WAHckon: Manipulation of small amounts of data among huge data sets could be an unrecognised threat to scientific organisations, security man Craig Searle says.
Searle is founder of Melbourne-based security consultancy Hivint and says altering a few data points inside important databases - say those held by meteorological organisations - could be an overlooked objective of state-based attackers, who aim to skew subsequent scientific projections.
Searle posits that hacking teams could engage in exploits like stealing credentials, with that activity drawing defenders' attention to mask subtler attacks that aim to alter key data points. With the statistical well poisoned, governments will rely on dud data, potentially impacting decision-making and ultimately prosperity.
“It may seem odd that attackers would go after oceanographic data – what would they want with it – but they use the data to make critical projections,” Searle told the WAHckon security conference in Perth, Saturday.
“You only need to change a few things while causing a distraction over there.
“What then are the options? You might be able to restore from backups, or compare data for changes, but that’s probably not feasible.”
Craig Searle. Image: Darren Pauli, The Register.
Fellow security researchers at the conference say manipulation of data may not be found during post-breach forensic investigations, since there are many variables that impact the ability to determine what hackers have stolen or altered.
Scientific bodies, including meteorological organisations, are more attractive targets than is immediately apparent, since some are responsible for national response to critical incidents. The value of that kind of information is probably better understood by the belligerent nation than by the world at large.
In December last year the Bureau of Meteorology was found to have suffered a major security breach that unnamed insiders blamed on China. ®