Towards the end of last week, three different oil companies from Germany, Belgium, and the Netherlands suffered from a cyber attack. The companies worked to use their backups in an effort to stay operational. All three companies were able to keep most of their operations running, but at a limited capacity. The article also mentions the cyber attack against the United States’ pipeline last year and notes the similarities between the attacks. Officials, however, are reluctant to officially claim the attacks are related to the growing tensions between Ukraine and Russia.

There is a growing trend of attacks against critical infrastructures such as the Oil industry. This is a problem because attacking critical infrastructure can severely impact the way a nation is able to function. For instance, we saw last year when the pipeline was attacked people did not have access to gas and struggled getting fuel for their cars. Security for the critical infrastructures need to be increased so nations decrease the risk of losing key functions.

The article mentions that they are unsure if the attacks are connected. I think the attacks on these three oil companies could have simply been an attack of opportunity. Similar companies may fall victim to similar forms of social engineering attacks which makes it easier for attackers to target many companies. In any case, companies that support critical infrastructure should be better at avoiding attacks.

Source: https://www.bbc.com/news/technology-60250956

In class, we have been discussing how much data their is about our lives. Everything we do on the internet is logged by our browsing history or from organizations such as Facebook. An article from Cybernews discusses how online trackers know 80% of a person’s browser history. They go on to mention that after a browser history is deleted, it takes a few hours for the online tracker to rebuild a person’s online identity. Having access to this much data makes phishing scams much easier, because attackers know what people like to search for and click on. The same article argues that phishing scams are higher during tax season because scammers can give victims an urgent reminder to pay taxes by clicking on a link.

The more data that exists about a person the easier it is to attack that person. This is because attackers can learn what a person likes to click on and then created tailored attacks. To combat this users should use search engines that do not track a person’s data. An example of this is duckduckgo.com. Additionally, users should be aware of the data that is being tracked so they do not fall for the tailored scams. Another factor that users should be aware of are emails asking for immediate or urgent action. Scammers give their victims a sense of urgency to make the victim act without thinking. Even if the victim realizes after the attack that they should not have typed out their social security number, its too late.

I think that there is nothing a normal user can do about the amount of data that is collected about them. Companies have polices that collect data to use for advertisements. Users do not pay for services like Facebook or Youtube, so users do not have the authority to ask those companies to not collect data on them. Users can, however, not click on the “suggested for you” or not click on the advertisements. This will effect the algorithms used to created targeted advertisements and make them less accurate.

Source: https://cybernews.com/privacy/some-online-trackers-know-up-to-80-of-a-users-browsing-history/

This article from BCC describes how a women lost about 1,000 pounds after her Instagram account hijacked and used as part of a fraud scheme. The women, Nicole Reeves, found a video of her friend claiming he profited from taking apart of an investment opportunity. From that video, she learned how to contact the people running the investment opportunity. Reeves sent 1,200 pounds to an account by the end of the scam. She trusted legitimacy of the online interactions because she saw the video from her friend and had been messaging the account running the scam. In addition to the money, Reeves also sent her Apple ID and password. This resulted in Reeves losing access to her phone and Instagram account.

After reading this article, I realized how easily people trust the interactions they have online. Reeves feel for this scam because she was messaging the scammers account on Instagram and they did a good job at making it seem real. The scammer was able to get 1,200 pounds from Reeves because they exploit Reeves’ trust in people. If Reeves had been more skeptical of who she was sending money to online, she may have not fallen for this social engineering trick. I think Reeves, and the other people who feel for this same scam should receive training to learn about scams over the internet.

This article also makes me question if social media platforms can be doing something different to lessen the amount of scams that take place on their platforms. Instagram, for example, displays ads on user’s feeds. They could create some of those ads to show messages about not trusting everything you see online. Ads that show the dangers of trust and social media can teach users not to send money to people they do not know and also to never send passwords. One of the easiest ways to combat social engineering attacks like this one, is to raise awareness of the attacks themselves. If social media platforms started to do that, the amount of people that are victims to scams would decrease significantly.

Source: https://www.bbc.com/news/uk-england-bristol-60072911

Recently, a vulnerability was discovered in Log4j that allows hackers to take control of the vulnerable systems. Log4j is a open source Apache logging software used to log activity in an application (Newman, 2021). To exploit the vulnerability, hackers send malicious code to Log4j 2.0 or higher versions. CISA put out an alert for the vulnerability. Organizations are working to patch their vulnerable software, however since Log4j is a logging software, a patch that breaks the logging capabilities, will create more serious implications for companies.

In my opinion, the biggest issue with the Log4j vulnerability is that many different organizations rely on Log4j for logging purposes. Finding the true impact and damage of this vulnerability is going to be very difficult since there are so many organizations that use Log4j. There are some companies that will work to patch their systems running Log4j as quickly as they can. But some companies will lack the ability to patch their systems, leaving their systems vulnerable to attack.

Parallels from this vulnerability can be drawn from the SolarWinds attack. In both cases, a supply chain software was used as a vector to target different organizations. From both these attacks one can question if using widely distributed software is too risky, especially if that software is being used with sensitive data. Although widely distributed software is convenient to use, there seem to be trends of attacks against supply chain software.

Source: https://www.wired.com/story/log4j-flaw-hacking-internet/