18th August 2020

Loose Clicks Sink Ships (5)

While the title of this article may seem like an exaggeration, reflecting on my time at sea I recall full well that anything that impacts the safe operation of a vessel has the potential to pose grave mortal danger.  Unlike the relatively safe shoreside office environment, vessels operate in a continuous state of peril and the performance of the equipment and the vigilance of the crew are vital to maintain safe conditions for the ship, the crew and the cargo. 

Cybersecurity threats are just another maritime hazard along with bad weather and sea conditions, groundings, collisions or allisions, piracy and now of course pandemics!

Luckily there are many safeguards that can help protect your vessel from being impacted by a cyber-attack.  Users of premium maritime email packages, like those produced by GTMaritime, can be quite certain no malware is reaching the ship within the emails they receive.  End point protection on network workstations can be updated daily to detect the latest virus signatures.

But as valuable as these technology solutions are, there is no justification for complacency.  As vessels become more and more connected to the world via the internet and maximize the value of digitalization, the threat profile of the ship increases.

The crew will always be the vessel's first and last line of defense against all threats, physical and cyber.

There are several things to keep in mind when you are reading email or browsing on-line, to make sure you are protecting yourself and your shipmates from cyber-attacks.  It all comes down to – STOP and THINK!

1. Be wary of pop-ups, emails, websites and social media links asking for sensitive information

There are many forms of phishing attack. These five highlight the range.

a. Email phishing – traditionally delivered as a generic email sent from a fake domain, which often involves a character substitution. A favorite one in the rnaritime business is to use an “r” and an “n” to make an “m”. Can you spot that in my spelling of maritime above?

As a general rule, always check the real email address of a message asking you to click here, download an attachment or take any responsive action.

b. Spear phishing – these campaigns target you as an individual. The attackers will have your name and email address, and perhaps your company and your title, and could have gathered other relevant personal data. The request may appear to come from a friend or colleague and may recommend a website to you or ask you a personal question to gain further information in follow-up emails.  In the end you will get stung.  People have lost thousands of dollars, and jobs too: many companies have lost significant amounts to this type of attack, and they will certainly find someone to blame.

c. Whaling – targeting senior executives, this form of spear phishing is the most convincing and subtle attack. Once the ‘Whaler’ has caught their executive, the result can be a widespread attack on the full organization, with more well-informed spear phishing attacks to follow.

d. Smishing and vishing – these replace email delivery with SMS text messaging and with voice calling. Follow the same cautions advised for email phishing.

e. Angler phishing – a relatively new attack vector that uses social media, which offers many ways for criminals to trick people. Fake URLs; cloned websites, posts, and tweets; and instant messaging can all be used to persuade people to divulge sensitive information or download malware.

Alternatively, criminals can use the data that people willingly post on social media to create highly targeted attacks.  Be aware of what you post on social media and how that can expose you or your vessel to risks. There is a documented case of a Chief Officer on a Container ship who regularly posted his routing information on social media, and that was proven to have been used by pirates who attacked the ship.
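The “rn” for “m” substitution from item a can also be checked mechanically at a mail gateway. The following is an added example, not part of the original article: the trusted domains, the substitution table and the function names are assumptions made for illustration.

```python
from email.utils import parseaddr

# Assumed allow-list of domains the vessel normally corresponds with (constructed).
TRUSTED = {"maritime-example.com", "portagent-example.net"}

# Character sequences that imitate another letter; "rn" -> "m" is the one
# the article describes, the others are common additions (assumption).
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")]

def skeleton(domain: str) -> str:
    """Collapse look-alike sequences so 'rnaritime' and 'maritime' compare equal."""
    s = domain.lower()
    for fake, real in CONFUSABLES:
        s = s.replace(fake, real)
    return s

def sender_domain(from_header: str) -> str:
    """Domain of the real address in a From header, ignoring the display name."""
    _display, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[-1].lower()

def classify(from_header: str) -> str:
    """Return 'trusted', 'lookalike of <domain>' or 'unknown' for a From header."""
    dom = sender_domain(from_header)
    if dom in TRUSTED:
        return "trusted"
    for good in sorted(TRUSTED):
        if skeleton(dom) == skeleton(good):
            return "lookalike of " + good
    return "unknown"

if __name__ == "__main__":
    # Constructed sample headers.
    for header in (
        "Fleet Ops <ops@maritime-example.com>",
        "Fleet Ops <ops@rnaritime-example.com>",
        "agent@p0rtagent-example.net",
        "News <news@weather-example.org>",
    ):
        print(f"{header!r:45} -> {classify(header)}")
```

The display name is ignored on purpose: only the address itself is compared, which is the same habit the general rule above asks of the reader.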

2. Be suspicious of shortened URLs

For example, links that look like this: “bit.ly/8u544X” (this is an invalid link, for safety's sake)

Bit.ly itself is a company that sells shortened URL links. There are many shortened URL companies; others, like tinyurl.com, have been around quite a while. It’s that little hash after the domain name where the trouble starts. It may lead to a malvertisement or an infection engine. And since you are going through a link shortening service, you do not know where you will end up until after you click the link. Best practice is to treat all shortened links as suspicious.

3. Never accept a file from an unknown source.

Even when a known person sends you anything out of the ordinary, double check with them before accessing it because it may not be what it seems!

4. Think before you click!

Always be suspicious of links and attachments, especially any file with “.exe”, “.scr” or “.bin” extensions.  This is where I think the cyber criminals will meet their match.  I have always found sailors to be very savvy in general.  Once they know what trouble looks like they will be hard to fool.
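The checks from rules 2 and 4 can be run over a message before anyone opens it. This is an added example, not part of the original article: the sample message is constructed (it reuses the article's invalid bit.ly link), and the function name and the two lists are assumptions limited to what the article names.

```python
import re
from email import message_from_string
from urllib.parse import urlsplit

SHORTENERS = {"bit.ly", "tinyurl.com"}   # the shortening services the article names
RISKY_EXT = (".exe", ".scr", ".bin")     # the extensions the article names

# Constructed sample message; addresses and the file name are made up.
SAMPLE = """\
From: Agent <agent@example.com>
Subject: Updated berth schedule
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

See http://bit.ly/8u544X and https://www.example.com/schedule
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="schedule.scr"

placeholder
--b1--
"""

def triage(raw: str) -> list[str]:
    """List shortened links and risky attachment names found in a raw message."""
    findings = []
    for part in message_from_string(raw).walk():
        name = part.get_filename()
        if name and name.lower().endswith(RISKY_EXT):
            findings.append(f"risky attachment: {name}")
        elif part.get_content_type() == "text/plain":
            body = part.get_payload(decode=True).decode("utf-8", "replace")
            for url in re.findall(r"https?://[^\s<>]+", body):
                # Compare the host only; the path is the opaque short code.
                host = (urlsplit(url).hostname or "").removeprefix("www.")
                if host in SHORTENERS:
                    findings.append(f"shortened link: {url}")
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```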

So please review these rules on clicking! And be sure to follow along with the rest of the tips in the Cybersecurity Scuttlebutt – Educational series.  Remember as the crew, you are the first and last line of defense to protect yourself, your shipmates, and your vessel against these cyber thugs.

Wishing you a safe voyage and a happy journey home.

 

 

Author

Mike McNally, Global Commercial Director

