darkhotel cyber attack

Traveling business executives have been falling prey to cybercriminals acting through hotel Internet networks since at least 2009. In an ongoing, sophisticated “espionage campaign” nicknamed “Darkhotel,” thousands of people traveling through Asia have been targeted and hacked through infected hotel Wi-Fi, cybersecurity company Kaspersky Lab reported Monday. About two-thirds of the attacks took place in Japan, while others occurred in Taiwan, China and other Asian countries.

“For the past few years, a strong actor named Darkhotel has performed a number of successful attacks against high-profile individuals, employing methods and techniques that go well beyond typical cybercriminal behavior,” said Kurt Baumgartner, principal security researcher at Kaspersky Lab. “This threat actor has operational competence, mathematical and crypto-analytical offensive capabilities, and other resources that are sufficient to abuse trusted commercial networks and target specific victim categories with strategic precision.”

So strategic, in fact, that the hackers appear to know the names, arrival and departure times, and room numbers of the targets. While maintaining an intrusion on hotel networks, the hackers used this information to wait until the victim checked in and logged on to the hotel Wi-Fi by submitting their room number and surname. When the hackers saw the victim on the network, they would trick the executive into downloading and installing a “backdoor” with the Darkhotel spying software disguised as an update for legitimate software like Google Toolbar, Adobe Flash or Windows Messenger. Once installed, the backdoor can be used to download other spying tools, such as an advanced keylogger and an information-stealing module.

“These tools collect data about the system and the anti-malware software installed on it, steal all keystrokes, and hunt for cached passwords in Firefox, Chrome and Internet Explorer; login credentials for Gmail Notifier, Twitter, Facebook, Yahoo! and Google; and other private information,” Kaspersky explained. “Victims lose sensitive information likely to be the intellectual property of the business entities they represent.”

While the company has identified the means of attack and many of the victims, the hackers carrying them out remain active, the company warned. The attackers did leave a footprint in part of the malicious code—two Korean characters—but, while the cryptographic skills suggest there may be a government entity behind it, some elements of the attacks could be performed by the most basic cybercriminals, and no one has been identified.

Kaspersky Lab offered tips to guard against Darkhotel and other cybersecurity threats targeting travelers:

When traveling, any network, even semi-private ones in hotels, should be viewed as potentially dangerous. The Darkhotel case illustrates an evolving attack vector: individuals who possess valuable information can easily fall victim to Darkhotel itself, as it is still active, or to something similar to a Darkhotel attack. To prevent this, Kaspersky Lab has the following tips:

  • Choose a Virtual Private Network (VPN) provider—you will get an encrypted communication channel when accessing public or semi-public Wi-Fi
  • When traveling, always regard software updates as suspicious. Confirm that the proposed update installer is signed by the appropriate vendor
  • Make sure your Internet security solution includes proactive defense against new threats rather than just basic antivirus protection
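
One way to carry out the second tip on Windows, as an added example that is not from Kaspersky Lab or the original article: the function checks an installer's Authenticode signature and compares the signer with a publisher name the caller already trusts. The function name, the parameters, the 2048-bit key floor and the sample path are assumptions made for this illustration.

```powershell
# Added example. Test-InstallerSignature and its parameters are hypothetical
# names; record -ExpectedPublisher from a known-good copy of the vendor's
# installer before travelling.
function Test-InstallerSignature {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedPublisher,
        [int] $MinRsaKeyBits = 2048   # assumed floor, not a value from the article
    )

    $reasons = New-Object 'System.Collections.Generic.List[string]'
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate

    # 1. The signature must verify and chain to a trusted root.
    if ($sig.Status -ne 'Valid') {
        $reasons.Add("signature status is $($sig.Status)")
    }

    if ($null -eq $cert) {
        $reasons.Add('file carries no signer certificate')
    } else {
        # 2. A valid signature from someone else is still a failure: the
        #    signer name must equal the vendor the update claims to be from.
        $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
        $signer   = $cert.GetNameInfo($nameType, $false)
        if ($signer -ne $ExpectedPublisher) {
            $reasons.Add("signed by '$signer', expected '$ExpectedPublisher'")
        }

        # 3. Extra hardening (assumption): reject short RSA signing keys.
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
        if ($rsa -and $rsa.KeySize -lt $MinRsaKeyBits) {
            $reasons.Add("RSA key is only $($rsa.KeySize) bits")
        }
    }

    [pscustomobject]@{
        Path       = $Path
        Trusted    = ($reasons.Count -eq 0)
        Signer     = if ($cert) { $cert.Subject } else { $null }
        Thumbprint = if ($cert) { $cert.Thumbprint } else { $null }
        Reasons    = $reasons
    }
}

# Sample call with a constructed path and publisher name:
# Test-InstallerSignature -Path 'C:\Users\me\Downloads\update_setup.exe' -ExpectedPublisher 'Example Vendor Inc.'
```

An update prompt that appears right after joining a hotel network should be declined whenever Trusted is false; the Reasons field says which check failed.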


Selling Enterprise Risk Management

There have been many discussions around the value of enterprise risk management as of late. Some individuals may feel as if having a risk manager on board checks the box, meeting the company’s obligations. Others may feel that enterprise risk management is the start and end to all their challenges and, if things do not work out as expected, the risk manager is to blame. So where does that leave the risk manager?

In order to have a healthy enterprise risk management program, risk managers should think like salespeople. Risk management professionals tend to be very passionate about their vocation, but not everyone may be buying into the ERM process. The first step to selling your risk program is to find a champion. This person should be on your executive team—preferably the CEO.  You need a strong voice in your organization that will support the change that an enterprise risk management program can bring. It is also a good idea to have support from the board of directors and, if applicable, the internal auditor. When building your risk team, keep in mind that the end goal is to have all employees of the organization support and apply risk management to their day-to-day challenges. The more risk champions you can find, the better your program will be advocated and supported.

Once you have completed your public relations campaign by finding your risk champion, the next step is finding a common language everyone can understand. It is particularly helpful to ensure that the risk terminology used within your organization is consistent and understood. Once people begin to speak the same language, conversations should begin to flow.

The third step is to make sure you have a sound product. Building a comprehensive risk framework and process that fits your culture is a valuable selling point. There are many frameworks to choose from such as the Australian model, COBIT and COSO. One size does not always fit all, however.  Use the components from the models that best suit the culture of your company. Be sure that you gain approval from both the executive team and your board when you introduce your framework and process.

Finally, it is time to make the sale. Have a risk workshop with your executive, but be sure to come prepared. It is critical to have a thorough understanding of the company’s strategic objectives, as the risks identified through your process should align with the company’s overall goals.

Conducting risk scenarios can also help sell ERM, further embedding risk management practices into the organization. Creating a scenario that requires the application of the risk management process really helps bring the theory to life. It also allows the participants to learn together as they work together, building knowledge while strengthening the program and its support throughout the company.


NASHVILLE—While a number of issues face the booming construction industry, one concern that has been discussed throughout the IRMI Construction Risk Conference here is the shortage of skilled workers. Projects are larger than ever, with technology and the global supply chain only adding to their complexity, making it even more difficult to find talent.

“The construction industry is absolutely in a war for talent,” said keynote speaker Dominic Casserley, chief executive officer of Willis Group Holdings. He cited a 2013 Willis survey that found 93% of respondents listed a “lack of skilled workers” as their biggest concern. He noted that many workers who left the construction industry during the financial crisis have since gained new skills in other areas and are not coming back.

An example, he said, is in his home, the United Kingdom, which decided in the last two years to return to building nuclear power stations. They had not done this for a number of decades and “quickly found that there were no engineers left. There was nobody capable of building a nuclear power station in the United Kingdom, so our new power station is being built by our great friends, the French. That’s what happens if you lose talent in an area of construction.”

Organizations are putting programs in place in the emerging markets to train talented resources “close to where the action is,” he said. Going forward, however, “We don’t see this challenge getting any easier.” Looking at millennials as a potential workforce, which represent 27% of the U.S. population, “you will see that they have some pretty interesting attitudes about work.”

Casserley noted that of millennials:

● four out of five feel they need to be recognized for their work and want regular feedback

● 72% would like to be their own boss

● 79% would like to have their boss serve as a coach or mentor

● 88% prefer a collaborative to a competitive work culture

● 88% want to integrate work and home life

● 74% want flexible work schedules

Asked how firms can bring millennials into their workforce and be flexible while still getting the job done, he said he views this as an opportunity for companies. “I think this is a very talented, aspirational, exciting generation. They are highly tech-savvy and have grown up in a global world.”

What employers will need to do, he said, is to “get their minds around how to harness that asset.” An interesting aspect about millennials, he noted, is their belief in having social value in what they do. “I can tell you, that for the generation entering the workforce today, that really matters. They want to work for a firm that means something to them so they can go home and feel proud of what they do.”

While all generations may feel this way, millennials are expressing it more openly. “And until you can get your mind around describing what [your industry] does and why it is important to the way the world goes around, I think we will struggle to attract and attain people, particularly that generation,” Casserley said, adding that if members of the industry don’t do this, “you are going to constantly lose people.”

Jack Gibson, president and CEO of the International Risk Management Institute (IRMI), agreed, noting that the construction industry is often viewed as a workplace where people are injured and the insurance industry is seen as a life insurance sales force. “Both industries do so much good, but we have not done a very good job of delivering that message,” he said. Gibson encouraged contractors to get involved in mentoring programs as well as the Insurance Industry Charitable Foundation (IICF), which has contributed more than $18 million in local community grants and more than 155,000 hours of volunteer service.


Photo by Caroline McDonald

NASHVILLE–For David B. Walls, president and chief executive officer of Austin Industries, construction safety became a lifelong mission the day he had to answer to the father of a worker killed in an accident. “Why did you kill my son?” he asked Walls over and over.

“Those words haunted me,” Walls said during his keynote address at the IRMI Construction Risk Conference here. “Nothing I could do would bring him back.” Tragic events such as this are “defining moments,” he said. “But we need to get passionate about safety without experiencing a fatality.” Walls explained that the construction industry has a long way to go, with the worst record for fatalities, according to the U.S. Bureau of Labor Statistics.

Organizations, he added, should focus on the physical work environment and the company culture. They also need to realize that a world-class safety program leads to higher quality throughout the organization.

One prerequisite is strong leadership. A good leader takes the time to really listen to people, admits to making mistakes and shares recognition for a project well done with employees, he said. This person also should be consistent in addressing safety issues and assertive enough to stop workers from continuing on a job if unsafe conditions are evident.

An effective leader needs to be accountable and hold the entire team accountable when it comes to safety. For example, workers need to know that breaking certain safety rules could cost them their job. After all, he said, “you have a moral obligation to get employees home to their families each night in a safe condition.”

Walls recommended frequent discussions of company successes as well as failures. Weekly dialogues of near-misses, for example, can raise awareness about how they could have been prevented and encourage safe behaviors. Posting the safety records of contractors “makes them improve quickly,” he said. Walls advocates for both classroom and thorough on-the-job training.

Safety managers and employees also need to focus on what they might be overlooking, the “sins of omission.” For example, he said, “what are you not doing that you could be doing to save lives?” The litmus test, he added, would be for a manager to ask him or herself, “Would I let my child work here?”

Asked by an audience member how to get the necessary buy-in from a CEO, Walls advised, “Get the CEO to walk the job and see the hazards. Go to the job site and see where someone fell and where the accident took place. Two to three people a day are dying in this industry and it is unacceptable.”
