CYBERSECURITY: The Greatest Hurdle of the 2016 Olympic Games INTRODUCTION 1 Every two years, the world turns its collective attention to an event that has come to epitomize “International Olympic Committee Marketing Report: London 2012,” a rare moment in international co-existence. Underneath jerseys and face paint indicating Olympic Committee, 2012. Link national allegiance is an appreciation for talent and hard work, regardless of state origin. Amid the fiercest competition in the world emerges a sense of humanistic unity in both athletics and beyond. For seventeen days this August, Olympic fervor will begin all over again. Preparing for an event that attracts 7.5 million ticketed spectators and 3.5 billion television viewers1 is no small feat for any city, even for highly industrialized hosts such as London and Beijing. As the first South American country to host an Olympic Games, Brazil carries the reputation of an entire region on its shoulders. Amid this pressure, Brazil is also faced with a host of internal issues. Rampant corruption, economic collapse, and the Zika virus threaten to launch Brazil into utter chaos. Amid these immediate and pressing challenges, however, lies a more covert concern. Brazil’s insufficient cybersecurity infrastructure, coupled with the world’s attention, make the 2016 Rio de Janeiro Olympic Games a perfect target for cybercriminals. graquantum.com infograquantum.com This paper explores Brazil’s existing cyber landscape, including its status both regionally and globally. It will begin by examining the history of cybercrime in Brazil and its existing Internet infrastructure. It will then contextualize Brazil’s unique cyber landscape in the context of the Olympic Games, including comparisons with previous and future host countries, and efforts to secure Brazil’s cyber architecture specific to the games. Finally, it will provide recommended “next steps” for what can and should be done to ensure the future security of Brazil’s evolving cyber landscape. Ultimately, this paper illustrates the ways in which a multitude of cyber threats may prove to be the greatest hurdle of the Summer 2016 Olympic Games. 3 graquantum.com infograquantum.com MAPPING BRAZIL’S CYBER LANDSCAPE 2 Despite its size and regional status, Brazil faces relatively few external geopolitical enemies. “Hackers target Brazil’s World Cup for cyber attacks,” Reuters, The government has therefore had little incentive to develop its cyber defense capabilities.2 26 February 2014. Link Moreover, in the face of widespread traditional crime, poverty, and social inequality, government 3 resources have been allocated elsewhere. In fact, cybersecurity programs in Brazil were “Brazil and Cybersecurity in the virtually non-existent until 2013, when the Snowden leaks sparked a cybersecurity dialogue Aftermath of the Snowden Revelations” Link that had been absent from earlier discourse.3 4 Cybercriminals are no stranger to Olympic-size breaches. The official site of the London “Hackers target Brazil’s World Cup for cyber attacks,” Reuters, Olympics was hacked more than 2.2 million times in 2012. Most of these attacks were ticket 26 February 2014. Link fraud or denial-of-service attacks; more than 700 of these attacks warranted thorough 5 investigation. In all, French information security company ATOS detected approximately “Beaches, carnivals and 255 million “security events” during the London Games.4 cybercrime: a look inside the Brazilian underground,” Kaspersky Lab, 11 November The potential to cause a disruption on the Olympic stage is only furthered by Brazil’s internal 2015. Link economic and social circumstances. The country’s threat landscape reflects both Brazil’s inadequate financial infrastructure, as well as its ongoing internal unrest. These factors combine to create one of the most unique cyber landscapes in the world—one that can only be understood by assessing Brazil from the inside out.5 4 graquantum.com infograquantum.com Brazen Hackers & Vulnerable Wi-Fi Brazil’s financial sector has been and will continue to be its most vulnerable industry. Online 6 “Kaspersky Security Bulletin banking is hugely popular in Brazil, with more than 50 million Brazilians using Internet-based 2014. Overall statistics for banking systems daily. In all, 40 percent of all bank transactions occur online. Hackers have 2014,” Kaspersky Lab. 8 December 2014. Link taken notice. Nearly 300,000 Brazilian users suffered from financial malware in 2014, making Brazil the most dangerous country in the world for financial cyberattack.6 These numbers 7 “Beaches, carnivals and are on the rise; bank fraud increased in Brazil by 40 percent in 2015.7 cybercrime: a look inside the Brazilian underground,” Although tourists are unlikely to utilize Brazil’s online banking systems while in country Kaspersky Lab, 11 November 2015. Link for the Games, the prevalence of financial crime largely defines Brazil’s landscape. In all, cybercrime constitutes 95 percent of all losses