tag:theconversation.com,2011:/ca/topics/computer-security-242/articlesComputer security – The Conversation2023-11-22T17:05:13Ztag:theconversation.com,2011:article/2165812023-11-22T17:05:13Z2023-11-22T17:05:13ZThe vast majority of us have no idea what the padlock icon on our internet browser is – and it’s putting us at risk<figure><img src="https://images.theconversation.com/files/559630/original/file-20231115-15-zfe1h.jpg?ixlib=rb-1.1.0&rect=50%2C0%2C5568%2C3692&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">The padlock icon which appears in most internet browser address bars. </span> <span class="attribution"><a class="source" href="https://www.shutterstock.com/image-photo/web-browser-closeup-on-lcd-screen-1353121223">Robert Avgustin/Shutterstock</a></span></figcaption></figure><p>Do you know what the padlock symbol in your internet browser’s address bar means? If not, you’re not alone. <a href="https://www.tandfonline.com/doi/full/10.1080/10447318.2023.2266789">New research</a> by my colleagues and I shows that only 5% of UK adults understand the padlock’s significance. This is a threat to our online safety. </p>
<p>The padlock symbol on a web browser simply means that the data being sent between the web server and the user’s computer is encrypted and cannot be read by others. But when we asked people what they thought it meant, we received an array of incorrect answers.</p>
<p>In our study, we asked a cross section of 528 web users, aged between 18 and 86 years of age, a number of questions about the internet. Some 53% of them held a bachelor’s degree or above and 22% had a college certificate, while the remainder had no further education. </p>
<p>One of our questions was: “On the Google Chrome browser bar, do you know what the padlock icon represents/means?” </p>
<p>Of the 463 who responded, 63% stated they knew, or thought they knew, what the padlock symbol on their web browser meant, but only 7% gave the correct meaning. Respondents gave us a range of incorrect interpretations, believing among other things that the padlock signified a secure web page or that the website is safe and doesn’t contain any viruses or suspicious links. Others believed the symbol means a website is “trustworthy”, is not harmful, or is a “genuine” website. </p>
<figure class="align-left ">
<img alt="A symbol of a circle next to a straight line over a straight line and a circle." src="https://images.theconversation.com/files/559903/original/file-20231116-19-zm7pen.jpeg?ixlib=rb-1.1.0&q=45&auto=format&w=237&fit=clip" srcset="https://images.theconversation.com/files/559903/original/file-20231116-19-zm7pen.jpeg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=600&fit=crop&dpr=1 600w, https://images.theconversation.com/files/559903/original/file-20231116-19-zm7pen.jpeg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=600&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/559903/original/file-20231116-19-zm7pen.jpeg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=600&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/559903/original/file-20231116-19-zm7pen.jpeg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=754&fit=crop&dpr=1 754w, https://images.theconversation.com/files/559903/original/file-20231116-19-zm7pen.jpeg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=754&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/559903/original/file-20231116-19-zm7pen.jpeg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=754&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px">
<figcaption>
<span class="caption">Google’s new ‘tune icon’ which replaces the padlock icon in Chrome’s address bar.</span>
<span class="attribution"><a class="source" href="https://blog.chromium.org/2023/05/an-update-on-lock-icon.html">Google Chromium</a>, <a class="license" href="http://creativecommons.org/licenses/by/4.0/">CC BY</a></span>
</figcaption>
</figure>
<p>Not understanding symbols like the padlock icon, can pose problems to internet users. These include increased security risks and simply hindering effective use of the technology.</p>
<p>Our findings corroborate research by <a href="https://support.google.com/chrome/thread/222182314/the-lock-icon-replaced-with-a-tune-icon-in-the-google-chrome-address-bar?hl=en">Google</a> itself, who in September, replaced the padlock icon with a <a href="https://www.thesslstore.com/blog/google-to-replace-the-padlock-icon-in-chrome-version-117/#:%7E:text=But%20that's%20about%20to%20change,to%20have%20HTTPS%20by%20default.">neutral symbol</a> described as a “tune icon”. In doing so, Google hopes to eradicate the misunderstandings that the padlock icon has afforded. </p>
<p>However, Google’s update now raises the question as to whether other web browser companies will join forces to ensure their designs are uniform and intuitive across all platforms.</p>
<h2>Web browser evolution</h2>
<p>Without a doubt, the browser, which is our point of entry to the world wide web, comes with a lot of responsibility on the part of web companies. It’s how we now visit web pages, so the browser has become an integral part of our daily lives. </p>
<p>It’s intriguing to look back and trace the evolution of the web’s design from the early 1990s to where we are today. Creating software that people wanted to use and found effective was at the heart of this <a href="https://www.interaction-design.org/literature/topics/human-computer-interaction">evolution</a>. The creation of functioning, satisfying, and most importantly, consistently designed user interfaces was an important goal in the 1990s. In fact, there was a drive in those early days to create web interface designs that were so consistent and intuitive that users would not need to think too much about how they work. </p>
<p>Nowadays, it’s a different story because the challenge is centred on helping people to think before they interact online. In light of this, it seems bizarre that the design of the web browser in 2023 still affords uncertainty through its design. Worse still, that it is inconsistently presented across its different providers. </p>
<p>It could be argued that this stems from the <a href="https://www.investopedia.com/ask/answers/09/browser-wars-netscape-internet-explorer.asp">browser wars</a> of the mid-1990s. That’s when the likes of Microsoft and former software company, Netscape, tried to outdo each other with faster, better and more unique products. The race to be distinct meant there was inconsistency between products. </p>
<figure>
<iframe width="440" height="260" src="https://www.youtube.com/embed/LOWOLJci8d8?wmode=transparent&start=0" frameborder="0" allowfullscreen=""></iframe>
<figcaption><span class="caption">The rise and fall of Netscape and the browser wars of the 1990s.</span></figcaption>
</figure>
<h2>Internet safety</h2>
<p>However, introducing distinct browser designs can lead to user confusion, misunderstanding and a false sense of security, especially when it is <a href="https://www.interaction-design.org/literature/article/principle-of-consistency-and-standards-in-user-interface-design">now widely known</a> that such inconsistency can breed confusion, and from that, frustration and lack of use. </p>
<p>As an expert in human-computer interaction, it is alarming to me that some browser companies continue to disregard <a href="https://www.nngroup.com/articles/ten-usability-heuristics/">established guidelines</a> for usability. In a world where web browsers open the doors to potentially greater societal risks than the offline world, it is crucial to establish a consistent approach for addressing these dangers. </p>
<p>As a minimum, we need web browser companies to join forces in a concerted effort to shield users, or at the very least, heighten their awareness regarding potential online risks. This should include formulating one unified design across the board that affords an enriched and safe user experience.</p><img src="https://counter.theconversation.com/content/216581/count.gif" alt="The Conversation" width="1" height="1" />
<p class="fine-print"><em><span>Fiona Carroll does not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>The padlock symbol simply means that the data being sent between the web server and the user’s computer is encrypted and cannot be read by others. But many people don’t know that.Fiona Carroll, Reader in Human Computer Interaction, Cardiff Metropolitan UniversityLicensed as Creative Commons – attribution, no derivatives.tag:theconversation.com,2011:article/1896682022-09-01T12:24:13Z2022-09-01T12:24:13ZDid Twitter ignore basic security measures? A cybersecurity expert explains a whistleblower’s claims<figure><img src="https://images.theconversation.com/files/482153/original/file-20220831-4904-oaolcz.jpg?ixlib=rb-1.1.0&rect=0%2C26%2C4500%2C2964&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">Peiter "Mudge" Zatko was Twitter's security chief. What he claims he found there is a security nightmare.</span> <span class="attribution"><a class="source" href="https://www.gettyimages.com/detail/news-photo/peiter-zatko-who-is-also-known-as-mudge-poses-for-a-news-photo/1242680586">Photo by Matt McClain/The Washington Post via Getty Images</a></span></figcaption></figure><p>Twitter’s former security chief, Peiter “Mudge” Zatko, <a href="https://www.washingtonpost.com/technology/interactive/2022/twitter-whistleblower-sec-spam/">filed a whistleblower complaint</a> with the Securities and Exchange Commission in July 2022, accusing the microblogging platform company of serious security failings. The accusations amplified the ongoing drama of Twitter’s <a href="https://theconversation.com/elon-musks-plans-for-twitter-could-make-its-misinformation-problems-worse-181923">potential sale to Elon Musk</a>.</p>
<p>Zatko spent decades as an <a href="https://www.washingtonpost.com/technology/2022/08/23/peiter-mudge-zatko-twitter-whistleblower/">ethical hacker, private researcher, government adviser and executive</a> at some of the most prominent internet companies and government offices. He is practically a legend in the cybersecurity industry. Because of <a href="https://slate.com/technology/2022/08/twitter-whistleblower-peiter-mudge-zatko-elon-musk-bots.html">his reputation</a>, when he speaks, people and governments normally listen – which underscores the seriousness of his complaint against Twitter.</p>
<p>As a former cybersecurity industry practitioner and current <a href="http://www.csee.umbc.edu/%7Erforno/">cybersecurity researcher</a>, I believe that Zatko’s most damning accusations center around Twitter’s alleged failure to have a solid cybersecurity plan to protect user data, deploy internal controls to guard against insider threats and ensure the company’s systems were current and properly updated. </p>
<p>Zatko also alleged that Twitter executives were less than forthcoming about cybersecurity incidents on the platform when briefing both regulators and the company’s board of directors. He claimed that Twitter <a href="https://abcnews.go.com/Business/whistleblower-alleges-twitter-deceived-regulators-security-spam-twitter/story?id=88748290">prioritized user growth over reducing spam</a> and other unwanted content that poisoned the platform and detracted from the user experience. His complaint also expressed concerns about the company’s business practices.</p>
<figure>
<iframe width="440" height="260" src="https://www.youtube.com/embed/7OD9T5bX2LU?wmode=transparent&start=0" frameborder="0" allowfullscreen=""></iframe>
<figcaption><span class="caption">CNN interviewed Twitter whistleblower Peiter “Mudge” Zatko.</span></figcaption>
</figure>
<h2>Alleged security failures</h2>
<p>Zatko’s allegations paint a disturbing picture of not only the state of Twitter’s cybersecurity as a social media platform, but also the security consciousness of Twitter as a company. Both points are relevant given Twitter’s position in global communications and the ongoing struggle against <a href="https://cops.usdoj.gov/RIC/Publications/cops-w0741-pub.pdf">online extremism</a> and <a href="https://www.science.org/content/article/fake-news-spreads-faster-true-news-twitter-thanks-people-not-bots">disinformation</a>.</p>
<p>Perhaps the most significant of Zatko’s allegations is his claim that nearly half of Twitter’s employees have direct access to user data and Twitter’s source code. Time-tested cybersecurity practices don’t allow so many people with this level of <a href="https://www.ssh.com/academy/iam/root-user-account#what-is-a-root-user?">“root” or “privileged” permission</a> to access sensitive systems and data. If true, this means that Twitter could be ripe for exploitation either from within or by outside adversaries assisted by people on the inside who may not have been properly vetted.</p>
<p>Zatko also alleges that Twitter’s data centers may not be as secure, resilient or reliable as the company claims. He estimated that <a href="https://twitter.com/kimzetter/status/1562038809646092289">nearly half</a> of Twitter’s 500,000 servers around the world lack basic security controls such as running up-to-date and vendor-supported software or encrypting the user data stored on them. He also noted that the company’s lack of a robust business continuity plan means that should several of its data centers fail due to a cyber incident or other disaster, it could lead to an “<a href="https://www.cnn.com/2022/08/24/tech/twitter-whistleblower-takeaways/index.html">existential company ending event</a>.”</p>
<p>These are just some of the claims made in Zatko’s complaint. If his allegations are true, Twitter has failed Cybersecurity 101. </p>
<h2>Concerns over foreign government interference</h2>
<p>Zatko’s allegations might also present a national security concern. Twitter has been used to spread disinformation and propaganda in recent years during global events like the <a href="https://help.twitter.com/en/rules-and-policies/medical-misinformation-policy">pandemic</a> and <a href="https://blog.twitter.com/en_us/topics/company/2017/Update-Russian-Interference-in-2016--Election-Bots-and-Misinformation">national elections</a>. </p>
<p>For example, Zatko’s report stated that the Indian government forced Twitter to hire government agents, who would have access to vast amounts of Twitter’s sensitive data. In response, India’s at-times hostile neighbor <a href="https://thewire.in/south-asia/pakistan-concern-against-india-twitter-whistleblower-allegations">Pakistan accused</a> India of trying to infiltrate the security system of Twitter “in an effort to curb fundamental freedoms.”</p>
<p>Given Twitter’s global footprint as a communications platform, other nations such as Russia and China could require the company to hire its own government agents as a condition of allowing the company to operate in their country. Zatko’s allegations about Twitter’s internal security raise the possibility of criminals, activists, hostile governments or their supporters seeking to exploit Twitter’s systems and user data by recruiting or blackmailing its employees may well present a <a href="https://www.fbi.gov/investigate/cyber/partnerships">national security concern</a>. </p>
<p>Worse, Twitter’s own information about its users, their interests and who they follow and interact with on the platform could facilitate targeting for <a href="https://www.nytimes.com/2022/08/31/technology/pew-misinformation-major-threat.html">disinformation campaigns</a>, blackmail or other nefarious purposes. Such foreign targeting of prominent companies and their employees has been a major counterintelligence worry in the national security community for decades. </p>
<figure class="align-center zoomable">
<a href="https://images.theconversation.com/files/482154/original/file-20220831-4904-4d9zno.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="a line of men wearing beige berets in the foreground holds back a crowd of young men shouting and waving banners" src="https://images.theconversation.com/files/482154/original/file-20220831-4904-4d9zno.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/482154/original/file-20220831-4904-4d9zno.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=418&fit=crop&dpr=1 600w, https://images.theconversation.com/files/482154/original/file-20220831-4904-4d9zno.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=418&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/482154/original/file-20220831-4904-4d9zno.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=418&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/482154/original/file-20220831-4904-4d9zno.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=525&fit=crop&dpr=1 754w, https://images.theconversation.com/files/482154/original/file-20220831-4904-4d9zno.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=525&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/482154/original/file-20220831-4904-4d9zno.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=525&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">Opposition party members in India protest Twitter’s temporary ban of their leader. The whistleblower’s allegations include Twitter acquiescing to Indian government demands that the company employ government agents.</span>
<span class="attribution"><a class="source" href="https://www.gettyimages.com/detail/news-photo/indian-youth-congress-party-workers-hold-placards-during-a-news-photo/1234588037">Anadolu Agency via Getty Images</a></span>
</figcaption>
</figure>
<h2>Fallout</h2>
<p>Whatever the outcome of Zatko’s complaint in Congress, the SEC or other federal agencies, it already is <a href="https://www.nytimes.com/2022/08/30/business/musk-twitter-legal.html">part of Musk’s latest legal filings</a> as he tries to back out of his purchase of Twitter. </p>
<p>Ideally, in light of these disclosures, Twitter will take corrective action to improve the company’s cybersecurity systems and practices. A good first step the company could take is reviewing and limiting who has root access to its systems, source code and user data to the minimum number necessary. The company should also ensure that its production systems are kept current and that it is effectively prepared to contend with any type of emergency situation without significantly disrupting its global operations.</p>
<p>From a broader perspective, Zatko’s complaint underscores the critical and sometimes uncomfortable role cybersecurity plays in modern organizations. Cybersecurity professionals like Zatko understand that no company or government agency likes publicity for cybersecurity problems. They tend to think long and hard about whether and how to raise cybersecurity concerns like these – and what the potential ramifications might be. In this case, <a href="https://www.cnn.com/2022/08/23/tech/twitter-whistleblower-peiter-zatko-security/index.html">Zatko says his disclosures</a> reflect “the job he was hired to do” as head of security for a social media platform that he says “is critical to democracy.”</p>
<p>For companies like Twitter, bad cybersecurity news often results in a public relations nightmare that could affect share price and their standing in the marketplace, not to mention attract the interest of regulators and lawmakers. For governments, such revelations can lead to a lack of trust in the institutions created to serve society, in addition to potentially creating distracting political noise. </p>
<p>Unfortunately, how cybersecurity problems are discovered, disclosed and handled remains a difficult and sometimes controversial process, with no easy solution both for cybersecurity professionals and today’s organizations.</p><img src="https://counter.theconversation.com/content/189668/count.gif" alt="The Conversation" width="1" height="1" />
<p class="fine-print"><em><span>Richard Forno has received research funding related to cybersecurity from the National Science Foundation (NSF) and the Department of Defense (DOD) during his academic career, and sits on the advisory board of BlindHash, a cybersecurity startup focusing on remedying the password problem.</span></em></p>Former Twitter security chief alleges in a whistleblower complaint gross security malpractice, with many employees having access to the social media platform’s code as well as user data.Richard Forno, Principal Lecturer in Computer Science and Electrical Engineering, University of Maryland, Baltimore CountyLicensed as Creative Commons – attribution, no derivatives.tag:theconversation.com,2011:article/1786022022-04-25T12:13:15Z2022-04-25T12:13:15ZHow do keys open locks?<figure><img src="https://images.theconversation.com/files/456980/original/file-20220407-14-jtyn21.jpg?ixlib=rb-1.1.0&rect=9%2C36%2C6029%2C3965&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">The depths of the valleys on a key act like a code that must match the lock.</span> <span class="attribution"><a class="source" href="https://www.gettyimages.com/detail/photo/close-up-of-key-in-lock-royalty-free-image/139625036">Robin Smith/The Image Bank via Getty Images</a></span></figcaption></figure><figure class="align-left ">
<img alt="" src="https://images.theconversation.com/files/281719/original/file-20190628-76743-26slbc.png?ixlib=rb-1.1.0&q=45&auto=format&w=237&fit=clip" srcset="https://images.theconversation.com/files/281719/original/file-20190628-76743-26slbc.png?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=293&fit=crop&dpr=1 600w, https://images.theconversation.com/files/281719/original/file-20190628-76743-26slbc.png?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=293&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/281719/original/file-20190628-76743-26slbc.png?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=293&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/281719/original/file-20190628-76743-26slbc.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=368&fit=crop&dpr=1 754w, https://images.theconversation.com/files/281719/original/file-20190628-76743-26slbc.png?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=368&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/281719/original/file-20190628-76743-26slbc.png?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=368&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px">
<figcaption>
<span class="caption"></span>
</figcaption>
</figure>
<p><em><a href="https://theconversation.com/us/topics/curious-kids-us-74795">Curious Kids</a> is a series for children of all ages. If you have a question you’d like an expert to answer, send it to <a href="mailto:curiouskidsus@theconversation.com">curiouskidsus@theconversation.com</a>.</em></p>
<hr>
<blockquote>
<p><strong>How are keys made, and how do they open locks? – Noli, age 12, Wisconsin</strong></p>
</blockquote>
<hr>
<p>Have you ever wondered how keys work? <a href="https://scholar.google.com/citations?user=s2Jfd_EAAAAJ&hl=en">I</a> teach a course in computer security where we learn how locks function – and also how they can be broken or bypassed. We do this because locks teach important principles about security in general.</p>
<figure class="align-center zoomable">
<a href="https://images.theconversation.com/files/457014/original/file-20220407-21-9gtzft.png?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="A ruler is next to a key. Red arrows show how the key's intendations are evenly spaced." src="https://images.theconversation.com/files/457014/original/file-20220407-21-9gtzft.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/457014/original/file-20220407-21-9gtzft.png?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=447&fit=crop&dpr=1 600w, https://images.theconversation.com/files/457014/original/file-20220407-21-9gtzft.png?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=447&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/457014/original/file-20220407-21-9gtzft.png?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=447&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/457014/original/file-20220407-21-9gtzft.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=562&fit=crop&dpr=1 754w, https://images.theconversation.com/files/457014/original/file-20220407-21-9gtzft.png?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=562&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/457014/original/file-20220407-21-9gtzft.png?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=562&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">The spacing of the valleys is key.</span>
<span class="attribution"><span class="source">Scott Craver</span>, <a class="license" href="http://creativecommons.org/licenses/by-nd/4.0/">CC BY-ND</a></span>
</figcaption>
</figure>
<p>If you look closely at a key, you’ll see its top edge has a bunch of V-shaped valleys. If you inspect the key more closely, perhaps with a ruler, you’ll notice the bottoms of these valleys are equally spaced. The depth of the valleys encodes a sequence that is accepted by the lock, with each valley contributing one value to the combination. </p>
<p>Inside the lock is a cylinder – the part that moves when you stick your key in and turn it. The key can turn only if all its valleys are the right depth for your particular lock.</p>
<p>But how does your lock detect whether your key’s valleys have the right sequence of depths?</p>
<figure class="align-center zoomable">
<a href="https://images.theconversation.com/files/457015/original/file-20220407-12027-bkwz1e.png?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="A lock with its inner-workings exposed. Labeled are the shafts, pins and cylinder." src="https://images.theconversation.com/files/457015/original/file-20220407-12027-bkwz1e.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/457015/original/file-20220407-12027-bkwz1e.png?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=357&fit=crop&dpr=1 600w, https://images.theconversation.com/files/457015/original/file-20220407-12027-bkwz1e.png?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=357&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/457015/original/file-20220407-12027-bkwz1e.png?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=357&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/457015/original/file-20220407-12027-bkwz1e.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=449&fit=crop&dpr=1 754w, https://images.theconversation.com/files/457015/original/file-20220407-12027-bkwz1e.png?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=449&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/457015/original/file-20220407-12027-bkwz1e.png?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=449&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">A peek at the parts inside a lock.</span>
<span class="attribution"><span class="source">Scott Craver</span>, <a class="license" href="http://creativecommons.org/licenses/by-nd/4.0/">CC BY-ND</a></span>
</figcaption>
</figure>
<p>Inside the lock are vertical shafts, one over each valley of the key. In each shaft is a pair of metal pins that can freely slide up and down. Depending on where the pins are, they can block the cylinder from turning and <a href="https://www.youtube.com/watch?v=smIdInCQ-kU">prevent the lock from opening</a>. This happens whenever a pin is partially sticking into or out of the cylinder.</p>
<figure class="align-center zoomable">
