Cybercrime: How to protect your yacht against 21st century pirates
Written by Kate Lardy
How many different networks are on board your yacht? Are they isolated to stop any access from the guest wifi to a sensitive network such as the CCTV or navigation? How many suppliers and manufacturers have remote access to your yacht? And are their passwords something other than 0000? Are your crew trained to spot and not click on suspicious links? What devices on board require connection without security, like toys, lamps, cameras, watches? Your captain and officers should be able to answer all of these questions.
“Yachts have what all hackers love: money, secrets, negotiations for deals, reputations, famous people…” says Alexandre Bayeux, founder of Xperys, which specialises in yacht cyber security. Cybercrime is big business that’s getting ever more sophisticated. For instance, as of 2020, mercenary hackers with skills that used to be reserved for government agencies have been available for hire for targeted attacks, says Bayeux. Read more…
What you must know and do about Pegasus, over 50 000 exposed people have been targeted worldwide
2021, July 25th
What Pegasus is, born in 2016
Pegasus can allow spies to gain access to an infected phone’s memory and view photos, videos, emails and texts, even on encrypted applications such as Signal or WhatsApp. The software can also let spies record conversations made on or near a phone, use its cameras and locate users. The first famous version of Pegasus was discovered by Lookout and Citizen Lab in 2016. It was used against a rights activist in the United Arab Emirates and a journalist in Mexico. A new version was used against J Bezos in 2018, through WhatsApp. Pegasus has been designed by the NSO Group, a major Israeli cyber-surveillance company. Since 2016, NSO has been constantly developing new versions of Pegasus to use unknown breaches in iOS or Android systems: “zero day” vulnerability.
The latest update in July 2021
The journalist consortium “Forbidden Stories” has listed more than 50,000 mobile numbers from more than 50 countries that appeared to be infested by Pegasus. The list contains the numbers of hundreds of journalists, media proprietors, government leaders, opposition politicians, political dissidents, academics and rights campaigners.
Could you be a target?
For years, the global spyware industry has operated in the shadows, exposed only by human rights organizations and journalists. The industry claims it’s in the business of fighting crime and terrorism. But many users have other goals. The first motivation for cybercrime is money, far ahead of political activism. Criminal organizations offer their services commercially to attack individuals or businesses. Therefore, people with financial, business or political responsibilities are prime targets for smartphone spyware and hacking. People are still very naïve regarding data protection. Daily cyber behaviors provide criminals with so many opportunities.
How to protect?
Awareness first. Exposed people need to be aware of they’re always targets. Xperys has been developing in 2021 specialized programs and training to develop people awareness and reaction and to make organizations resilient to cyber threats. Xperys has an advanced expertise in protection of companies (large and small exposed companies) and families’ interests (family members protection, family officers, yacht crew…). IT tools are needed too. Pegasus is very sophisticated. Some specialized IT security companies (ex: Lookout) have been focusing on Pegasus since 2016, and can deliver appropriate protection. Yet, Pegasus is only 1 type of malware among thousands. Keep operating systems (OS) updated. Xperys can coach your organization to select the appropriate tools and to develop a culture of cybersecurity within your people, including your external key partners.
Information about Xperys ’services: firstname.lastname@example.org
The simplest hack of WhatsApp accounts, and exceptionally effective
2021, August 20th
Have you ever received a message saying “you’ve mistakenly received a text with a 6-digit code, please send it to me”? That’s someone has been trying to hack your WhatsApp account (or Facebook… same tactic).
Why is it so simple? Because WhatsApp needs easy enrollment process be globally adopted by anyone.
WhatsApp enrollment process
When you install WhatsApp on a new phone, the platform asks for the phone number of the account, which you enter, and then it sends an SMS one-time code to that number. This confirms you have the number in your possession. Once you enter the right code, the phone starts to receive WhatsApp messages for that account.
How hackers hack
The hacker just needs to install WhatsApp on a new device, registering the phone number of the target he wants to hack. WhatsApp automatically sends a 6-digit code to the owner of the phone number. The Hacker just has to send a text message like “you’ve mistakenly received a text with a 6-digit code, please send it to me”. If you send back the code, your account is hacked.
This practice is even more effective if the attacker uses an already hijacked account to contact a victim’s friends. In their message, the attacker tells the victim’s friend they are having issues receiving a six-digit code, and so had it sent to their friend instead — « please send it back”.
No IT skill required for this exceptionally effective practice. Easy also to protect, just awareness and common sense.