Yacht Security

Turns out, multi-million dollar yachts are no more secure than anything else out there:

The ease with which ocean-going oligarchs or other billionaires can be hijacked on the high seas was revealed at a superyacht conference held in a private members club in central London this week.

[...]

Murray, a cybercrime expert at BlackBerry, was demonstrating how criminal gangs could exploit lax data security on superyachts to steal their owners' financial information, private photos – and even force the yacht off course.

I'm sure it was a surprise to the yacht owners.

Posted on May 15, 2017 at 6:02 AM • 20 Comments

Comments

Winter • May 15, 2017 6:58 AM

I have always been curious about the reasons behind spending hundreds of millions on a yacht which spends most of its time lying in a harbor. For that money you can buy a palace and a plane to get to and from it.

The only thing I could think of was extraterritoriality. On the high seas, you are your own king.

But would that be real?

Papers, please. • May 15, 2017 7:26 AM

All experience of mankind hath shewn that persons of such wealth who traverse the high seas in a vessel small enough to be called a "yacht" are usually trafficking in some highly profitable cargo which they do not necessarily wish to clear through an official port of entry, as the manifest for said cargo is either missing or does not match the bill of lading.

stine • May 15, 2017 7:45 AM

Christopher, I think you'll find that the demographic that can afford such a yacht can also afford bodyguards with weapons.

Richard • May 15, 2017 8:14 AM

The purchase of luxury boats may be an index of uncertainty amongst the wealthy, especially in Europe, Africa, and Asia. Expensive boats are mobile real-estate. In times of political instability or exchange rate fluctuation they represent real wealth that can be moved to a different location. It may also be easier to leave a country or a region quickly by boat. This is one reason for the presence of such yachts in Adriatic harbors like Split, Croatia. By the way, the yearly rental of a berth for your 30 meter yacht in Split will cost you a cool 20,000€.

Tatütata • May 15, 2017 8:26 AM

Oliver Blanchet, head of yacht financing for the French bank BNP Paribas, said his bank had calculated that there were more than 100,000 people in the world who could afford a superyacht, but only 5-7% of them had bought one – so there was plenty to play for.

What a beautiful way to start the week, by seething at the obscenity of bank(st)ers. And that's even before I got my daily ration of Trumpian insanity, followed by the standard cr*p.

If the main issue is about staff betraying the position of the yacht to the wider world, then they needn't worry. Yachts are certainly large enough to be mandated to carry operational AIS transponders, which broadcast the current position along with ancillary information. There are several services that allow you to track practically any ship in the world. I wouldn't be surprised to learn that Red-Sea pirates use AIS to track their prey.

I would be more worried about the safety of large vessels carrying valuable and/or dangerous cargo. Bridges are often manned by only one person for large portions of the day, and run on auto-pilot. Would it be too Cusslerian to imagine a scenario where a ship is veered off-course by GPS/navsat spoofing, and driven ashore, or into an area where pirates could work in peace before rescue forces arrive? Even simple jamming in the middle of the night might be able to force a ship to come to a halt before all officers are summoned up the bridge and figure out what's going on.


Pete • May 15, 2017 8:27 AM

There are lots and lots of people with vast wealth who like having ships. A friend helps design and sail them. Oh the stories he tells. The number of super yachts is limited, so usually a newly built one is sold quickly for a nice profit after 1 or 2 trips with the owner and their family/entourage. My friend picks the electronics based on features, not security. He isn't a computer guy at all. They usually put in high end home-business gear, but don't have anyone patch or maintain it.

For many people, yachts are like motor homes. It is nice to sleep in your own bed, not have to deal with luggage, have your own entertainment waiting, and have a status symbol that everyone can see.

They are also fun for entertaining others or having business meetings where you know being bugged isn't an issue.

Most super-yacht owners don't actually travel on the ships. They send the ship ahead to the location and fly in, knowing all their stuff is already at the yacht club, waiting. That's how the wealthy travel internationally with just a tiny carry-on, nothing more. Or they have new clothes waiting at the destination, handled by some assistant.

It also removes any issues with getting the "presidential suite" at the hotels during high season for that location. Want to be in Rio for Mardi Gras? Can't get a hotel, then you need a yacht. Want to be in Hong Kong for Chinese New Year, then you need a yacht. There are world-events happening all sorts of places where a yacht is very convenient.

