Cybersecurity gets more sophisticated – but so does hacking


Just when you thought you had the ultimate password to foil hackers, along come new cyberthreats that make you WannaCry.

Meet the new cyberthreats, in many cases driven by artificial intelligence (AI). Fortunately, the new countermeasures are starting to deploy AI as well.

“What we have seen in the last while is that passwords have kind of broken down. Weak passwords – that’s what’s behind a lot of the recent breaches we have seen,” says Deepak Dutt, founder and chief executive officer of Zighra, a Toronto-based cybersecurity company. Zighra uses biometrics, such as fingerprints, to authenticate users of computers and mobile devices.

Mr. Dutt says that someone’s weak password may have even helped to trigger the recent WannaCry ransomware virus that spread worldwide, hobbling Britain’s National Health Service, government and office computers in Canada and around the world in May.

Last year, as part of his company’s own research, Mr. Dutt visited a site called Have I been pwned?, which allows users to see if their own e-mail has been breached and also indicates how many accounts have been compromised worldwide.

“At that point they had announced 300 million plus breaches, and all these user names and passwords that were available on account of these breaches,” he says.

“Fast forward to today, and it’s 3.3 billion breaches,” he says. (Actually, by the end of May, the site indicated more than 3.7 billion breaches.)

According to a report by the consulting firm Risk Based Security, more than 4.2 billion records were exposed in 2016, 3.2 billion more than had been revealed three years earlier.

Exposure, where anyone can see your information if they look, led to more than 4,000 actual security breaches, which meant that in all those cases, people’s e-mail addresses, passwords, social insurance information, bank and credit card information and even health records were out there to view.

Adding even more of a threat, AI has become a powerful new hacking tool.

Using AI, hackers “are automating the entire process, with millions of attacks happening in a single minute. They take millions and millions of passwords, try different websites, and see what actually gets through,” Mr. Dutt explains.

“Once they get through that, they can spawn their attacks. And then they can move into mobile devices,” he adds.

Last October, then-U.S. President Barack Obama warned about the dangers of new AI-driven cyberbreaches.

“There could be an algorithm that said, ‘Go penetrate the nuclear codes and figure out how to launch some missiles,’” Mr. Obama said in an exclusive interview with Wired magazine editor-in-chief Scott Dadich and MIT Media Lab director Joi Ito.

“If that’s its [AI’s] only job, if it’s self-teaching and it’s just a really effective algorithm, then you’ve got problems.”

Perhaps chillingly, Mr. Obama also noted that everyone should “worry about the capacity of either non-state actors or hostile actors to penetrate systems.

“In that sense it is not conceptually different than a lot of the cybersecurity work we’re doing. It just means that we’re gonna have to be better, because those who deploy these systems are going to be a lot better now,” Mr. Obama said.

Fighting back

Mr. Dutt and others are fighting back with AI. IBM has deployed its supercomputer Watson – the one that crushed Jeopardy – to read tens of thousands of security research reports, to “learn” about new breaches and assist some of the company’s select customers.

Simple countermeasures also help, Mr. Dutt says.

“You should use some sort of password management tool. These tools can help you manage your passwords and generate new ones,” he advises.

He also recommends using multifactor authentication: after you sign in, you are sent a second log-in code on another device, such as your phone.

“It’s simply an additional layer that lets hackers know not to bother with you,” Mr. Dutt says.

People should also now be especially wary of potential phishing and spear-phishing attacks, Mr. Dutt says.

“They’re at a different level of sophistication. Previously, phishing e-mails were full of spelling mistakes and not properly formatted. Now, they look really professional,” he explains.

Think twice before opening any e-mail if the subject line or the request seems unusual.

“It’s hard from a single look to tell whether it’s real or an imitation. So don’t click unless you’re absolutely sure,” Mr. Dutt says.

While AI- and biometric-based protections from companies such as Zighra or BioConnect, another Canadian company, can also help beef up cybersecurity, Mr. Dutt recommends considering a contract with a data recovery company and the purchase of cyberinsurance to cover security-related losses.

While cyberinsurance is relatively new, insurers are all predicting exponential growth in coverage between now and 2020.