South Korea Winter Olympics: Cyber lessons from the past

There is little doubt that guns, gates, and guards will be on full alert in Pyeongchang, South Korea as the nation readies itself for the 2018 Winter Olympics, which begin Feb. 9. In concert with feats of strength, dazzling stadiums and piping national anthems, the threat of cyberattacks looms large at the Olympic Games.

The 2014 Winter Olympics in Sochi, Russia and the 2016 Summer Olympics in Rio de Janeiro, Brazil taught us that prior planning is critical for countries and companies alike who are working to support the festivities and prevent debilitating cyberattacks.

Large worldwide events like the Olympic Games offer a first-class opportunity for cybercriminals to achieve notoriety and profit. The 2014 World Cup, hosted by Brazil, was the first to experience a barrage of cyberattacks during the event. Organizers and participating parties of the Sochi and Rio Olympic Games were more prepared and less affected; however, the risk remained high for individuals and companies involved with the events.

Members from our team had the opportunity to work with companies like NBC and Gannett during the Games in Sochi and Rio to prepare and secure their networks, and we have grown to accept that cyber threats will be present and attacks accomplished.

The following are the most popular methods for hackers to gain access to individual or company information at large-scale events. It is most likely that officials in Pyeongchang have set aside many hours to determine how best to protect against these unsavory threats. We also learned some inordinately difficult lessons from this work – and would like to share them with you.

Phishing

Phishing scams have been around since the 1980s, and yet they still represent one of the most effective methods for hackers. Everyone attending the Olympic Games in Pyeongchang, whether working or competing, is a target. Due to the number of financial transactions taking place and the number of promotions surrounding the event, there are likely to be many opportunities to fall for “free/discounted tickets” or “special events” that are simply disguised phishing scams aimed at obtaining access to a user’s device, credentials, and personal information.

Lessons learned: Companies should conduct additional cybersecurity awareness training with their teams, both local and abroad, to reduce the risk of falling victim to a scam.

Wi-Fi security

With the explosion of social media, the volume of posting is expected to reach an all-time high in Pyeongchang, which will have people searching for available Wi-Fi hotspots in order to save on data charges. Hackers capitalize on this by creating bogus Wi-Fi hotspots and intercepting browsing activity. These attacks focus on acquiring credit card information, passwords, or personally identifiable information.

Connecting to public Wi-Fi also gives a bad actor the chance to gain access to a device and hide out until the device is taken back to its home country and connected to company networks, where hackers can expand their efforts. Attendees are warned to avoid unofficial Wi-Fi hotspots, or those that promise higher speeds or require strange logins.

Lessons learned: Maintain and inspect your network often. Be sure to encrypt your data. Use burner phones and/or laptops. If you use personal devices, at least make sure they have any and all software updates installed.

Fake news

The political drama surrounding South Korea has been high. With the world’s eyes on it, there is a risk of nation-state hackers attempting to use the spotlight to create confusion. Fake news could spread about anything, including drug use by athletes, false competition results, fictitious incidents, and phony quotes.

One example from the Rio Olympics is a bot Twitter account called Rule 40. Rule 40 is meant to prevent anyone who is not a direct sponsor of the United States Olympic Committee (USOC) or the International Olympic Committee (IOC) from tweeting or posting about the Olympics. This bot claimed to provide “automated alerts for infringement of official Olympic guidelines” during the Rio Olympics. In fact, its sole purpose was to reply to just about anyone who used any Olympic-related hashtags and warn them that they were violating Games rules. Both Donald Trump and Pope Francis were caught in the fray.

Lessons learned: For attendees and viewers alike, it is important to take the source into account when considering whether news or accusations are valid.

DDoS attacks

DDoS attacks aim to overload a service provider’s system so that it fails to execute the functions it is meant to provide. This can be incredibly disruptive, with the potential to pose a threat to providers at the Olympic Games ranging from banks and healthcare providers to the cable networks providing coverage of the Games.

Lessons learned: Implement a solution that protects against network-based and application-based DDoS attacks. Use burner phones and/or laptops that are not connected to corporate networks. Call your ISP to see if they can detect DDoS attacks and re-route your traffic in the event of an attack (when choosing an ISP, inquire whether any DDoS protective services are available).

Tricking online users

Fake giveaways, contests, prizes, tickets, etc. were all being touted at the 2014 World Cup. The purpose of such campaigns was to get unsuspecting users to pay for the fake promotions. To mitigate threats like this, users must practice caution when evaluating such campaigns. Security professionals must diligently hunt for threats like this and make the public aware of them.

Lessons learned: Companies should conduct additional cybersecurity awareness training to mitigate such problems.

Physical security threats

Mobile devices are crucial for many people while they travel. Hackers take advantage by using USB charging spots to infect users’ mobile devices and steal confidential data. This does not mean that people should never charge their devices when away from home, but following these simple rules will help protect their devices from this kind of attack:

1. Always use your own charger and avoid buying one from unknown sources.
2. Use a power outlet instead of a USB socket when using an unknown charging point.
3. Don’t use the charging cables at a public charging spot.

ATM skimmers are another popular attack vector used in many countries. It is relatively easy to plant an attack at a global event such as the Olympic Games.

Lessons learned:

1. Check if the green light on the card reader is on. If an ATM has been replaced, the replacement will likely not have a light like this.
2. Before starting the transaction, check if there is anything suspicious on the ATM such as missing or badly fixed parts.
3. Hide the keypad while typing your password.

The moral of the story is similar to many cautionary cyber-tales: prior planning prevents poor performance. Although this list of threats and lessons is daunting, it is important to keep your wits about you when engaging with content online or connecting to a network while at a large sporting event. Thanks to the planning and trials of companies and individuals who have battled these threats since the World Cup in 2014, we are all better positioned for optimal performance at the 2018 Olympic Games in South Korea and beyond.