Olympic competition heats up -- among elite hackers

There will be more than one Summer Olympic Games starting later this month in London.

The official one, which everybody knows about, is the competition among the elite athletes of the world. The other is one that UK officials hope nobody will notice: the competition among the elite hackers of the cyber world, with one side trying to protect the Games' vital computer systems while the other side tries to break into them and make mischief.

As UK officials have been saying since 2008, the country is expecting an unprecedented level of attacks during the two-plus weeks of the event.

[See also: Summer security concerns -- 4 warm-weather worries]

At the July 3 National Security 2012 conference, the nation's counter-terrorism department director, Richard Clarke, said the possible disruption from cyberattacks could rise to the level of physical threats at past games.

But the good guys say they are ready. And at least some security experts with government experience agree with them.

Joel Harding, a retired military intelligence officer and information operations expert and consultant said, "The security at the 2012 London Olympics is as tight as any Olympics -- ever."

That is the word from Atos, the lead technology company for the summer and winter Games since 2002. Patrick Adiba, Atos executive vice president for the Olympic Games and major events, told David Stringer of the Associated Press that he believes it will be virtually impossible for malicious hackers to achieve what would amount to a gold-medal attack - putting political messages on Olympic scoreboards.

"It is very unlikely, as it all operates on a very secure network. It would be quite complicated to get into this network without being detected," he said. "It can never be 100%, but it is close to 100%."

Joel Harding agrees. "The Olympics are going to attract a ton of attention, so of course hackers are going to try to put 'Go Our Country!' on the scoreboard," he said, since this would be worth a "lulz," the hacker reward for getting into a system and causing trouble.

"The more attention a hacker can cause, the more lulz and the greater the bragging rights," he said. "But we've already heard that [hacking the scoreboard) is going to be spectacularly difficult, so I tend to doubt we'll see that."

Gary McGraw, CTO of Cigital, said he thinks the worst that could happen would be that kind of "hacktivism." And while it might be embarrassing for the Olympics and cause some celebration among the black hats, "how much damage will it really do?" he asks.

There are bigger threats, Joel Harding said. "There are a ton of other things, such as schedules, transportation systems, water, physical security, telephones -- you name it -- all automated and networked. Those would be great targets and shutting down all the water would shut down the Olympics.

"Since all this attention is on London, however, making the London Eye Ferris Wheel stop or run backwards would be a worthy goal. The London Underground is an attractive target. The entire city is in the crosshairs," he said.

The competition between the white and black hats is expected to be fierce. Atos, which will be in charge of about 11,500 computers and servers across the UK, has done more than 200,000 hours of testing, including mounting simulated attacks, according to Adiba.

Harding said he thinks Atos is taking the right approach - more risk mitigation than risk avoidance. "They appear to be assuming that hackers are going to get into the system, so the security is oriented towards recognizing malicious behavior as soon as possible and avoiding a serious failure, a meltdown, if you will," he said.

"But, there is always someone with zero-day exploits, vulnerabilities that the computer security organizations of the world are not yet aware, and they will use them. Really elite hackers will attempt to make exploits on the fly, as the system responds and as they recognize new vulnerabilities, these folks will probably collect some lulz, but let's hope the response time for closing those backdoors is world-class also."

Gary McGraw said a better approach is to "do security analysis at the design level. When you build a system, don't design security flaws right into it," he said. "Think about possible attackers. Do a risk analysis and see if it is designed to resist attack. When you really want to be secure, you have to build it in. It does involve some penetration testing, but it doesn't rely only on that."

Joel Harding said he thinks both sides have some advantages. "White-hat hackers are every bit as good as black-hat hackers -- sometimes they're even better," he said. "Many white-hat hackers began their career doing network security, so they understand many of the basics that bad hackers might not."

But black-hats don't worry about obeying the law. "They have access to repositories of code, which are often freely shared to save time when building new tools," Harding said. "They often have access to the latest network monitoring tools, which by their very nature, can be used offensively.

"The really bad news for the defenders is that may well be very nearly overwhelmed with the sheer volume of attempts to penetrate their systems," Harding said. "With all that noise from inexperienced or unskilled hackers, the really good ones will operate quietly and probably not attract enough attention to stop them until it's too late. Those are the dangerous ones. They have experience, patience and skills."

Read more about malware/cybercrime in CSOonline's Malware/Cybercrime section.

Join the CSO newsletter!

Error: Please check your email address.
Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Taylor Armerding

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place