HELSINKI: The humble toaster could become a security threat in the future due to the virtual currency Bitcoin.
For the uninitiated, Bitcoin is a cryptography-based digital currency that allows users to send and receive money with a degree of anonymity without using traditional payment networks, in effect cutting out middlemen such as banks. Many governments are also wary of it because its value is set by the market rather than by any central authority. Its uptake has rocketed over the past few years.
While hanging out in Helsinki with F-Secure, the firm's chief research officer Mikko Hypponen, never one to mince his words, said that the increasing value of Bitcoins is enticing criminal gangs to rework traditional malware targeting businesses to turn infected machines into Bitcoin mines.
Bitcoin mining is how new bitcoins are actually issued. In the normal case a miner's computer repeatedly hashes candidate blocks of transactions until it finds one whose hash falls below the network's difficulty target; that block is accepted by the rest of the network and the miner is rewarded with newly minted bitcoins for the trouble. This is legal. Turning hordes of other people's machines into your own army to do that hashing for you is not. As such the crooks love it, as Hypponen explained.
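To make the "mining" in the paragraph above concrete, here is a toy proof-of-work search. It is an added example, not code from the article, from F-Secure or from Bitcoin itself: it keeps Bitcoin's core mechanism (double SHA-256 over header data plus a nonce, repeated until the result is below a target) but uses a constructed header and a small difficulty so it finishes in a second or two. The header layout and the difficulty values are assumptions for illustration; real Bitcoin headers are fixed 80-byte structures and the real target is astronomically lower.

```python
"""Toy proof-of-work search showing what Bitcoin 'mining' is.

Added example, not from the article or from Bitcoin's code base. Finding a
valid nonce costs about 2**leading_zero_bits hashes on average, while
checking one costs a single hash, which is why miners care only about raw
hash throughput and not about whose machine is doing the work.
"""
import hashlib
import struct


def double_sha256(data: bytes) -> bytes:
    """Bitcoin hashes block headers with SHA-256 applied twice."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def target_for_bits(leading_zero_bits: int) -> int:
    """A hash is valid when its 256-bit integer value is below this target."""
    return 1 << (256 - leading_zero_bits)


def meets_target(header: bytes, nonce: int, leading_zero_bits: int) -> bool:
    """Verification: one double hash and one integer comparison."""
    digest = double_sha256(header + struct.pack("<I", nonce))
    return int.from_bytes(digest, "big") < target_for_bits(leading_zero_bits)


def mine(header: bytes, leading_zero_bits: int, max_nonce: int = 2**32):
    """Brute-force the nonce until the hash meets the target.

    Returns (nonce, hashes_tried). Nonces are tried in order, so the
    returned nonce is the smallest valid one for this header.
    """
    for nonce in range(max_nonce):
        if meets_target(header, nonce, leading_zero_bits):
            return nonce, nonce + 1
    raise RuntimeError("nonce space exhausted; a real miner would alter the header")


# Constructed sample header (assumption for illustration). In Bitcoin this
# would hold the previous block hash, the transactions' merkle root, a
# timestamp and the encoded target, in a fixed binary layout.
SAMPLE_HEADER = b"prev=0000deadbeef;merkle=constructed-sample;time=1370000000"

if __name__ == "__main__":
    bits = 18  # ~260k hashes on average; a second or so in pure Python
    nonce, tried = mine(SAMPLE_HEADER, bits)
    print(f"found nonce {nonce} after {tried} hashes")
    print(double_sha256(SAMPLE_HEADER + struct.pack("<I", nonce)).hex())
```

Raising `bits` by one doubles the expected work while leaving verification cost unchanged; that asymmetry is the whole economic point of proof-of-work, and the reason a botnet of cheap, otherwise idle devices is attractive to the gangs Hypponen describes.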
"Bitcoins have been skyrocketing in value. At the moment the value per Bitcoin is currently $134. As this started happening and people started realising there's actual money in Bitcoin, people started mining them pretty seriously," he said.
"A big deal about cryptocurrency [such as Bitcoin] is the mining part. You can actually use other computers to mine and because of this, botnet-based mining is becoming a real problem. About a year ago we spotted a botnet not spreading malware or phishing, it was just mining Bitcoins."
Hypponen went on to explain that Bitcoins' financial allure has already made established cyber criminals rethink their strategies and adapt some of the biggest, most dangerous botnets in the world to mine Bitcoins.
"ZeroAccess used to monetise itself with click fraud. They got on the machine and made it click on adverts to earn money. They changed their tactic in spring and went fully into Bitcoin mining. Some of our estimates suggest it is earning $58,000 a day. That's real money and something they will want to move to the real world," he said.
This is where the toaster idea comes in. Hypponen added that many of the gangs are so enthralled by Bitcoin's potential they've started experimenting with the idea of turning non-traditional devices into mines.
"[When mining Bitcoins] the user is irrelevant, it's the GPU, the computer and the network connection they need. This is especially interesting when you look at automation. I have a Pebble watch, it has a GPU, it could mine Bitcoins, so does my fridge and my toaster – these are going to be used to mine Bitcoins," he said.
"We accepted toasters would eventually have computers, but didn't think it would be a problem – who would want to write malware for a toaster right? Well now they have a reason."
This may be a far-fetched example of how far the threat could go, but as recent hacks of IP-based lightbulbs have shown, the home of the future could be open to all kinds of attacks, even burnt toast.
By V3's Alastair Stevenson
The state of Texas and its government haven't traditionally been seen in the best light by the rest of the world.
The people who brought us George W Bush have taken the heat for everything from immigration policy to the science curriculum. The state is routinely seen as backward and misguided, particularly in Europe.
In one case, however, Texas seems to be ahead of the rest of the US and much of Europe when it comes to protecting user privacy.
Earlier this week the state legislature passed a bill that would place the nation's strongest restriction on law enforcement collecting data from email service providers. The bill, which has yet to be signed by governor Rick Perry, would remove any provision allowing investigators to access such data without first obtaining a warrant.
That would be a valuable safeguard for citizens online. Warrantless collection of data is widely seen as a central component of covert surveillance programmes such as PRISM, which has come to light in recent weeks. The rule would require investigators to go before a judge and justify the request each and every time they want a service provider to hand over user data.
If the bill is signed, users in Texas will have greater protections from online eavesdropping than those in such progressive havens as San Francisco, Boston, New York City and Seattle. As unlikely as it may be, in this case Texas is setting the standard for electronic policy and user rights.
06 May 2013
The Syrian Electronic Army has hacked the Twitter account of satirical news website the Onion.
Early reports had the hack pegged as a bit of satirical comedy from the site. However, a picture from the Syrian Electronic Army seems to validate reports that the Onion was indeed hacked.
Among the villainy performed by the hackers was a picture of the group's logo posted on the Onion's Twitter page. The Syrian Electronic Army also sent out a slew of tweets displaying Onion articles before their actual posting.
The Onion, being the comedy site that it is, took the hack in good fun. Following the hack, the site posted stories recommending best practices to avoid getting hacked and a reminder that the firm had changed its password.
"Reduce interest in your website by cutting down on stories about very popular subjects, such as Syria," read one of the website's anti-hacking tips.
Hacks on Twitter have led to calls for two-factor authentication on the social networking site. Following the requests, Twitter has been said to be working towards bringing the feature into the fold later this year.
While two-factor authentication is a good option, we don't think the Onion will mind going without for a few months. The satirical news site seems like a terrible company to go after with a hack. The Onion, more than any other site, seems capable of turning a cyber attack to its advantage.
Following the high-profile compromise of the Associated Press Twitter account, the microblogging service is said to be mulling some major security changes.
According to a Wired report citing company sources, Twitter is now working to introduce a two-factor authentication option which can help to prevent account theft from phishing attacks. After hearing how the AP incident occurred, such protections are more than welcome.
In the aftermath of the breach, which resulted in fraudulent claims that the White House had been bombed and president Obama had been injured, staffers reported receiving some suspicious emails which were later found to be connected to a phishing attack.
It seems that the Syrian Electronic Army used a series of targeted phishing emails to harvest the credentials of AP staffers and eventually gain access to the company's main Twitter account. The stolen password was then used to access the account and launch a hoax that managed to temporarily disrupt the stock market.
If the reported series of events is true, then the AP hack could have been easily thwarted, and if reports on new developments are to be believed, it soon will be.
Wired has posted a report which claims that Twitter will soon be launching a two-factor authentication platform. The site uncovered a job posting from earlier this year which suggests that additional protections will soon be arriving.
Why is that so important? Two-factor authentication ties a login to something the account holder physically possesses. Besides the username and password, the platform requires a numeric one-time code, generated at login time and sent to the user's mobile phone, that is valid for a single use.
It's easy to see how this helps protect users. Even when a username and password have been harvested, the attacker would also have to steal the user's mobile device to get into the account. That can dramatically reduce the number of attacks, especially high-profile breaches, that start with phishing.
Of course, in order to be effective, these efforts have to be put in place. Corporate accounts will have to identify a single manager who can receive and provide the one-time credentials for protected accounts, and that may prove to be another headache for corporate marketing and public relations teams who share an 'official' Twitter feed.
McAfee recently announced that it has begun to work with the National Institute of Standards and Technology (NIST) to strengthen cybersecurity infrastructure. The move is another reminder of public and private groups' efforts to shore up cybersecurity together.
The partnership along with enterprise support of the revised CISPA bill is another sign that private industry is willing to work with the government to slow cyber attacks.
Over the last few years, it has become clear that cyber security isn't just an enterprise issue. With news of the Chinese military perpetrating a variety of attacks on private industry, it is now obvious that many cyber threats affect both governments and corporations.
Hackers large and small are now using the same methods. The recent Mandiant report on Chinese military hacking noted that military actors were using the same tactics as cyber criminals.
Through social engineering and patience, Chinese military hackers were able to get inside more than 140 private enterprise networks. Those sorts of tactics are also used by independent cyber crooks.
The widespread use of advanced tactics is a key reason why companies and the government are finding it necessary to begin working together on cyber security. By partnering they can share information and work together to identify potential threats.
However, the cross-industry work may also cause some privacy concerns for end users. Privacy advocates have continuously questioned CISPA because of its ability to let personal data get into the hands of government agencies without proper oversight.
According to advocates, the ability for companies to hand over data to government officials without any sort of oversight could cause problems on the privacy front.
On one hand, the unfiltered sharing of data between government and enterprise would drastically help the fight against cyber attacks. On the other hand, open sharing could lead to data being used for the wrong reasons.
Both sides have fair points on the issue. Over time, hopefully, they will be able to come to a compromise that increases cyber security while addressing the privacy concerns.
Unfortunately, the cyber attacks don't look like they will go away anytime soon. Cyber-espionage is only expected to grow over the years and hackers will continue to get more sophisticated over time.
Something will need to change to promote a stronger sense of information sharing. At the same time, hopefully, advocates will continue to fight for online privacy and stand their ground in the face of growing support in Silicon Valley.
17 Apr 2013
Twitter hacking is a serious issue. Take, for instance, the recent hack of National Public Radio's (NPR) Twitter account: it was hijacked and bogus tweets were sent out in NPR's name.
The slew of hacks makes it obvious that something needs to be done. Twitter called on its users to create stronger passwords in February, but that isn't enough. The company needs to take action and implement two-factor authentication for those that want to use it.
It's not a ground-breaking idea. Security experts have called on the firm to implement authentication for the last couple of years. Other companies like Microsoft even plan to use multi-factor authentication later this year.
Yet Twitter has failed to get the memo (tweet?). At a time when more and more businesses are using Twitter for PR, something has got to be done. Enterprises can't have hackers getting hold of their feeds and sullying their names. It's bad for business, both Twitter's and the users'.
It's becoming clear that something is wrong. Even the words "#IveBeenHacked" have become something of a meme on the microblogging site.
Luckily, something may be on the horizon. Earlier this year, a Twitter job posting popped up calling for a software engineer to build multi-factor authentication.
The job posting looks to be leading to some sort of security update. Hopefully, it comes sooner rather than later.
12 Apr 2013
The Cyber Intelligence Sharing and Protection Act (CISPA) is back again. Rising from the ashes of a failed Senate vote, the bill has found renewed life thanks to the House Intelligence Committee.
Committee members approved the bill by an 18 to two vote. This go-around includes amendments which supporters say resolve issues with the bill.
Of course, opponents once again disagree. Advocacy groups and the White House continue to express alarm over the bill's failure to address privacy concerns.
Opponents' issues with the bill are the same ones they had last year when the original CISPA bill died on the Senate floor. They fear that a lack of governmental oversight will cause defence agencies to use personal user data for the wrong reasons.
The issues remain unresolved because CISPA's proponents say the government needs to be able to handle whatever data it receives with as little bureaucratic interference as possible.
Both sides have their points and both sides will be fighting for a compromise. CISPA, or something like it, will keep cropping up because both the government and private enterprise have too much riding on some sort of data-sharing initiative.
With reports of state-sponsored cyber-attacks on the rise and the constant threat of local hackers, CISPA is an important piece of legislation for the tech lobby.
Unlike SOPA, which didn't have the support of Silicon Valley, CISPA is technology company approved. SOPA was made for the entertainment industry and its bid to fight piracy. CISPA (and new-CISPA) isn't really about piracy. It's about cyber attacks.
The bill lays the groundwork so that private industry can share cyber-threat intelligence without the possibility of getting sued. With CISPA, Facebook can send data about an attack to the DOD so it can be informed and alert other tech companies to the threat.
In its current form, the DOD can also use that data in broad strokes. For example, it can pick up personal information that was received from a Facebook security data dump and use it for non-cyber threat purposes.
New-CISPA discourages that sort of tactic. However, what exactly constitutes a cyber-threat is currently an expansive definition.
The bill goes to the full House next week. It may pass there but will most likely fail in the Senate. From that point it will either be revived with amendments or its ideas will be reinterpreted in another bill.
Some sort of data-sharing act will keep coming and with the right opponents may come out with stronger privacy protections. How a data-sharing bill turns out will be determined by who ends up fighting for and against it.
Over the coming year it will be interesting to see how bills like CISPA evolve and how the public debate grows and changes. There's no telling how it's going to turn out, but it's becoming obvious that it isn't going away.
Hackers are consistently breaching enterprise systems by going after the end user, through phishing attacks and the like. Even as security technologies get smarter, hackers are going after the one thing that hasn't improved: the end user's security knowledge.
Even last month's major attacks on Apple and Facebook started with human error. High-value users were sought out by hackers and attacked through clever social engineering.
No matter how good cyber security tools get, a lack of education for the end user will mean that attacks never dissipate. Attacks will always exist but better education will at least make it harder for hackers to get the job done.
During this year's RSA conference, security researchers repeatedly called out hackers as "lazy". Meaning, in essence, that a hacker will use the easiest and most efficient methods to get what they want.
In the case of enterprise security, the easiest method is a social engineering attack on an end user. The only way to at least slow down these "lazy" hackers is to train end users in what not to do on the web.
A recent Microsoft study highlighted the issue of end users downloading their own software on business computers. According to the study, 57 percent of end users download software onto company systems.
If those end users don't have some grasp of cyber security they are likely to download dangerous software, a point backed up by the study's finding that the end users who downloaded software ended up putting malware on company computers 21 percent of the time.
That is an alarming statistic, not just because end users were putting bad software on company machines, but because they had no idea they were doing it.
This idea that a firewall and frequent updates will save a company from cyber attack is now dead. Hackers are smarter and end users have stayed the same. The time has come for companies to get serious about security training.
That doesn't mean a handbook and an educational video. To really train end users, companies need to get involved, run periodic education labs, and implement programmes that constantly keep users aware of the threats they face.
An educated person should be able to spot a phishing attack. An educated person should be able to know the difference between bad software and clean software. But today's end users are not educated about cyber security.
It's time for enterprise to stop focusing on the latest attacks and the newest security tools. To really get ahead of hackers in the cyber security war, enterprise needs to fortify its systems at their base by educating its employees.