Visitors to the Sochi Olympics face an array of cyberthreats so serious they should think twice before taking a laptop, smart phone, tablet, or other Internet device with them. If they brought such objects to the Games before learning of the threats, they should think seriously about not even turning them on, US cyberthreat authorities say.
Although undoubtedly less serious than physical threats of terrorist attack, a phalanx of cybertraps, Internet-based attacks, and surveillance awaits visitors to these Olympics. Some digital dangers extend even to virtual visitors in the United States and elsewhere just trying to keep up with the action.
Whether it is the hunt for event tickets, event video replays, or simply look-ups of medal statistics, anyone pursuing Olympics information online needs to be alert to visit only a few trusted websites – studiously avoiding fake websites that appear to offer official Olympic news or coverage, cyber experts say.
Even a fleeting visit to a fake site can result in malicious software being installed onto devices (including mobile phones) that steals personal information, the US Computer Emergency Readiness Team (US-CERT) said in a warning Tuesday.
But that’s just the beginning, US-CERT, the State Department, and cybersecurity experts agree. Among the multiple threats they cite: state surveillance, cybercriminal activity, and hacktivist attacks.
To be sure, the Internet at the Sochi Games will be faster and more widely available than at any previous Olympics, and it’s free for visitors. However, visitors shouldn’t assume that anything they communicate over any of the networks is private, US-based experts say.
(Many visitors to America feel similarly threatened by US intelligence gathering, some cyber experts acknowledge, although US laws and Congress do attempt to protect privacy.)
Unlike any other Olympics, including in Beijing and London, digital and other communications transmissions during the Sochi Games are expected to be virtually transparent to Russian intelligence, these cybersecurity experts say.
Russia allows lawful interception of all electronic communications. Its recently installed System of Operative-Investigative Measures, or SORM, allows the state intelligence service, the FSB, to monitor, intercept, or block any communication sent via cellphone, land line, or the Internet, US-CERT warns.
“The system in Sochi is capable of capturing telephone (including mobile phone) communications; intercepting Internet (including wireless/Wi-Fi) traffic; and collecting and storing all user information and data (including actual recordings and locations),” the State Department concurs. “Deep packet inspection [of Internet traffic] will allow Russian authorities to track users by filtering data for the use of particular words or phrases mentioned in emails, web chats, and on social media.”
What about those savvy travelers, expecting to connect via a hotel Internet connection and encrypted virtual private network to the home office?
“Forget it,” says Drew Porter, senior security analyst with Bishop Fox, a US-based corporate cybersecurity consulting firm. “It might work, depending on how it’s set up. But the networks there should be assumed to be compromised and because of that, there’s no way to ensure privacy.”
Visitors should likewise assume that all phone calls and really just about any other conversation are being monitored.
“It’s not ‘if’ your conversation is being monitored. It definitely is – so be wise what you say over the phone,” Mr. Porter says. “Remember that your conversations over phones and Internet-connected devices are no longer private.”
If you do take electronic equipment, you should take company loaner machines that have no personal information. Do not take a personal machine, because of all those passwords, credit cards, and other personal information, Porter says. But there are other reasons, too - like getting your machine home.
Other significant threats highlighted by US-CERT, the State Department, and cybersecurity experts include:
• Exit problems. Taking laptops and other devices into Russia is unrestricted. However, software may be inspected when visitors leave. So, without advance permission, “any computer or software containing sensitive or encrypted data may be confiscated by Russian authorities when individuals depart from the country,” US-CERT reports.
• Hacktivists. Companies should be aware that a hacktivist (hacking) group calling itself Anonymous Caucasus has threatened "cyberwar" against the Sochi Olympics. Any company that finances or supports the Games, along with any websites of organizations that the group believes financed Olympic-related activities, could be targeted for denial-of-service attacks, US-CERT warns.
• Fake websites. Events that draw public interest and heavy media coverage are likely to become subject lines in spam or spear-phishing campaigns, which lure the unwary to fake websites. Those websites will appear to be official Olympic-related sites, but are used instead to install malware onto devices.
NBCUniversal won exclusive coverage of the Games. So NBC and its websites – including for NBCSN, MSNBC, USA Network, and corresponding Twitter, Facebook, and Instagram accounts – are safe. But viewers should be cautious of other sources claiming live coverage, US-CERT warns.
• Ticket purchases for events. Visa is the only card accepted for purchasing tickets and merchandise at the Games, US-CERT reports. Also, tickets can be purchased only through authorized ticket resellers (ATR). But it gets complicated.
An individual can check out the authenticity of an ATR by using the “website checker” tool available on the official Sochi website. For the US, the official ATR is CoSport. Individuals making purchases through CoSport may pick up their tickets only at CoSport’s Host City Collection Center in Sochi, US-CERT notes.
Any ticket offer from a site not recognized as an ATR, or one that accepts payment other than Visa, is “likely fraudulent and should be met with skepticism,” US-CERT says.
On top of Internet-based security hurdles is the lack of privacy, propelled in part by the hunt for possible terrorist actors.
“Visitors to Sochi may also experience other types of surveillance and should have no expectation of privacy in public or private locations,” the State Department reports. “Hotel rooms, meeting rooms, offices, residences, cars, and taxis may be monitored on site or remotely, and personal belongings left unattended, including computers and other electronic devices, may be searched without consent or knowledge by the owner.”
It takes only moments out of an owner’s possession for a computer to have malware installed on it, whether or not the machine is password-protected, Porter notes. Even security bag checks are a potential installation point, he says.
“It only takes about 30 seconds at a security checkpoint or some other place for someone to distract your attention – while someone else installs malware onto your computer, tablet, or phone,” he says.
“If you made the mistake of bringing a computer or smart phone with you and you’re reading this right now, just jot down the essential phone numbers you need – and then turn it off. Go straight to a prepaid phone kiosk and buy a phone for the rest of the time there.”
Once visitors get their laptops home, it’s a good idea to let security professionals examine the items thoroughly for spyware or crimeware.
As for that smart phone you bought in Sochi, what to do is simple.
“Before you return home, be sure to throw it away,” Porter says. “Remember, it’s pre-compromised right out of the box.”