<a href="https://images.theconversation.com/files/457017/original/file-20220407-24242-o5etcs.png?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="Side by side photos showing the inside of a lock. The left image shows pins that are too high and too low. The right image shows the pins aligned." src="https://images.theconversation.com/files/457017/original/file-20220407-24242-o5etcs.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/457017/original/file-20220407-24242-o5etcs.png?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=201&fit=crop&dpr=1 600w, https://images.theconversation.com/files/457017/original/file-20220407-24242-o5etcs.png?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=201&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/457017/original/file-20220407-24242-o5etcs.png?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=201&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/457017/original/file-20220407-24242-o5etcs.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=252&fit=crop&dpr=1 754w, https://images.theconversation.com/files/457017/original/file-20220407-24242-o5etcs.png?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=252&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/457017/original/file-20220407-24242-o5etcs.png?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=252&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">For a lock to open, all the pins must be aligned.</span>
<span class="attribution"><span class="source">Scott Carver</span>, <a class="license" href="http://creativecommons.org/licenses/by-nd/4.0/">CC BY-ND</a></span>
</figcaption>
</figure>
<p>When you stick a key in the lock, the pins fall into the valleys. If a valley is too high, it causes a pin to stick out and jam the cylinder. If a valley is too low, the pin sinks too low and the pin above it will sink into the cylinder and jam it. However, if the right key is inserted with the valleys at just the right depths, none of the pins get in the way. </p>
<p>Keys are made by <a href="https://www.youtube.com/shorts/bGIWwMQb4yk">placing a blank key into a grinding machine</a> that is programmed to carve out the exact valleys that are needed. A locksmith can also change a lock by removing its pins and fitting it with new ones to match a chosen key. </p>
<p>In computer security, we say that security relies on “something you know, something you have or something you are.” A password is an example of something you know. A key is an example of something you have. A fingerprint would be an example of something you are. But as you can see, a key is also very much like a password, except it is encoded by grinding a piece of metal. </p>
<p>For this reason, you shouldn’t ever post a picture of your house key on the internet. That would be like posting a picture of a credit card or a password – someone could use the photo to duplicate the key. </p>
<p>It is also possible to unlock or <a href="https://home.howstuffworks.com/home-improvement/household-safety/lock-picking1.htm">“pick” locks without a key</a>. By sliding a thin piece of metal into the cylinder and gently pushing the pins to the correct height one by one, locks can be opened. However, it takes a great deal of skill and practice to do this. </p>
<p>What does this teach us about security? First, we must make keys secret by making a very large number of possible keys, so that the right one is hard to guess or build. It’s the same for passwords. Second, it’s important to engineer a lock or computer program that requires every bit of the key or password to be exactly correct. </p>
<p>It’s important to study the inner workings of locks and computer programs to understand how their design might allow someone to break them.</p>
<hr>
<p><em>Hello, curious kids! Do you have a question you’d like an expert to answer? Ask an adult to send your question to <a href="mailto:curiouskidsus@theconversation.com">CuriousKidsUS@theconversation.com</a>. Please tell us your name, age and the city where you live.</em></p>
<p><em>And since curiosity has no age limit – adults, let us know what you’re wondering, too. We won’t be able to answer every question, but we will do our best.</em></p><img src="https://counter.theconversation.com/content/178602/count.gif" alt="The Conversation" width="1" height="1" />
<p class="fine-print"><em><span>Scott Craver does not work for, consult, own shares in or receive funding from any company or organization that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>A computer security expert explains how keys work – and how they are like passwords.Scott Craver, Associate Professor of Electrical and Computer Engineering, Binghamton University, State University of New YorkLicensed as Creative Commons – attribution, no derivatives.tag:theconversation.com,2011:article/1802892022-04-11T12:17:35Z2022-04-11T12:17:35ZMismanaged cloud services put user data at risk<figure><img src="https://images.theconversation.com/files/457188/original/file-20220408-21-kraluf.jpg?ixlib=rb-1.1.0&rect=30%2C5%2C3425%2C2332&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">Cloud services that aren't properly managed can 'leak' data into the wrong hands.</span> <span class="attribution"><a class="source" href="https://www.gettyimages.com/detail/illustration/hacker-finding-data-with-unsafe-cloud-royalty-free-illustration/1287194449">id-work/DigitalVision Vectors via Getty Images</a></span></figcaption></figure><p><em>The <a href="https://theconversation.com/us/topics/research-brief-83231">Research Brief</a> is a short take about interesting academic work.</em></p>
<h2>The big idea</h2>
<p>Organizations’ failure to properly manage the servers they lease from cloud service providers can allow attackers to receive private data, <a href="https://www.ieee-security.org/TC/SP2022/program-papers.html">research</a> my colleagues and I <a href="https://arxiv.org/abs/2204.05122">conducted</a> has shown.</p>
<p>Cloud computing allows businesses to lease servers the same way they lease office space. It’s easier for companies to build and maintain mobile apps and websites when they don’t have to worry about owning and managing servers. But this way of hosting services raises security concerns.</p>
<p>Each cloud server has a <a href="https://us.norton.com/internetsecurity-privacy-what-does-an-ip-address-tell-you.html">unique IP address</a> that allows users to connect and send data. After an organization no longer needs this address, it is given to another customer of the service provider, perhaps one with malicious intent. IP addresses change hands as often as every 30 minutes as organizations change the services they use.</p>
<p>When organizations stop using a cloud server but fail to remove references to the IP address from their systems, users can continue to send data to this address, thinking they are talking to the original service. Because they trust the service that previously used the address, user devices automatically send sensitive information such as GPS location, financial data and browsing history.</p>
<p>An attacker can take advantage of this by “squatting” on the cloud: claiming IP addresses to try to receive traffic intended for other organizations. The rapid turnover of IP addresses leaves little time to identify and correct the issue before attackers start receiving data. Once the attacker controls the address, they can continue to receive data until the organization discovers and corrects the issue.</p>
<figure>
<iframe width="440" height="260" src="https://www.youtube.com/embed/nHJZHWVgxU8?wmode=transparent&start=0" frameborder="0" allowfullscreen=""></iframe>
<figcaption><span class="caption">Poorly managed cloud services are another opportunity for attackers to steal data. Video by Penn State.</span></figcaption>
</figure>
<p>Our study of a small fraction of cloud IP addresses found thousands of businesses that were potentially leaking user data, including data from mobile apps and advertising trackers. These apps initially intended to share personal data with businesses and advertisers, but instead leaked data to whoever controlled the IP address. Anyone with a cloud account could collect the same data from vulnerable organizations.</p>
<h2>Why it matters</h2>
<p>Smartphone users share personal data with businesses through the apps they install. In <a href="https://www.usenix.org/conference/soups2018/presentation/votipka">a recent survey</a>, researchers found that half of smartphone users were comfortable sharing their locations through smartphone apps. But the personal information users share through these apps could be used to <a href="https://www.usenix.org/conference/usenixsecurity21/presentation/mayer">steal their identity</a> or <a href="https://www.usenix.org/conference/woot18/presentation/smith">hurt their reputation</a>.</p>
<p>Personal data has seen <a href="https://www.nytimes.com/2018/05/24/technology/europe-gdpr-privacy.html">increasing regulation</a> in <a href="https://www.nytimes.com/2019/12/29/technology/california-privacy-law.html">recent years</a>, and users may be content to trust the businesses they interact with to follow those regulations and respect their privacy. But these regulations may not sufficiently protect users. Our research shows that even when companies intend to use data responsibly, poor security practices can leave that data up for grabs.</p>
<p>Users should know that when they share their private or personal data with companies, they are also exposed to the security practices of those companies. They can take steps to reduce this exposure by reducing how much data they share and with how many organizations they share it.</p>
<h2>What other research is being done in this field</h2>
<p>Academics and industry are focusing on responsible collection of user data. A <a href="https://blog.google/products/android/introducing-privacy-sandbox-android/">recent push by Google</a> aims to reduce collection of users’ personal data by mobile advertisements, ensuring that their security and privacy is protected.</p>
<p>At the same time, <a href="https://research.samsung.com/blog/Automatically-Explaining-the-Privacy-Practices-in-Mobile-Apps">researchers are working</a> to better explain what applications do with the data they collect. This work aims to ensure that the data users share with applications is used how they expect by matching permission prompts with how the apps actually behave.</p>
<h2>What’s next</h2>
<p>We’re conducting research into new technologies on smartphones and devices to ensure they protect user data. For instance, <a href="https://petsymposium.org/2022/files/papers/issue2/popets-2022-0034.pdf">research led by a colleague of mine</a> describes an approach to protect personal data collected by smart cameras. Our vantage point on traffic in the public cloud is also enabling new studies of the internet as a whole. We are continuing to work with cloud providers to ensure that user data stored on the cloud is secure, and are introducing techniques to prevent businesses and their customers from being victimized on the cloud.</p><img src="https://counter.theconversation.com/content/180289/count.gif" alt="The Conversation" width="1" height="1" />
<p class="fine-print"><em><span>Eric Pauley receives funding from the National Science Foundation Graduate Research Fellowship Program under Grant No. DGE1255832. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author and do not necessarily reflect the views of the National Science Foundation.</span></em></p>Cloud services are convenient, but if an organization isn’t careful about how it uses them, the services can also give data thieves an opening.Eric Pauley, PhD student in Computer Science and Engineering, Penn StateLicensed as Creative Commons – attribution, no derivatives.tag:theconversation.com,2011:article/1738962021-12-22T13:12:26Z2021-12-22T13:12:26ZWhat is Log4j? A cybersecurity expert explains the latest internet vulnerability, how bad it is and what’s at stake<figure><img src="https://images.theconversation.com/files/438734/original/file-20211221-50538-11x1tn8.jpg?ixlib=rb-1.1.0&rect=0%2C0%2C3796%2C2475&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">A vulnerability in Log4j, a humble but widespread piece of software, has put millions of computers at risk.</span> <span class="attribution"><a class="source" href="https://www.gettyimages.com/detail/news-photo/in-this-photo-illustration-apache-log4j-logo-of-a-java-news-photo/1237323278">SOPA Images/LightRocket via Getty Images</a></span></figcaption></figure><p>Log4Shell, an internet vulnerability that affects millions of computers, involves an obscure but nearly ubiquitous piece of software, Log4j. The software is used to record all manner of activities that go on under the hood in a wide range of computer systems. </p>
<p>Jen Easterly, director of the U.S. Cybersecurity & Infrastructure Security Agency, called Log4Shell the <a href="https://www.cnbc.com/video/2021/12/16/cisa-director-says-the-log4j-security-flaw-is-the-most-serious-shes-seen-in-her-career.html">most serious vulnerability</a> she’s seen in her career. There have already been hundreds of thousands, perhaps millions, of <a href="https://www.zdnet.com/article/log4j-flaw-attackers-are-making-thousands-of-attempts-to-exploit-this-severe-vulnerability/">attempts to exploit the vulnerability</a>.</p>
<p>So what is this humble piece of internet infrastructure, how can hackers exploit it and what kind of mayhem could ensue?</p>
<figure class="align-center zoomable">
<a href="https://images.theconversation.com/files/438728/original/file-20211221-23072-c1m3fb.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="a woman with long dark hair wearing eyeglasses speaks into a microphone" src="https://images.theconversation.com/files/438728/original/file-20211221-23072-c1m3fb.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/438728/original/file-20211221-23072-c1m3fb.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=421&fit=crop&dpr=1 600w, https://images.theconversation.com/files/438728/original/file-20211221-23072-c1m3fb.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=421&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/438728/original/file-20211221-23072-c1m3fb.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=421&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/438728/original/file-20211221-23072-c1m3fb.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=529&fit=crop&dpr=1 754w, https://images.theconversation.com/files/438728/original/file-20211221-23072-c1m3fb.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=529&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/438728/original/file-20211221-23072-c1m3fb.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=529&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">Cybersecurity & Infrastructure Security Agency director Jen Easterly called Log4Shell ‘the most serious vulnerability I’ve seen.’</span>
<span class="attribution"><a class="source" href="https://www.gettyimages.com/detail/news-photo/jen-easterly-nominee-to-be-the-director-of-the-homeland-news-photo/1322884747">Kevin Dietsch/Getty Images News</a></span>
</figcaption>
</figure>
<h2>What does Log4j do?</h2>
<p>Log4j records events – errors and routine system operations – and communicates diagnostic messages about them to system administrators and users. It’s <a href="https://www.businessinsider.com/what-is-open-source-software?op=1">open-source software</a> provided by the <a href="https://apache.org/">Apache Software Foundation</a>.</p>
<p>A common example of Log4j at work is when you type in or click on a bad web link and get a 404 error message. The web server running the domain of the web link you tried to get to tells you that there’s no such webpage. It also records that event in a log for the server’s system administrators using Log4j. </p>
<p>Similar diagnostic messages are used throughout software applications. For example, in the online game Minecraft, Log4j is used by the server to log activity like total memory used and user commands typed into the console.</p>
<h2>How does Log4Shell work?</h2>
<p>Log4Shell works by abusing a feature in Log4j that allows users to specify custom code for formatting a log message. This feature allows Log4j to, for example, log not only the username associated with each attempt to log in to the server but also the person’s real name, if a separate server holds a directory linking user names and real names. To do so, the Log4j server has to communicate with the server holding the real names.</p>
<p>Unfortunately, this kind of code can be used for more than just formatting log messages. Log4j allows third-party servers to submit software code that can perform all kinds of actions on the targeted computer. This opens the door for nefarious activities such as stealing sensitive information, taking control of the targeted system and slipping malicious content to other users communicating with the affected server. </p>
<p>It is relatively simple to exploit Log4Shell. I was able to reproduce the problem in my copy of <a href="https://github.com/NationalSecurityAgency/ghidra/security/advisories/GHSA-j3xg-fc2p-4jc4">Ghidra</a>, a reverse-engineering framework for security researchers, in just a couple of minutes. There is a very low bar for using this exploit, which means a wider range of people with malicious intent can use it. </p>
<h2>Log4j is everywhere</h2>
<p>One of the major concerns about Log4Shell is Log4j’s position in the software ecosystem. Logging is a fundamental feature of most software, which makes <a href="https://security.googleblog.com/2021/12/understanding-impact-of-apache-log4j.html">Log4j very widespread</a>. In addition to popular games like Minecraft, it’s used in cloud services like Apple iCloud and Amazon Web Services, as well as a wide range of programs from <a href="https://wiki.eclipse.org/Eclipse_and_log4j2_vulnerability_(CVE-2021-44228)">software development tools</a> to <a href="https://github.com/NationalSecurityAgency/ghidra">security tools</a>. </p>
<figure>
<iframe width="440" height="260" src="https://www.youtube.com/embed/SpeDK1TPbew?wmode=transparent&start=0" frameborder="0" allowfullscreen=""></iframe>
<figcaption><span class="caption">Open-source software like Log4j is used in so many products and tools that some organizations don’t even know which pieces of code are on their computers.</span></figcaption>
</figure>
<p>This means hackers have a large menu of targets to choose from: home users, service providers, source code developers and even security researchers. So while big companies like Amazon can quickly patch their web services to prevent hackers from exploiting them, there are many more organizations that will take longer to patch their systems, and some that might not even know they need to.</p>
<h2>The damage that can be done</h2>
<p>Hackers are scanning through the internet to find vulnerable servers and setting up machines that can deliver malicious payloads. To carry out an attack, they query services (for example, web servers) and try to trigger a log message (for example, a 404 error). The query includes maliciously crafted text, which Log4j processes as instructions. </p>
<p>These instructions can create a <a href="https://www.acunetix.com/blog/web-security-zone/what-is-reverse-shell/">reverse shell</a>, which allows the attacking server to remotely control the targeted server, or they can make the target server part of a <a href="https://www.howtogeek.com/183812/htg-explains-what-is-a-botnet/">botnet</a>. Botnets use multiple hijacked computers to carry out coordinated actions on behalf of the hackers.</p>
<p>A <a href="https://www.akamai.com/blog/security/threat-intelligence-on-log4j-cve-key-findings-and-their-implications">large number of hackers</a> are already trying to abuse Log4Shell. These range from <a href="https://www.crn.com/news/security/ransomware-gang-hijacking-log4j-bug-to-hit-minecraft-servers">ransomware gangs locking down minecraft servers</a> to <a href="https://www.silentpush.com/blog/log4shell-a-threat-intelligence-perspective">hacker groups trying to mine bitcoin</a> and hackers associated with <a href="https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/">China and North Korea</a> trying to gain access to sensitive information from their geopolitical rivals. The Belgian ministry of defense reported that its computers were being <a href="https://www.wsj.com/articles/hackers-exploit-log4j-flaw-at-belgian-defense-ministry-11640020439">attacked using Log4Shell</a>.</p>
<p>Although the vulnerability first came to widespread attention on Dec. 10, 2021, people are still identifying <a href="https://www.theregister.com/2021/12/17/cisa_issues_emergency_directive_to/">new ways</a> to cause harm through this mechanism.</p>
<h2>Stopping the bleeding</h2>
<p>It is hard to know whether Log4j is being used in any given software system because it is often <a href="https://deps.dev/maven/org.apache.logging.log4j%3Alog4j-core/2.16.0">bundled as part of other software</a>. This requires system administrators to inventory their software to identify its presence. If some people don’t even know they have a problem, it’s that much harder to eradicate the vulnerability.</p>
<p>Another consequence of Log4j’s diverse uses is there is no one-size-fits-all solution to patching it. Depending on how Log4j was incorporated in a given system, the fix will require different approaches. It could require a wholesale system update, as done for <a href="https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-log4j-qRuKNEbd#vp">some Cisco routers</a>, or updating to a new version of software, as done in <a href="https://www.minecraft.net/en-us/article/minecraft-java-edition-1-18-1">Minecraft</a>, or removing the vulnerable code manually for those who can’t update the software.</p>
<p>Log4Shell is part of the software supply chain. Like physical objects people purchase, software travels through different organizations and software packages before it ends up in a final product. When something goes wrong, rather than going through a recall process, software is generally “<a href="https://www.techopedia.com/definition/24537/patch">patched</a>,” meaning fixed in place. </p>
<p>However, given that Log4j is <a href="https://unit42.paloaltonetworks.com/apache-log4j-vulnerability-cve-2021-44228/#affected-software">present in various ways in software products</a>, propagating a fix requires coordination from Log4j developers, developers of software that use Log4j, software distributors, system operators and users. Usually, this introduces a delay between the fix being available in Log4j code and people’s computers actually closing the door on the vulnerability. </p>
<p>[<em>Over 140,000 readers rely on The Conversation’s newsletters to understand the world.</em> <a href="https://memberservices.theconversation.com/newsletters/?source=inline-140ksignup">Sign up today</a>.]</p>
<p>Some estimates for time-to-repair in software generally range from <a href="https://www.rapid7.com/blog/post/2018/08/22/whats-going-on-in-production-application-security-2018/">weeks to months</a>. However, if past behavior is indicative of future performance, it is likely the Log4j vulnerability <a href="https://blog.malwarebytes.com/exploits-and-vulnerabilities/2019/09/everything-you-need-to-know-about-the-heartbleed-vulnerability/">will crop up for years to come</a>.</p>
<p>As a user, you are probably wondering what can you do about all this. Unfortunately, it is hard to know whether a software product you are using includes Log4j and whether it is using vulnerable versions of the software. However, you can help by heeding the common refrain from computer security experts: Make sure all of your software is up to date.</p><img src="https://counter.theconversation.com/content/173896/count.gif" alt="The Conversation" width="1" height="1" />
<p class="fine-print"><em><span>Santiago Torres-Arias does not work for, consult, own shares in or receive funding from any company or organization that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>Log4Shell is the latest hacker exploit rocking the internet, and it’s arguably the worst yet. The vulnerability is in an obscure piece of software used on millions of computers.Santiago Torres-Arias, Assistant Professor of Electrical and Computer Engineering, Purdue UniversityLicensed as Creative Commons – attribution, no derivatives.tag:theconversation.com,2011:article/1599902021-05-20T12:27:00Z2021-05-20T12:27:00ZShape-shifting computer chip thwarts an army of hackers<figure><img src="https://images.theconversation.com/files/401722/original/file-20210519-19-1m48kfo.jpg?ixlib=rb-1.1.0&rect=0%2C0%2C5656%2C3166&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">The Morpheus secure processor works like a puzzle that keeps changing before hackers have a chance to solve it.</span> <span class="attribution"><a class="source" href="https://unsplash.com/photos/TOOhhlGHOsQ">Alan de la Cruz via Unsplash</a></span></figcaption></figure><p><em>The <a href="https://theconversation.com/us/topics/research-brief-83231">Research Brief</a> is a short take about interesting academic work.</em></p>
<h2>The big idea</h2>
<p>We have developed and tested a <a href="https://doi.org/10.1145/3297858.3304037">secure new computer processor</a> that thwarts hackers by randomly changing its underlying structure, thus making it virtually impossible to hack. </p>
<p>Last summer, 525 security researchers spent three months trying to hack our Morpheus processor as well as others. <a href="https://spectrum.ieee.org/tech-talk/semiconductors/processors/morpheus-turns-a-cpu-into-a-rubiks-cube-to-defeat-hackers">All attempts against Morpheus failed</a>. This study was part of a program sponsored by the U.S. Defense Advanced Research Program Agency to <a href="https://spectrum.ieee.org/tech-talk/computing/embedded-systems/darpa-hacks-its-secure-hardware-fends-off-most-attacks">design a secure processor</a> that could protect vulnerable software. DARPA <a href="https://www.darpa.mil/news-events/2020-01-28">released the results on the program to the public</a> for the first time in January 2021.</p>
<p>A processor is the piece of computer hardware that runs software programs. Since a processor underlies all software systems, a secure processor has the potential to protect any software running on it from attack. Our team at the University of Michigan first developed Morpheus, a secure processor that thwarts attacks by turning the computer into a puzzle, in 2019.</p>
<p>A processor has an architecture – x86 for most laptops and ARM for most phones – which is the set of instructions software needs to run on the processor. Processors also <a href="https://www.computerhope.com/jargon/m/microarchitecture.htm">have a microarchitecture</a>, or the “guts” that enable the execution of the instruction set, the speed of this execution and how much power it consumes.</p>