Of course, I've only experienced a smallish yacht (160ft) for a few days in the Mediterranean, because my Captain friend was showing the boat for potential buyers. The crew treated me like the owner, for fun. "Would you like your cocktail in the hot tub, Mr. Smith, or in the media room?" Yelled as I was walking down to the berth, loud enough for everyone on shore to hear.

Tatütata • May 15, 2017 9:21 AM

Yelled as I was walking down to the berth, loud enough for everyone on shore to hear.

That's SO nouveau-riche!

I was a guest for exactly two nights on a similar yacht. I didn't enjoy the experience at all, I found this embarrassing, but it was a lesson.

It was certainly no Jordan Belfort rig. The language used on the bridge was Greek, the crew and servants communicated in Arabic, and in the salon the lingua-franca was French. I suspect however that under their genteel veneer my hosts were probably as ferocious as the Wolf of Wall Street.

The only drugs you would have found there were of the geriatric type. No Quaaludes or that funny sniffing powder.

Edward • May 15, 2017 10:52 AM

For what it is worth, Sargon of Akkad featured a video on child molestation rings where he pointed out that some of the inhabitants of the rings were too high up in British society to be brought to justice. I suspect that some of these super-yachts are the venue for their little "parties." What could be more private? It would be nice if some cyber-criminal with a semblance of a conscience would use his/her hacking ability to out these scumbags in such a way (Facebook or Twitter) that it could no longer be covered up by them putting pressure on the authorities.

Hillary • May 15, 2017 12:04 PM

@Tatütata - the steamship lines actually have contingencies for this. There's a limit to where hazmat can be loaded on the vessel and how much can go on, depending on the UN number and packing class. (coming from someone who's had containers rolled because there was too much hazmat that week and we turned in our container late)

They also don't accept the worst stuff anymore, there are some products it's now basically impossible to ship internationally via common carrier.

Clive Robinson • May 15, 2017 5:28 PM

@ Bruce,

I'm sure it was a surprise to the yacht owners.

It would have been a real surprise to me with my first yacht[1]... It was only 17ft long and the only electrical systems on it were a riding light, tri colour light and a stern post light running from dry cells. The only other electrical system that it got was a longwave radio...

A later yacht was thirty foot and had a bit more in the way of electronics, but not much. I still dead reckon and take sun and star sights, because you really don't know when a touch of St Elmo's will take out your electrics for good or just something break a wire or blow a fuse... Then that glorified PC navigation system is not going to be of much use, not even as "a boat anchor".

[1] In Britain we call all sorts of "sail boats" yachts and those that sail them yachters, and those floating "gin palaces" motor boats. Those that putell around in motor boats often assume they have a sense of humour, hence one boat I pass quite often is named "Cirrhosis of the river"...

Clive Robinson • May 15, 2017 6:58 PM

@ Chris Abbott,

Why no post about the weekend ransomware attack on NHS and Telefonica?

When all is said and done there's really not much to say on the NHS Net/Digital and it getting hit by the ransomware.

Put simply, a UK Prime Minister Tony Blair decided to "go digital" for various reasons. Some of the largest ICT contracts ever were involved with NHS net and it became the world's largest single owner distributed network. Part of that was computers used for everything and many ended up being XP based with the minimal hardware it needed... Fast forward and Microsoft decided to dump XP and similar OS's and announced an end of support date that got extended. However because Tony Blair and later wanted to hide Government spending they went down the Private Finance Initiative (PFI) or Public-Private Initiative (PPI) that put the entire NHS in so much debt that hospitals were laying off staff, playing around with their working hours and all sorts of other quite nasty things which still goes on to this day, to turn a Public Institution that was once the envy of the world into a carcass for venture capital vultures to pick over. So there was no money to upgrade the hardware to upgrade to the next Micro$haft OS or to keep up with other security norms. Micro$haft axed XP from its normal support and wanted upwards of three hundred pounds per seat to provide XP support. At some point unknown it's presumed the NSA discovered a bug in the base SMB / CIFS protocol and then they weaponised it and presumably used it occasionally. Back in 2015 Microsoft wanted the equivalent of less than 9 pence per year for each user of the NHS services. The then Minister of State for Health Jeremy Hunt MP decided it was an expense that was not needed so did not agree. Nor did Jeremy Hunt put any further spending into the NHS network or its security, in fact some say he took an axe to such budjets. So the NHS had all these PCs that could not run anything above XP that were not ever going to be upgraded just replaced if and when they died if at all.

