INTERPOL cyber security expert Christian Karam discusses the ways cyber criminals conduct their business. (Image via Antoine Abou-Diwan)
Cyber crime is a problem for startups throughout MENA, but one that is often ignored in Lebanon according to INTERPOL cyber security expert Christian Karam.
Karam, lead cyber threat researcher for INTERPOL’s Cyber Research Lab, said during a security talk at the UK Lebanon Tech Hub on Wednesday that online crime in Lebanon remained largely unreported.
“Attacks on all kinds of businesses are not being reported in Lebanon,” Karam said. “In the region, yes. Middle East, yes…In Lebanon the state of cyber security is developing.”
Businesses don’t want to be associated with crime, or they don’t want their clients or potential investors to know about it, Karam noted.
Furthermore, priorities in Lebanon are skewed. Most people are reporting ‘sextortion’ - situations in which sexual images of a person are used for blackmail - which Karam does not deem to be cyber crime.
But the dangerous cyber criminals are going after much bigger and lucrative targets, things that tech companies large and small are producing in massive quantities: data.
“Cyber criminals do not want your money. They want your data,” Karam said. “Data is the new currency of exchange.”
Though the value and uses of stolen financial information and credit card numbers are obvious, the way cyber criminals are using stolen data is much more insidious.
“This whole database was sold for less than a hundred thousand dollars on the darknet,” Karam said of the Ashley Madison affair. “But the extortion behind it, the information behind it - you have CEOs of companies, you have a lot of people who are politicians and big business - this is where the information becomes critical. This is how they can monetize it to get bigger amounts of money.”
Playing cat and mouse
Karam and his colleagues at INTERPOL’s cyber command center in Singapore spend a lot of time reverse engineering emerging technology to see how it works, and to anticipate attacks. They did some work on the Boeing 777; they’ve worked on connected cars which have become targets of malicious hackers; they’ve examined turbines, industrial controls and more, all with the purpose of keeping up with, or one step ahead of organized criminals.
And as technology progresses and converges, new entry points for hackers emerge: smart cities in particular are full of tantalizing targets for cyber criminals.
“The first thing you can hack is a power plant, or actually the water,” Karam said. “With no water, hygiene is down,” Karam said. “With no electricity hospitals are down. People are dying if you don’t have backups for them. Basically you can cripple a whole city if you don’t put the right measures in place.”
The Internet of Things, the networking and interconnection of everyday objects and tools, will soon be another front that cyber security officials will have to defend.
“If we’re talking about Internet of Things, as of now we haven’t reached a maturity level,” Karam said. “Because you have a fitbit, a smart band... it talks to you. It talks to your smart phone. What it doesn’t talk is to another app. It doesn’t talk to your system at home.”
But on the horizon are platforms and systems that allow all these different unrelated devices to communicate with one another.
“This is when you start worrying about attack vectors,” Karam continued. “Because your fridge will become the entry point to get your information. It will become the entry point to infect your kids, your office, and you will not be able to secure all of those vectors. You will have to make choices and assume risks.”