<p>Hackers need to be intimately familiar with the details of the microarchitecture to <a href="https://theconversation.com/microprocessor-designers-realize-security-must-be-a-primary-concern-98044">graft their malicious code, or malware, onto vulnerable systems</a>. To stop attacks, Morpheus randomizes these implementation details to turn the system into a puzzle that hackers must solve before conducting security exploits. From one Morpheus machine to another, details like the commands the processor executes or the format of program data change in random ways. Because this happens at the microarchitecture level, software running on the processor is unaffected.</p>
<figure class="align-center zoomable">
<a href="https://images.theconversation.com/files/401701/original/file-20210519-19-1t96mso.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="a fan on top of a metal square in the middle of a computer circuit board" src="https://images.theconversation.com/files/401701/original/file-20210519-19-1t96mso.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/401701/original/file-20210519-19-1t96mso.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=427&fit=crop&dpr=1 600w, https://images.theconversation.com/files/401701/original/file-20210519-19-1t96mso.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=427&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/401701/original/file-20210519-19-1t96mso.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=427&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/401701/original/file-20210519-19-1t96mso.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=537&fit=crop&dpr=1 754w, https://images.theconversation.com/files/401701/original/file-20210519-19-1t96mso.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=537&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/401701/original/file-20210519-19-1t96mso.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=537&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">The Morpheus computer processor, inside the square beneath the fan on this circuit board, rapidly and continuously changes its underlying structure to thwart hackers.</span>
<span class="attribution"><span class="source">Todd Austin</span>, <a class="license" href="http://creativecommons.org/licenses/by-nd/4.0/">CC BY-ND</a></span>
</figcaption>
</figure>
<p>A skilled hacker could reverse-engineer a Morpheus machine in as little as a few hours, if given the chance. To counter this, Morpheus also changes the microarchitecture every few hundred milliseconds. Thus, not only do attackers have to reverse-engineer the microachitecture, but they have to do it very fast. With Morpheus, a hacker is confronted with a computer that has never been seen before and will never be seen again.</p>
<h2>Why it matters</h2>
<p>To conduct a security exploit, hackers use vulnerabilities in software to get inside a device. Once inside, they <a href="https://theconversation.com/guarding-against-the-possible-spectre-in-every-machine-89825">graft their malware</a> onto the device. Malware is designed to infect the host device to steal sensitive data or spy on users.</p>
<p>The typical approach to computer security is to fix individual software vulnerabilities to keep hackers out. For these patch-based techniques to succeed, programmers must write perfect software without any bugs. But ask any programmer, and the idea of creating a perfect program is laughable. Bugs are everywhere, and security bugs are the most difficult to find because they don’t impair a program’s normal operation. </p>
<p>Morpheus takes a distinct approach to security by augmenting the underlying processor to prevent attackers from grafting malware onto the device. With this approach, Morpheus protects any vulnerable software that runs on it. </p>
<h2>What other research is being done</h2>
<p>For the longest time, processor designers considered security a problem for software programmers, since programmers made the software bugs that lead to security concerns. But recently computer designers have discovered that hardware can help protect software. </p>
<p>Academic efforts, such as <a href="https://www.cl.cam.ac.uk/research/security/ctsrd/cheri/">Capability Hardware Enhanced RISC Instructions</a> at the University of Cambridge, have demonstrated strong protection against memory bugs. Commercial efforts have begun as well, such as Intel’s soon-to-be-released <a href="https://newsroom.intel.com/editorials/intel-cet-answers-call-protect-common-malware-threats/">Control-flow Enforcement Technology</a>. </p>
<p>Morpheus takes a notably different approach of ignoring the bugs and instead randomizes its internal implementation to thwart exploitation of bugs. Fortunately, these are complementary techniques, and combining them will likely make systems even more difficult to attack.</p>
<h2>What’s next</h2>
<p>We are looking at how the fundamental design aspects of Morpheus can be applied to protect sensitive data on people’s devices and in the cloud. In addition to randomizing the implementation details of a system, how can we randomize data in a way that maintains privacy while not being a burden to software programmers?</p>
<p>[<em>Research into coronavirus and other news from science</em> <a href="https://theconversation.com/us/newsletters/science-editors-picks-71/?utm_source=TCUS&utm_medium=inline-link&utm_campaign=newsletter-text&utm_content=science-corona-research">Subscribe to The Conversation’s new science newsletter</a>.]</p><img src="https://counter.theconversation.com/content/159990/count.gif" alt="The Conversation" width="1" height="1" />
<p class="fine-print"><em><span>Todd Austin receives funding from DARPA, which supported the development of the Morpheus secure CPU through DARPA Contract HR0011-18-C-0019. He owns shares in Agita Labs, which is commercializing a derivative of the Morpheus technology. </span></em></p><p class="fine-print"><em><span>Lauren Biernacki receives funding from DARPA, which supported the development of the Morpheus secure CPU through DARPA Contract HR0011-18-C-0019.</span></em></p>Most computer security focuses on software, but computer processors are vulnerable to hackers, too. An experimental secure processor changes its underlying structure before hackers can figure it out.Todd Austin, Professor of Electrical Engineering and Computer Science, University of MichiganLauren Biernacki, Ph.D. Candidate in Computer Science & Engineering, University of MichiganLicensed as Creative Commons – attribution, no derivatives.tag:theconversation.com,2011:article/1366542020-05-15T12:13:16Z2020-05-15T12:13:16ZThe lack of women in cybersecurity leaves the online world at greater risk<figure><img src="https://images.theconversation.com/files/334516/original/file-20200512-82379-8phx6n.jpg?ixlib=rb-1.1.0&rect=494%2C213%2C4974%2C3549&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">Women bring a much-needed change in perspective to cybersecurity.</span> <span class="attribution"><a class="source" href="https://www.gettyimages.com/detail/photo/rear-view-of-female-computer-hacker-coding-at-desk-royalty-free-image/1159379067?adppopup=true">Maskot/Maskot via Getty Images</a></span></figcaption></figure><p>Women are highly underrepresented in the field of cybersecurity. In 2017, women’s share in the U.S. cybersecurity field was <a href="https://www.pwc.com/us/en/services/consulting/cybersecurity/women-in-cybersecurity.html">14%, compared to 48% in the general workforce</a>. </p>
<p>The problem is more acute outside the U.S. In 2018, <a href="https://www.nature.com/articles/d41586-018-03327-w">women accounted for</a> 10% of the cybersecurity workforce in the Asia-Pacific region, 9% in Africa, 8% in Latin America, 7% in Europe and 5% in the Middle East. </p>
<p>Women are even less well represented in the upper echelons of security leadership. Only <a href="https://www.fifthdomain.com/workforce/2019/01/18/how-more-women-on-cybersecurity-teams-can-create-advantages/">1% of female internet security workers</a> are in senior management positions.</p>
<p><a href="https://scholar.google.com/citations?user=Qx3YMi4AAAAJ&hl=en&oi=ao">I study</a> <a href="https://www.springer.com/gp/book/9783642115219">online crime</a> and <a href="https://theconversation.com/blockchain-voting-is-vulnerable-to-hackers-software-glitches-and-bad-id-photos-among-other-problems-122521">security</a> issues facing <a href="https://ieeexplore.ieee.org/document/9034675">consumers</a>, <a href="https://ieeexplore.ieee.org/abstract/document/8666661">organizations</a> and <a href="https://www.springer.com/gp/book/9783319405537">nations</a>. In my research, I have found that internet security requires <a href="https://link.springer.com/book/10.1057/9781137021946">strategies beyond technical solutions</a>. Women’s representation is important because women tend to offer viewpoints and perspectives that are different from men’s, and these underrepresented perspectives are critical in addressing cyber risks. </p>
<h2>Perception, awareness and bias</h2>
<p>The low representation of women in internet security is linked to the broader problem of their low representation in the science, technology, engineering and mathematics fields. Only <a href="https://www.nsf.gov/news/news_summ.jsp?cntn_id=190924&WT.mc_id=USNSF_51&WT.mc_ev=click">30% of scientists and engineers in the U.S.</a> are women.</p>
<p>The societal view is that internet security is <a href="http://genderandset.open.ac.uk/index.php/genderandset/article/view/449">a job that men do</a>, though there is nothing inherent in gender that predisposes men to be more interested in or more adept at cybersecurity. In addition, the industry mistakenly gives potential employees the impression that <a href="https://www.shrm.org/resourcesandtools/hr-topics/talent-acquisition/pages/women-working-cybersecurity-gender-gap.aspx">only technical skills matter in cybersecurity</a>, which can give women the impression that the field is overly technical or even boring. </p>
<p>Women are also generally not presented with opportunities in information technology fields. In a survey of women pursuing careers outside of IT fields, <a href="https://www.computerweekly.com/news/450420822/PaloAlto-Networks-partners-with-US-Girl-Scouts-on-security-skills">69% indicated that</a> the main reason they didn’t pursue opportunities in IT was because they were unaware of them.</p>
<p>Organizations often fail to try to recruit women to work in cybersecurity. According to a survey conducted by IT security company Tessian, <a href="https://www.helpnetsecurity.com/2020/03/12/cybersecurity-gender-gap/">only about half of the respondents</a> said that their organizations were doing enough to recruit women into cybersecurity roles. </p>
<p>Gender bias in job ads further discourages women from applying. Online cybersecurity job ads <a href="https://www.csoonline.com/article/3490417/gender-diversity-in-cybersecurity-matters-to-the-business.html">often lack gender-neutral language</a>. </p>
<h2>Good security and good business</h2>
<p>Boosting women’s involvement in information security makes both security and business sense. Female leaders in this area tend to prioritize important areas that males often overlook. This is partly due to their backgrounds. Forty-four percent of women in information security fields <a href="https://www.nature.com/articles/d41586-018-03327-w">have degrees in business and social sciences</a>, compared to 30% of men. </p>
<p>Female internet security professionals put a <a href="https://1c7fab3im83f5gqiow2qqs2k-wpengine.netdna-ssl.com/wp-content/uploads/2019/03/Women-in-the-Information-Security-Profession-GISWS-Subreport.pdf">higher priority on internal training and education</a> in security and risk management. Women are also stronger advocates for online training, which is a flexible, low-cost way of increasing employees’ awareness of security issues. </p>
<p>Female internet security professionals are also <a href="https://1c7fab3im83f5gqiow2qqs2k-wpengine.netdna-ssl.com/wp-content/uploads/2019/03/Women-in-the-Information-Security-Profession-GISWS-Subreport.pdf">adept at selecting partner organizations</a> to develop secure software. Women tend to pay more attention to partner organizations’ qualifications and personnel, and they assess partners’ ability to meet contractual obligations. They also prefer partners that are willing to perform independent security tests. </p>
<p>Increasing women’s participation in cybersecurity is a <a href="https://www.scmagazine.com/home/sc-corporate-news/help-sc-honor-women-and-diversity-in-cybersecurity-with-your-recommendations/">business issue</a> as well as a gender issue. According to an Ernst & Young report, by 2028 women will control <a href="http://www.ey.com/GL/en/Issues/Driving-growth/Growing-Beyond---High-Achievers---Women-make-all-the-difference-in-the-world">75% of discretionary consumer spending worldwide</a>. Security considerations like encryption, fraud detection and biometrics are becoming important in <a href="http://www.itproportal.com/2016/05/11/high-profile-data-breaches-affecting-consumer-trust-in-big-brands/">consumers’ buying decisions</a>. Product designs require a trade-off between cybersecurity and usability. Female cybersecurity professionals can make better-informed decisions about such trade-offs for products that are targeted at female customers.</p>
<h2>Attracting women to cybersecurity</h2>
<p>Attracting more women to cybersecurity requires governments, nonprofit organizations, professional and trade associations and the private sector to work together. Public-private partnership projects could help solve the problem in the long run. </p>
<figure class="align-center ">
<img alt="" src="https://images.theconversation.com/files/334520/original/file-20200512-82383-19c1j21.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/334520/original/file-20200512-82383-19c1j21.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=400&fit=crop&dpr=1 600w, https://images.theconversation.com/files/334520/original/file-20200512-82383-19c1j21.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=400&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/334520/original/file-20200512-82383-19c1j21.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=400&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/334520/original/file-20200512-82383-19c1j21.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=503&fit=crop&dpr=1 754w, https://images.theconversation.com/files/334520/original/file-20200512-82383-19c1j21.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=503&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/334520/original/file-20200512-82383-19c1j21.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=503&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px">
<figcaption>
<span class="caption">A computer science teacher, center, helps fifth grade students learn programming.</span>
<span class="attribution"><a class="source" href="http://www.apimages.com/metadata/Index/Girls-Tech-Scores/f038776721b740dcb797dce201f86061/10/0">AP Photo/Elaine Thompson</a></span>
</figcaption>
</figure>
<p>One example is Israel’s <a href="https://www.rashi.org.il/cybergirlz">Shift community</a>, previously known as the CyberGirlz program, which is jointly financed by the country’s Defense Ministry, the Rashi Foundation and Start-Up Nation Central. It identifies high school girls with aptitude, desire and natural curiosity to learn IT and and helps them develop those skills. </p>
<p>The girls participate in hackathons and training programs, and get advice, guidance and support from female mentors. Some of the mentors are from elite technology units of the country’s military. The participants learn hacking skills, network analysis and the Python programming language. They also practice simulating cyber-attacks to find potential vulnerabilities. By 2018, <a href="https://www.jta.org/2018/09/26/israel/new-program-recruiting-israeli-girls-cyber-warfare-high-tech-futures">about 2,000 girls participated</a> in the CyberGirlz Club and the CyberGirlz Community. </p>
<p>In 2017, cybersecurity firm Palo Alto Networks <a href="https://www.computerweekly.com/news/450420822/PaloAlto-Networks-partners-with-US-Girl-Scouts-on-security-skills">teamed up with the Girl Scouts of the USA</a> to develop cybersecurity badges. The goal is to foster cybersecurity knowledge and develop interest in the profession. The curriculum includes the basics of <a href="https://www.nbcnews.com/tech/tech-news/girl-scouts-fight-cybercrime-new-cybersecurity-badge-n852971">computer networks, cyberattacks and online safety</a>. </p>
<p>Professional associations can also foster interest in cybersecurity and help women develop relevant knowledge. For example, <a href="https://www.wics.es/proyectos/mentoring/">Women in Cybersecurity of Spain</a> has started a mentoring program that supports <a href="https://www.bbva.com/en/female-cybersecurity-experts-take-the-floor-at-bbva/">female cybersecurity professionals early in their careers</a>.</p>
<p>Some industry groups have collaborated with big companies. In 2018, Microsoft India and the Data Security Council of India launched the CyberShikshaa program in order to create <a href="https://cybersecurityventures.com/women-in-cybersecurity/">a pool of skilled female cybersecurity professionals</a>. </p>
<p>Some technology companies have launched programs to foster women’s interest in and confidence to pursue internet security careers. One example is <a href="https://www.forbes.com/sites/georgenehuang/2016/10/04/why-women-in-tech-should-consider-a-career-in-cybersecurity/#59522d033e6f">IBM Security’s Women in Security Excelling program</a>, formed in 2015. </p>
<p>Attracting more women to the cybersecurity field requires a range of efforts. Cybersecurity job ads should be written so that female professionals feel welcome to apply. Recruitment efforts should focus on academic institutions with high female enrollment. Corporations should ensure that female employees see cybersecurity as a good option for internal career changes. And governments should work with the private sector and academic institutions to get young girls interested in cybersecurity. </p>
<p>Increasing women’s participation in cybersecurity is good for women, good for business and good for society.</p>
<p>[<em>Insight, in your inbox each day.</em> <a href="https://theconversation.com/us/newsletters?utm_source=TCUS&utm_medium=inline-link&utm_campaign=newsletter-text&utm_content=insight">You can get it with The Conversation’s email newsletter</a>.]</p><img src="https://counter.theconversation.com/content/136654/count.gif" alt="The Conversation" width="1" height="1" />
<p class="fine-print"><em><span>Nir Kshetri does not work for, consult, own shares in or receive funding from any company or organization that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>Women are underrepresented in technology fields, but especially so in cybersecurity. It’s not just a matter of fairness. Women are better than men at key aspects of keeping the internet safe.Nir Kshetri, Professor of Management, University of North Carolina – GreensboroLicensed as Creative Commons – attribution, no derivatives.tag:theconversation.com,2011:article/1017652018-09-06T10:45:30Z2018-09-06T10:45:30Z4 ways to defend democracy and protect every voter’s ballot<figure><img src="https://images.theconversation.com/files/233981/original/file-20180828-86123-bdmwev.jpg?ixlib=rb-1.1.0&rect=0%2C0%2C4297%2C3047&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">How confident should voters be that their ballots will be counted accurately?</span> <span class="attribution"><a class="source" href="http://www.apimages.com/metadata/Index/Florida-Primary/0b1cdb68c2b5403fb0b1884673e55b55/12/0">AP Photo/Wilfredo Lee</a></span></figcaption></figure><p>As voters prepare to cast their ballots in the November midterm elections, it’s clear that <a href="https://www.technologyreview.com/s/611830/hackers-are-out-to-jeopardize-your-vote/">U.S. voting is under electronic attack</a>. <a href="https://theconversation.com/how-the-russian-government-used-disinformation-and-cyber-warfare-in-2016-election-an-ethical-hacker-explains-99989">Russian government hackers</a> probed some states’ computer systems in the runup to the 2016 presidential election and are <a href="https://theconversation.com/securing-americas-voting-systems-against-spying-and-meddling-6-essential-reads-99986">likely to do so again</a> – as might <a href="https://www.nytimes.com/2018/08/21/technology/facebook-political-influence-midterms.html">hackers from other countries</a> or nongovernmental groups interested in sowing discord in American politics.</p>
<p>Fortunately, there are <a href="http://homepage.divms.uiowa.edu/%7Ejones/voting/">ways to defend elections</a>. Some of them will be new in some places, but these defenses are not particularly difficult nor expensive, especially when judged against the value of public confidence in democracy. I served on the Iowa board that examines voting machines from 1995 to 2004 and on the <a href="https://www.eac.gov/about/technical-guidelines-development-committee/">Technical Guidelines Development Committee</a> of the <a href="https://www.eac.gov/">United States Election Assistance Commission</a> from 2009 to 2012, and <a href="https://www.theatlantic.com/magazine/archive/2017/12/guardian-of-the-vote/544155/">Barbara Simons</a> and I coauthored the 2012 book “<a href="https://www.press.uchicago.edu/ucp/books/book/distributed/B/bo13383590.html">Broken Ballots</a>.”</p>
<p>Election officials have an important role to play in protecting election integrity. Citizens, too, need to ensure their local voting processes are safe. There are two parts to any voting system: the computerized systems tracking voters’ registrations and the actual process of voting – from preparing ballots through results tallying and reporting.</p>
<h2>Attacking registrations</h2>
<p>Before the passage of the <a href="http://legislink.org/us/pl-107-252">Help America Vote Act of 2002</a>, voter registration in the U.S. was largely decentralized across 5,000 local jurisdictions, mostly county election offices. HAVA changed that, requiring states to have centralized online voter registration databases accessible to all election officials.</p>
<p>In 2016, <a href="https://www.justice.gov/opa/pr/grand-jury-indicts-12-russian-intelligence-officers-hacking-offenses-related-2016-election">Russian government agents</a> allegedly tried to access <a href="https://www.washingtonpost.com/news/the-fix/wp/2017/09/23/what-we-know-about-the-21-states-targeted-by-russian-hackers/">voter registration systems in 21 states</a>. Illinois officials have <a href="http://www.govtech.com/security/Hacked-Voter-Records-in-Illinois-Soar-to-Half-a-Million.html">identified their state</a> as the only one whose databases were, in fact, breached – with <a href="http://www.govtech.com/security/Hacked-Voter-Records-in-Illinois-Soar-to-Half-a-Million.html">information on 500,000 voters</a> viewed and potentially copied by the hackers. </p>
<p>It’s not clear that any information was corrupted, changed or deleted. But that would certainly be one way to interfere with an election: either changing voters’ addresses to assign them to other precincts or simply deleting people’s registrations.</p>
<p>Another way this information could be misused would be to fraudulently request absentee ballots for real voters. Something like that happened on May 29, 2013, when Juan Pablo Baggini, an overzealous campaign worker in Miami, <a href="https://www.nbcmiami.com/news/local/After-Raid-at-Home-of-Campaign-Worker-Mayoral-Candidate-Francis-Suarez-Says-No-Election-Laws-Were-Violated-211516981.html">used his computer to file online absentee ballot requests</a> on behalf of 20 local voters. He apparently thought he had their permission, but <a href="https://www.miamiherald.com/news/local/community/miami-dade/article1952450.html">county officials noticed the large number of requests</a> coming from the same computer in a short period of time. Baggini and another campaign worker were <a href="https://www.miamiherald.com/news/local/community/miami-dade/article1954359.html">charged with misdemeanors and sentenced to probation</a>.</p>
<p>A more sophisticated attack could use voters’ registration information to select targets based on how likely they are to vote a particular way and use common hacking tools to file electronic absentee ballot requests for them – appearing to come from a variety of computers over the course of several weeks. On Election Day, when those voters went to the polls, they’d be told they already had an absentee ballot and would be prevented from voting normally.</p>
<h2>Two defenses for voter registration</h2>
<p>There are two important defenses against these and other types of attacks on voter registration systems: provisional ballots and same-day registration.</p>
<p>When there are questions about whether a voter is entitled to vote at a particular polling place, federal law requires the person be issued a <a href="http://www.ncsl.org/research/elections-and-campaigns/provisional-ballots.aspx">provisional ballot</a>. The rules vary by state, and some places require provisional voters to bring proof of identity to the county election office before their ballots will be counted – which many voters may not have time to do. But the goal is that no voter should be turned away from the polls without at least a chance their vote will count. If questions arise about the validity of the registration database, provisional ballots offer a way to ensure every voter’s intent is recorded for counting when things get sorted out.</p>
<p>Same-day voter registration offers an even stronger defense. <a href="http://www.ncsl.org/research/elections-and-campaigns/same-day-registration.aspx">Fifteen states</a> allow people to register to vote right at the polling place and then cast a normal ballot. <a href="http://www.pewtrusts.org/%7E/media/legacy/uploadedfiles/pcs_assets/2009/uwisconsin1pdf.pdf">Research on same-day registration</a> has focused on turnout, but it also allows recovery from an attack on voter registration records.</p>
<p>Both approaches do require extra paperwork. If large numbers of voters are affected, that could cause long lines at polling places, which <a href="https://www.eac.gov/documents/2017/02/24/waiting-in-line-to-vote-white-paper-stewart-ansolabehere/">disenfranchise voters who cannot afford to wait</a>. And like provisional voting, same-day registration may have more stringent identification requirements than for people whose voter registrations are already on the books. Some voters may have to go home to get additional documents and hope to make it back before the polls close.</p>
<p>Further, long lines, frustrated voters and frazzled election workers can create the appearance of chaos – which can play into the narratives of those who want to discredit the system even when things are actually working reasonably well.</p>
<h2>Paper ballots are vital</h2>
<p>Election integrity experts agree that <a href="https://www.wired.com/story/defcon-election-threat-funding/">voting machines can be hacked</a>, even if the devices themselves are <a href="https://www.theregister.co.uk/2012/12/14/first_virus_elk_cloner_creator_interviewed/">not connected</a> <a href="https://www.wired.com/2014/11/countdown-to-zero-day-stuxnet/">to the internet</a>. </p>
