The Future of Ransomware

Ransomware isn’t new, but it’s increasingly popular and profitable.

The concept is simple: Your computer gets infected with a virus that encrypts your files until you pay a ransom. It’s extortion taken to its networked extreme. The criminals provide step-by-step instructions on how to pay, sometimes even offering a help line for victims unsure how to buy bitcoin. The price is designed to be cheap enough for people to pay instead of giving up: a few hundred dollars in many cases. Those who design these systems know their market, and it’s a profitable one.

The ransomware that has affected systems in more than 150 countries recently, WannaCry, made press headlines last week, but it doesn’t seem to be more virulent or more expensive than other ransomware. This one has a particularly interesting pedigree: It’s based on a vulnerability developed by the National Security Agency that can be used against many versions of the Windows operating system. The NSA’s code was, in turn, stolen by an unknown hacker group called Shadow Brokers, widely believed by the security community to be the Russians, in 2014 and released to the public in April.

Microsoft patched the vulnerability a month earlier, presumably after being alerted by the NSA that the leak was imminent. But the vulnerability affected older versions of Windows that Microsoft no longer supports, and there are still many people and organizations that don’t regularly patch their systems. This allowed whoever wrote WannaCry (it could be anyone from a lone individual to an organized crime syndicate) to use it to infect computers and extort users.

The lessons for users are obvious: Keep your system patches up to date and regularly back up your data. This isn’t just good advice to defend against ransomware, but good advice in general. But it’s becoming obsolete.

Everything is becoming a computer. Your microwave is a computer that makes things hot. Your refrigerator is a computer that keeps things cold. Your car and television, the traffic lights and signals in your city and our national power grid are all computers. This is the much-hyped Internet of Things (IoT). It’s coming, and it’s coming faster than you might think. And as these devices connect to the Internet, they become vulnerable to ransomware and other computer threats.

It’s only a matter of time before people get messages on their car screens saying that the engine has been disabled and it will cost $200 in bitcoin to turn it back on. Or a similar message on their phones about their Internet-enabled door lock: Pay $100 if you want to get into your house tonight. Or pay far more if they want their embedded heart defibrillator to keep working.

This isn’t just theoretical. Researchers have already demonstrated a ransomware attack against smart thermostats, which may sound like a nuisance at first but can cause serious property damage if it’s cold enough outside. If the device under attack has no screen, you’ll get the message on the smartphone app you control it from.

Hackers don’t even have to come up with these ideas on their own; the government agencies whose code was stolen were already doing it. One of the leaked CIA attack tools targets Internet-enabled Samsung smart televisions.

Even worse, the usual solutions won’t work with these embedded systems. You have no way to back up your refrigerator’s software, and it’s unclear whether that solution would even work if an attack targets the functionality of the device rather than its stored data.

These devices will be around for a long time. Unlike our phones and computers, which we replace every few years, cars are expected to last at least a decade. We want our appliances to run for 20 years or more, our thermostats even longer.

What happens when the company that made our smart washing machine — or just the computer part — goes out of business, or otherwise decides that they can no longer support older models? WannaCry affected Windows versions as far back as XP, a version that Microsoft no longer supports. The company broke with policy and released a patch for those older systems, but it has both the engineering talent and the money to do so.

That won’t happen with low-cost IoT devices.

Those devices are built on the cheap, and the companies that make them don’t have the dedicated teams of security engineers ready to craft and distribute security patches. The economics of the IoT doesn’t allow for it. Even worse, many of these devices aren’t patchable. Remember last fall when the Mirai botnet infected hundreds of thousands of Internet-enabled digital video recorders, webcams and other devices and launched a massive denial-of-service attack that resulted in a host of popular websites dropping off the Internet? Most of those devices couldn’t be fixed with new software once they were attacked. The way you update your DVR is to throw it away and buy a new one.

Solutions aren’t easy and they’re not pretty. The market is not going to fix this unaided. Security is a hard-to-evaluate feature against a possible future threat, and consumers have long rewarded companies that provide easy-to-compare features and a quick time-to-market at its expense. We need to assign liabilities to companies that write insecure software that harms people, and possibly even issue and enforce regulations that require companies to maintain software systems throughout their life cycle. We may need minimum security standards for critical IoT devices. And it would help if the NSA got more involved in securing our information infrastructure and less in keeping it vulnerable so the government can eavesdrop.

I know this all sounds politically impossible right now, but we simply cannot live in a future where everything, from the things we own to our nation’s infrastructure, can be held for ransom by criminals again and again.

This essay previously appeared in the Washington Post.


With EMV Taking Off in the US, Fraudsters Are Shifting their Sights to Exploit the Digital Channel

The EMV chip card standard has been rapidly gaining market share in the U.S. since its adoption began in earnest in the third quarter of 2015. While only 300,000 merchants accepted chip-enabled cards in September of that year, the number has since surged, according to a report from Visa, to over two million today. It’s […]

The post With EMV Taking Off in the US, Fraudsters Are Shifting their Sights to Exploit the Digital Channel appeared first on The State of Security.


Women in Information Security: Kelly Shortridge

Cybersecurity isn’t just for guys! It’s crucial to highlight the important work that women and non-males are doing in the information security field. Previously I spoke with Thais, a Brazilian woman in Germany who’s doing some intriguing malware research. This time, I’ve had the honor of speaking to Kelly Shortridge. She went from high finance […]

The post Women in Information Security: Kelly Shortridge appeared first on The State of Security.


Recent events

Am a little behind on posting on some very recent events. Last week I was at the NIST Cybersecurity Workshop. Lot of interesting things there. Further, the prior week Trump signed an Executive Order on Cybersecurity that has an impact on thi…


IoT Raises The Pot

Setting aside all of the national security issues surrounding the Shadow Brokers leak of the hacking tools developed by the NSA that resulted in last week’s global cyberattacks, an even larger issue looms. The distinction between cyber and physical attacks is blurring. Instead of just interrupting personal computers and corporate networks used for accounting and […]

The post IoT Raises The Pot appeared first on Netswitch Technology Management.


Angry About WannaCry?

You’re yelling at the wrong people. Following the leak of NSA spying tools by Shadow Brokers in April, the bad guys took that code and modified it slightly to create this variant called WannaCry and spread it to computers around the world. It is simply one of many forms of malware, and in its present […]

The post Angry About WannaCry? appeared first on Netswitch Technology Management.


Silicon Valley Young Coders Club

Earlier this year, I was approached by the organizers from Silicon Valley Young Coders Club (SVYCC), regarding an opportunity to mentor a program for youth. The program is to create opportunities for Silicon Valley youth to launch start-up ventures by enabling hands-on learning, along with exposure to technological innovation and industry perspective. The locations […]

The post Silicon Valley Young Coders Club appeared first on WhiteHat Security.
