The Security Threat On Your Desk

Image (c) Shutterstock/Benoit Daoust

By Rich Madden,

Cyber-security issues onboard your typical merchant vessel would seem to be fall into one of two categories – acts of omission or criminal intent.  Acts of omission are those errors that we make ourselves that might leave us open to nefarious deeds.  Criminal intent is pretty self-explanatory.  For whatever the gain – financial, social or security-wise – there is a determined effort to gain access to or information from a computer or network.

Acts of omission are those acts that leave us open to fraud, abuse or other dirty deeds due to our own errors or lack of care.  Whether it is printing out your bank statement and leaving it on the printer, saving the password to your email account or leaving your favorite internet shopping website open to your account, there are any number of ways that we leave ourselves vulnerable to the opportunistic criminal.

Saved passwords

Pick your program or website and it will ask to (or automatically) save your user name and password.  It’s all in the spirit of making it easier for you to return there and conduct your business, but it can leave you vulnerable.  When sharing a computer, such as on a ship, this is certainly a poor practice.  Even when you are in a lofty enough office to  get your own computer, you never know who will be there while you are on watch, ashore or on vacation.

Password sheets next to or under the keyboard

Yes, it is difficult to remember all the passwords required – maintenance program, payroll, email, your frequent flyer account – it all piles up.  Unfortunately, listing these passwords – especially in a public place is yet another invitation to the opportunistic (or dedicated) criminal.

Less than robust passwords are yet another path to unsecured data.

Whether it is the ship’s SMS program, payroll or your bank’s website, leaving the default password (i.e. “password”, “123” or “admin”) leaves your data open to theft and mis-use.  While certainly easier for accounts that have frequent turnover – the Master’s payroll program for instance – is the ease of use worth the potential problems?

Social media – everyone wants to know where you are, correct?

That’s why websites/apps such as FourSquare exist.  Checked in at the Dubai Mall?  Well, we know you’re not at home and you have a really nice flat screen TV.  Arriving in Singapore this afternoon and everyone is getting paid off?  Easy translation to : The captain’s safe is full of greenbacks.  Whether we know it or realize it, the information we provide on social media can have serious security repercussions.  Reflecting back to WWII, loose lips sink ships.

…and the omission doesn’t necessarily have to be on the part of the crew.

Many companies, in the quest for better customer service, have started putting a tremendous amount of information on the web.  Ranging from the performance and crewing capabilities of a particular ship to the actual position of that ship, any information that a customer might find important is out there.  From a criminal standpoint, knowing how many people are onboard at a particular time or exactly where that ship might be is incredibly useful information.  There’s a term for this – it’s called operational security (OPSEC in military-speak).  Unfortunately, by turning a blind eye to cyber-security, operational security is affected.

While not necessarily an act of omission, the publishing of Automatic Identification System (AIS) positions on the internet has a serious effect on the security of a vessel.  Whether the determined and technologically savvy pirate or one of the slew of extremists around the world, target acquisition is key.  With the right ship, a pirate might triple their take – from the safe or from the ransom.  With the right ship, an attack by an extremist group might be front page news or not even make the news – it all depends on what they are carrying and what flag they are flying.  And all of this data is available for the low, low price of free – just check Marinetraffic.com or Vesseltracker.com.  It doesn’t take a genius to see how these websites might be used for no-good.

Criminal intent is tough to overcome.

Whether the criminal is out for financial gain or making the headlines, deterring the committed individual is difficult.  All of the security lapses noted above in acts of omission play into the hands of those with criminal intent.

With your birth date, social security number and a few other crucial pieces of data, identity theft becomes a very real reality.  With your password and email information, fishing scams can be perpetrated on your loved ones.  Left your credit card number on the computer?  You might just have something being ordered online and not delivered to you.  Or worse, that credit card information gets sent ashore and all of a sudden you have thousands of dollars charged before you know it.

Even if you follow all the rules and try to safeguard your data, there is technology out there to defeat you.  Just recently a number of department stores foiled attempts to gain credit card and personal data through the use of key loggers.  These small innocuous devices can be inserted between the keyboard and computer, allowing all keystrokes to be saved and then analyzed.  Perfect for the enterprising thief.

Viruses

Perhaps it’s simply the joy of writing a good piece of code for the criminal involved or perhaps they have extracted some personal information from you.  Either way, viruses on computers seem to be all too commonplace.  And they spread like wildfire.  As email attachments or portable media (i.e. USB thumb-drives, portable hard drives, camera cards, etc.) these viruses worm and weasel their way into your life.  Sometimes they lead to dramatic computer failures, but more frequently are simply a hassle with which to deal.  Getting rid of them almost seems easier (sometimes) than not getting them.  For instance, are you going to tell the cargo planner that you can’t use his USB drive on your computer?   Probably not, but you will want some robust anti-virus software.

We stand our pirate watches.

We are on the lookout for surveillance in ports.  We check the seals on the containers.  We do stowaway searches.  It’s time to turn our eyes inward now.  Unfortunately, our good friend the computer – or smart phone – or tablet – might be our next security issue.  Does it have the immediate threat of a pirate coming over the rail or the sinking feeling of seeing the bosun’s stores broken into?  No, but the long term and cumulative effect of information ill-gotten may be on a par – or worse.

Additional reading :

Analysis of Cyber Security Aspects in the Maritime Sector : ENISA (European Network and Information Security Agency) : November 2011

Security in Dangerous Waters : Pirates and Cybercrime : Transaction World Magazine : February 2013

Maritime Cyber Security : Survival At Sea : Maritime Reporter and Engineering News : July 2012

Captain Richard Madden is an actively sailing mariner and SUNY Maritime graduate with over 20 years of industry experience.  He holds a USCG Unlimited Master and Master of Towing Vessels  license, having sailed on government vessels, offshore and coastal towing vessels, tankers and container ships.  The views and opinions expressed here are entirely his own and do not reflect the views or opinions of any company, union or organization for which Captain Madden has worked.