<p>Voting machine manufacturers say their <a href="https://www.wsj.com/articles/tensions-flare-as-hackers-root-out-flaws-in-voting-machines-1534078801">devices have top-notch protections</a>, but the only truly safe assumption is that they have not yet found additional vulnerabilities. Properly defending voting integrity requires assuming a worst-case scenario, in which every computer involved – at election offices, vote-tallying software developers and machine makers – has been compromised.</p>
<p>The first line of defense is that in most of the U.S., <a href="http://www.pewresearch.org/fact-tank/2016/11/08/on-election-day-most-voters-use-electronic-or-optical-scan-ballots/">people vote on paper</a>. Hackers can’t alter a hand-marked paper ballot – though they could <a href="https://www.politico.com/magazine/story/2016/08/2016-elections-russia-hack-how-to-hack-an-election-in-seven-minutes-214144">change how a computerized vote scanner counts</a> it, or what <a href="https://www.pbs.org/newshour/nation/an-11-year-old-changed-election-results-on-a-replica-florida-state-website-in-under-10-minutes">preliminary results are reported on official websites</a>. In the event of a controversy, paper ballots can be recounted, by hand if needed. </p>
<p><a href="http://www.pewresearch.org/fact-tank/2016/11/08/on-election-day-most-voters-use-electronic-or-optical-scan-ballots/ft_16-11-07_votingtechnology/"><img width="640" height="600" src="http://assets.pewresearch.org/wp-content/uploads/sites/12/2016/11/07164119/FT_16.11.07_votingTechnology.png" class="attachment-large size-large" alt="" srcset="http://assets.pewresearch.org/wp-content/uploads/sites/12/2016/11/07164119/FT_16.11.07_votingTechnology.png 640w, http://assets.pewresearch.org/wp-content/uploads/sites/12/2016/11/07164119/FT_16.11.07_votingTechnology-300x281.png 300w, http://assets.pewresearch.org/wp-content/uploads/sites/12/2016/11/07164119/FT_16.11.07_votingTechnology-200x188.png 200w, http://assets.pewresearch.org/wp-content/uploads/sites/12/2016/11/07164119/FT_16.11.07_votingTechnology-260x244.png 260w, http://assets.pewresearch.org/wp-content/uploads/sites/12/2016/11/07164119/FT_16.11.07_votingTechnology-432x405.png 432w, http://assets.pewresearch.org/wp-content/uploads/sites/12/2016/11/07164119/FT_16.11.07_votingTechnology-50x47.png 50w, http://assets.pewresearch.org/wp-content/uploads/sites/12/2016/11/07164119/FT_16.11.07_votingTechnology-160x150.png 160w" sizes="(max-width: 640px) 100vw, 640px"></a></p>
<h2>Conduct post-election audits</h2>
<p>Without paper ballots, there is not a way to be completely sure voting system software hasn’t been hacked. With them, though, the process is clear.</p>
<p>In a growing number of states, paper ballots are subject to routine statistical audits. In California, post-election audits have been required <a href="https://www.eac.gov/assets/1/28/AUDIT%20PILOT%20FINAL%20REPORT%20TO%20EAC%20FINAL.pdf">since 1965</a>. Iowa allows <a href="https://www.legis.iowa.gov/docs/code/50.50.pdf">election officials who suspect irregularities</a> to initiate recounts even if the result appears decisive and no candidate asks for one; these are called <a href="https://www.eac.gov/assets/1/28/recounts.pdf">administrative recounts</a>. </p>
<p>Based on that experience, some election officials have told me that they suspect the current generation of scanners may be misinterpreting 1 vote in 100. That might seem like a small problem, but it’s really way too much opportunity for error. Voting simulations show that changing <a href="https://doi.org/10.1145/1022594.1022621">just one vote per voting machine</a> across the United States could be enough to allow an attacker to determine which party controls Congress.</p>
<p>Recounts are expensive and time-consuming, though, and can create illusions of disarray and chaos that reduce public confidence in the election’s outcome. A better method is called a <a href="https://doi.org/10.1109/MSP.2012.56">risk-limiting audit</a>. It’s a straightforward method of determining how many ballots should be randomly selected for auditing, based on the size of the election, the margin of the initial result and – crucially – the statistical confidence the public wants in the final outcome. There are even <a href="https://www.stat.berkeley.edu/%7Estark/Vote/auditTools.htm">free online tools</a> available to make the calculations needed.</p>
<p>Preliminary experiences with risk-limiting audits are <a href="https://www.eac.gov/assets/1/28/AUDIT%20PILOT%20FINAL%20REPORT%20TO%20EAC%20FINAL.pdf">quite promising</a>, but they could be made even more attractive by <a href="https://www.usenix.org/legacy/events/evt07/tech/full_papers/calandrino/calandrino_html/">small changes to ballot-sheet scanners</a>. The main problem is that the method is based in math and statistics, which many people don’t understand or trust. However, I believe relying on verifiable principles that any person could learn is far better than believing the assurances of companies that make voting equipment and software, or <a href="https://triblive.com/news/allegheny/11013043-74/machines-election-county">election officials who don’t understand</a> how <a href="https://www.fastcompany.com/40448876/how-hackers-are-teaching-election-officials-to-protect-their-voting-machines-learned-from-hackers-to-improve-security-for-future-elections">their machines</a> <a href="https://www.nytimes.com/2018/02/21/magazine/the-myth-of-the-hacker-proof-voting-machine.html">actually work</a>. </p>
<p>Elections must be as transparent and simple as possible. To paraphrase Dan Wallach at Rice University, <a href="https://www.cs.rice.edu/%7Edwallach/pub/texas-senate-state-affairs-15oct08.pdf">the job of an election is to convince the losers that they lost fair and square</a>. The declared winners will not ask questions and may seek to obstruct those who do ask. The losers will ask the hard questions, and election systems must be transparent enough that the partisan supporters of the losers can be convinced that they indeed lost. This sets a high standard, but it is a standard that every democracy must strive to meet.</p><img src="https://counter.theconversation.com/content/101765/count.gif" alt="The Conversation" width="1" height="1" />
<p class="fine-print"><em><span>Douglas W. Jones was a co-principal investigator in the National Science Foundation funded ACCURATE (A Center for Correct, Usable, Reliable, Auditable, and Transparent Elections) project. He was a co-founder of the Open Voting Consortium, but is not currently affiliated with that group, and he is a registered Democrat.</span></em></p>Ensuring the integrity of democratic elections from hackers and electronic tampering, and boosting public confidence in democracy, isn’t very difficult, nor expensive.Douglas W. Jones, Associate Professor of Computer Science, University of IowaLicensed as Creative Commons – attribution, no derivatives.tag:theconversation.com,2011:article/924812018-03-01T21:18:01Z2018-03-01T21:18:01ZWhen the Internet goes down<figure><img src="https://images.theconversation.com/files/208575/original/file-20180301-152555-3lxx00.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">Servers hosting your favorite websites may be subject to denial-of-service attacks.</span> <span class="attribution"><a class="source" href="https://visualhunt.com/photo/11661/protection-symbol-on-computer-screen/">Visualhunt</a></span></figcaption></figure><p>“A third of the Internet is under attack. Millions of network addresses were subjected to distributed denial-of-service (DDoS) attacks over two-year period,” reports Warren Froelich on the <a href="http://ucsdnews.ucsd.edu/pressrelease/a_third_of_the_Internet_is_under_attack">UC San Diego News Center</a> website. A DDoS is a type of denial-of-service (DoS) attack in which the attacker carries out an attack using many sources distributed throughout the network.</p>
<p>But is the journalist justified in his alarmist reaction? Yes and no. If one-third of the Internet was under attack, then one in every three smartphones wouldn’t work, and one in every three computers would be offline. When we look around, we can see that this is obviously not the case, and if we now rely so heavily on our phones and Wikipedia, it is because we have come to view the Internet as a network that functions well.</p>
<p>Still, the DDoS phenomenon is real. Recent attacks testify to this, such as the attack by the <a href="https://www.corero.com/resources/ddos-attack-types/mirai-botnet-ddos-attack.html">botnet Mirai</a> on the French web host OVH and the American web host DynDNS. The websites owned by customers of these servers were unavailable for several hours.</p>
<p>What the <a href="https://conferences.sigcomm.org/imc/2017/papers/imc17-103.pdf">source study</a> really looked at was the appearance of IP addresses in the traces of DDoS attacks. Over a period of two years, the authors found the addresses of two million different victims, out of the 6 million servers listed on the web.</p>
<h2>Traffic jams on the information superhighway</h2>
<p>Units of data, called packets, circulate on the Internet network. When all of these packets want to go to the same place or take the same path, congestion occurs, just like the traffic jams that occur at the end of a workday.</p>
<p>It should be noted that in most cases it is very difficult, almost impossible, to differentiate between normal traffic and denial of service attack traffic. Traffic generated by “flash crowd” and “slashdot effect” phenomena is identical to the traffic witnessed during this type of attack.</p>
<p>However, this analogy only goes so far, since packets are often organized in flows, and the congestion on the network can lead to these packets being destroyed, or the creation of new packets, leading to even more congestion. It is therefore much harder to remedy a denial-of-service attack on the web than it is a traffic jam.</p>
<figure class="align-right ">
<img alt="" src="https://images.theconversation.com/files/198810/original/file-20171212-9410-309bv0.JPG?ixlib=rb-1.1.0&q=45&auto=format&w=237&fit=clip" srcset="https://images.theconversation.com/files/198810/original/file-20171212-9410-309bv0.JPG?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=844&fit=crop&dpr=1 600w, https://images.theconversation.com/files/198810/original/file-20171212-9410-309bv0.JPG?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=844&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/198810/original/file-20171212-9410-309bv0.JPG?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=844&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/198810/original/file-20171212-9410-309bv0.JPG?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=1061&fit=crop&dpr=1 754w, https://images.theconversation.com/files/198810/original/file-20171212-9410-309bv0.JPG?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=1061&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/198810/original/file-20171212-9410-309bv0.JPG?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=1061&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px">
<figcaption>
<span class="caption">Diagram of a denial-of-service attack.</span>
<span class="attribution"><a class="source" href="https://fr.wikipedia.org/wiki/Attaque_par_d%C3%A9ni_de_service">Everaldo Coelho and YellowIcon</a>, <a class="license" href="http://creativecommons.org/licenses/by/4.0/">CC BY</a></span>
</figcaption>
</figure>
<p>This type of attack saturates the network link that connects the server to the Internet. The attacker does this by sending a large number of packets to the targeted server. These packets can be sent directly if the attacker controls a large number of machines, a botnet.</p>
<p>Attackers also use the amplification mechanisms integrated in certain network protocols, such as the naming system (DNS) and <a href="https://en.wikipedia.org/wiki/Network_Time_Protocol">clock synchronization</a> (NTP). These protocols are asymmetrical. The requests are small, but the responses can be huge.</p>
<p>In this type of attack, an attacker contacts the DNS or NTP amplifiers by pretending to be a server that has been attacked. It then receives lots of unsolicited replies. Therefore, even with a limited connectivity, the attacker can create a significant level of traffic and saturate the network.</p>
<p>There are also “services” that offer the possibility of buying denial of service attacks with varying levels of intensity and durations, as shown in an investigation Brian Krebs carried out after his own site was attacked.</p>
<h2>What are the consequences?</h2>
<p>For Internet users, the main consequence is that the website they want to visit is unavailable.</p>
<p>For the victim of the attack, the main consequence is a loss of income, which can take several forms. For a commercial website, for example, this loss is due to a lack of orders during that period. For other websites, it can result from losing advertising revenue. This type of attack allows an attacker to use ads in place of another party, enabling the attacker to tap into the revenue generated by displaying them.</p>
<p>There have been a few, rare institutional attacks. The most documented example is the attack against Estonia in 2007, which was attributed to the Russian government, although this has been impossible to prove.</p>
<p>Direct financial gain for the attacker is rare, however, and is linked to the ransom demands in exchange for ending the attack.</p>
<h2>Is it serious?</h2>
<p>The impact an attack has on a service depends on how popular the service is. Users therefore experience a low-level attack as a nuisance if they need to use the service in question.</p>
<p>Only certain large-scale occurrences, the most recent being the Mirai botnet, have impacts that are perceived by a much larger audience.</p>
<p>Many servers and services are located in private environments, and therefore are not accessible from the outside. Enterprise servers, for example, are rarely affected by this kind of attack. The key factor for vulnerability therefore lies in the outsourcing of IT services, which can create a dependence on the network.</p>
<p>Finally, an attack with a very high impact would, first of all, be detected immediately (and therefore often blocked within a few hours), and in the end would be limited by its own activities (since the attacker’s communication would also blocked), as shown by the old example of the <a href="https://en.wikipedia.org/wiki/SQL_Slammer">SQL Slammer</a> worm.</p>
<p>Ultimately, the study shows that the phenomena of denial-of-service attacks by saturation have been recurrent over the past two years. This news is significant enough to demonstrate that this phenomenon must be addressed. Yet this is not a new occurrence.</p>
<p>Other phenomena, such as routing manipulation, have the same consequences for users, like when Pakistan Telecom hijacked YouTube addresses.</p>
<h2>Good IT hygiene</h2>
<p>Unfortunately, there is no sure-fire form of protection against these attacks. In the end, it comes down to an issue of cost of service and the amount of resources made available for legitimate users.</p>
<p>The “big” service providers have so many resources that it is difficult for an attacker to catch them off guard.</p>
<p>Still, this is not the end of the Internet, far from it. However, this phenomenon is one that should be limited. For users, good IT hygiene practices should be followed to limit the risks of their computer being compromised, and hence used to participate in this type of attack.</p>
<p>It is also important to review what type of protection outsourced service suppliers have established, to ensure sure they have sufficient capacity and means of protection.</p>
<hr>
<p><em>This article was translated from the original French by the <a href="https://blogrecherche.wp.imt.fr/en/2018/02/22/when-the-Internet-goes-down/">site I'MTech</a></em>.</p><img src="https://counter.theconversation.com/content/92481/count.gif" alt="The Conversation" width="1" height="1" />
<p class="fine-print"><em><span>Hervé Debar has received funding from the European Commission under the H2020 programme, the National Research Agency (ANR) and the Directorate General for Enterprise (DGE) under the FUI and PIA programmes.</span></em></p>The Internet provides us with many services thanks to sites hosted by servers. These may be the victims of denial-of-service attacks that paralyze the entire server.Hervé Debar, Directeur de la Recherche et des Formations Doctorales à Télécom SudParis, Télécom SudParis – Institut Mines-TélécomLicensed as Creative Commons – attribution, no derivatives.tag:theconversation.com,2011:article/896692018-01-05T12:08:43Z2018-01-05T12:08:43ZApple, Android and PC chip problem – why your smartphone and laptop are so at risk<figure><img src="https://images.theconversation.com/files/200933/original/file-20180105-26172-1v8qqry.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">
</span> <span class="attribution"><a class="source" href="https://www.shutterstock.com/image-illustration/illustration-computer-processor-bright-blue-on-513588976?src=DM3a9z-b8bs5l_-416KnBA-1-4">Shutterstock</a></span></figcaption></figure><p>Less than a week into 2018 and we may have already seen the year’s biggest technology story. <a href="https://security.googleblog.com/2018/01/todays-cpu-vulnerability-what-you-need.html">Researchers have</a> identified <a href="https://spectreattack.com/">a security flaw</a> in the computer processors made by three of the world’s biggest chip designers, Intel, AMD and ARM, and a second flaw in Intel chips. This means that almost every smartphone, tablet, laptop and business computer in the world could be vulnerable to having sensitive data including passwords stolen. The cloud servers that store websites and other internet data are also at risk.</p>
<p>This is one of the biggest cyber security vulnerabilities we’re ever seen in terms of the potential impact to personal, business and infrastructure computer systems. What’s more, because the flaw is located in such a fundamental part of the computer, there’s no way to know whether or not a machine has been targeted and what data might have been accessed. </p>
<p>Both the main flaw (<a href="https://spectreattack.com/spectre.pdf">Spectre</a>), and the Intel-only flaw (<a href="https://meltdownattack.com/meltdown.pdf">Meltdown</a>) have been created by a design technique intended to enhance the chips’ performance known as “speculative execution”. The problem means hackers can access parts of the computer’s memory that should be inaccessible. Sensitive data including passwords, email, documents and photos could all be at risk.</p>
<p>Most cyber attacks involve finding a flaw in a computer’s software that allows hackers to access the machine’s memory or operating system. For example, in 2017 an attack <a href="https://theconversation.com/heres-how-the-ransomware-attack-was-stopped-and-why-it-could-soon-start-again-77745">known as “WannaCry”</a> exploited a flaw in older versions of Windows. It affected around 300,000 computers in 150 countries and had a devastating effect on businesses and organisations including the UK’s National Health Service (NHS).</p>
<p>But the Spectre and Meltdown flaws could let hackers cut through all the layers of software to violate the very heart of a computer, the processor chip that powers its fundamental workings. Because similar designs are used by all the major chip makers, almost every computer in the world could be affected, from Apple iPhones and Android devices, to MacBooks, large desktop PCs and internet servers.</p>
<p>The process is also so fundamental that it doesn’t create any log of its operations, meaning there is no record of whether a particular chip has been hacked or not. This makes it harder to spot cyber attacks at an early stage in order to prevent them happening again, or to investigate what data might have been accessed or stolen.</p>
<p>Luckily, tech companies have already begun releasing software patches that they say will <a href="http://www.bbc.co.uk/news/technology-42561169">solve the problems</a> without a significant impact on performance. But <a href="https://www.newscientist.com/article/2157704-your-computer-may-run-30-per-cent-slower-due-to-intel-chip-bug/">some have claimed</a> any fix could dramatically slow down computer processing speed. We will have to wait to see the long-term impact.</p>
<h2>Responsible disclosure</h2>
<p>The story also raises an important issue about the responsible disclosure of such security flaws. <a href="http://uk.businessinsider.com/intel-ceo-krzanich-sold-shares-after-company-was-informed-of-chip-flaw-2018-1?r=US&IR=T">Reports suggest</a> the industry has known of the problem for months but only limited details have been disclosed so far. You could argue that consumers have the right to know about such flaws as soon as they are discovered so they can try to protect their data. Of course, the problem is this could end up fuelling cyber attacks by also making hackers aware of the flaw.</p>
<p>In the past, this debate has forced tech companies to use the law to prevent researchers disclosing security problems. For example,
scientists from the University of Birmingham faced a <a href="https://www.theguardian.com/technology/2013/jul/26/scientist-banned-revealing-codes-cars">legal injunction</a> from car manufacturer Volkswagen stopping them publishing details of flaws in car keyless entry systems. </p>
<p>The preferred route is “responsible disclosure”. When researchers discover a problem, they tell a small number of relevant people who can then work on a solution. The manufacturer can then reveal the problem to the public once the solution is ready, minimising the potential for hacking and damage to the company’s share price.</p>
<p>In this case, a researcher at Google who found the flaws seems to have alerted Intel in June 2017, and the two companies had been planning on announcing a fix. But details of the flaw were then published by technology website <a href="https://www.theregister.co.uk/2018/01/02/intel_cpu_design_flaw/">The Register</a>, forcing the firms to reveal what they knew earlier than planned, and hitting <a href="https://www.reuters.com/article/us-cyberintel-stocks/intel-shares-fall-as-investors-worry-about-costs-of-chip-flaw-idUSKBN1ET1NH">Intel’s share price</a>. While this kind of revelation arguably undermines responsible disclosure, the counter argument is that it forces manufacturers to <a href="http://science.sciencemag.org/content/314/5799/610.full">fix the problem faster</a>.</p><img src="https://counter.theconversation.com/content/89669/count.gif" alt="The Conversation" width="1" height="1" />
<p class="fine-print"><em><span>Siraj Ahmed Shaikh receives funding from EPSRC. </span></em></p>Chips from the biggest chipmakers – Intel, AMD and ARM – all contain serious security flaws.Siraj Ahmed Shaikh, Professor of Systems Security, Coventry UniversityLicensed as Creative Commons – attribution, no derivatives.tag:theconversation.com,2011:article/862952017-10-25T22:48:27Z2017-10-25T22:48:27ZRansomware like Bad Rabbit is big business<p>October is <a href="https://www.getcybersafe.gc.ca/index-en.aspx">Cybersecurity Awareness month</a>, which is being observed in the <a href="https://www.fbi.gov/news/stories/national-cyber-security-awareness-month-2017">United States</a>, <a href="https://cybersecuritymonth.eu/about-ecsm/whats-ecsm">Europe</a>, and elsewhere around the world. Ironically, it began with updates about a large-scale hack, and is ending with a large-scale ransomware outbreak.</p>
<p>Internet firm Yahoo kicked things off on Oct. 3 when it admitted that hackers in 2013 had accessed information about <a href="http://www.cbc.ca/news/technology/yahoo-breach-three-billion-1.4322100">all three billion of its user accounts</a>, not “just” the one billion first reported.</p>
<p>Ransomware “<a href="https://www.theguardian.com/technology/2017/oct/25/bad-rabbit-game-of-thrones-ransomware-europe-notpetya-bitcoin-decryption-key">Bad Rabbit</a>” is providing the finale with attacks that began Oct. 24. So far, the outbreak is mostly affecting business computers in Russia.</p>
<p>Both stories are fitting, in a way. The FBI considers computer break-ins and data ransoming the <a href="https://www.fbi.gov/investigate/cyber">top two cyber threats</a> we face. But while the former is old-fashioned e-crime, ransomware is much trendier. Much like <a href="https://theconversation.com/tailoring-the-customer-experience-boosts-online-sales-84941">online retailing</a>, <a href="https://theconversation.com/online-shopping-retailers-seek-visibility-in-face-of-google-control-80129">online advertising</a>, and <a href="https://theconversation.com/by-concealing-identities-cryptocurrencies-fuel-cybercrime-82282">online currencies</a>, ransomware is soaring.</p>
<h2>Your money or your data</h2>
<p>Traditional criminal hackers obtain their ill-gotten gains by stealing valuable data such as credit card numbers or passwords. They then look for customers, such as other criminals, to buy that data.</p>
<p>In contrast, ransomware hackers instead sell data back to the owners. If ransomware infects your computer, it encrypts your files to render them inaccessible until you pay a ransom. This simplifies cybercrime by replacing theft with extortion.</p>
<p>For example, in summer 2016, ransomware locked down the University of Calgary email system. <a href="http://www.cbc.ca/news/canada/calgary/university-calgary-ransomware-cyberattack-1.3620979">The university paid $20,000</a> to unlock it.</p>
<p>Today, that looks cheap. In July, a <a href="https://www.itworldcanada.com/article/canadian-firm-pays-425000-to-recover-from-ransomware-attack/394844">Canadian company reportedly paid $425,000</a> to regain its data. The month before, South Korean firm <a href="http://www.foxnews.com/tech/2017/06/21/ransomware-attack-costs-south-korean-company-1m-largest-payment-ever.html">Nayana paid $1 million</a>, the highest ransom publicly admitted so far.</p>
<h2>Growing scale and sophistication</h2>
<p>Much like legitimate firms, some ransomware charges lower “prices” but targets larger volumes. Bad Rabbit demands only a few hundred dollars to decrypt each computer. But it is affecting machines across Russia.</p>
<p>Similarly, the <a href="https://theconversation.com/how-wannacry-caused-global-panic-but-failed-to-turn-much-of-a-profit-77740">Wannacry ransomware attack</a> in May affected computers in about 100 countries. It forced many <a href="http://www.cbc.ca/news/canada/ottawa/cgi-cybersecurity-wannacry-ransomware-small-business-at-risk-1.4116429">British hospitals</a> to cancel surgeries.</p>
<p>An <a href="https://www-03.ibm.com/press/us/en/pressrelease/51230.wss">IBM survey</a> found that almost half of businesses suffered ransomware attacks in 2016. Some 70 per cent of those paid a ransom to regain their data.</p>
<p>The survey also indicates small businesses are particularly vulnerable. They often lack the computer expertise to defend themselves. Only 30 per cent provided cybersecurity training to employees, compared to 58 per cent within larger companies.</p>