But worse it had a lot of quite expensive medical equipment that also used XP behind the interface and likewise that was never going to be patched or upgraded. Then the NSA lost its little hoard of exploits... They became public but only after Microsoft had been given time to fix all their OS's. But to get the patches you had to have a support licence for XP that Jeremy Hunt MP decided he would not pay for even though his private wealth increased by several times the value of the contract in the same time.

So the stage was set and had been for some time as Jeremy Hunt well knew because he had been repeatedly told that the NHS net and the computers connected to it were criminally vulnerable. And so it came to pass that somebody repurposed the NSA exploit / cyber-weapon and the NHS got mangled badly...

Then the fun started, Jeremy Hunt was nowhere to be seen or heard from, he had to all intents and purposes disappeared off the face of planet earth. Instead we got the completely useless Amber Rudd Home Office minister blabbing away on BBC Radio 4 completely showing her ignorance of everything as usual and to rub salt in the wound prattled on about how wonderful GCHQ is... Even though they did nothing to stop the disaster, and may well have been responsible for it in the first place (the NSA and GCHQ have very close relationships and do technology swaps). But Amber Rudd, useless as she may be, was not as useless as the idiot at the BBC interviewing her, who has known Tory sympathies, and his new boss is the previous editor of the Evening Standard who apparently nominated her replacement George Osborne MP who not so long ago was the Chancellor of the Exchequer (for whom many other MPs make jokes in public about his --supposed-- cocaine habit). It was George better known as "Giddiot" and his inability to actually manage a budjet, was perpetually pushing for austerity as he had no other idea in his head other than the bad old Thatcher mentality. Which may have well given Jeremy Hunt the idea to not take out the support contract with Microsoft, so as to look "on board"...

People are already coming up with figures of how much it will cost to sort out the problem but figures upwards of a hundred million are being talked about, even before you include the costs of early deaths and loss to economic activity of people whose critical medical records are now gone, thus opening up opportunities for negligence claims in court to make things worse...

The really sad thing is how the UK MSM are almost all letting Amber Rudd and Jeremy Hunt get away with it, which just shows the level of bias they are putting out before the general election in a few weeks.

I think that kind of covers what you need to know...

Ratio • May 16, 2017 2:35 AM

budjet

That'd be a great name for a low cost, friendly airline. Slogan: flying high. %)

Clive Robinson • May 17, 2017 4:19 AM

@ vas pup,

Do you think this concept of resilience bonds could be used for cyber attacks disaster recovery as well?

I think it's unlikely to work in the physical world let alone the information world.

Using a physical world example,

1, We build in the wrong places,
2, the wrong way and,
3, expect others to pay for,
4, our poor judgment,
5, indefinitely.

The reason this happens is in part because of need, but more so because we see property as an investment, therefore property does not generally devalue with age like other physical items like cars etc.

In essence when an asset becomes an investment for rent seeking the first trick the "smart investor" does is maximise profit. Which means less spent on maintaining it, minimising cost of producing it and most importantly treating risk as either something to externalise on others or to ignore in some way. As is the normal process of greed.

The point is insurance in its many forms is in reality not a social good because of the cheaters in the game. Who unfortunately generally take the majority of the pot because they can afford not just to fight for a bigger slice but likewise fight to pay less, whilst the majority can not and bear the brunt of the costs. An example of this was one of the 9/11 buildings was grossly over insured.

Another example is companies insuring their employees against death or injury as an investment for the company rather than a benefit of the employees. It's got to the point where it's hidden from the employee so they do not know it's taking place. The problem is the companies get lower rates and higher yields than individuals who end up paying over the odds and are most frequently denied benefit. Worse most people see over insurance by companies as just playing safe but in individuals as at best greed at worst reason to convict for murder. So corporates get to use your mortality as an investment vehicle without causing concern whilst if you do it you are some kind of murderer to be...

The reason that the decision with regards the NHS for not taking out the support contract with Microsoft at the end of the day was a cold calculated decision by Jeremy Hunt to look good to his political master with little or no downside to either of them. Thus as with banking those who make the poor choices get the bonuses now whilst others bear any costs down the line, thus rational thinking ceases to apply and those poor choices get worse, a lot worse.

Nearly all modern investment is a "hot potato game" if you look at stocks and shares, the system has become optimized for short term gain long term loss. Thus those that jump around from one investment to another take much of the profit and little of the loss.

As long as these modes of operation are allowed to continue there is only one direction things will go and that is not good for society let alone mankind. We are in effect "strip and burn farming" with the way we currently do things and we know what the results of "strip and burn farming" does already.


Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.