/Getty Images

“Grant? How can you hear me?” The voice came through Grant Thompson’s iPhone. The 14-year-old had FaceTimed his friend Nathan to ask if he wanted to play the game Fortnite. But Nathan didn’t answer right away. So Grant swiped to add another friend to a group FaceTime call. All of a sudden, he could hear Nathan and Nathan could hear him. But Nathan had never tapped to answer the call. Both of their phones showed the call still ringing.

This happened on January 19, 2019. Grant, a high school freshman in Arizona, could have shrugged off the strange glitch and spent the evening playing Fortnite. But that’s not what he did. He told Nathan to hang up and called him again. He wanted to see if he could get the call to connect again without Nathan answering. “We tested it for like half an hour,” Grant says. “It worked every single time.”  

a photo of Grant Thompson
As a freshman in high school, Grant Thompson discovered a major bug in his iPhone’s software. He says everyone should “pay attention to what’s going on in their phones.” More bugs likely exist that no one has found yet.
M. Thompson

Feeling shocked and concerned, Grant went to find his mom, Michele Thompson, and tell her what had happened. She decided to test the problem herself. She asked Grant to try to FaceTime her from a different room. When he did, she didn’t answer. Meanwhile, Grant swiped to add his sister to the call. He was too far away to hear his mom’s voice normally. But through his phone, he heard her quietly singing the ABCs.  

Grant and his family had discovered a major mistake, also called a bug, in the iPhone’s software. This bug let a person listen to someone else without their permission or knowledge.

Grant’s mom is a lawyer at Udall Law Firm in Tucson, Ariz. She regularly handles privacy issues in her practice, so she knew the bug was a big deal. She reported it to Apple, the maker of the iPhone. “Honestly, I thought it was going to be fixed the next day,” she says. But it wasn’t. For almost two weeks, she tried to get the attention of the right people at Apple.

Meanwhile, others discovered the bug on their own. Soon it hit the news, and Apple shut down group FaceTime until the problem could be fixed. The bug earned the clever nickname “Face palm.”

On February 7, the company released a software update that fixed the problem. Apple also rewarded Grant. He had been the first person to report the bug. “They gave a gift towards my education,” he says.

The experience taught him to be careful with technology. He also learned that anyone can discover a major security problem. “I stumbled upon this by accident,” he says. “There are probably more glitches like this out there that people haven’t found yet.”

Fighting off black hats

Glitches and bugs can show up in any new piece of software or software update. Lots of people spend their days searching for them. Some of those people are analysts and engineers who focus on cybersecurity. They look for bugs and problems so that they can fix software and protect computer systems. Also on the lookout are cybercriminals, also known as black-hat hackers. They seek bugs that will let them weasel into computer systems, often to wreak havoc.

In this video, cybersecurity expert Melanie Teplinsky of American University’s Washington College of Law explains what a zero-day is and how it can allow a hacker access to people’s data without their knowing.
Christian Science Monitor/YouTube

Cybercrime is a global problem. “The threat is absolutely growing,” says Robert M. Lee. He’s a cybersecurity expert and founder of Dragos, Inc. in Hanover, Md. Some cybercriminals take advantage of bugs to break into a system. If they use a bug that the software’s makers don’t know about yet, so that no fix for it exists, that’s called a zero-day attack. Other times they break in using known bugs that some people haven’t bothered to “patch,” or fix. And many cyberattackers simply trick people into handing over passwords or installing harmful software, called malware.

Most cybercriminals target individuals or companies. They may steal money or company secrets. But in rare cases, a cyberattack targets a larger group — say, a whole country. Information and privacy aren’t the only things at risk. Some attacks spread chaos and destruction. If one country directs an attack like this at another nation, that’s an act of cyberwarfare.

Heather King once worked on the National Security Council staff at the White House in Washington, D.C. Part of this group’s job is preparing for cyberwarfare. Now she’s the chief operating officer at a company called Cyber Threat Alliance in Arlington, Va. There, King continues to help protect people from cyberattacks. “Our biggest concerns,” she says, “are attacks on systems we all rely on most.” Attackers may target any system that connects to a computer network. That includes infrastructure, such as the power grid, banking systems, water distribution, satellite networks, air traffic control and more. Attacks like this have already happened.

Blackout

In the middle of the afternoon one late December day in 2015, over 200,000 people lost power in western Ukraine, a nation in Eastern Europe. Almost exactly one year later, a December blackout hit the capital city of Kiev. It plunged part of the city into darkness for more than an hour. These blackouts were no accident. It wasn’t a snowstorm, fire or other disaster that damaged the wires. In both cases, someone had hacked into the system of stations and control systems that bring electricity to homes and businesses, known as the power grid.

An aerial image of the city of Kiev, Ukraine at night
Kiev is the capital city of Ukraine. The country has been the victim of several serious cyberattacks. Many experts suspect that Russia is behind these attacks, which would constitute cyberwarfare. The two countries have been involved in a conflict since 2014.
tomch/iStock Unreleased/Getty Images

Experts believe the same team carried out both attacks. Most likely, this team works for Russia. Russia has been in a conflict with Ukraine since 2014. The two countries disagree about who owns a territory called Crimea (Kry-ME-uh). Both nations’ armies have clashed on the ground, in the air and at sea. At the same time, a battle has raged in cyberspace.

The 2015 cyberattack was the first in the world to take down part of a power grid. Lee responded to the incident as a lead investigator. His job was to figure out how the attack happened.

First, the attackers needed a way into the computer system that controlled the power. So they had sent emails to people who worked at several power companies in Ukraine. These emails had Word documents attached to them. Some employees opened the documents. Then, some clicked to allow the documents to run programs called macros. This secretly installed malware on their computers. The malware gave the attackers a way into the system, also called a back door.

The attackers “fooled the users,” Lee says. In cybersecurity, tricking people into handing over access is called phishing.
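One practical defense against the trick described above is to flag attachments that can carry macros before anyone opens them. The Python script below is an added example written for this article; it is not code from Dragos, Cisco or the Ukrainian power companies. It works on the modern Office file format, which is a zip archive in which macro code is stored in a part named vbaProject.bin and macro-enabled files declare a “macroEnabled” content type. It treats the older binary .doc format as suspect, because checking those properly needs a dedicated parser. The attachments it scans are constructed in memory; the file names and contents are made up for the demonstration.

```python
"""Flag e-mail attachments that could carry Office macros.

Added example, not from the article. The sample attachments below are
constructed in memory; no real documents are read.
"""
import io
import zipfile

# Modern Office files (.docx/.docm/.xlsm ...) are zip archives. VBA code lives
# in a part named vbaProject.bin, and macro-enabled files declare a
# "macroEnabled" content type in [Content_Types].xml.
VBA_PART = "vbaProject.bin"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # header of legacy .doc/.xls files


def classify_attachment(data):
    """Return 'macro', 'legacy-binary', 'clean' or 'not-office'."""
    if data.startswith(OLE_MAGIC):
        # Legacy binary formats can hide macros too; a full OLE parser
        # (for example oletools) is needed to be sure, so treat them as suspect.
        return "legacy-binary"
    stream = io.BytesIO(data)
    if not zipfile.is_zipfile(stream):
        return "not-office"
    with zipfile.ZipFile(stream) as zf:
        names = zf.namelist()
        if any(name.endswith(VBA_PART) for name in names):
            return "macro"
        if "[Content_Types].xml" not in names:
            return "not-office"
        content_types = zf.read("[Content_Types].xml").decode("utf-8", "replace")
        if "macroEnabled" in content_types:
            return "macro"
    return "clean"


def triage(attachments):
    """Return the (filename, verdict) pairs that should not be opened blindly."""
    flagged = []
    for filename, data in attachments:
        verdict = classify_attachment(data)
        if verdict in ("macro", "legacy-binary"):
            flagged.append((filename, verdict))
    return flagged


def _ooxml(parts):
    """Build a minimal Office-style zip from a {part name: body} mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in parts.items():
            zf.writestr(name, body)
    return buf.getvalue()


# Constructed samples. The extension alone tells you nothing: the third
# attachment is named .docx but its content is a macro-enabled document.
CLEAN_DOCX = _ooxml({
    "[Content_Types].xml": '<Types><Override PartName="/word/document.xml" '
    'ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/></Types>',
    "word/document.xml": "<w:document/>",
})
MACRO_DOCM = _ooxml({
    "[Content_Types].xml": '<Types><Override PartName="/word/document.xml" '
    'ContentType="application/vnd.ms-word.document.macroEnabled.main+xml"/></Types>',
    "word/document.xml": "<w:document/>",
    "word/vbaProject.bin": b"\x00VBA payload stand-in",
})
SAMPLE_ATTACHMENTS = [
    ("invoice.docx", CLEAN_DOCX),
    ("salary_table.docm", MACRO_DOCM),
    ("renamed.docx", MACRO_DOCM),
    ("old_report.doc", OLE_MAGIC + b"\x00" * 64),
    ("notes.txt", b"plain text"),
]

if __name__ == "__main__":
    for filename, verdict in triage(SAMPLE_ATTACHMENTS):
        print(f"{filename}: {verdict}")
```

The check looks at the contents of each file, never at its name, because the sender chooses the name. Flagging a file is not the same as proving it is malicious; it just means a person should not open it and click “enable content” without knowing who sent it and why.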

For six months, the attackers went undetected as they slipped in and out through the digital back door. They spent this time studying the computer networks that controlled the power grid. They learned the system so well that they could “make it do things it wasn't designed to do,” notes Lee. Finally, when they were ready, the attackers shut the power down at 67 substations. These are parts of the power grid that divvy out electricity and change its voltage as needed.

a photo of a power substation at sunset
All around the world, substations like this one help deliver power to homes and businesses. Computer systems make sure the right amount of electricity goes to the right places at the right time. In 2015 and 2016, hackers broke into substations in Ukraine, triggering power blackouts.
Yelantsevv/iStock/Getty Images Plus

In 2016, the attackers upped their game. They targeted and shut down a single, larger substation. Imagine the electrical grid like the network of vessels carrying blood through the human body, Lee says. The 2015 attack hit tiny veins in the fingers. In contrast, the 2016 attack shut down a huge artery.

There was one more important difference between the two blackouts. In 2015, around 20 people were needed to manually type in a series of commands that shut down the power at each substation. By 2016, the group had written malware to automatically mess with the power. It took just one person’s keyboard tap to run it. Lee’s team nicknamed the malware CrashOverride.

By itself, CrashOverride can’t knock out power to an entire country, or even a large city. People still need to hack into each substation in an electrical grid, one by one. And the grids in different countries use different software systems. But the Ukraine attacks “still concern countries,” says Lee. Through their attacks, the hackers learned skills and techniques that would make it easier for them to assault other types of infrastructure.

An ominous ransom note

A cyberattack doesn’t have to directly target infrastructure to spread chaos and disrupt society. In late June 2017, computer systems failed at dozens of companies around the world. One of them was the drug company Merck. Without its computers, Merck could not manufacture medicines. It had to delay delivery of some drugs. Another victim was the shipping company Maersk. It couldn’t get cargo containers onto the right ships or trucks. Crates of perishable food, machine parts and other goods were stranded — in some cases for months.

The companies’ infected computers displayed an ominous message. It began, “Ooops, your important files are encrypted.”

a screenshot of a ransom note sent by hackers to infected computers
During the NotPetya cyberattack of 2017, infected computers displayed this ominous message. The ransom note made it sound like people could get their files back. But in reality, the files had been destroyed.
Cisco Talos Intelligence Group

It was a ransom note. It meant hackers had locked down that machine. They demanded payment in bitcoin, an online currency whose payments are not tied to anyone’s real name, which makes them hard to trace. Supposedly, if you paid, you’d get your files back. But that was a lie. “There was no chance to get anything back,” says Craig Williams. The malware had actually destroyed the data. It scrambled the files in a way that no one, not even the attackers, could undo.

Williams is a cybersecurity expert at Cisco in Austin, Texas. Like King and Lee, his job is to watch out for cyberattacks and respond to threats. He was part of the team that unraveled the story behind the June 2017 attack, nicknamed NotPetya. (Wondering where that weird name comes from? At first, the attack seemed like a variation of Petya, ransomware that emerged in 2016 and got its name from the weapon in a James Bond movie. But experts soon realized this new attack was not Petya at all — it was something much more devastating.)

“It was the worst cyberattack ever,” says Williams. “It was so fast and widespread.” At first, most people assumed it had spread through email. Some companies even shut down their email servers, says Williams. But that wouldn’t have protected them. This time, the attackers had entered another way.

Williams and his team discovered something in common among all the companies that had been infected in the first wave of the attack. They all used the same tax software, called M.E.Doc. This software helped companies file taxes in Ukraine.

But M.E.Doc wasn’t behind the attack. A team of hackers had broken into the company’s computers. Then they had inserted their own code into one of the company’s software updates. Software companies send out updates regularly. These updates fix bugs, add new features and usually help to improve security. Computers that installed this update trusted it, just as they had trusted every earlier one, and so they installed the attackers’ code along with it. Hijacking a trusted update this way is known as a supply-chain attack. In this case, the update opened a back door. Attackers used this back door to launch NotPetya. This malware could spread itself to other computers on the same network, even ones without the tax software.
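The check that catches a tampered update is worth seeing in code. The Python below is an added example for this article, not M.E.Doc’s actual update mechanism: the update bytes, the version number and the toy update server are all constructed stand-ins. It compares two clients. The first trusts a digest published by the same server that serves the update, which is no protection at all once attackers control that server, since they simply republish a digest that matches their altered file. The second compares the update against a digest pinned through some other channel the attackers did not control, such as a value shipped inside the previous release, and refuses to install anything that does not match.

```python
"""Check a software update against a digest pinned outside the update server.

Added example, not from the article and not M.E.Doc's real update code. The
update bytes, version string and server below are constructed stand-ins.
"""
import hashlib
import hmac


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


# Constructed: what the vendor really built, and what the attackers replaced
# it with after breaking into the update server.
GENUINE_UPDATE = b"UPDATE 10.01.189\nfix: tax form validation\n"
BACKDOORED_UPDATE = GENUINE_UPDATE + b"; attacker's back door appended here\n"


def make_server(payload):
    """A toy update server. It publishes the update and a manifest for it.
    If the attackers control the server, they recompute the manifest too."""
    return {
        "version": "10.01.189",
        "payload": payload,
        "manifest": {"10.01.189": sha256_hex(payload)},
    }


def naive_client(server):
    """Trusts the manifest that came from the same server as the update."""
    expected = server["manifest"][server["version"]]
    actual = sha256_hex(server["payload"])
    if hmac.compare_digest(expected, actual):
        return True, "digest matches server manifest"
    return False, "digest mismatch"


def pinned_client(server, pins):
    """Checks the update against a digest obtained through another channel,
    e.g. shipped inside the previously installed version, so that a
    compromised update server cannot change it."""
    expected = pins.get(server["version"])
    if expected is None:
        return False, "no pinned digest for this version; refuse to install"
    actual = sha256_hex(server["payload"])
    if not hmac.compare_digest(expected, actual):
        return False, "digest mismatch: update was altered after release"
    return True, "digest matches pinned value"


# The pin is computed from the genuine build and is assumed to reach the
# client without passing through the update server.
PINS = {"10.01.189": sha256_hex(GENUINE_UPDATE)}

if __name__ == "__main__":
    for label, server in (("genuine", make_server(GENUINE_UPDATE)),
                          ("backdoored", make_server(BACKDOORED_UPDATE))):
        print(label, "naive client:", naive_client(server))
        print(label, "pinned client:", pinned_client(server, PINS))
```

Real update systems do the same job with a digital signature made by a key that the update server never holds; a pinned digest is the simplest form of the same idea. It only helps if the pin really did travel by a different route than the update, which is why the naive client above, which fetches both from one place, accepts the back-doored file without complaint.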

“People don’t realize how much they depend on computers until they suddenly break,” says Williams. “Life can come to a screeching halt.” That’s exactly what happened for several days that June. Infected companies could not do business. The companies scrambled to rebuild their systems from backup data.

Once again, experts believe Russia was behind the attack. Russian hackers were likely targeting Ukraine, although other countries got caught in the cyber-crossfire. Most of the companies using M.E.Doc software were in Ukraine. The attack took down banks, the postal service, the main airport and many other major companies. All this happened the day before Constitution Day, a Ukraine national holiday. If Russia really is to blame for CrashOverride and NotPetya, then both acts constitute cyberwarfare.

a photo of a plane landing on a runway against a dark purple sky
If hackers were to break into the computer systems of an airplane or air-traffic-control tower, they might block communications or even grab control of a plane.  
Jevgenij Kulikov/iStock/Getty Images Plus

Bad guys vs. good guys

Experts say that we should prepare ourselves for more attacks like these in the future. Lee notes that this year, his team is tracking eight different teams of unknown black-hat hackers that have targeted factories and other industrial systems. They have broken into these systems hundreds of times. So far, these break-ins haven’t led to any disruptions or damage. But the attackers have stolen information, says Lee. They could be waiting for the right time to strike.

The good news is that people like Lee, Williams and King spend their days keeping watch for attacks. “It’s my job to be paranoid,” says King. As the bad guys up their game, the good guys do, too.

“Our ability to counter attacks will continue to increase,” says King. She is confident that in the United States, security officials are doing everything possible to prepare for the next big cyberattack. But everyone has a part to play in making sure technology stays secure — even teens.

“You have to constantly remain vigilant,” says Williams. Teens should never download or install anything unless they know exactly what it is and where it came from. Keeping devices updated also can prevent attacks. For example, the NotPetya attack could spread itself through networks thanks to a known bug in Windows software. Microsoft, the company that makes Windows, had released an update to fix the problem several months before the attack. But many people hadn’t gotten around to installing the patch yet.

Teens should also never ignore their instincts or underestimate their abilities. “I didn't expect that I was going to find a bug in a huge tech company,” says Grant Thompson. But he did. More importantly, he reported what he had found.

After Grant’s experience, he’s decided that he might want to pursue cybersecurity as a career. He even signed up to take a new IT course that his high school will offer in the fall.

Cyberattacks may seem scary. But most of them work only because they catch their targets off-guard: an update no one installed, an attachment someone opened, a password someone handed over. You are the defender of your own devices. Governments and cybersecurity experts are working hard to protect infrastructure and other important computer systems.

Williams, for one, loves his job. What could be better than chasing bad guys and solving problems? “Every single day is like playing a giant video game,” he says.

Power Words


artery     Part of the body’s circulation system. There are several. Each is a major tube running between the heart and blood vessels that will move blood to all parts of the body.

back door      (in computing) A hidden way into a computer or program that skips its normal login or security checks. Developers sometimes leave one in on purpose, for instance for maintenance, which is risky because anyone who finds it can use it. Attackers also plant back doors after breaking in so that they can return later without being noticed.

bitcoin     A type of digital currency, also known as cryptocurrency, created in January 2009. It works a bit like a dollar or euro, except that its value is not controlled by a central bank or regulated by some government’s agency (such as the U.S. Treasury). Its value can vary widely. It is used mostly for purchases that occur online. Each bitcoin transaction is recorded in a public ledger known as a blockchain, so payments can be traced even though they are not tied to a person’s real name.

blackout     (in energy) The loss of electric power to a broad area, and so named because all of the electric lights in the affected area will blink off when this occurs (unless they have a backup electric generator).

bug     The slang term for an insect. Sometimes it’s even used to refer to a germ. (in computing) Slang term for a glitch in computer code, the instructions that direct the operations of a computer.

code     (in computing) To use special language to write or revise a program that makes a computer do something. (n.) Code also refers to each of the particular parts of that programming that instructs a computer's operations.

currency     The money (coins, banknotes, etc.) that a country uses as a medium of exchange.

cyber     A prefix that refers to computers or to a type of system in which computerized or online communication occurs.

cybersecurity     The practice of protecting computers, networks and the data on them from attack, and the field of people who do that work: finding and fixing bugs, watching for break-ins and responding to them.

cyberspace     A slang term for the internet.

cyberwarfare      An attack by government agents against computer systems in another nation for the purpose of spying on that nation, causing financial problems to companies in that nation, or crippling the actions or infrastructure of the targeted nation.

digital     (in computer science and engineering)  An adjective indicating that something has been developed numerically on a computer or on some other electronic device, based on a binary system (where all numbers are displayed using a series of only zeros and ones).

disrupt     (n. disruption) To break apart something; interrupt the normal operation of something; or to throw the normal organization (or order) of something into disorder.

electricity     A flow of charge, usually from the movement of negatively charged particles, called electrons.

engineer     A person who uses science to solve problems. As a verb, to engineer means to design a device, material or process that will solve some problem or unmet need.

grid     (in electricity) The interconnected system of electricity lines that transport electrical power over long distances. In North America, this grid connects electrical generating stations and local communities throughout most of the continent.

hack     (in computing) To get unapproved — often illegal — access to a computer, usually to steal or alter data or files. Someone who does this is known as a hacker.

high school     A designation for grades nine through 12 in the U.S. system of compulsory public education. High-school graduates may apply to colleges for further, advanced education.

infrastructure     The underlying structure of a system. The term usually refers to the basic physical structures and facilities on which a society depends. These include roads, bridges, sewers, drinking water supplies, electrical power grids and phone systems.

information technology (or IT)     A term that often refers to the department within an organization charged with keeping computers and software working and up-to-date.

macro     (antonym: micro) An adjective that means on a big or broad scale. (in computing) A small program stored inside a document or spreadsheet that runs a preset series of instructions. Macros can save work, but because they can run commands on the computer, attackers hide malware in them and trick people into enabling them.

malware     Computer programs meant to disrupt the normal operation of a device. It is loaded onto computers without their owners’ permission. Examples include computer “viruses” and spyware. Some programs may cause a computer to crash. Others may allow spies to view — and possibly control — a computer user’s online activities. Some malware can even steal personal information.

network     A group of interconnected people or things. (v.) The act of connecting with other people who work in a given area or do similar thing (such as artists, business leaders or medical-support groups), often by going to gatherings where such people would be expected, and then chatting them up. (n. networking)

online     (n.) On the internet. (adj.) A term for what can be found or accessed on the internet.

paranoia     To show an excessive and generally unwarranted distrust of others, such that this person feels nearly everyone is “out to get him.” Affected people may feel they are being spied upon or that no one trusts, believes or respects them. Someone who expresses this behavior may be described as paranoid and feel intense anger, hatred or a sense of betrayal.

phishing      (v. phish) A play on the term “to fish” in which someone sends an email or other message, hoping to hook someone into replying and sharing private information, or into opening a harmful attachment. The sender does this by suggesting they are a friend, close acquaintance or trusted organization. They may fraudulently use another’s name, apparent email address or “story” that suggests they are trustworthy. In fact, they are seeking to extract information that can be used (such as a password, credit card number, social security number, or other information) to impersonate the person who is phished.

risk     The chance or mathematical likelihood that some bad thing might happen. For instance, exposure to radiation poses a risk of cancer. Or the hazard — or peril — itself. (For instance: Among cancer risks that the people faced were radiation and drinking water tainted with arsenic.)

satellite     A moon orbiting a planet or a vehicle or other manufactured object that orbits some celestial body in space.

server     A term for a computer — and especially the software on it — that provides services (hence, the name server) to other computers. A server computer program, for instance, stands ready to fulfill requests by its clients (which are other computer programs). For instance, a web server pulls up website pages or other files upon request. The web browser that you use on your computer to find things on the internet is one type of client. It calls up files from a web server.

society     An integrated group of people or animals that generally cooperate and support one another for the greater good of them all.

software     The coded instructions that direct a computer’s hardware, including its processor, to perform certain operations.

substation     (in energy) A small, local facility whose primary function is to step down the voltage of current moving through high-voltage power lines. The new voltage — now less than 10,000 volts — can be distributed to homes and businesses.

technology     The application of scientific knowledge for practical purposes, especially in industry — or the devices, processes and systems that result from those efforts.

vein     Part of the body’s circulation system, these tubes usually carrying blood toward the heart.

vigilant    (n. vigilance) The act of being intensely observant and careful. 

voltage     A force associated with an electric current that is measured in units known as volts. Power companies use high-voltage to move electric power over long distances.

zero day     (in computing) A vulnerability in a computer program that its makers do not yet know about, so no fix, or patch, exists for it. If criminals find it first, they can use it to take over the program and wreak havoc (such as to shut down the power grid or to steal data, such as people’s banking information).

Citation

Report: “CrashOverride: Analyzing the Threat to Electric Grid Operations.” Dragos, Inc. June 12, 2017.