sustained by Brazilian banks.8 8 “Cybercrime Scheme Uncovered in Brazil,” The New York Times, 2 July 2014. Link 9 These numbers are on In all, cybercrime “3.75 Billion ‘Boleto’ Fraud in Brazil Exposes the Rise of the rise; bank fraud 40% 95% constitutes 95 percent Global Cybercrime Threats,” increased in Brazil by of all losses sustained Association of Certified Financial Crime Specialists. Link 40 percent in 2015.7 by Brazilian banks.8 Without deterring legal consequences, cybercriminals feel free to flaunt their cyber loot online. Without fear of punishment, Brazilian hackers post photographs of their earnings, exchange “best practices” on online hacking forums, and even upload videos bragging about their hacking skills. One prominent video, entitled Rap dos Hackers, has received over 200,000 views. The hacker proclaims: “I’m a virtual terrorist, a criminal On the internet, I spread terror Have nervous fingers I’ll invade your PC, so heads up You lose playboy Now your passwords are mine.”9 5 graquantum.com infograquantum.com Network Attack 10 Wi-Fi networks in São Paulo “Data Are at High Risk of Theft Via Wi-Fi, Europol Warns,” The Wall Street Journal, 7 March 2014. Link Completely Could be hacked in open networks a matter of minutes 11 “Cybercriminals Ramp up Activity Ahead of 2014 World 26% 12% Cup,” SecurityWeek, 11 June 2014. Link 12 “Pineapple: An overview of Wi-Fi Pineapple Mark V,” Volkan Paksoy Blog, 25 February 2015. Link Spectators looking to document their Olympic experiences online must also be wary of network attacks. Due to the cost and relative inaccessibility of 3G networks in Brazil, visitors typically depend on Wi-Fi. Popular applications such as WhatsApp and other Wi-Fi-dependent, international messaging applications will also encourage tourists to turn to Wi-Fi when in Brazil. After searching for a connection, spectators are likely to connect to the first open network they see. However, public Wi-Fi connections—such as those available at coffee shops, hotels, and restaurants—are typically unencrypted, enabling cybercriminals to access a victim’s device with minimal effort. A hacker needs only a simple, inconspicuous, and inexpensive device to intercept signals from a victim’s computer or install malware. All information accessed on an insecure network, including passwords and credit card numbers, is fair game. This information may then be used to perpetrate offline crime, such as identity theft or credit card fraud.10 The headache associated with the aftermath of these crimes is only exacerbated when abroad. Vulnerable Wi-Fi networks are prevalent everywhere, and Brazil is no exception. A Kaspersky Lab assessment of Wi-Fi networks in São Paulo found 26 percent of networks are completely open, while an additional 12 percent could be hacked in a matter of minutes.11 Perhaps most insidious is the creation of fake Wi-Fi networks, often designed to resemble hotel or airport networks. In order to carry out what is often termed a “man-in-the-middle attack,” a hacker needs only a device known as a Wi-Fi pineapple. The pineapple effectively fools wireless devices into connecting to the pineapple ahead of existing, legitimate networks. The unsuspecting victim therefore believes he or she is connecting to a reputable network, but instead relays his or her personal information directly to the hacker.12 6 graquantum.com infograquantum.com Cybercriminals can obtain a Wi-Fi pineapple with relative ease, and may place the pineapple 13 “DarkHotel: A Sophisticated New at a café, hotel, or business with public Wi-Fi in a matter of seconds. Once the pineapple is Attack Targets High-Profile in place, the cybercriminal has the ability to install malware on a victim’s computer or dump Hotel Guests,” WIRED, 10 November 2014. Link the victim’s hard drive. If the victim visits online banking sites or enters a password, that information is readily accessible, too. When a user joins public Wi-Fi via a pineapple, he or she hands the keys to his or her personal information directly to a cybercriminal. Spectators looking to regale their Olympic experiences to friends and followers online must remain vigilant. While the Rio 2016 Olympic Committee has made private Wi-Fi networks available at Olympic venues, Brazil’s other attractions remain vulnerable. Brazil’s beaches deployed free and public Wi-Fi ahead of the World Cup, and the same infrastructure will be in place for this summer’s Olympics. As tourists bask in Brazilian sunshine between volleyball matches, they may be in inadvertently sharing personal data with malicious actors. Even the confines of a luxury resort are not safe. For example, a 2014 Kaspersky Lab report revealed that an attack known as DarkHotel had compromised the personal data of international executives at five-star hotels around the world for at least seven years.13 With millions of preoccupied tourists set to descend on Rio, cybercriminals will undoubtedly take advantage of the influx of lucrative and easy-to-access data.