<p>Ransomware’s sophistication is growing too. Ransomware “worms” like <a href="http://www.securityweek.com/zcryptor-ransomware-spreads-removable-drives">ZCryptor</a> spread themselves across networks, rather than riding on infected emails.</p>
<p>Some ransomware specialists are selling their services to organized crime. This crime-as-a-service business model allows criminals to outsource their technology needs. User-friendly <a href="https://www.pcworld.com/article/3190852/security/at-175-this-ransomware-service-is-a-boon-to-cybercriminals.html">ransomware “kits” can be purchased for $175</a>.</p>
<figure class="align-center ">
<img alt="" src="https://images.theconversation.com/files/191908/original/file-20171025-25533-1q52a0e.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/191908/original/file-20171025-25533-1q52a0e.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=368&fit=crop&dpr=1 600w, https://images.theconversation.com/files/191908/original/file-20171025-25533-1q52a0e.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=368&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/191908/original/file-20171025-25533-1q52a0e.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=368&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/191908/original/file-20171025-25533-1q52a0e.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=462&fit=crop&dpr=1 754w, https://images.theconversation.com/files/191908/original/file-20171025-25533-1q52a0e.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=462&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/191908/original/file-20171025-25533-1q52a0e.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=462&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px">
<figcaption>
<span class="caption">A specialist works at the U.S. National Cybersecurity and Communications Integration Center (NCCIC) in Arlington, Va. in Sept. 2014.</span>
<span class="attribution"><a class="source" href="http://www.cpimages.com/fotoweb/cpimages_details.pop.fwx?position=22&archiveType=ImageFolder&sorting=ModifiedTimeAsc&search=cybersecurity&fileId=7ED4E565C8CEED276553137C3F07278F0211563F5E7047DF3AAB663AE59BB0CF1642B0B80D34257E6710EC2568FB7698B59B4D70A14C35A5085499F7776FCE74F2B7765E8750034730859FC82D50AED936F94C876BDCF9BEC438833511658A5442F841C1FF39A6F82A1B1FF576DC98DFDEBAE60A57D8B1868787E68E4DB65177C56CA13FE83A463BAFB139FF949304109FA1D488C8D1A475">(AP Photo/Manuel Balce Ceneta)</a></span>
</figcaption>
</figure>
<h2>Future possibilities</h2>
<p>What might come next? Imagine state-sponsored hackers using ransomware. Host countries might give — or even sell — permission for local hackers to attack rival countries’ computers.</p>
<p>These cyber-<a href="https://www.britannica.com/topic/privateer">privateers</a> could plunder commerce abroad, without the host country’s direct involvement or accountability. Think of regional rivals like North and South Korea, or major powers like the U.S., Russia and China.</p>
<p>Sound far-fetched? Russian security services have already been accused of <a href="https://www.ft.com/content/21be48ec-0a48-11e7-97d1-5e720a26771b">working with organized crime</a> on cyberattacks. The Russian government denies any involvement. But its president, Vladimir Putin, did suggest independent “<a href="http://www.cnn.com/2017/06/01/politics/russia-putin-hackers-election/index.html">patriotic hackers</a>” may have tampered with the U.S. election process.</p>
<p>How about virtual protection rackets? Instead of one-time payments for decryption, users might be “convinced” to pay ongoing fees for the “service” of avoiding encryption.</p>
<p>Or instead of hiding virtual data, ransomware could shut down physical objects. The <a href="https://www.wired.com/2013/05/internet-of-things-2/">Internet of Things</a> is exposing new targets. Control systems for factories, utilities and our homes are increasingly online.</p>
<p>What if ransomware turned them off? Businesses begrudgingly pay thousands to recover emails. Imagine what they’d pay to restart assembly lines.</p>
<h2>Precautions to take</h2>
<p>To defend themselves, computer users need to do the basics. Run antivirus programs to detect threats. Think before clicking on unexpected email attachments. Keep application software and operating systems updated. (Surely you’re not <a href="https://www.wired.com/2017/05/still-use-windows-xp-prepare-worst/">still running Windows XP</a>?)</p>
<p>Users should also back-up files regularly. If ransomware strikes, backups allow ransom-free recovery. But keep them on removable drives to prevent their infection.</p>
<p>Infected users can also try decrypting files with tools from sites like <a href="https://www.nomoreransom.org/en/index.html">NoMoreRansom.org</a>. But these might work only on simple cases.</p>
<h2>Corporate and government action</h2>
<p>Software makers should do more to facilitate safe computing practices. For example, it’s great that Windows now has self-updating antivirus protection. Unfortunately, it’s still awkward to back-up data onto removable drives.</p>
<p>Business insurers could also play a role. They might require corporate computers to be updated and backed-up to qualify for coverage.</p>
<p>Co-operation among independent agencies is needed to fight ransomware’s breadth. Canada’s <a href="http://www.cbc.ca/news/canada/cse-what-do-we-know-about-canada-s-eavesdropping-agency-1.1400396">Communications Security Establishment</a> set a good example two weeks ago when it made its <a href="http://www.cbc.ca/news/technology/cse-canada-cyber-spy-malware-assemblyline-open-source-1.4361728">Assemblyline malware analysis software</a> publicly available to tech professionals.</p>
<p>In contrast, the U.S. National Security Agency sets a bad example: It <a href="https://theconversation.com/should-spies-use-secret-software-vulnerabilities-77770">had known about a weakness in Windows</a> for years, but didn’t tell Microsoft until early 2017.</p>
<p>Law enforcement likewise needs to cooperate across jurisdictions. September’s <a href="https://www.interpol.int/News-and-media/Events/2017/5th-Europol-INTERPOL-Cybercrime-Conference/5th-Europol-INTERPOL-Cybercrime-Conference">Interpol-Europol Cybercrime Conference</a> was a good step in this direction.</p>
<p>As foreign hackers increasingly “tax” domestic businesses, ransomware becomes a national security issue. Governments may need to negotiate agreements like those covering <a href="http://www.un.org/depts/los/piracy/piracy.htm">seaborne piracy</a>.</p>
<p>Finally, firms might consider keeping key systems disconnected from the internet, as some military computers have always been. Just because anything can be online, it doesn’t mean everything should be.</p><img src="https://counter.theconversation.com/content/86295/count.gif" alt="The Conversation" width="1" height="1" />
<p class="fine-print"><em><span>The authors do not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and have disclosed no relevant affiliations beyond their academic appointment.</span></em></p>Like legitimate e-commerce, ransomware e-crime is increasing in scale, value and sophistication.Michael J. Armstrong, Associate professor of operations research, Brock UniversityTeju Herath, Associate Professor of Information Systems, Brock UniversityLicensed as Creative Commons – attribution, no derivatives.tag:theconversation.com,2011:article/814332017-08-02T01:21:06Z2017-08-02T01:21:06ZInside the fight against malware attacks<figure><img src="https://images.theconversation.com/files/179694/original/file-20170725-30125-reje0u.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">Taking a much closer look at what's going on inside malware.</span> <span class="attribution"><a class="source" href="https://www.shutterstock.com/image-vector/magnifying-glass-look-through-germ-bacteria-302763653">MuchMania/Shutterstock.com</a></span></figcaption></figure><p>When malicious software attacks, computer scientists and security researchers want to know how the attackers got into what was supposed to be a secure system, and what they’re actually doing that’s causing problems for users. It’s a growing problem, affecting <a href="https://www.wired.com/2014/11/countdown-to-zero-day-stuxnet/">government projects</a>, <a href="https://www.wired.com/2014/01/target-malware-identified/">retail</a> <a href="https://corporate.target.com/press/releases/2013/12/target-confirms-unauthorized-access-to-payment-car">stores</a> and <a href="https://www.washingtonpost.com/world/national-security/the-nsa-has-linked-the-wannacry-computer-worm-to-north-korea/2017/06/14/101395a2-508e-11e7-be25-3a519335381c_story.html">individuals around the world</a>. </p>
<p>However, fighting malware is a cyclical arms race: As defenders and analysts improve their methods, attackers step up their game, too. Today, as many as <a href="https://www.lastline.com/labsblog/three-interesting-changes-in-malware-activity-over-the-past-year/">80 percent of malware authors</a> include elements in their attacks that specifically try to <a href="https://www.lastline.com/labsblog/labs-report-at-rsa-evasive-malwares-gone-mainstream/">defeat malware-protection software</a>.</p>
<p>My <a href="https://wiki.uta.edu/display/serc/">research group at the University of Texas at Arlington</a> develops methods and tools <a href="https://www.blackhat.com/presentations/bh-dc-07/Kendall_McMillan/Presentation/bh-dc-07-Kendall_McMillan.pdf">professional malware analysts</a> use to understand these attacks. One of our best-known efforts was led by alumna Shabnam Aboughadareh, who while she was working toward her Ph.D. developed a <a href="https://doi.org/10.1145/2689702.2689703">malware analysis tool</a> that is particularly hard for malware authors to defend against.</p>
<h2>Analyzing malware</h2>
<p>When an attack is discovered or reported, malware analysts work to get a copy of any software that’s being installed on target computers. When they begin examining it, an early topic of inquiry is how the malware managed to break into a computer network or system. That often uncovers <a href="https://krebsonsecurity.com/2017/07/adobe-microsoft-push-critical-security-fixes-11/">security holes</a> in commonly used operating systems or applications – which can then be disclosed to those programs’ authors, who can <a href="https://arstechnica.com/security/2017/05/wcry-is-so-mean-microsoft-issues-patch-for-3-unsupported-windows-versions/">fix the flaws</a>.</p>
<p>In addition, analysts try to figure out <a href="https://www.nytimes.com/2017/07/02/technology/hackers-find-ideal-testing-ground-for-attacks-developing-countries.html">what a piece of malware does</a> once it breaks in – how it travels through a computer and throughout a network, and what actions it takes, such as altering files, copying data, running programs or even installing new software to assist itself in the attack. Those actions can be described in ways that help malware detection tools <a href="https://www.cnet.com/news/microsoft-build-smart-antivirus-using-400-million-computers-artificial-intelligence/">catch future attacks</a> before they can do damage.</p>
<p>In observing a malware attack, we also try to <a href="http://www.cbsnews.com/news/fruitfly-mac-malware-new-details-emerge/">determine which computers and which files have been manipulated</a>, so they can be repaired. We also see what data – such as client lists, product plans or other sensitive business data – might have been <a href="https://krebsonsecurity.com/2017/06/onelogin-breach-exposed-ability-to-decrypt-data/">read and copied by the malware</a>. And we often try to <a href="https://krebsonsecurity.com/2017/07/who-is-the-govrat-author-and-mirai-botmaster-bestbuy/">infer the attackers’ identity</a>, or at least how advanced their skills are, to help prepare defenses against possible follow-up attacks.</p>
<h2>Running malicious code</h2>
<p>Doing any of that requires us to watch the malware in action. It would be nice if we could simply decode the software and dissect its instructions without actually running these malicious programs. But malware authors know we’ll be looking, so <a href="https://arstechnica.com/information-technology/2017/04/the-mystery-of-the-malware-that-wasnt/">they take steps to make our jobs harder</a>, such as compressing or encrypting their malware programs before setting them loose.</p>
<p>So our best option is to run the malware on our own computers. To prevent our own machines from being taken over or corrupted, though, we have to be careful. Typically we create what’s called a “<a href="http://www.pcworld.com/article/3182816/security/pwn2own-hacking-contest-ends-with-two-virtual-machine-escapes.html">virtual machine</a>” – a program that <a href="https://pubs.vmware.com/vsphere-50/index.jsp?topic=%2Fcom.vmware.vsphere.vm_admin.doc_50%2FGUID-CEFF6D89-8C19-4143-8C26-4B6D6734D2CB.html">simulates a fully functional computer</a> but that does not have direct access to the computer’s files and hardware. Ideally, that would let us observe all the actions the malware tries to take without actually harming our own computers.</p>
<p>So far, however, there has been no single piece of software that can analyze every attack. Some malware programs operate on a very low technological level, <a href="https://www.wired.com/2014/11/darkhotel-malware/">working directly with very specific areas</a> of a computer’s memory and hard drive storage systems, even changing how the computer works – so users can no longer trust the machines to do what is expected of them. Other malicious software works at higher levels, more like normal software that interacts with the operating system rather than the computer’s hardware directly. The most advanced malware <a href="https://arstechnica.com/security/2015/06/stepson-of-stuxnet-stalked-kaspersky-for-months-tapped-iran-nuke-talks/">attacks on both levels</a>.</p>
<p>Most analysis tools focus on one or the other of those types of attacks – but <a href="https://doi.org/10.1145/2689702.2689703">not both</a>. So they can’t catch everything, and – even for the malware they do detect – can’t show every action the malware takes. (Some analysis techniques involve <a href="https://threatpost.com/macos-fruitfly-backdoor-analysis-renders-new-spying-capabilities/126943/">running some anti-malware software in the virtual machine</a>, but those programs are vulnerable to manipulation from the malware itself.)</p>
<h2>Taking a fuller look</h2>
<p>The program Shabnam Aboughadareh created, called SEMU, is the first malware analysis system that addresses all these problems. It operates fully outside the virtual machine, and watches closely what goes on inside it, to detect and log malware actions. That helps SEMU provide a comprehensive log of malware operations, which in turn reduces the manual effort required for a malware analyst to understand what the malware writer’s program was supposed to do.</p>
<p>That comprehensive log – recording events at the lowest levels of the virtual machine’s operating system – is the key to SEMU’s success, because it allows human analysts to track where and how malware manipulates aspects of the operating system. </p>
<p>When we tested SEMU against other malware analysis tools, we found that SEMU was <a href="https://doi.org/10.1145/2689702.2689703">the only publicly available tool that could detect all the activity</a> – things like reading files, changing memory or file data, or sending information out over a network connection – needed to understand how the malware worked. By merging close examination of computer activity with detailed logging, and running in a safe environment where the malware couldn’t tamper with its monitoring, SEMU shows a direction for future analysis methods.</p><img src="https://counter.theconversation.com/content/81433/count.gif" alt="The Conversation" width="1" height="1" />
<p class="fine-print"><em><span>Christoph Csallner is currently a member of the Association for Computing Machinery and an academic editor of PeerJ Computer Science. This material is based upon work supported by the National Science Foundation under Grants No. 1017305 and 1117369. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation.</span></em></p>How do malware analysts examine software that’s designed to wreak havoc with computers? By using tools that watch software’s inner workings very closely.Christoph Csallner, Associate Professor of Computer Science and Engineering, University of Texas at ArlingtonLicensed as Creative Commons – attribution, no derivatives.tag:theconversation.com,2011:article/801042017-06-28T10:46:56Z2017-06-28T10:46:56ZHappy 10th birthday iPhone, the nearest thing to a secure pocket computer<figure><img src="https://images.theconversation.com/files/175839/original/file-20170627-24817-t89mdn.png?ixlib=rb-1.1.0&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">
</span> <span class="attribution"><a class="source" href="https://www.youtube.com/watch?v=0rLYx4iyD8I">adrianisen</a></span></figcaption></figure><p>It’s common for security experts to regard themselves as necessary critics, guardians against malpractice, and raisers of worst-case scenarios. While there is a very present fear of insecurity these days, it’s rare that we celebrate security. But on the tenth anniversary of a revolutionary technology, we’d like to do just that: happy birthday to the iPhone, <a href="http://news.bbc.co.uk/1/hi/technology/7085643.stm">first released in June 2007</a>.</p>
<p>Ten years ago, a computer was something that hurt your foot if you accidentally dropped it. Mobile phones were devices that were chiefly used for making phone calls. Today, the idea that we can’t use these palm-sized pocket computers to command all our digital communications, and also as a camera, games console, torch, and a hundred other things, is quite unthinkable.</p>
<figure class="align-right zoomable">
<a href="https://images.theconversation.com/files/175838/original/file-20170627-24760-lg2mke.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="" src="https://images.theconversation.com/files/175838/original/file-20170627-24760-lg2mke.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=237&fit=clip" srcset="https://images.theconversation.com/files/175838/original/file-20170627-24760-lg2mke.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=600&fit=crop&dpr=1 600w, https://images.theconversation.com/files/175838/original/file-20170627-24760-lg2mke.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=600&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/175838/original/file-20170627-24760-lg2mke.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=600&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/175838/original/file-20170627-24760-lg2mke.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=754&fit=crop&dpr=1 754w, https://images.theconversation.com/files/175838/original/file-20170627-24760-lg2mke.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=754&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/175838/original/file-20170627-24760-lg2mke.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=754&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">What a difference ten years make.</span>
<span class="attribution"><a class="source" href="https://www.flickr.com/photos/x1brett/4742540168">x1brett</a>, <a class="license" href="http://creativecommons.org/licenses/by/4.0/">CC BY</a></span>
</figcaption>
</figure>
<p>There is no such thing as complete security, and the iPhone is not perfect. Like many other technologies, the iPhone’s security relies on a user’s ability to choose and protect a strong password, which is a pragmatic rather than ideal basis for security. Researchers have also uncovered <a href="https://www.usenix.org/conference/usenixsecurity16/technical-sessions/presentation/garman">weaknesses in the protection of messages</a> stored on the iPhone. Nonetheless, in an era when the rush to market has resulted in far too many insecure technologies, the iPhone stands out as an exemplar for how it’s possible to do things right.</p>
<h2>A benevolent dictatorship</h2>
<p>The internet, in case you hadn’t noticed yet, can be a dangerous place. Apple has often been <a href="https://theconversation.com/ten-years-on-the-iphone-has-taken-us-back-as-many-steps-as-it-has-taken-us-forward-70988?sr=5">criticised for its restrictions</a> on what programs its users can and cannot load onto an iPhone. Users are required to download apps from the well-marshalled Apple App Store, which provides a secure gated compound within which software has been scrutinised by Apple before being made available for download.</p>
<p>While this may be seen as nannying, in a world of <a href="https://theconversation.com/nhs-ransomware-cyber-attack-was-preventable-77674?sr=2">ruthless ransomware</a> and untold other malicious programs that can ruin both our computers, our bank accounts, and even our lives – what’s wrong with a benign governess? The Android app store by comparison allows users to install any software of their choice, not all of which has been closely inspected for vulnerabilities or malicious intent.</p>
<h2>Getting cryptography right</h2>
<p>The iPhone makes extensive use of state-of-the-art cryptography to protect data on the device. Cryptography provides mathematical tools to ensure secret data is kept secret, ensuring data is not maliciously altered or deleted, and identifies the source of data. Cryptography is easy to get wrong when used in a computer, but the iPhone mostly gets cryptography right. Everything from photos, messages, email and app data is protected using strong cryptography. The iPhone also supports innovative applications of cryptography, such as the contactless payment system ApplePay.</p>
<p>Cryptography relies on cryptographic keys, which are secret components critical to providing secure services, and security. Many of the spectacular past failures of security technology, for example the infamous <a href="https://threatpost.com/final-report-diginotar-hack-shows-total-compromise-ca-servers-103112/77170/">Diginotar hack</a>, have resulted from careless management of keys. There is no point, after all, in using the best lock to lock your front door, only to leave the key under the doormat. The iPhone has a secure hardware vault known as the Secure Enclave within which its critical keys are safely stored. In fact the keys are so safe that they are inaccessible even to Apple or any other companies involved in manufacturing iPhones.</p>
<h2>Standing up for privacy</h2>
<p>Which brings us to the matter of Apple’s <a href="https://theconversation.com/fbi-backs-off-from-its-day-in-court-with-apple-this-time-but-there-will-be-others-56932?sr=1">skirmish with the FBI</a>. Apple has been at the forefront of a much wider and more fundamental debate about security and privacy on the internet. </p>
<p>In one corner stand national security agencies and law enforcement. They have been <a href="https://theconversation.com/investigatory-powers-bill-will-remove-isps-right-to-protect-your-privacy-50178?sr=2">demanding the means to access data</a> secured on mobile phones, including <a href="https://theconversation.com/how-whatsapp-encryption-works-and-why-there-shouldnt-be-a-backdoor-75266?sr=6">encrypted messaging services like WhatsApp</a> and emails, in order to defend the realm. In the other corner stand proponents of digital freedom. They argue that building “backdoors” into strong encryption even for legitimate use by investigators would <a href="https://theconversation.com/the-genie-is-out-of-the-bottle-its-foolish-to-think-encryption-can-now-be-banned-52395?sr=5">become a potential weakness for cybercriminals to exploit</a>. </p>
<p>Apple has <a href="https://theconversation.com/why-apple-is-making-a-stand-against-the-fbi-54925?sr=3">not shied away from taking a strong stance</a> in favour of privacy. Apple does not know the keys on your iPhone, or the PIN needed to unlock it, by design. That protects you from Apple, just as much as it prevents Apple handing them over to law enforcement. The iPhone was designed to be secure, so why make it insecure just because bad guys sometimes use them?</p>
<p>Apple’s security design decisions haven’t always made them popular, especially among its community of developers or with government agencies. But, unlike many of its competitors, the iPhone is a personal device which is just as secure for children and grandparents to use as it is for the few these days who really understand how the technology works. That’s something to celebrate, not bemoan. So, many happy returns to the iPhone, perhaps the closest we’ve come to having a secure computer in our pocket.</p><img src="https://counter.theconversation.com/content/80104/count.gif" alt="The Conversation" width="1" height="1" />
<p class="fine-print"><em><span>Keith Martin receives funding from the EPSRC and the European Commission. </span></em></p><p class="fine-print"><em><span>Kenny Paterson receives funding from EPSRC and the European Commission. He is co-chair of the Crypto Forum Research Group of the Internet Research Task Force. He serves as an advisor to Huawei Technologies, SkyHigh Networks and CYBERCRYPT ApS.</span></em></p>Apple’s design decisions don’t please everyone, but in the iPhone the company created something truly revolutionary that has lasted.Keith Martin, Professor, Information Security Group, Royal Holloway University of LondonKenny Paterson, Professor of Information Security, Royal Holloway University of LondonLicensed as Creative Commons – attribution, no derivatives.tag:theconversation.com,2011:article/655022016-09-20T11:25:10Z2016-09-20T11:25:10ZDoes the UK need or even want a ‘Great British Firewall’?<figure><img src="https://images.theconversation.com/files/138099/original/image-20160916-17008-19mncnn.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">Is a Great British Firewall what UK plc perhaps needs? Or is it asking for trouble?</span> <span class="attribution"><span class="source">Andrea Danti/shutterstock.com</span></span></figcaption></figure><p>You’ve probably heard of the Great Firewall of China, the virtual fortification that allows the Chinese government to monitor and restrict internet traffic to and from the world’s most populous nation. Well, the cyber-security chief of the UK Government Communication Headquarters (GCHQ) has <a href="http://www.itpro.co.uk/security/27236/national-cyber-security-centre-to-fight-hackers-with-dns-filtering">suggested early plans</a> for what sounds rather like a “Great British Firewall”. Privacy groups immediately sounded the alarm that it might pose a risk to freedom of speech, and offer the potential for Britain’s secret services to get up to no good. So what exactly is GCHQ proposing and should we be worried?</p>
<p>Firewalls are standard tools for computer defence. They are essentially filters which can control what traffic enters and leaves a network. You are probably protected by a firewall right now, at your workplace or at home, that runs either on your computer’s operating system or on the hardware that provides your connection to the internet. </p>
