Tag Archives: human-error

How to Picture the Future of Driverless

Picture this:

The year is 2025. A call comes to the police station—someone has broken into a local home. A drone is deployed to the address and arrives within five minutes. The drone feeds video to the station and to the closest autonomous (driverless) police vehicle. The drone guides the police car to the location. The officer in the car (we’ll assume he’s human, for now!) isn’t actually driving; he’s an occupant, watching the drone’s video feed. He can see the suspect fleeing, and he researches other crimes in the neighborhood along with potential suspects. The drone estimates the perp’s height and weight, and the officer can see his clothing and a possible gun in his belt. The police officer communicates with other officers in the area to coordinate the capture. As the suspect runs, his description and location are fed constantly to all nearby police vehicles, and he is surrounded within 15 minutes of the initial call.

This is far from fiction. The international consulting firm Frost and Sullivan predicts that 180,000 driverless cars will hit the U.S. market in 2020. That’s less than 1% of today’s annual new car market, but that’s just the beginning!

Just about every major car manufacturer (as well as Google, of course) is developing autonomous vehicles, and the competition is getting more intense as the demand for collision avoidance features grows. Just as drones are spreading (if not yet regulated), driverless cars will become widely accepted. Americans love to drive, but there are too many undeniable advantages to autonomous cars.

The first one is safety. According to the U.S. Insurance Institute for Highway Safety (IIHS), 94% of all car accidents are caused by human error. Nearly two million crashes could be avoided if human error were eliminated. That’s not to say that driverless vehicles won’t crash, but, as the technology improves, crash rates will drop like a rock. In 2025, if our roads are still packed with commuters, the occupants of many vehicles will be reading, answering emails, video conferencing and browsing the web. In other words, they’ll be working. A recent Morgan Stanley report predicted that driverless cars could add $5.6 trillion (yes, with a ‘T’) to the global economy because of the combination of a steep reduction in accidents and the dramatic increase in productivity. It is estimated that in 2035 autonomous cars will account for 25% of all cars.

Back to the police force. As driverless cars evolve, routine traffic monitoring will drop, high-speed chases will slowly decline (with drone help) and smaller police forces will focus on more serious crime. Cameras will capture everything—both from the ground and the sky. Officers will become highly trained in electronic law enforcement. Efficiency will rule!

Of course, these are just predicted outcomes. This policing panacea isn’t all roses; it will not eliminate the need for community relationships, direct contact with neighborhoods and personal contact in law enforcement. Furthermore, while vehicle collisions will fall, the cost and maintenance of autonomous cars will remain extremely expensive in the near future. Currently, it costs about $150,000 to equip a driverless car. But that cost will drop to $7,000 by 2030 and to $3,000 by 2035.

Nothing’s perfect. Every emerging concept or technology brings unexpected challenges and unintended consequences. But it appears that autonomous automobiles will emerge soon, and it’s likely that some day we’ll say they are “here to stay.”

For today, I guess I’ll have to drive myself home. What a chore.

The New Cyberthreat You Face at Work

The latest greatest swindlers in the cybercrime racket know you’re onto their digital three-card monte, and they’ve made a few adjustments, putting yet another wrinkle in the corporate-hacking game by targeting top-level employees for major profits.

These hackers appear to be based in North America or Western Europe, and they know a great deal about the companies and industries they’ve been cracking. They could be “white-collar hackers” or just good studies of character. It really doesn’t matter. Here’s what counts: They are hatching cyberthreats so nuanced you may not see the hack that takes out your company ’til the smoke clears.

These hackers may have worked for your company, or one like it. They are going to know how your teams communicate. They’ll use the lingo and shorthand that you see every day. Emails may be super simple, like, “I need another pair of eyes on this spreadsheet about [term of art only people in your business would know].” They may know what you are likely to be talking about after certain kinds of industry news releases, and they’ll have a good idea of what times of day get busy for you so that you are more distracted and less likely to think before you click.

“The attacks are becoming much more sophisticated than anything we’ve seen before,” says Jen Weedon, a threat intelligence officer at the Silicon Valley-based cybersecurity firm FireEye.

The New York Times reported about one such group of hackers targeting senior executives at biotech companies with a goal of garnering insider information to game the stock market.

FireEye has been tracking the group, which the company calls Fin4, for a year and a half. (The “Fin” designation is assigned by the company to indicate groups where the main goal is to monetize proprietary information.)

“Fin4 has reached a threshold of capability that sets them apart,” Weedon told me during a phone conversation. “They are very thoughtful about who they target. They go after specific companies and are a lot more scoped in their approach.”

Attacks of this kind may start with the studied e-impersonation of trusted colleagues, business associates or anyone from a constellation of contacts—compliance officers, regulators, legal or financial advisers—with the single purpose of getting someone in a senior position to personally, unwittingly hand over the keys to the castle. Once Fin4 is in, sensitive—potentially lucrative—information can be accessed and put to use.

“They will send a very convincing phishing email,” Weedon said. “It may prompt a link that looks just like Outlook.” The target enters her credentials to see the attachment, not realizing that she was not in Outlook at all. There may even be a legitimate document on the other side of that fake login page, but it’s a trap. Once the hacker gets into a key person’s inbox, Outlook settings are reset to send any messages containing the words “hacked” or “malware” directly to the user’s trash folder, thereby giving the cyber-ninja more time in the system to collect information about mergers and acquisitions, compliance issues, press releases, non-public market-moving information—anything that can be used to make a smarter stock market trade.
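That mailbox rule is one of the few artifacts this kind of credentials-only intrusion leaves behind, so it is worth checking for. As an added example (not from the original article or from FireEye), the Python below audits an exported list of inbox rules for ones that send security-related messages to the trash; the record layout, keyword list, folder names and sample rules are all constructed for illustration.

```python
# Added example: flag inbox rules that hide security-related mail.
# Field names, keywords and folder names are assumptions, not a real export format.

SECURITY_WORDS = ("hacked", "malware", "phish", "virus", "compromised")
HIDING_FOLDERS = {"deleted items", "trash", "junk email"}
KEYWORD_FIELDS = ("subject_contains", "body_contains", "subject_or_body_contains")

# Constructed sample rules, as they might look after exporting them per mailbox.
SAMPLE_RULES = [
    {"mailbox": "ceo@example.com", "name": ".", "enabled": True,
     "subject_or_body_contains": ["hacked", "Malware"],
     "move_to_folder": "Deleted Items"},
    {"mailbox": "analyst@example.com", "name": "Newsletters", "enabled": True,
     "subject_contains": ["weekly digest"], "move_to_folder": "Reading"},
    {"mailbox": "soc@example.com", "name": "Malware alerts", "enabled": True,
     "subject_contains": ["malware"], "move_to_folder": "SOC Alerts"},
]


def hides_mail(rule):
    """True if the rule deletes the message or files it where nobody looks."""
    folder = (rule.get("move_to_folder") or "").strip().lower()
    return bool(rule.get("delete_message")) or folder in HIDING_FOLDERS


def matched_words(rule):
    """Security keywords that appear inside any of the rule's match phrases."""
    phrases = [p.lower() for f in KEYWORD_FIELDS for p in (rule.get(f) or [])]
    return sorted({w for w in SECURITY_WORDS for p in phrases if w in p})


def audit(rules):
    """Return (mailbox, rule name, keywords) for enabled rules that hide alerts."""
    findings = []
    for rule in rules:
        if not rule.get("enabled", True):
            continue
        hits = matched_words(rule)
        if hits and hides_mail(rule):
            findings.append((rule["mailbox"], rule["name"], hits))
    return findings


if __name__ == "__main__":
    for mailbox, name, hits in audit(SAMPLE_RULES):
        print(f"{mailbox}: rule {name!r} hides mail mentioning {', '.join(hits)}")
```

A rule that files "malware" alerts into a monitored folder is not flagged; only the combination of a security keyword and a delete-or-trash action is.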

According to Weedon, the group has been able to infiltrate email accounts at the CEO level.

Once they’ve gained access, the hackers may simply collect everything in the CEO’s inbox or take an attachment found there and plant malware that then spreads throughout the company, thereby exposing still more information. The difference here is that the hack relies on legitimate credentials to gain access, so it’s a much lighter touch with potentially much more information being compromised. If the hackers forgo malware, there aren’t necessarily any traces at all of the compromise.

The “old” way these breaches worked—one still very much practiced by Chinese and Russian groups—involved the use of general information, kinda-sorta knowledge of the target’s business and hit-or-miss English. Because there are often less specificity and more variables in these kinds of softer attacks, the dodge is easier to spot. A lower-level employee is more likely to fall for it. In most cases, these targets don’t have the kind of access to information that can cause major damage. Having gained whatever access is possible through their mark, old-school hackers move laterally into the organization’s environment, whether by recording keystrokes to exploit privileged employee credentials or blasting a hole in the company firewall. They might as well be Bonnie and Clyde robbing a bank. The goal is to siphon off information that can be turned into an easy profit, but the process leaves traces.

What’s so worrisome about Fin4 is that the hackers can come and go—gaining access to everything and anything pertaining to your company—and you may never know it. For the numerous healthcare and biotech companies that they targeted, the only real-life consequence could be an advantageous trade that somehow anticipated the announcement of a new drug, or shorted a stock associated with a failed drug trial.

If you are the target of choice, you will have to be exceptionally well trained by a cutting-edge information security professional and completely tuned in to the subtleties of your workflow to avoid getting got. These fraudsters will have at their fingertips the kinds of information that only an insider should know, and the bait they dangle in front of you will be convincing.

While the art is very different, the basic mechanism is the same. Company-killing compromises require human error. While more common hacks rely on a weakest link that can be exploited, the more hackers evolve, the more we all must evolve with them.