Information Security and The Rio Games: Was Brazil Ready?
On Friday August 5th, the Rio Olympics kicked off and millions of eyes eagerly anticipated the start of the games. In the eyes of information security, a tentative breath was held to see if a major security incident would affect the opening ceremony or any subsequent events.
Large sporting events are increasingly becoming an attractive target for hackers and for good reason. Phishing and scam attacks offer counterfeit tickets for sale, reaping a quick and easy reward. The increase in mobile network traffic due to live events make for a central target large enough for hackers to attack. And “behavior blending,” an infiltrate, wait, then attack, method of compromising a system is effective when there is a swell in mobile network usage due to an increase in population.
Most importantly, the Rio Games holds data that is very important for malicious actors to capture. Not only is the sensitive information of high-performance athletes, team leaders, and coaches valuable, any information pertaining to an event or a team, such as undisclosed injuries or internal strategies become extremely valuable to anyone who has a lot of stake in the outcomes of an event.
In this article, we’ll look at how the Rio Games planned to combat hackers and what the security looks like for its most involved organizations – their sponsors.
Brazil’s Technical Operations Centre: The First Line of Defense
We can look to this year’s most recent major athletic events to have a better understanding of the kind of security issues that may pop up during the Rio Games. The 2016 Eurocup saw an increase in malicious websites accessed by mobile devices and SmartWire Labs team found that the Fan Guide app developed for the event had a number of security flaws and leaked data, a dangerous finding given that the app was downloaded over 100,000 times.
Wimbledon also saw an increase in malicious attacks and sites either impersonating ticket selling sites or selling counterfeit tickets had increased immensely from the year before. IBM, the security partner for the event, reported a 302% increase in security incidents and attacks year over year
Brazil may be particularly susceptible to security incidents compared to other countries due to their lack of priority on bolstering Cybersecurity. Brazilian businesses have cyberattacks as their 23rd most pressing concern compared to 1st for US businesses and 2nd for UK businesses.
However, it doesn’t mean the Rio Games has been sleeping on the job. Its Technology Operations Centre (TOC) is, among other things, responsible for information security and responding to any incidents or attacks. An RCR Wireless in-depth look at the TOC notes that they’ve already detected millions of incidents without problems in their preparation for the Games. During their last technical rehearsal, the TOC had prepared for over 1,000 predefined scenarios. It’s this kind of preparation that allows an event like the 2012 London Olympics to experience 165 million security events but only have 97 turn into security incidents and only 6 of those be defined as major.
The TOC has made all the preparation it could to prevent any attacks from delaying or interrupting any of the events. But what about the general population and Brazil as a whole? Is Rio prepared for an increased hacker presence?
The Rio Games’ Security Rating
In order to get a better sense of the security posture of the Rio Olympics overall, we looked at the security ratings of the the major 11 Worldwide Olympic Partners in our platform through the month of July to see what security looked like leading up to the start of the Olympics. Sponsorship includes a variety of different involvement in the games. On of the sponsors, for example, will be providing IT systems for the Rio Games, implementing IT security and infrastructure support.
Overall, they don’t look stellar in terms of security, with less than 30% of the sponsors having an A security rating. However, there is some solace given the fact that there are no D’s or F’s. Taking a deeper look into the company’s factor grades, we can start seeing some trends among the sponsors.
Well-performing factors among the sponsors include Hacker Chatter and Application Security. Social Engineering was the most polarizing factor, having the biggest discrepancy in grades between the sponsors. On the whole, however, over 50% of the companies received an ‘A.’ The Social Engineering and Hacker Chatter are especially important factors to look at given the time-frame we were checking. Because phishing is one of the major attack methods that increase during an event, this is a good sign that the sponsors aren’t being targeted by concerted hacking efforts.
The Olympic sponsors struggled with the Patching Cadence and DNS Health factors, indicating a lack of consistent security upkeep among the sponsors. These are the kinds of issues that pose a long-term threat to companies. Patching Cadence is a topic we’ve covered before and a slow patching cadence is a threat that’s ever compounded as more (Common Vulnerabilities and Exploits) CVEs are published each day. That problem is even worse if an End-Of-Life product is in use by the organization.
The DNS Health factor represent issues with email and domain configurations. A low DNS health indicates that an organization is at risk for email spoofing and that IP addresses are potentially being used for a botnet.
Both these issues are especially pressing during the Olympics due to an increased focus by hackers. As more attention is levied on these organizations, it is likelier that their vulnerabilities, either due to existing CVEs or improper configurations, will be found by malicious actors.
How to Protect Yourself In Rio
The US-CERT has issued an alert regarding cybersecurity at the Rio Games and offers some basic tips towards securing your information with a focus on mobile devices. CIO has also published a detailed look into the specific types of attacks and methods being used as a lead up to the game. We have some security advice for anyone who’s in Rio or planning to attend one of the events.
Be suspicious of webpages. Like CIO mentioned, a large number of malicious URLs that end in gov.br have been discovered. While the URL address looks legitimate, be on the lookout for warning signs that may give its illegitimacy away. Off-brand copy, strange logos, and an outdated look are dead giveaways.
Only buy tickets to events through authorized resellers. Many malicious websites are set up to sell fake tickets in order to steal your financial information. If you’re not sure of the website you’re making a purchase from, you can find a list of official Authorized Ticket Resellers for the Rio Games here.
Be wary of the official app. Like we mentioned earlier with the Eurocup’s designated app, it was not built with security in mind and the same is likely for the Rio Games’ app. Even if the app was developed with a focus on security, no app is 100% secure and it provides a central point of focus for any hackers. If you’re going to be using the app, make sure it’s over a secure connection and that the app doesn’t have any of your sensitive information.
Do not connect to public wi-fi. This is advice we can all follow regardless of where we are. By definition, public wi-fi is not secure because it is public. While there are tools and software designated to protect your information and visibility over public wi-fi, it’s best not to take any chance and keep your remote connections private.
The London Games had its fair share of security incidents and they were able to handle it fairly well. Time will tell how the Rio Games will fare. Until then, make sure you’re following the basics and keeping yourself safe from attackers.