<p>A firewall can be configured to reject certain types of traffic deemed undesirable or potentially harmful. This might be a connection request from an untrustworthy source, such as a web address known to harbour hackers or spammers, for example. Or it could block a file that looks like it might contain a computer virus or other malware. While deflecting this sort of undesirable traffic the firewall allows standard traffic such as web browsing and email to pass through.</p>
<p>Who decides what gets in and what doesn’t? This is normally the job of whoever manages the network, be that an IT professional working at a company, or you (or your ISP) at home. The policy this manager applies determines what is accepted and what is rejected, so anyone relying on the firewall to be effective needs to trust that this policy is acting in their best interest.</p>
<p>What GCHQ seems to be proposing is a large-scale, nationwide firewall behind which any UK organisation could sit. The intention appears to be that organisations that are central to Britain’s national security would be required to operate behind this firewall, while other organisations big and small could opt-in.</p>
<p>There are too few details at the moment, but this seems like a classic case of who watches the watchman?. If GCHQ is to be the guard that chooses what is deemed “good” or “bad”, then the debate about the merits of a Great British Firewall is really a debate about whether there is trust in GCHQ.</p>
<h2>Wearing two hats</h2>
<figure class="align-right zoomable">
<a href="https://images.theconversation.com/files/138101/original/image-20160916-17018-24rtq.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="" src="https://images.theconversation.com/files/138101/original/image-20160916-17018-24rtq.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=237&fit=clip" srcset="https://images.theconversation.com/files/138101/original/image-20160916-17018-24rtq.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=752&fit=crop&dpr=1 600w, https://images.theconversation.com/files/138101/original/image-20160916-17018-24rtq.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=752&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/138101/original/image-20160916-17018-24rtq.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=752&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/138101/original/image-20160916-17018-24rtq.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=945&fit=crop&dpr=1 754w, https://images.theconversation.com/files/138101/original/image-20160916-17018-24rtq.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=945&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/138101/original/image-20160916-17018-24rtq.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=945&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">Who’s listening?</span>
<span class="attribution"><span class="source">Stephen Clarke/shutterstock.com</span></span>
</figcaption>
</figure>
<p>GCHQ has two roles that don’t always sit particularly comfortably together. Most fundamentally it leads Britain’s <a href="https://www.gchq.gov.uk/features/story-signals-intelligence-1914-2014">signals intelligence</a>, which means essentially that GCHQ eavesdrops on communications for the UK government and the armed forces. Few would argue with the value of spying on enemies during wartime. What has proved much more controversial is GCHQ’s capabilities and activities revealed by former National Security Agency contractor Edward Snowden, including the <a href="https://theconversation.com/two-years-on-from-snowden-uk-gets-green-light-to-continue-accessing-bulk-data-43138">bulk collection of communication data</a> relating to everyone’s online activities. GCHQ has been accused of conducting mass surveillance, and there is no doubt that these revelations have damaged the reputation of it and the security services among some in the UK and worldwide.</p>
<p>However, GCHQ’s other important role is as a source of cyber-security expertise. It helped develop the <a href="https://www.gov.uk/government/publications/the-uk-cyber-security-strategy-2011-2016-annual-report">National Cyber Security Strategy</a> and has been working hard to implement it alongside the UK government, industry and academia. In October 2016, the <a href="https://www.gov.uk/government/news/new-national-cyber-security-centre-set-to-bring-uk-expertise-together">National Cyber Security Centre will open</a> and will oversee many of these activities. GCHQ employs many cyber-security specialists and is supporting the training of even more. Put simply, there is a lot of cyber-security expertise in GCHQ.</p>
<p>So if there is to be a Great British Firewall, GCHQ seems like the logical organisation to provide it. Private companies will be given the opportunity to choose whether to trust GCHQ as their firewall guard. So long as they are genuinely free to make this decision for themselves, and their customers are aware of this relationship, then this might well be workable. Achieving security in cyberspace inevitably requires placing faith in some organisations – why not trust one that knows a great deal about cyber-security?</p>
<p>Of course there is a precedent: the use of the Great Firewall of China by the Chinese government to censor internet content is infamous. Through constant tight monitoring of internet traffic the government blocks access to websites, filters or blocks searches for keywords, and monitors the population’s interactions in cyberspace. There is no doubt that the Great Firewall of China stifles freedom of speech and is used in an authoritarian, anti-democratic fashion. Other nations are also known to interfere with the global Domain Name System (DNS) that links domain names (such as theconversation.com) to the actual internet addresses used by the web servers for those sites. Filtering out DNS requests for certain domains and dropping them essentially prevents those domains from being accessed – certainly not in the spirit of the global open internet that many desire.</p>
<p>Is GCHQ proposing something equivalent? I suspect not, as the UK has a very different view of human rights and internet governance than in China. But there is a fine line between having the power to censor the internet, and choosing to implement that power. Returning to GCHQ’s two functions, while I suspect the security function of GCHQ has good intentions, the intelligence function of GCHQ does not have an unblemished record in this area. Something to think about before choosing to hide behind the Great British Firewall.</p><img src="https://counter.theconversation.com/content/65502/count.gif" alt="The Conversation" width="1" height="1" />
<p class="fine-print"><em><span>Keith Martin receives funding from the EPSRC and the European Commission.</span></em></p>Having a nationwide firewall means trusting the same people who spy on communications.Keith Martin, Professor, Information Security Group, Royal Holloway University of LondonLicensed as Creative Commons – attribution, no derivatives.tag:theconversation.com,2011:article/632412016-07-29T16:58:37Z2016-07-29T16:58:37ZHow vulnerable to hacking is the US election cyber infrastructure?<p>Following the hack of Democratic National Committee emails and reports of a new <a href="http://www.computerworld.com/article/3102024/security/fbi-probing-possible-hack-of-another-democratic-party-organization.html">cyberattack against the Democratic Congressional Campaign Committee</a>, worries abound that foreign nations may be clandestinely involved in the 2016 American presidential campaign. <a href="http://abcnews.go.com/Politics/wireStory/clues-dnc-hacking-point-russia-trump-claims-40965742">Allegations swirl that Russia</a>, under the direction of President Vladimir Putin, is secretly working to undermine the U.S. Democratic Party. The apparent logic is that a Donald Trump presidency would result in more pro-Russian policies. At the moment, the <a href="http://www.bloomberg.com/politics/articles/2016-07-25/fbi-investigating-dnc-cyber-hack-some-democrats-blame-on-russia">FBI is investigating</a>, but no U.S. government agency has yet made a formal accusation.</p>
<p>The Republican nominee added unprecedented fuel to the fire by <a href="http://www.nytimes.com/2016/07/28/us/politics/donald-trump-russia-clinton-emails.html">encouraging Russia to “find”</a> and release Hillary Clinton’s missing emails from her time as secretary of state. Trump’s comments drew sharp rebuke from the media and politicians on all sides. Some suggested that by soliciting a foreign power to intervene in domestic politics, his musings bordered on criminality or treason. Trump backtracked, saying his <a href="http://www.cnn.com/2016/07/28/politics/donald-trump-russia-hacking-sarcastic/">comments were “sarcastic,”</a> implying they’re not to be taken seriously.</p>
<p>Of course, the desire to interfere with another country’s internal political processes is nothing new. Global powers routinely monitor their adversaries and, when deemed necessary, will try to clandestinely undermine or influence foreign domestic politics to their own benefit. For example, the Soviet Union’s foreign intelligence service engaged in so-called “<a href="http://fas.org/irp/world/russia/kgb/su0523.htm">active measures</a>” designed to influence Western opinion. Among other efforts, it spread conspiracy theories about government officials and fabricated documents intended to exploit the social tensions of the 1960s. Similarly, U.S. intelligence services have conducted their own secret activities against foreign political systems – perhaps most notably its repeated attempts to <a href="https://www.washingtonpost.com/news/worldviews/wp/2014/12/11/the-history-of-absurd-american-plots-in-cuba/">help overthrow</a> pro-communist Fidel Castro in Cuba.</p>
<p>Although the Cold War is over, intelligence services around the world continue to monitor other countries’ domestic political situations. Today’s “<a href="http://www.rand.org/content/dam/rand/pubs/monographs/2009/RAND_MG654.pdf">influence operations</a>” are generally subtle and strategic. Intelligence services clandestinely try to sway the “hearts and minds” of the target country’s population toward a certain political outcome.</p>
<p>What has changed, however, is the ability of individuals, governments, militaries and criminal or terrorist organizations to use internet-based tools – commonly called <a href="https://theconversation.com/america-is-dropping-cyberbombs-but-how-do-they-work-58476">cyberweapons</a> – not only to gather information but also to generate influence within a target group.</p>
<p>So what are some of the technical vulnerabilities faced by nations during political elections, and what’s really at stake when foreign powers meddle in domestic political processes? </p>
<h2>Vulnerabilities at the electronic ballot box</h2>
<p>The process of democratic voting requires a strong sense of trust – in the equipment, the process and the people involved.</p>
<p>One of the most obvious, direct ways to affect a country’s election is to interfere with the way citizens actually cast votes. As the United States (<a href="https://www.ndi.org/e-voting-guide/electronic-voting-and-counting-around-the-world">and other nations</a>) embrace electronic voting, it must take steps to ensure the security – and more importantly, the trustworthiness – of the systems. Not doing so can endanger a nation’s domestic democratic will and create general political discord – a situation that can be exploited by an adversary for its own purposes.</p>
<p>As early as 1975, the U.S. government <a href="http://votingmachines.procon.org/sourcefiles/saltman1975.pdf">examined the idea of computerized voting</a>, but electronic voting systems were not used <a href="http://votingmachines.procon.org/view.source.php?sourceID=001042">until Georgia’s 2002 state elections</a>. Other states have adopted the technology since then, although given ongoing fiscal constraints, those with aging or problematic electronic voting machines are <a href="http://thehill.com/policy/cybersecurity/222470-states-ditch-electronic-voting-machines">returning to more traditional</a> (and cheaper) paper-based ones.</p>
<p>New technology always comes with some glitches – even when it’s not being attacked. For example, during the 2004 general election, North Carolina’s Unilect e-voting machines <a href="http://www.the-dispatch.com/news/20050730/lawmakers-shouldnt-experiment-with-ballots---remember-carteret-county">“lost” 4,438 votes</a> due to a system error.</p>
<p>But cybersecurity researchers focus on the kinds of problems that could be intentionally caused by bad actors. In 2006, Princeton computer science professor <a href="https://www.cs.princeton.edu/%7Efelten/">Ed Felten</a> demonstrated how to install a self-propagating piece of vote-changing malware <a href="http://citpsite.s3-website-us-east-1.amazonaws.com/oldsite-htdocs/pub/ts06full.pdf">on Diebold e-voting systems</a> in less than a minute. In 2011, technicians at the Argonne National Laboratory showed <a href="http://www.computerworld.com/article/2511508/security0/argonne-researchers--hack--diebold-e-voting-system.html">how to hack e-voting machines remotely</a> and change voting data. </p>
<p>Voting officials recognize that these technologies are vulnerable. Following a 2007 study of her state’s electronic voting systems, Ohio Secretary of State Jennifer L. Brunner <a href="http://abcnews.go.com/Politics/story?id=4008511">announced that</a></p>
<blockquote>
<p>the computer-based voting systems in use in Ohio do not meet computer industry security standards and are susceptible to breaches of security that may jeopardize the integrity of the voting process.</p>
</blockquote>
<p>As the first generation of voting machines ages, even maintenance and updating become an issue. A 2015 report found that electronic voting machines in 43 of 50 U.S. states <a href="http://www.brennancenter.org/sites/default/files/publications/Americas_Voting_Machines_At_Risk.pdf">are at least 10 years old</a> – and that state election officials are unsure where the funding will come from to replace them. </p>
<figure>
<iframe width="440" height="260" src="https://www.youtube.com/embed/80kUed21j9s?wmode=transparent&start=0" frameborder="0" allowfullscreen=""></iframe>
<figcaption><span class="caption">A rigged (and murderous) voting machine on ‘The Simpsons’ satirized the issue in 2008.</span></figcaption>
</figure>
<h2>Securing the machines and their data</h2>
<p>In many cases, electronic voting depends on a distributed network, just like the electrical grid or municipal water system. Its spread-out nature means there are many points of potential vulnerability.</p>
<p>First, to be secure, the hardware “internals” of each voting machine must be made tamper-proof at the point of manufacture. Each individual machine’s software must remain tamper-proof and accountable, as must the vote data stored on it. (Some machines provide voters with a paper receipt of their votes, too.) When problems are discovered, the machines must be removed from service and fixed. Virginia did just this in 2015 once numerous glaring <a href="https://www.theguardian.com/us-news/2015/apr/15/virginia-hacking-voting-machines-security">security vulnerabilities were discovered</a> in its system. </p>
<p>Once votes are collected from individual machines, the compiled results must be transmitted from polling places to higher election offices for official consolidation, tabulation and final statewide reporting. So the network connections between locations must be tamper-proof and prevent interception or modification of the in-transit tallies. Likewise, state-level vote-tabulating systems must have trustworthy software that is both accountable and resistant to unauthorized data modification. Corrupting the integrity of data anywhere during this process, either intentionally or accidentally, can lead to botched election results.</p>
<p>However, technical vulnerabilities with the electoral process extend far beyond the voting machines at the “edge of the network.” Voter registration and administration systems operated by state and national governments are at risk too. Hacks here could affect voter rosters and citizen databases. Failing to secure these systems and records could result in fraudulent information in the voter database that may lead to improper (or illegal) voter registrations and potentially the casting of fraudulent votes.</p>
<p>And of course, underlying all this is human vulnerability: Anyone involved with e-voting technologies or procedures is susceptible to coercion or human error.</p>
<h2>How can we guard the systems?</h2>
<p>The first line of defense in protecting electronic voting technologies and information is common sense. Applying the <a href="http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf">best practices</a> of cybersecurity, data protection, information access and other objectively developed, responsibly implemented procedures makes it more difficult for adversaries to conduct cyber mischief. These are essential and must be practiced regularly.</p>
<p>Sure, it’s unlikely a single voting machine in a specific precinct in a specific polling place would be targeted by an overseas or criminal entity. But the security of each electronic voting machine is essential to ensuring not only free and fair elections but fostering citizen trust in such technologies and processes – think of the chaos around the infamous <a href="http://www.usnews.com/news/articles/2008/01/17/the-legacy-of-hanging-chads">hanging chads</a> during the contested 2000 <a href="https://en.wikipedia.org/wiki/Bush_v._Gore">Florida recount</a>. Along these lines, in 2004, Nevada was the first state to mandate e-voting machines <a href="http://www.nbcnews.com/id/5937115/ns/politics-voting_problems/t/paper-trail-voting-system-used-nevada/">include a voter-verified paper trail</a> to ensure public accountability for each vote cast. </p>
<p>Proactive examination and analysis of electronic voting machines and voter information systems are essential to ensuring free and fair elections and facilitating citizen trust in e-voting. Unfortunately, some <a href="https://www.eff.org/cases/online-policy-group-v-diebold">voting machine manufacturers have invoked</a> the controversial <a href="http://www.copyright.gov/legislation/dmca.pdf">Digital Millennium Copyright Act</a> to prohibit external researchers from assessing the security and trustworthiness of their systems.</p>
<p>However, a 2015 <a href="https://community.rapid7.com/community/infosec/blog/2015/10/28/new-dmca-exemption-is-a-positive-step-for-security-researchers">exception to the act</a> authorizes security research into technologies otherwise protected by copyright laws. This means the security community can legally research, test, reverse-engineer and analyze such systems. Even more importantly, researchers now have the freedom to publish their findings without fear of being sued for copyright infringement. Their work is vital to identifying security vulnerabilities before they can be exploited in real-world elections.</p>
<p>Because of its benefits and conveniences, electronic voting may become the preferred mode for local and national elections. If so, officials must secure these systems and ensure they can provide trustworthy elections that support the democratic process. State-level election agencies must be given the financial resources to invest in up-to-date e-voting systems. They also must guarantee sufficient, proactive, ongoing and effective protections are in place to reduce the threat of not only operational glitches but intentional cyberattacks.</p>
<p>Democracies endure based not on the whims of a single ruler but the shared electoral responsibility of informed citizens who trust their government and its systems. That trust must not be broken by complacency, lack of resources or the intentional actions of a foreign power. As famed investor <a href="http://business.time.com/2010/03/01/warren-buffetts-boring-brilliant-wisdom/">Warren Buffett once noted</a>, “It takes 20 years to build a reputation and five minutes to ruin it.” </p>
<p>In cyberspace, five minutes is an eternity.</p><img src="https://counter.theconversation.com/content/63241/count.gif" alt="The Conversation" width="1" height="1" />
<p class="fine-print"><em><span>Richard Forno has received research funding related to cybersecurity from the National Science Foundation (NSF), the Department of Defense (DOD), and the State of Maryland during his academic career.</span></em></p>With the DNC email leak and Trump calling on Russia to hack Clinton’s emails, concern about foreign meddling in the 2016 presidential election process is rising. Is e-voting the next cyber battleground?Richard Forno, Senior Lecturer, Cybersecurity & Internet Researcher, University of Maryland, Baltimore CountyLicensed as Creative Commons – attribution, no derivatives.tag:theconversation.com,2011:article/569322016-03-30T12:37:20Z2016-03-30T12:37:20ZFBI backs off from its day in court with Apple this time – but there will be others<p>After a <a href="https://theconversation.com/why-apple-is-making-a-stand-against-the-fbi-54925">very public stand-off</a> over an encrypted terrorist’s smartphone, the FBI has <a href="http://www.theguardian.com/technology/2016/mar/21/fbi-apple-court-hearing-postpone-unlock-terrorist-iphone">backed down</a> in its court case against Apple, stating that an “outside party” – rumoured to be <a href="https://www.rt.com/usa/336948-fbi-israel-crack-iphone/">an Israeli mobile forensics company</a> – has found a way of accessing the data on the phone.</p>
<p>The exact method is not known. Forensics experts <a href="http://www.zdziarski.com/blog/?p=5966">have speculated</a> that it involves tricking the hardware into not recording how many passcode combinations have been tried, which would allow all 10,000 possible four-digit passcodes to be tried within a fairly short time. This technique would apply to the iPhone 5C in question, but not newer models, which have stronger hardware protection through the so-called <a href="https://www.apple.com/business/docs/iOS_Security_Guide.pdf">secure enclave</a>, a chip that performs security-critical operations in hardware. The FBI has denied that the technique involves <a href="https://www.washingtonpost.com/world/national-security/the-fbi-is-testing-a-code-based-way-to-get-into-the-san-bernardino-iphone/2016/03/24/bc79cd14-f1dc-11e5-a61f-e9c95c06edca_story.html">copying storage chips</a>.</p>
<p>So while the details of the technique <a href="http://www.theguardian.com/technology/2016/mar/22/apple-fbi-san-bernardino-iphone-method-for-cracking">remain classified</a>, it’s reasonable to assume that <a href="https://theintercept.com/2016/03/08/snowden-fbi-claim-that-only-apple-can-unlock-phone-is-bullshit/">any security technology can be broken</a> given sufficient resources. In fact, the technology industry’s dirty secret is that most products are frighteningly insecure.</p>
<p>Even when security technologies are carefully designed and reviewed by experts, mistakes happen. For example, researchers recently found a way of <a href="http://blog.cryptographyengineering.com/2016/03/attack-of-week-apple-imessage.html">breaking the encryption of Apple’s iMessage service</a>, one of the most prominent examples of end-to-end encryption (which ensures that even the service provider cannot read the messages travelling via its network).</p>
<p>Most products have a much worse security record, as they are not designed by security experts, and often contain flaws that are easily found by attackers. For example, <a href="http://boingboing.net/2016/01/19/griefer-hacks-baby-monitor-te.html">internet-connected baby monitors</a> that could be hacked and allow strangers to <a href="http://sfglobe.com/2016/01/06/stranger-hacks-familys-baby-monitor-and-talks-to-child-at-night/">talk to their child</a> at night. Insecure cars that <a href="https://theconversation.com/auto-industry-must-tackle-its-software-problems-to-stop-hacks-as-cars-go-online-45325">could be controlled via an internet connection</a> while being driven. Drug infusion pumps at US hospitals that could be hacked by an attacker to <a href="https://www.boxer.senate.gov/?p=release&id=3254">manipulate drug dosage levels</a>.</p>
<p>Even national infrastructure is vulnerable, with software weaknesses exploited to cause serious damage at a <a href="http://www.bbc.co.uk/news/technology-30575104">German steel mill</a>, bring down parts of the <a href="https://theconversation.com/the-cyberattack-on-ukraines-power-grid-is-a-warning-of-whats-to-come-52832">Ukrainian power grid</a>, and <a href="http://news.softpedia.com/news/hackers-modify-water-treatment-parameters-by-accident-502043.shtml">alter the mix of chemicals added to drinking water</a>. While our lives depend more and more on “smart” devices, they are frequently designed in incredibly stupid ways.</p>
<h2>Insecure by design</h2>
<p>The conflict between Apple and the FBI was particularly jarring to security experts, seen as an attempt to deliberately make technology less secure and win legal precedent to gain access to other devices in the future. Smartphones are becoming increasingly ubiquitous, and we know from the Snowden files that the NSA can <a href="http://www.theguardian.com/world/2014/feb/01/edward-snowden-intelligence-leak-nsa-contractor-extract">turn on a phone’s microphone</a> remotely without the owner’s knowledge. We are heading towards a state in which every inhabited space contains a microphone (and a camera) that is connected to the internet and which might be recording anything you say. This is not even a paranoid exaggeration.</p>
<p>So, in a world in which we are constantly struggling to make things more secure, the FBI’s desire to create a backdoor to provide it access is like pouring gasoline on the fire. </p>
<p>The problem with security weaknesses is that it is impossible to control who can use them. Responsible researchers report them to the vendor so that they can be fixed, and sometimes receive a <a href="http://www.tripwire.com/state-of-security/vulnerability-management/11-essential-bug-bounty-programs-of-2015/">bug bounty</a> in return. But those who want to make more money may <a href="http://www.wired.com/2015/11/heres-a-spy-firms-price-list-for-secret-hacker-techniques/">secretly sell the knowledge to the highest bidder</a>. Customers of this <a href="https://theconversation.com/trusting-hackers-with-your-security-youd-better-be-able-to-sort-the-whitehats-from-the-blackhats-44477">dark trade in vulnerabilities</a> often include <a href="https://citizenlab.org/2015/08/hacking-team-leak-highlights-citizen-lab-research/">governments with repressive human rights records</a>.</p>
<p>If the FBI has found a means of getting data off a locked phone, that means the intelligence services of other countries have probably independently developed the same technique – or been sold it by someone who has. So if an American citizen has data on their phone that is of intelligence interest to another country that data is at risk if the phone is lost or stolen.</p>
<p>Most people will never be of intelligence interest of course, so perhaps such fears are overblown. But the push from governments, for example through the pending <a href="https://theconversation.com/us/topics/investigatory-powers-bill">Investigatory Powers Bill</a> in the UK, to allow the security services to hack devices in bulk – even if the devices belong to people who are not suspected of any crime – cannot be ignored.</p>
