MUNICH: Afraid of the dark? Perhaps you should be afraid of the lights. That's the twisted future envisioned by light bulb-wielding Fujitsu chief technology officer Joseph Reger.
Patrolling the floors of the Fujitsu Forum in Germany, Dr Reger explained to onlookers how one of the most innocuous objects in your house could become part of a global attack.
The Internet of Things, perhaps one of the most talked-about technologies that nobody in the real world actually uses, is expected to take hold within the next decade, and with it will inevitably come cyber threats, as with any new technology. Reger chose to use intelligent light bulbs as an example:
"I'm not concerned about someone hacking into your home and turning off your lights," he said. We at V3 are very concerned about that, for the record. "What I'm talking about is someone hacking into your home and looking at the usage pattern of your light bulbs and determining whether you're on vacation. And when it might be a good time to break in."
Such concerns have been voiced before with Philips' Hue lightbulb singled out as a cause for concern by security researchers. Reger went further, though, to envision a world of slave lightbulbs run by some sort of domestic super villain.
"If this light bulb is a little bit more intelligent, if they're intelligent enough, you can inject malicious code into the bulb itself if it's not protected properly. What's the problem with that? All of a sudden I have an army of attackers I've just programmed and I can launch a denial of service attack on anybody using billions of soldiers."
We've heard this described before in the form of toaster armies mining the currency Bitcoin - and perhaps the metaphors are getting out of hand - we're sure Reger knows this, and we have to say we enjoyed his demonstration.
The real point here is that we haven't moved on from this novelty, this funny notion of light bulbs stealing your lunch money and laughing at you. In the world of business and industry, machine-to-machine communication is commonplace. That's not to say it isn't serious either - a recent UK government report highlighted the need to ramp up security among connected machines.
So, who to believe? It's very difficult to know exactly how much of a threat these things are, especially because the number of people with intelligent light bulbs in their home is so low that crooks probably couldn't even DDoS your mum's laptop.
Until there's more of this stuff out there, we can't know for sure what possibilities - positive or negative - IoT can offer.
By V3's Michael Passingham, whose army of fridges is coming along nicely
HELSINKI: The humble toaster could become a security threat in the future due to the virtual currency Bitcoin.
For the uninitiated, Bitcoins are a cryptography-based digital currency which allows users to send and receive money with a degree of anonymity without using traditional commerce networks, in effect cutting out middlemen such as banks. Many governments are also wary of Bitcoin because its value is set independently of them. Its uptake has rocketed over the past few years.
While hanging out in Helsinki with F-Secure, the firm's chief research officer Mikko Hypponen, never one to mince his words, said that the increasing value of Bitcoins is enticing criminal gangs to rework traditional malware targeting businesses to turn infected machines into Bitcoin mines.
Bitcoin mining refers to the way Bitcoins are actually earned. Normally, a user runs an algorithm on their computer to authenticate transactions on the Bitcoin platform. This is legal, and the person running the process is rewarded with Bitcoins for their trouble. Turning hordes of infected machines into your own army to generate huge numbers of Bitcoins, however, is not. As such the crooks love it, as Hypponen explained.
"Bitcoins have been skyrocketing in value. At the moment the value per Bitcoin is currently $134. As this started happening and people started realising there's actual money in Bitcoin, people started mining them pretty seriously," he said.
"A big deal about crypto currency [such as Bitcoin] is the mining part. You can actually use other computers to mine and because of this, botnet-based mining is becoming a real problem. About a year ago we spotted a botnet not spreading malware or phishing, it was just mining bitcoins."
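To make the mining Hypponen describes concrete, here is a toy proof-of-work miner and verifier. It is an added example written for this page, not code from F-Secure or the article: the block header is a constructed byte string, the difficulty is a number of leading zero bits rather than Bitcoin's real target encoding, and the nonce is appended as eight little-endian bytes. The double SHA-256 and the brute-force search over nonces are the real mechanism, and the point it shows is that expected work doubles with every bit of difficulty, while checking a result stays cheap.

```python
import hashlib

# Constructed sample input: stands in for a real block header (version,
# previous block hash, merkle root, timestamp, bits). Not from the article.
SAMPLE_HEADER = b"constructed-block-header-for-demo"


def leading_zero_bits(digest):
    """Number of leading zero bits in a byte string (our simplified target check)."""
    count = 0
    for byte in digest:
        if byte == 0:
            count += 8
            continue
        count += 8 - byte.bit_length()
        break
    return count


def block_hash(header, nonce):
    """Bitcoin-style double SHA-256 over the header plus a little-endian nonce."""
    data = header + nonce.to_bytes(8, "little")
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def verify(header, nonce, difficulty_bits):
    """Cheap check anyone can run: does this nonce meet the difficulty?"""
    return leading_zero_bits(block_hash(header, nonce)) >= difficulty_bits


def mine(header, difficulty_bits, max_nonce=1 << 32):
    """Brute-force the smallest nonce that meets the difficulty.

    Returns (nonce, hash_hex, attempts), or None if max_nonce is exhausted.
    Each extra bit of difficulty doubles the expected number of attempts
    (about 2**difficulty_bits), so mining income is a function of raw hash
    rate; that is why idle GPUs, and the fridges and toasters Hypponen jokes
    about, look like free hash rate to a botnet operator.
    """
    for nonce in range(max_nonce):
        digest = block_hash(header, nonce)
        if leading_zero_bits(digest) >= difficulty_bits:
            return nonce, digest.hex(), nonce + 1
    return None


if __name__ == "__main__":
    for bits in (8, 12, 16):
        nonce, hex_digest, attempts = mine(SAMPLE_HEADER, bits)
        print(f"difficulty {bits:2d} bits: nonce={nonce} attempts={attempts} "
              f"(expected ~{2 ** bits}) hash={hex_digest[:16]}...")
```

Running it with increasing difficulty shows attempts climbing roughly geometrically while verify() costs two hashes regardless; real Bitcoin difficulty is many orders of magnitude higher, which is the whole economic reason infected machines became attractive.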
Hypponen went on to explain that Bitcoins' financial allure has already made established cyber criminals rethink their strategies and adapt some of the biggest, most dangerous botnets in the world to mine Bitcoins.
"ZeroAccess used to monetise itself with click fraud. They got on the machine and made it click on adverts to earn money. They changed their tactic in spring and went fully into Bitcoin mining. Some of our estimates suggest it is earning $58,000 a day. That's real money and something they will want to move to the real world," he said.
This is where the toaster idea comes in. Hypponen added that many of the gangs are so enthralled by Bitcoin's potential they've started experimenting with the idea of turning non-traditional devices into mines.
"[When mining Bitcoins] the user is irrelevant, it's the GPU, the computer and the network connection they need. This is especially interesting when you look at automation. I have a Pebble watch, it has a GPU, it could mine Bitcoins, so does my fridge and my toaster – these are going to be used to mine Bitcoins," he said.
"We accepted toasters would eventually have computers, but didn't think it would be a problem – who would want to write malware for a toaster right? Well now they have a reason."
This may be a far-fetched example of how far the threat could go, but as recent hacks of IP-based lightbulbs have shown, the home of the future could be open to all kinds of attacks, even burnt toast.
By V3's Alastair Stevenson
Yahoo chief executive and generally smart person Marissa Mayer has made a rare slip-up, publicly admitting she doesn't have a passcode on her smartphone due to being too busy.
Mayer made the revelation during an interview at the TechCrunch Disrupt conference, gleefully admitting her security no-no when asked for her thoughts on the new Apple iPhone 5S fingerprint scanner.
"It's funny because you mocked me once at TechCrunch, maybe it was at LeWeb, because Mike was making fun of me because I don't have a passcode on my phone," she said.
"And Mike was like ‘Are you crazy?', and I was like 'Look, I just can't do this passcode thing, like 15 times a day,' and then when I saw the fingerprint thing I thought now I don't have to. I was excited about that and think building some of these smart sensors into the phone is really exciting."
Following the admission the security community is up in arms, with many bemoaning the ex-Google vice president's apparent ignorance about even the most basic smartphone security. Independent security expert Graham Cluley went so far as to call the Yahoo chief a "twerp".
"Colour me unimpressed. There's really not any excuse for having even the weakest four-digit passcode on your iPhone (longer, more complex passwords are better and surprisingly easy to remember), and yet lots of people have none in place," he wrote.
"What's alarming is that Mayer is the CEO of a major internet company, who have a responsibility for protecting the privacy of hundreds of millions of net users. What kind of example is she setting by not having any form of login security on her smartphone? What a twerp."
However, the accusation may be slightly over the top. As Tim Cook noted during the iPhone launch event on Tuesday, many iPhone users follow Mayer's example in not bothering to turn on the passcode, hence Apple adding the fingerprint scanner.
F-Secure's security advisor Sean Sullivan also took a more lenient approach to Mayer's admission. "It seems to me that the 'blame the user' tech crowd is a bit too eager to pile on the abuse for her habits. Perhaps they just don’t want to admit their advice is a failure, which doesn’t really meet everybody’s real-world needs," he said.
"Context matters. Regular people are careless with their phones, so regular people should really consider using a password. Internet company CEOs who live in the penthouse of the Four Seasons aren’t regular folks, so the same advice just doesn’t apply."
We think if polled, most chief executives around the world would give the exact same – albeit slightly less gleeful – answer. As such, while it's fair to bemoan Mayer's security mishap, we should avoid reverting to finger pointing and instead take it as a sign we need to do more to educate people about the importance of robust cyber security, as the UK government is doing with its ongoing Cyber Strategy.
By V3's Alastair Stevenson
11 May 2013
Apple's iPhone has proven a hit with the general public, but the company's strong security protections are making the device less than popular with law enforcement agencies.
It seems the encryption on the handset is proving so hard for the authorities to crack that they have to petition Apple to unlock it by overriding the security controls and decrypting the data needed for criminal prosecution.
Unfortunately, there are so many police requests for iPhone decryption that Apple has found itself with a backlog. According to Cnet, law enforcement officials are being told that they must wait as long as two months to gain access to iPhone units connected to criminal investigations.
This is not the first time Apple's security protections have caught the eye of law enforcement agencies. Earlier this year the US Drug Enforcement Administration issued a warning to agents that messages delivered over Apple's Messages app – which sends data over secured HTTP connections – were all but impossible to eavesdrop on in the course of investigations.
The issue revives an ongoing battle between law enforcement agencies' need to access data and users' right to have their data protected from intrusion. Apple is not alone in being caught up in the crossfire. BlackBerry has found itself in the crosshairs of government authorities over its strong security protections, which can prevent government eavesdropping.
06 May 2013
The Syrian Electronic Army has hacked the Twitter account of satirical news website the Onion.
Early reports had the hack pegged as a bit of satirical comedy from the site. However, a picture from the Syrian Electronic Army seems to validate reports that the Onion was indeed hacked.
Among the villainy performed by the hackers was a picture of the group's logo posted to the Onion's Twitter page. The Syrian Electronic Army also posted a slew of tweets displaying Onion articles before their actual publication.
The Onion, being the comedy site that it is, took the hack in good fun. Following the hack, the site posted stories recommending best practices to avoid getting hacked, and a reminder that it had changed its password.
"Reduce interest in your website by cutting down on stories about very popular subjects, such as Syria," read one of the website's anti-hacking tips.
Hacks on Twitter have led to calls for two-factor authentication on the social networking site. Following the requests, Twitter has been said to be working towards bringing the feature into the fold later this year.
While two-factor authentication is a good option, we don't think the Onion will mind going without for a few months. The satirical news site seems like a terrible company to go after with a hack. The Onion, more than any other site, seems capable of turning a cyber attack to its advantage.
Following the high-profile compromise of the Associated Press Twitter account, the microblogging service is said to be mulling some major security changes.
According to a Wired report citing company sources, Twitter is now working to introduce a two-factor authentication option which can help to prevent account theft from phishing attacks. After hearing how the AP incident occurred, such protections are more than welcome.
In the aftermath of the breach, which resulted in fraudulent claims that the White House had been bombed and president Obama had been injured, staffers reported receiving some suspicious emails which were later found to be connected to a phishing attack.
It seems that the Syrian Electronic Army used a series of targeted phishing emails to harvest the credentials of AP staffers and eventually gain access to the company's main Twitter account. The stolen password was then used to access the account and launch a hoax that managed to temporarily disrupt the stock market.
If the reported series of events is true, then the AP hack could have been easily thwarted, and if reports on new developments are to be believed, it soon will be.
Wired has posted a report which claims that Twitter will soon be launching a two-factor authentication platform. The site uncovered a job posting from earlier this year which would suggest that additional protections would soon be arriving.
Why is that so important? Two-factor authentication ties the account credentials and log-in to the actual holder. The platform requires not only a username and password, but also a numerical code which is randomly generated and sent to the user's mobile phone for one-time use.
It's easy to see how this can help to protect users. Even when a username and password are harvested, the attacker would also have to steal the user's mobile device in order to access the account. This can dramatically reduce the number of attacks, especially high-profile breaches, that result from phishing.
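The server-side half of the one-time code scheme described above, written as an added example for this page rather than anything Twitter has published: after the password check passes, a random six-digit code is minted for delivery to the account holder's phone, and the server keeps only a keyed hash of it, bound to the username, with an expiry and a small allowance of wrong guesses. The five-minute lifetime, the three-attempt limit, the server key and the account name are all constructed values, and the SMS delivery step is stood in for by issue() simply returning the code.

```python
import hmac
import secrets
import time

CODE_DIGITS = 6
CODE_TTL_SECONDS = 300   # constructed policy: a code is good for five minutes
MAX_ATTEMPTS = 3         # constructed policy: three wrong guesses burn the code


class OneTimeCodeVerifier:
    """Server-side half of the SMS-style second factor the article describes.

    issue() mints a random numeric code that a real deployment would text to
    the account holder's phone; the server stores only a keyed hash of it,
    bound to the username, with an expiry and an attempt counter.
    verify() accepts that code at most once, and only while it is live.
    """

    def __init__(self, server_key, now=time.time):
        self._key = server_key   # secret; keeps stored hashes useless if the store leaks
        self._now = now          # injectable clock so expiry can be exercised offline
        self._pending = {}       # username -> [digest, expires_at, attempts_left]

    def _digest(self, code):
        # Keyed hash: a 6-digit space is tiny, so an unkeyed hash of the code
        # would be trivially reversible by anyone who read the pending store.
        return hmac.new(self._key, code.encode(), "sha256").digest()

    def issue(self, username):
        """Create a fresh code for this login attempt and return it for delivery."""
        code = "".join(str(secrets.randbelow(10)) for _ in range(CODE_DIGITS))
        expires_at = self._now() + CODE_TTL_SECONDS
        # Any earlier, unused code for this account is superseded.
        self._pending[username] = [self._digest(code), expires_at, MAX_ATTEMPTS]
        return code

    def verify(self, username, submitted):
        """True exactly once per issued code, and only before it expires."""
        entry = self._pending.get(username)
        if entry is None:
            return False
        digest, expires_at, attempts_left = entry
        if self._now() > expires_at:
            del self._pending[username]      # expired: never accept a stale code
            return False
        if hmac.compare_digest(digest, self._digest(submitted)):
            del self._pending[username]      # single use: consumed on success
            return True
        entry[2] = attempts_left - 1
        if entry[2] <= 0:
            del self._pending[username]      # too many guesses: the code is burned
        return False


if __name__ == "__main__":
    verifier = OneTimeCodeVerifier(b"constructed-server-key")
    code = verifier.issue("press-desk")          # constructed account name
    print("code delivered out of band:", code)
    print("first use accepted:", verifier.verify("press-desk", code))
    print("replay accepted:", verifier.verify("press-desk", code))
```

The attempt limit is what makes a six-digit code workable: without it, a phished password plus a few thousand automated guesses would defeat the second factor, and without the single-use rule a code observed in transit could be replayed. Tying each code to the username also means a code minted for one account is never valid for another.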
Of course, in order to be effective, these efforts have to be put in place. Corporate accounts will have to identify a single manager who can receive and provide the one-time credentials for protected accounts, and that may prove to be another headache for corporate marketing and public relations teams who share an 'official' Twitter feed.
What would anger you more? A few phone calls that were silent when you answered and then went dead or your medical records being leaked online, or left in a skip, or stored on an unencrypted CD that disappears, never to be recovered?
Fair to say it is probably the latter, the type of incident that regularly forces the Information Commissioner’s Office (ICO) to issue fines of anywhere between £70,000 and £375,000 to NHS Trusts, police forces, councils and the occasional private sector firm.
On many, many occasions it has been argued that while, obviously, no organisation wants to lose money for data protection lapses, the fines on offer are simply not high enough to act as a strong enough incentive to force the issue to the top of the agenda.
This argument took on further merit when communications regulator Ofcom was able to levy a fine of a staggering £750,000 against telecoms firm TalkTalk for making a few nuisance calls.
OK, not a few, actually 9,000, but while this is no doubt annoying for those affected, it is clearly ridiculous that bugging some people with cold calls should land you with a bigger fine than losing personal, sensitive data entrusted to you by customers or patients.
No doubt Christopher Graham, huddled in newspaper and warming his hands over a bin of burning debris, watched on in despair as he learnt that the folks at Ofcom, in their glass-fronted waterside offices, were issuing such a large fine for, by comparison, such a menial offence.
If businesses are to take data protection seriously they are going to have to fear the wrath of the ICO far more. The ability for higher fines – as set out in the draft Data Protection Directive that’s currently being debated, and watered down, in Europe – is a must.
McAfee recently announced that it has begun to work with the National Institute of Standards and Technology (NIST) to strengthen cybersecurity infrastructure. The move is another reminder of public and private groups' efforts to shore up cybersecurity together.
The partnership along with enterprise support of the revised CISPA bill is another sign that private industry is willing to work with the government to slow cyber attacks.
Over the last few years, it has become clear that cyber security isn't just an enterprise issue. With news of the Chinese military perpetrating a variety of attacks on private industry, it is now obvious that many cyber threats affect both governments and corporations.
Hackers both large and small are now using the same methods. The recent Mandiant report on Chinese military hacking outlined the fact that military actors were using the same tactics as cyber criminals.
Through social engineering and patience Chinese military hackers were able to get inside over 140 private enterprise systems. Those sorts of tactics are also used by independent cyber crooks.
The widespread use of advanced tactics is a key reason why companies and the government are finding it necessary to begin working together on the issue of cyber security. By partnering on the issue they can share information and work together to decipher potential threats.
However, the cross-industry work may also cause some privacy concerns for end users. Privacy advocates have continuously questioned CISPA because of its ability to let personal data get into the hands of government agencies without proper oversight.
According to advocates, the ability for companies to hand over data to government officials without any sort of oversight could cause problems on the privacy front.
On one hand, the unfiltered sharing of data between government and enterprise would drastically help the fight against cyber attacks. On the other hand, the open sharing could lead to data being used for the wrong reasons.
Both sides have fair points on the issue. And over time, hopefully, they will be able to come to a compromise that increases cyber security while addressing potential privacy concerns.
Unfortunately, the cyber attacks don't look like they will go away anytime soon. Cyber-espionage is only expected to grow over the years and hackers will continue to get more sophisticated over time.
Something will need to change to promote a stronger sense of information sharing. At the same time, hopefully, advocates will continue to fight for online privacy and stand their ground in the face of growing support in Silicon Valley.