<p>Bulk hacking powers, taken together with insecure, internet-connected microphones and cameras in every room, are a worrying combination. It is a cliche to conjure up Nineteen Eighty-Four, but the picture it paints is something very much like Orwell’s telescreens.</p>
<figure>
<iframe width="440" height="260" src="https://www.youtube.com/embed/CCfW6HFP5cI?wmode=transparent&start=0" frameborder="0" allowfullscreen=""></iframe>
</figure>
<h2>Used by one, used by all</h2>
<p>To some extent law enforcement has historically benefited from poor computer security, as hacking a poorly secured digital device is easier and cheaper than planting a microphone in someone’s house or rifling their physical belongings. No wonder that the former CIA director <a href="http://www.wired.com/2012/03/petraeus-tv-remote/">loves the Internet of Things</a>.</p>
<p>This convenience often tempts governments to deliberately weaken device security – the FBI’s case against Apple is just one example. In the UK, the proposed Investigatory Powers Bill allows the secretary of state to issue “<a href="http://www.theguardian.com/technology/2015/nov/09/tech-firms-snoopers-charter-end-strong-encryption-britain-ip-bill">technical capability notices</a>”, which are secret government orders to demand manufacturers make a device or service deliberately less secure than it could be. GCHQ’s new MIKEY-SAKKE standard for encrypted phone calls is also <a href="https://www.benthamsgaze.org/2016/01/19/insecure-by-design-protocols-for-encrypted-phone-calls/">deliberately weakened</a> to allow easier surveillance.</p>
<p>But a security flaw that can be used by one can be used by all, whether legitimate police investigations or hostile foreign intelligence services or organised crime. The fears of <a href="https://cyber.law.harvard.edu/pubrelease/dont-panic/Dont_Panic_Making_Progress_on_Going_Dark_Debate.pdf">criminals and terrorists “going dark” are overblown</a>, but the risk to life from insecure infrastructure is real: fixing these weaknesses should be our priority, not striving to make devices less secure for the sake of law enforcement.</p><img src="https://counter.theconversation.com/content/56932/count.gif" alt="The Conversation" width="1" height="1" />
<p class="fine-print"><em><span>Martin Kleppmann is supported by a research grant from Boeing. He is a member of the Open Rights Group and Liberty.</span></em></p>Insecurity by design, as the FBI or UK government would have it, is pouring petrol on an already raging fire.Martin Kleppmann, Research associate, University of CambridgeLicensed as Creative Commons – attribution, no derivatives.tag:theconversation.com,2011:article/547622016-02-19T09:53:58Z2016-02-19T09:53:58ZComputer viruses deserve a museum: they’re an art form of their own<figure><img src="https://images.theconversation.com/files/111944/original/image-20160218-1248-1hy9vi5.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">Do not adjust your set</span> <span class="attribution"><a class="source" href="https://archive.org/details/malware_CRASH.COM">Museum of Malware</a></span></figcaption></figure><p>Computer viruses now have their own museum. The recently opened online <a href="https://archive.org/details/malwaremuseum&tab=collection">Malware Museum</a> exhibits samples of early viruses that often include amusing graphics or popular culture references. But the significance of viruses goes beyond funny curiosities from the 1980s and 1990s.</p>
<p>The practice of creating viruses became an important subculture and part of new sorts of cultural activities, practices and interests. We too often think that all malware is by necessity just vandalism or criminal activity. The actual skills of coding them – even with simple scripts – may be just a hobby for some but an art form for others. And viruses themselves are cultural objects that tell the story of contemporary security.</p>
<p>Exhibits in the Malware Museum, which is based on the personal collection of the prominent Finnish viruses researcher <a href="https://mikko.hypponen.com">Mikko Hyppönen</a>, demonstrate how viruses in the 1980s and 1990s crystallised both cultural stories and fears. One program that displayed the word’s “<a href="https://www.f-secure.com/v-descs/frodo.shtml">Frodo lives</a>” on an infected computer’s screen referred directly to the character from Tolkein’s The Lord of The Rings. But it was also a nod to a phrase made popular <a href="http://www.nybooks.com/articles/1972/12/14/does-frodo-live/">during the hippie era</a>, reflecting the <a href="http://www.press.uchicago.edu/Misc/Chicago/817415.html">influence of 1960s counterculture</a> on the nascent tech scene.</p>
<figure class="align-center ">
<img alt="" src="https://images.theconversation.com/files/111945/original/image-20160218-1243-yh8awb.gif?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/111945/original/image-20160218-1243-yh8awb.gif?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=375&fit=crop&dpr=1 600w, https://images.theconversation.com/files/111945/original/image-20160218-1243-yh8awb.gif?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=375&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/111945/original/image-20160218-1243-yh8awb.gif?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=375&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/111945/original/image-20160218-1243-yh8awb.gif?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=471&fit=crop&dpr=1 754w, https://images.theconversation.com/files/111945/original/image-20160218-1243-yh8awb.gif?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=471&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/111945/original/image-20160218-1243-yh8awb.gif?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=471&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px">
<figcaption>
<span class="caption">Download this if you want to live.</span>
<span class="attribution"><a class="source" href="https://archive.org/details/malware_SKYNET.COM">Malware Museum</a></span>
</figcaption>
</figure>
<p>The name of the <a href="https://www.youtube.com/watch?v=0QA7JKNAg2I">“Skynet” virus</a>, meanwhile, is a reference to the Terminator films. But it also gives a perhaps tongue-in-cheek reminder of the <a href="http://www.pcmag.com/slideshow/story/263366/five-real-computer-systems-that-could-become-skynet">possibility of artificial intelligence</a> one day surpassing and subjugating or destroying humanity. In this way, computer viruses almost provide their own version of speculative science fiction. They have even been discussed in research on the possibility of creating artificial life.</p>
<p>The way computer viruses were portrayed in the 1980s and 1990s also reflected contemporary concerns about HIV and AIDS. The fear of computer viruses spreading through digital contagion was similar to a fear of touch in many discussions of the era. In the late 1980s, <a href="https://books.google.com.tr/books?id=yhe0w_j1iiQC&pg=PA142&lpg=PA142&dq=%E2%80%98It+might+do+to+computers+what+AIDS+has+done+to+sex,%E2%80%99&source=bl&ots=EpAfDUVzNK&sig=QYQ9ajSXOwhhx5HfLd-1suMPpQ4&hl=tr&sa=X&ved=0ahUKEwiN0-PRtvLKAhUGXCwKHRVuCPsQ6AEIIDAA#v=onepage&q&f=false">some warned</a> that “[viruses] might do to computers what AIDS has done to sex”, and computers had to have their own prophylactics and guidance for safe use.</p>
<figure class="align-center ">
<img alt="" src="https://images.theconversation.com/files/111484/original/image-20160215-22547-1enjnxs.gif?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/111484/original/image-20160215-22547-1enjnxs.gif?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=375&fit=crop&dpr=1 600w, https://images.theconversation.com/files/111484/original/image-20160215-22547-1enjnxs.gif?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=375&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/111484/original/image-20160215-22547-1enjnxs.gif?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=375&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/111484/original/image-20160215-22547-1enjnxs.gif?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=471&fit=crop&dpr=1 754w, https://images.theconversation.com/files/111484/original/image-20160215-22547-1enjnxs.gif?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=471&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/111484/original/image-20160215-22547-1enjnxs.gif?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=471&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px">
<figcaption>
<span class="caption">Hippie hippie shake.</span>
<span class="attribution"><a class="source" href="https://archive.org/details/malware_LSD.COM">Malware Museum</a></span>
</figcaption>
</figure>
<h2>Into the mainstream</h2>
<p>The cultural significance of malware and its potential for creativity has also infected the more mainstream art world over the last couple of decades. Artists such as <a href="http://www.eyewithwings.net/nechvatal/">Joseph Nechvatal</a> incorporated viral code into new forms of digital painting to <a href="http://kayjohns.blogspot.co.uk/2011/08/interview-with-joseph-nechvatal.html">infect and break down</a> the images produced. Associated avant-garde art techniques of randomness and variation became part of digital visual culture.</p>
<p>The custom-programmed <a href="http://0100101110101101.org/biennale-py/">Biennale.py virus</a> was released on disc by the Slovenian Pavilion of the 2001 Venice Biennale. This was not a work of malice but an investigation into how contagion works as part of computer culture and the art world. As well as appearing in viral digital format, the source code was sold on printed t-shirts and CD-ROMs, demonstrating how the commercial art world can turn even potentially malicious software into a saleable commodity. In doing so, the little piece of code also became a socially <a href="http://www.metamute.org/editorial/articles/contagious-art-virus-biennale">contagious object in the art market</a>.</p>
<p>Many net and software art projects dealing with viruses have attempted to debate digital security, and in many cases asked how malware is related to issues of privacy and control. Hacker-artist Luca Lampo, for example, <a href="http://four.fibreculturejournal.org/fcj-019-digital-monsters-binary-aliens-%E2%80%93-computer-viruses-capitalism-and-the-flow-of-information/">has suggested that the fear of computer viruses</a> and other “monsters” of digital culture was part of a longer history of projected (Western) fears, replacing previous monsters such as Soviet Russia.</p>
<p>Today we have seen a shift from malware being written predominantly by individuals and hobbyists to its development by organised criminals and state agencies, who are less interested in seeing their creations as art or cultural objects. The most famous piece of malware of recent years is probably the Stuxnet worm, which was discovered in 2010 and targeted Iranian nuclear infrastructure and <a href="http://spectrum.ieee.org/telecom/security/the-real-story-of-stuxnet">was supposedly</a> programmed with American-Israeli support.</p>
<figure>
<iframe src="https://player.vimeo.com/video/106282943" width="500" height="281" frameborder="0" webkitallowfullscreen="" mozallowfullscreen="" allowfullscreen=""></iframe>
</figure>
<p>This kind of <a href="https://www.ted.com/talks/mikko_hypponen_how_the_nsa_betrayed_the_world_s_trust_time_to_act">state-sponsored malware</a> compromises security <a href="http://www.bbc.co.uk/news/technology-25087627">on a wider scale</a> than individual pieces of viral code. As such, information leaks, insecure websites and state surveillance have become a bigger social concern than annoying home-made viruses, particularly discussed <a href="https://theconversation.com/the-internet-after-snowden-what-now-20775">after the revelation</a> by Edward Snowden that governments capture and process bulk internet and other data from their citizens.</p>
<p>Artworks such as Holly Herndon’s Home song and music video directed by <a href="http://metahaven.net/">Metahaven</a> describe how our personal relationship with digital culture has been compromised by this kind of surveillance and hacking. Modern cyber warfare has made us vulnerable to a multitude of technical attacks, including the ones designed by our own governments. The malware museums of the future will have to include the extensive measures taken by state intelligence agencies in the name of cyberdefense, with civilian casualties included. The problem is much of that data is likely to be secret, stored in the <a href="http://www.wired.com/2012/03/ff_nsadatacenter/">data centres and server farms</a> of government agencies.</p><img src="https://counter.theconversation.com/content/54762/count.gif" alt="The Conversation" width="1" height="1" />
<p class="fine-print"><em><span>Jussi Parikka received funding from the Finnish Cultural Foundation for the original research (Digital Contagions: A Media Archaeology of Computer Viruses)</span></em></p>From Frodo to Skynet – the new Malware Museum shows how viruses reflect our culture and our fears.Jussi Parikka, Professor in Technological Culture & Aesthetics, University of SouthamptonLicensed as Creative Commons – attribution, no derivatives.tag:theconversation.com,2011:article/530382016-01-13T01:53:57Z2016-01-13T01:53:57ZGovernments undermining encryption will do more harm than good<figure><img src="https://images.theconversation.com/files/107963/original/image-20160113-8441-1o5alr5.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">Western governments are threatening to undermine the encryption that keeps our online communications private.</span> <span class="attribution"><span class="source">Shutterstock</span></span></figcaption></figure><p>Western governments, notably the UK and the US, are pushing the software industry to open “backdoors” into our encrypted communications. </p>
<p>The argument touted by government agencies for nearly 20 years is that terrorists use strong encryption to hide their communications, therefore we should ban strong encryption.</p>
<p>British Prime Minister David Cameron has been outspoken in his desire for a <a href="http://www.wired.co.uk/news/archive/2015-07/15/cameron-ban-encryption-u-turn">such a ban</a>. </p>
<p>And last week, US President Barack Obama’s Chief of Staff and a team of national security officials flew to Silicon Valley to meet with top technology companies Twitter, Microsoft, YouTube, Facebook, LinkedIn, Apple and Dropbox. It’s likely <a href="http://www.theguardian.com/technology/2016/jan/07/white-house-social-media-terrorism-meeting-facebook-apple-youtube-">they discussed</a> collaboration between the Silicon Valley and the US intelligence and law enforcement on backdooring encryption.</p>
<p>Next week, Prime Minister Malcolm Turnbull will be <a href="https://www.pm.gov.au/media/2016-01-09/prime-minister-visit-united-states">meet the US president in Washington DC</a> and encryption may also be on their security agenda. </p>
<p>Australia is already a member of the “<a href="https://en.wikipedia.org/wiki/Five_Eyes">5-Eyes</a>” alliance, and a <a href="https://www.privacyinternational.org/node/658">user</a> of the <a href="https://theconversation.com/nine-reasons-you-should-care-about-nsas-prism-surveillance-15075">PRISM regime</a> to spy on citizens, which was revealed by Edward Snowdon. It is also a signatory to the <a href="https://theconversation.com/au/topics/trans-pacific-partnership">Trans Pacific Partnership</a>. It seems likely Australia will try to follow the US and UK lead.</p>
<p>In response to this push to undermine encryption, an open letter to governments, called “<a href="https://securetheinternet.org/">Secure The Internet</a>”, was published this week. It is signed by more than 170 companies, organisations and individuals from around the world, including leading data security researchers.</p>
<p>The letter calls for all governments to reject backdooring or the weakening of encryption products.</p>
<h2>Keys to the door</h2>
<p>Encryption is used by most of us every day, typically with no conscious effort. If you log into your email or bank site with an address starting “https://”, then you are using encryption.</p>
<p>It seems likely governments around the world are trying to either <a href="http://www.zdnet.com/article/australia-may-do-dumb-things-with-crypto-in-2016-eff/">woo or cajole the tech industry</a> and security researchers to “break” the software they build by installing backdoors or other holes for the government to access our communications effortlessly.</p>
<p>The problem with installing backdoors is that bad actors – organised crime, fraudsters, hostile foreign governments and the like – may also focus their attention on these security holes. Any universal “passkey” built into such a system would be immensely valuable, and worth spending enormous resources to capture, thus making those who had them significant targets for espionage.</p>
<p>The push to emasculate the strong encryption we use every day is akin to the government telling every citizen we can’t lock our front door, or maybe we can only use a weak little latch. It’s like requiring everyone to send our passwords to a central government office.</p>
<p>The aim should be to improve security on the internet, not to break it. Governments colluding to break internet security introduces the risk of breaking our evolving digital economy as well by undermining trust in businesses and banks. Imagine logging into your online banking at National Australia Bank, ANZ, Westpac, Commonwealth Bank or your insurance company, and not knowing if the encryption was secure.</p>
<p>The argument that terrorists might use encryption so we should ban it is without nuance and probably even effect. Terrorists might also use steak knives to commit crimes, but we don’t make steak knives illegal. Steak knives have other useful purposes in society. And, like strong encryption, these benefits greatly outweigh the very small risks.</p>
<h2>Will it even work?</h2>
<p>The Secure the Internet letter references the <a href="https://www.schneier.com/cryptography/paperfiles/paper-keys-under-doormats.pdf">research paper</a> authored by a who’s who of the world’s top computer security researchers. </p>
<p>The paper highlights the numerous problems with implementing such policies in practice. Many of these researchers were around when the first major push came from government to impose weakened encryption on the masses in the form of <a href="https://en.wikipedia.org/wiki/Clipper_chip">Clipper Chip</a> in 1997. </p>
<p>They concluded “the damage that could be caused by law enforcement exceptional access requirements would be even greater today than it would have been 20 years ago.” Such schemes kill innovation. Indeed the authors query whether Facebook and Twitter would even exist today if the previous scheme had been imposed.</p>
<p>Australian security agencies have significantly expanded their powers over the past few years. The agencies can break into computers remotely, plant software, copy data, <a href="http://mslods.com/2015/02/04/data-retention-whats-at-stake/">access related metadata</a>, install keyloggers to track a target’s every keystroke. </p>
<p>These agencies’ methods require some targeting, although some do not even require the oversight of judge. They already can force anyone to <a href="http://www.austlii.edu.au/au/legis/cth/consol_act/ca191482/s3la.html">reveal a harddrive’s encryption passphrase</a> or face a prison term for failing to do so.</p>
<p>Agencies have also had a huge budget increase, with an extra <a href="http://www.budget.gov.au/2015-16/content/highlights/nationalsecurity.html">A$1.2 billion</a> added for national security in the 2015 budget. In short, they have a cornucopia of powers and resources to chase terrorists.</p>
<p>At some point, that chase has to be about the mundane gumshoe work of gathering “HUMINT” – intelligence from human contacts – not just about sitting at a desk of computers scanning communications.</p>
<p>Realistically, backdooring strong encryption software, which is what is being floated here, will not stop terrorists. They will simply find and use other channels, including secure software distributed via other countries that do not have such restrictive laws.</p>
<h2>Making us more or less secure?</h2>
<p>The desire to break the computer security of an entire population also hints at the more insidious aim of governments trawling all of our private communications. With <a href="https://theconversation.com/au/topics/edward-snowden">Edward Snowden’s</a> revelations about exactly this, it is important to view this recent push to destroy the innocent citizen’s right to use encryption securely through this lens.</p>
<p>The contradiction of this push is that governments are trying to force our communications to be less secure while claiming to make us more secure.</p>
<p>If we want to retain our freedoms, we will also need to take some responsibility by changing our own mindsets. We as citizens need to accept that there is some risk in an uncertain world. We cannot expect law enforcement nor intelligence agencies to provide 100% guarantees; it is both unrealistic and unreasonable. </p>
<p>The urge to “do something” after terrible attacks like those in Paris, should be spent fixing the underlying causes of terrorism, not creating legislative overreach designed to grab tomorrow’s headline.</p>
<p>Keeping the keys to our own house requires a balanced approach in all things.</p><img src="https://counter.theconversation.com/content/53038/count.gif" alt="The Conversation" width="1" height="1" />
<p class="fine-print"><em><span>Suelette Dreyfus is affiliated with Blueprint for Free Speech, a not-for-profit international NGO which supports freedom of expression, protection of individual privacy and institutional transparency. She is a signatory to the 'Secure the Internet' open letter.</span></em></p>An open letter signed by security experts from around the world is calling on governments to protect encryption rather than undermine it in a quixotic attempt to tackle terrorism.Suelette Dreyfus, Lecturer, Department of Computing and Information Systems, The University of MelbourneLicensed as Creative Commons – attribution, no derivatives.tag:theconversation.com,2011:article/422292015-05-22T17:13:37Z2015-05-22T17:13:37ZLogjam isn’t the only reason your computer might be more vulnerable to internet threats<figure><img src="https://images.theconversation.com/files/82728/original/image-20150522-32551-by8t5e.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">Cyber warning</span> <span class="attribution"><span class="source">Shutterstock</span></span></figcaption></figure><p>There’s a hole in the protection surrounding some of the internet’s supposedly secure websites. A <a href="https://weakdh.org/imperfect-forward-secrecy.pdf">group of researchers</a> has discovered that cyber criminals and other hackers can attack websites that use the “https” security encryption using a method known as “Logjam”. This attack, which is thought to work on around 8% of the top one million websites, allows hackers to see important information that should be protected, such as payment details or private communication.</p>
<p><a href="http://searchsecurity.techtarget.com/definition/encryption">Encryption is</a> a way of turning information into a secret code in order to stop others from eavesdropping on your internet conversations. Every time you see a padlock or then letters “https” in the address bar of your web browser, everything being sent between your computer and the remote web server where the website you are viewing is stored is encrypted and should be secret. The discovery of the Logjam attack, which is possible because of a flaw in the security software, means this may not always be the case. </p>
<p>Logjam works by attacking a part of the security process called the “<a href="http://searchsecurity.techtarget.com/definition/Diffie-Hellman-key-exchange">Diffie-Hellman key exchange</a>”. This is a way of creating and securely sending the key that unlocks the encryption and allows you to read the information. This key is formed using two very large, complex and random <a href="https://primes.utm.edu/lists/small/1000.txt">prime numbers</a> (numbers that can only be divided by themselves or the number one), which cannot easily be predicted. The larger the key, the stronger the encryption.</p>
<p>Older keys are saved with 1024 bits of computer memory, meaning each one has 2<sup>1024</sup> possible combinations. But computers are now powerful enough to work out what the right combination is. The Logjam attack involves capturing the key data and then using computational power to crack its code. As a result, security experts are advising web sites that still use these keys to move to much longer versions that are harder to predict.</p>
<p>Hackers can also use something called a <a href="http://netsecurity.about.com/od/hackertools/a/Rainbow-Tables.htm">rainbow table</a> to look up pre-cracked codes and use their computer to match the key against them. The more power a computer has, the faster it can work through the database of pre-cracked codes. There are still multiple combinations to check, but the work has in part already been done for them.</p>
<figure class="align-center ">
<img alt="" src="https://images.theconversation.com/files/82726/original/image-20150522-32555-fxeb5i.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/82726/original/image-20150522-32555-fxeb5i.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=401&fit=crop&dpr=1 600w, https://images.theconversation.com/files/82726/original/image-20150522-32555-fxeb5i.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=401&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/82726/original/image-20150522-32555-fxeb5i.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=401&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/82726/original/image-20150522-32555-fxeb5i.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=503&fit=crop&dpr=1 754w, https://images.theconversation.com/files/82726/original/image-20150522-32555-fxeb5i.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=503&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/82726/original/image-20150522-32555-fxeb5i.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=503&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px">
<figcaption>
<span class="caption">Looking for the key.</span>
<span class="attribution"><span class="source">Shutterstock</span></span>
</figcaption>
</figure>
<p>The growing power of computers means many existing security measures are increasingly likely to become obsolete and need replacing. However, it’s not just companies failing to keep up with the latest advances that could leave internet users more vulnerable. Most technology companies are trying to create stronger security for their products because we (their customers) demand it. But there is also a trade-off between national security and personal security they have to be aware of.</p>
<p>Agencies such as the FBI have stated that some methods of encryption are now <a href="http://www.theguardian.com/commentisfree/2015/may/03/fbi-computer-security-strong-break-in">too strong</a>, meaning they want to be able to peek at people’s communications. They want encryption to be strong but not impenetrable. This has become a frustrating dilemma and, as Logjam proves by exploiting weaker Diffe-Hellman keys, there are weaker servers at the lower end that may fall foul of this demand to balance the security expectations of their organisation with the policing demands of governmental bodies.</p>
<p>There is already a flurry of activity across the internet as server administrators are <a href="http://www.bbc.co.uk/news/technology-32814309">attempting to patch</a> the Logjam problem and increase their security level for key exchanges. We’ll just have to hope that they can accomplish this before someone compromises their servers. While only a proportional minority of websites are affected by Logjam, you can also check your <a href="https://weakdh.org/">web browser</a> and see if it needs updating.</p><img src="https://counter.theconversation.com/content/42229/count.gif" alt="The Conversation" width="1" height="1" />
<p class="fine-print"><em><span>Andrew Smith does not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>A new threat to secure online communication could be a symptom of a wider cyber security problem.Andrew Smith, Lecturer in Networking, The Open UniversityLicensed as Creative Commons – attribution, no derivatives.tag:theconversation.com,2011:article/390922015-03-23T06:23:20Z2015-03-23T06:23:20ZWhen your body becomes your password, the end of the login is nigh<figure><img src="https://images.theconversation.com/files/75546/original/image-20150320-14614-4btymy.jpg?ixlib=rb-1.1.0&rect=0%2C126%2C836%2C632&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">Soon you will be the key.</span> <span class="attribution"><span class="source">face scan by Franck Boston/www.shutterstock.com</span></span></figcaption></figure><p>Passwords are a pain. I’ve just had to rummage around for the password required in order to post this article. I seem to have 100 or more different identities on different websites to manage. Whenever I book a flight or buy a concert ticket this often means setting up yet another persona and coming up with a password to authenticate it.</p>
<p>It’s got so bad I’ve resorted to a <a href="http://lifehacker.com/5529133/five-best-password-managers">password manager program</a> to suggest secure, truly random passwords and then keep track of them for me. Of course if I forget the password to that program, or worse still if someone else guesses that password, I’ll be in all sorts of trouble.</p>
<h2>Your phone is the key</h2>
<p>This is a recognised problem, so it’s no surprise firms are looking at ways to make this easier. In the US, Yahoo has announced it plans to move to a password-on-demand system, where a new, one-time password is generated and <a href="http://www.pcworld.com/article/2896782/yahoo-wants-to-kill-the-password-one-text-message-at-a-time.html">texted to your mobile phone</a>, and you can text the password to Yahoo’s servers whenever its services require authentication.</p>
<p>This makes it things easier for the user, whose phone is now a key as well as everything else. But some security experts have been less than impressed. For example, many phones show the text of incoming messages automatically, popping up even when the phone is locked. All that would be required is five minutes alone with your phone and your Yahoo account could be hijacked. And who hasn’t left their phone unattended for even just a short while?</p>
<h2>How about your body?</h2>
<p>All this hassle with usernames and passwords has led many to think biometrics are the answer, in which uniquely identifying elements of our physical body are used as authentication keys.</p>
<figure class="align-right zoomable">
<a href="https://images.theconversation.com/files/75545/original/image-20150320-14614-5y0w8x.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="" src="https://images.theconversation.com/files/75545/original/image-20150320-14614-5y0w8x.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=237&fit=clip" srcset="https://images.theconversation.com/files/75545/original/image-20150320-14614-5y0w8x.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=600&fit=crop&dpr=1 600w, https://images.theconversation.com/files/75545/original/image-20150320-14614-5y0w8x.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=600&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/75545/original/image-20150320-14614-5y0w8x.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=600&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/75545/original/image-20150320-14614-5y0w8x.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=754&fit=crop&dpr=1 754w, https://images.theconversation.com/files/75545/original/image-20150320-14614-5y0w8x.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=754&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/75545/original/image-20150320-14614-5y0w8x.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=754&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">Obviously this still needs to be miniaturised.</span>
<span class="attribution"><span class="source">scanner by aurin/www.shutterstock.com</span></span>
</figcaption>
</figure>
<p>The most common, fingerprints, have been used as a means to authenticate users for some time. <a href="http://ieeexplore.ieee.org/xpls/abs_all.jsp?arnumber=5635763&tag=1">Fingerprint-based controlled access</a> can be made to work reasonably well, although it is not immune to successful attack. When you find that Sherlock Holmes was cracking cases in 1903 which involved <a href="http://bakerstreet.wikia.com/wiki/The_Adventure_of_the_Norwood_Builder">forged fingerprints</a>, you might be forgiven for wondering if we really can provide security on the basis of our fingertips and thumbs. However, modern biometric security goes further to try to provide greater security.</p>
<h2>Goodbye Windows password</h2>
<p>Microsoft is building biometric password support into the forthcoming Windows 10, due to arrive later this year. The <a href="https://blogs.windows.com/bloggingwindows/2015/03/17/making-windows-10-more-personal-and-more-secure-with-windows-hello/">Windows Hello</a> component, essentially a login screen, will be able to use a webcam to examine the user’s face, iris, or a fingerprint scanner to unlock devices and provide Windows logon. Microsoft are also touting a mechanism built into its Passport service that will provide authentication on your behalf to other sites once you have successfully logged on to your computer and it has recognised you.</p>
<p>Halifax, the bank, has gone one step further for its online banking services. It is <a href="http://www.theguardian.com/technology/2015/mar/13/halifax-trials-heartbeat-id-technology-for-online-banking">currently testing a smart wristband</a> called <a href="http://techcrunch.com/2013/09/03/nymi/">Nymi</a> which reads the wearer’s heartbeat – another biometric measure that provides a rhythmic pattern that can be used as a unique identifier. Heartbeat biometrics are touted as harder to fake or fool than other biometrics, although when I consider what happens to my heartbeat when I check my bank balance I’d imagine it will need considerable testing.</p>
<h2>Give me convenience or give me death</h2>
<p>All this is a step toward the Holy Grail of authentication: security with convenience. Microsoft’s moves in this direction are as part of the <a href="http://fidoalliance.org/about">FIDO Alliance</a> which aims to improve the way we approach security for devices and online services in the future, improving security and reducing the burden on users, which has a tendency to lead towards corner-cutting, weak or re-used passwords, and security compromises.</p>
<p>The good news for us password jugglers is that there is now a greater imperative behind building higher levels of security into systems from the outset, rather than trying to add it on afterwards, and that new and better ways of doing this are being expored. Modern devices, the <a href="http://www.dell.com/us/p/dell-venue-8-7840-tablet/pd">latest Dell tablet</a> for example, have 3D cameras which can generate images that contain depth information as well as a visible picture. The wider introduction of these sorts of components and their successors will offer a way to provide a whole new way of authentication, to the point that in the not too distant future our <a href="http://news.bbc.co.uk/1/hi/uk_politics/3541444.stm">smile really will be our passport</a>.</p><img src="https://counter.theconversation.com/content/39092/count.gif" alt="The Conversation" width="1" height="1" />
<p class="fine-print"><em><span>Rob Miles is affiliated with Microsoft as a Microsoft Most Valuable Professional. </span></em></p>The days of the username and password combo may be numbered as biometric security grows more sophisticated.Rob Miles, Lecturer in Computer Science, University of HullLicensed as Creative Commons – attribution, no derivatives.tag:theconversation.com,2011:article/377152015-03-05T19:27:34Z2015-03-05T19:27:34ZHackers’ kit bag: the tools that terrorise the internet<figure><img src="https://images.theconversation.com/files/73557/original/image-20150303-15981-39nh7e.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">These days anyone can download the tools used for cyber crime.</span> <span class="attribution"><a class="source" href="https://www.flickr.com/photos/mrcacahuate/5825972240/in/photolist-9SPCzf-bFZqyB-7z7QTr-pVcw6r-uop9t-dipTch-bt5yG3-4XbwhY-RBbbj-RBaPJ-5fV2aB-nurBWm-2he9dV-aSoKyH-bF6kV9-o6ukzJ-dipToE-av6N1N-58caSN-bkA1Lm-bWU33u-chqjK5-imUhy-dsfA1f-e6vNa7-dhqrKt-9rJJBk-dQw8Hq-4FEK5Y-bkA1WE-4GUsTW-bkA1UQ-byuUnB-byuUFD-j6baQm-eemWai-oiNCtj-bvb41q-5j4syQ-byuUAr-bkA1PW-byuUrp-fi31ew-9vsQaz-oiNuFg-73TcSY-4E78g1-qfkL9C-76rZMS-76rWGu">Ivan David Gomez Arce/Flickr</a>, <a class="license" href="http://creativecommons.org/licenses/by-sa/4.0/">CC BY-SA</a></span></figcaption></figure><p><a href="https://theconversation.com/explainer-what-is-hacking-13039">Hacking</a> is a state of mind. Traditionally, hackers like to discover, understand and share the secrets they expose. They like to laugh at the dumb things they find. They’re not necessarily in it for the money, more so for the glory of mastering the arcane technicalities of computing. Hackers form a community where the most “<a href="http://www.urbandictionary.com/define.php?term=l33t">l33t</a>” (pron. “leet”, short for “elite”) hackers gain the most respect.</p>
<p>But these days any “noob” (short for “newbie”) can download software tools from the internet that take the hard work out of hacking. These tools are often written by malicious hackers, professional security testers or enthusiasts to increase productivity. For example, it’s hard work typing in three million <a href="https://theconversation.com/the-end-of-the-internet-ipv4-versus-ipv6-145">IP addresses</a>. Much easier to write a program that does it for you. </p>
<p>Add some features, such as automatic <a href="http://www.pcmag.com/encyclopedia/term/49515/port-scanning">port scanning</a>, <a href="http://www.firewalls.com/blog/banner_grab_ethical_hack/">banner grabbing</a> and <a href="http://news.hitb.org/content/footprinting-basics-hacking">footprinting</a>, and share it with fellow hackers and your “cred” (credibility) goes up. If it’s a really good tool, then you can sell the rights to a commercial cyber security company and retire (or work as a consultant). It’s a career path.</p>
<p>Here are some of the easiest and most potent tools being used by hackers, l33t and noob for both good and ill. </p>
<h2>NMAP</h2>
<p>Port scanning is a process of finding all of the computers on a network, and finding out all about them. It is a precursor to a malicious hacker (or a <a href="http://www.forbes.com/sites/ericbasu/2013/10/13/what-is-a-penetration-test-and-why-would-i-need-one-for-my-company/">penetration tester</a>) launching an attack. It’s like a lion finding the slowest gazelle in the herd. Find all of the gazelles, test their weaknesses, pick the slowest.</p>
<p><a href="http://insecure.org/fyodor/">Fydor</a> wrote the <a href="http://www.pcmag.com/encyclopedia/term/48010/nmap">NMAP</a> port scanner in 1997 and has been adding functionality ever since. NMAP finds responding computers (by scanning IP addresses), finds services running on them (by scanning ports) and identifies operating systems. </p>
<p>It runs from the <a href="http://www.computerhope.com/jargon/c/commandi.htm">command line</a>. Something as simple as “nmap 192.168.1.0/24” will scan your local network and find your router, PC, game console and phone (if they are connected) and tell you all about them. </p>
<p>There is a <a href="http://www.computerhope.com/jargon/g/gui.htm">GUI</a> version called Zenmap if you don’t like typing. It also has visualisation tools which display the network.</p>
<p>NMAP is an essential tool for network maintenance, and I use it all the time when setting up computers, to diagnose networking problems and to find out just what my <a href="https://technet.microsoft.com/en-us/library/dd145320%28v=ws.10%29.aspx">DHCP</a> server has been doing. </p>
<h2>SQLMap</h2>
<p>Daniele Bellucci and Bernardo Damele A. G. wrote <a href="http://resources.infosecinstitute.com/sql-injection/">SQLMap</a> in 2006, using the <a href="https://www.python.org/about/gettingstarted/">Python programming language</a>. This tool takes all of the hard work out of <a href="http://www.acunetix.com/websitesecurity/sql-injection/">SQL injection attacks</a>. </p>
<p><a href="http://www.sqlcourse.com/intro.html">SQL</a> injection normally requires considerable knowledge of how web sites and programs like <a href="http://www.mysql.com/">MySQL</a> store and retrieve information from databases. SQLMap systematically scans for errors while injecting portions of SQL scripts into the target web site. </p>
<p>It collates the results and by brute force (trial and error) and finds the names of the databases, tables, fields in the tables and even the passwords stored in the database. </p>
<p>The user has to run the program from a command line (by running a Python script) and has to progressively enter longer, and more specific, commands to get the entire contents of the database, but there are handy YouTube videos which <a href="https://www.youtube.com/watch?v=HnVQcCdgYWA">illustrate the process</a>.</p>
<p>SQLMap really lowered the bar for random hacker groups, hacktivists, cyberpunks and <a href="https://theconversation.com/lulzsec-anonymous-freedom-fighters-or-the-new-face-of-evil-2605">LulzSec</a>. It has arguably facilitated massive disclosures of private information, including names, addresses, credit card numbers and medical records. Everybody with a website should run this on their own web applications before they go live on the internet. </p>
<h2>PUNKSpider</h2>
<p>A small group of hackers started <a href="http://www.hyperiongray.com/">Hyperion Gray</a> in 2013, demonstrating PunkSPIDER, a web application (a web site) vulnerability search tool and scanner, which allows the user to check for common vulnerabilities without having to conduct noisy and potentially illegal port-scans on a target. </p>
<p>PunkSPIDER does not attack or exploit web sites, but it does make it easy for web site owners to test their sites for many of the most obvious vulnerabilities. Unlike port-scanners, scans are launched from the punkSPIDER servers, so it’s less likely to get you into trouble. </p>
<h2>Wikto</h2>
<p>This tool <em>will</em> get you into trouble. Wikto is an enhanced Windows version of <a href="http://en.wikipedia.org/wiki/Nikto_Web_Scanner">Nikto</a> –- a web application (a web site) vulnerability scanner which blasts <a href="http://www.webopedia.com/TERM/H/HTTP.html">HTTP</a> requests at a target web site relentlessly. </p>
<p>It is a brute-force tool that tries to access admin pages, configuration scripts, misconfigured password files (281,000 of them) just in case they are present. After that it tests for 3,000 known web site vulnerabilities, followed by 1,500 <a href="https://code.google.com/p/googlehacks/">GoogleHacks</a>, which lists web site vulnerabilities identifiable by Google search strings. </p>
<p>This tool will produce so much traffic and log entries –- at the victim’s server, your ISP and the NSA -– that everybody will know what you are up to. Wikto is a great tool for automatically checking for vulnerabilities on a complex web site, particularly if you don’t know it’s history and you need to maintain it.</p>
<h2>LOIC</h2>
<p>No discussion of entry-level <a href="http://www.urbandictionary.com/define.php?term=script+kiddie">script-kiddie</a> tools would be complete without the <a href="http://en.wikipedia.org/wiki/Low_Orbit_Ion_Cannon">Low Orbit Ion Cannon</a>, a “stress testing” (<a href="http://www.webopedia.com/TERM/D/DoS_attack.html">denial of service</a>, or DOS) tool. </p>
<p>Many versions exist, written in <a href="http://www.webopedia.com/TERM/C/C_sharp.html">C#</a>, <a href="http://www.webopedia.com/TERM/J/Java.html">Java</a>, <a href="http://www.webopedia.com/TERM/J/JavaScript.html">Javascript</a>, and all should be identified by your anti-virus software as malware. </p>
<p>LOIC blasts a web site with traffic, overwhelming it and making it unavailable to legitimate users (hence the “denial of service”). Some versions allow thousands of users to simultaneously attack a single target, where the target is chosen by just one of them. Just type in the <a href="http://www.webopedia.com/TERM/D/domain_name.html">domain name</a> or IP address, and click on “IMMA CHARGIN MA LAZER”). </p>
<p>LOIC and its variants (LOWC, HOIC) have been used by hacktivist members of <a href="https://theconversation.com/au/topics/anonymous">Anonymous</a> and <a href="http://www.pocket-lint.com/news/131070-what-is-4chan-the-underbelly-of-the-internet-explained">4Chan</a> to attack (or as they might say, “exercise civil disobedience” against) businesses and governments in response to unpopular decisions, policies, laws or actions. Like any DOS tool, LOIC can have legitimate uses. Stress testing tools allow a web site developer to verify that their site can handle real-world traffic.</p>
<h2>Don’t try this at home</h2>
<p>A word of warning: these tools (with the possible exception of PUNKSpider) should not be used on the internet.</p>
<p>There are criminal laws about using these improperly. They should not be used to scan/profile/attack (“test”) web sites or networks that you do not own or have no legal authority to “test”. </p>
<p>However, they are great fun to play with and great for testing your own locally-hosted or pretend web sites. Just turn off your internet connection (your router, cable modem or WiFi) before unleashing them -– to be sure.</p><img src="https://counter.theconversation.com/content/37715/count.gif" alt="The Conversation" width="1" height="1" />
<p class="fine-print"><em><span>James H. Hamlyn-Harris does not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>Hacking is a state of mind. Traditionally, hackers like to discover, understand and share the secrets they expose. They like to laugh at the dumb things they find. They’re not necessarily in it for the…James H. Hamlyn-Harris, Senior Lecturer, Computer Science and Software Engineering, Swinburne University of TechnologyLicensed as Creative Commons – attribution, no derivatives.tag:theconversation.com,2011:article/367162015-01-26T15:55:04Z2015-01-26T15:55:04ZFrom carjacking to carhacking: computerised vehicles are more vulnerable than ever<figure><img src="https://images.theconversation.com/files/70002/original/image-20150126-24515-1vlan4e.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">Who's really driving your car?</span> <span class="attribution"><a class="source" href="https://www.flickr.com/photos/cblue98/7551357496/in/photostream/">Saad Faruque</a>, <a class="license" href="http://creativecommons.org/licenses/by-sa/4.0/">CC BY-SA</a></span></figcaption></figure><p>Theft of vehicles is about as old as the notion of transport – from horse thieves to carjackers. No longer merely putting a brick through a window, vehicle thieves have continually adapted to new technology, as demonstrated by a new method to steal a car without the need to be anywhere near it.</p>
<p>Modern vehicles are built with a range of computerised systems that control and monitor security, fuel, engine management and more. Most new cars are fitted with Bluetooth connectivity and USB sockets, so it was only a matter of time before reports of criminals abusing these systems appeared. The use of so-called <a href="http://www.scmagazineuk.com/researcher-develops-badusb-code-to-compromise-usb-sticks--and-their-computer-hosts/article/363819/">Bad USB</a> memory sticks to hijack systems has been reported, but the most recent issue involves a port fitted in virtually every car on the road today, the 30-year-old <a href="http://www.obdii.com/background.html">On-Board Diagnostic port</a> (OBD-II). So put away that coat hanger – car theft has got a lot more technological.</p>
<h2>Fleet attacks</h2>
<p>At the recent <a href="http://www.digitalbond.com/s4/">S4 security conference</a>, researcher <a href="http://www.digitalbond.com/blog/author/coreythuen/">Corey Thuen</a> shared his concerns regarding a specific OBD-II dongle provided by US insurer Progressive Insurance. Designed to track driving habits, the dongle “phones home” to report back to the company via the mobile phone network, and the driver is awarded a lower premium if his or her driving habits demonstrate no dangerous driving – speeding, hard accelerating or breaking.</p>
<p>Unfortunately the port also provides read and write access to the car’s engine management system. If a remote attacker was able to use a <a href="https://www.owasp.org/index.php/Man-in-the-middle_attack">man-in-the-middle attack</a> – intercepting traffic between the car and the company’s servers while passing themselves off as one or the other – they could compromise the dongle, and so have complete control over the car’s engine. Potentially this attack could compromise not just a single vehicle but potentially fleets of vehicles, depending on what data was exposed from the company’s servers. </p>
<p>The main issue is for manufacturers to design products with security in mind, and provide updates swiftly once security flaws and vulnerabilities such as these are discovered. Some manufacturers are much better at doing so than others. </p>
<p>In this case, the dongle does not attempt to validate or demand signed firmware updates, its boot process is not secure, it doesn’t authenticate the mobile phone connection, nor encrypt the data it sends, nor is it hardened in any way against potential attacks. “Basically it uses no security technologies whatsoever,” Thuen remarked. It’s essentially an open door. </p>
<h2>Malware in disguise</h2>
<p>Other security compromises based on computer systems in cars include using <a href="http://www.popsci.com/cars/article/2011-03/bluetooth-music-and-cell-phones-could-let-hackers-break-your-car-researchers-say">Bluetooth MP3 players</a>, where malware disguised as a music track is loaded into the car’s systems to compromise them, or through applications on <a href="http://www.independent.co.uk/life-style/motoring/features/the-rise-of-car-hacking-incar-technology-has-led-to-thieves-remotely-taking-over-our-vehicles-8825012.html">smart phones</a> that use the Bluetooth connection to access the car’s systems. </p>
<p>On top of the distinctly disturbing idea of your car being hijacked and remotely controlled, there are also privacy concerns about the data the car collects about you. As well as information about driving habits, GPS data can locate you and build a pattern of your comings and goings, posing further risks. </p>
<p>There’s long been a problem here due to closed, proprietary systems to which you the owner and user don’t have access – something Open Rights campaigners such as the journalist <a href="http://craphound.com/">Cory Doctorow</a> have <a href="http://boingboing.net/2014/07/14/teslas-car-as-service-ve.html">noted</a>. </p>
<h2>What can you do?</h2>
<p>Usually security advice includes not clicking on dodgy links, and keeping your antivirus and other software up-to-date. But with a car you are choosing to place your body inside a one-tonne computerised cage travelling at 100 km/h, which may no longer be in your control.</p>
<p>The solution, long understood by security researchers, is that software needs to be open to inspection so that bugs and flaws are easier to find and report, and so the software is fixed and improved more quickly. Closed, proprietary software puts users at unnecessary risk by obscuring potential problems that may not be made public, but could equally have been discovered by criminals who are only to happy to exploit them. Drivers need to understand how the modern car has changed and continues to change, and to lobby the car industry to change their approach.</p><img src="https://counter.theconversation.com/content/36716/count.gif" alt="The Conversation" width="1" height="1" />
<p class="fine-print"><em><span>Blaine Price receives funding from the European Research Council, UK EPSRC and UK Foreign & Commonwealth Office. He is a Member of the Chartered Society of Forensic Sciences and the Open Rights Group.</span></em></p><p class="fine-print"><em><span>Andrew Smith does not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>Theft of vehicles is about as old as the notion of transport – from horse thieves to carjackers. No longer merely putting a brick through a window, vehicle thieves have continually adapted to new technology…Andrew Smith, Lecturer in Networking, The Open UniversityBlaine Price, Senior Lecturer in Computing, The Open UniversityLicensed as Creative Commons – attribution, no derivatives.tag:theconversation.com,2011:article/338462014-11-12T03:31:58Z2014-11-12T03:31:58ZTypewriters, not touchscreens … security the old-fashioned way<figure><img src="https://images.theconversation.com/files/63939/original/dj5pmrzk-1415335552.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">No longer a 'hipster thing' ... even governments are embracing typewriters.</span> <span class="attribution"><a class="source" href="http://www.flickr.com/photos/full-aperture/8306655374">Christian Gonzalez/Flickr</a>, <a class="license" href="http://creativecommons.org/licenses/by/4.0/">CC BY</a></span></figcaption></figure><p>In writing, music, photography and other areas, “outdated” technologies have initially been valued for their retro, nostalgic appeal in the hipster culture. Vinyl is one of the most notable technologies to have achieved a <a href="http://www.theguardian.com/culture/australia-culture-blog/2013/jul/18/vinyl-records-fair-revival">noticeable revival</a>, not only for its retro value but also for its superior quality in sound.</p>
<p>Now people are seeing the security benefits of returning to other so-called anachronistic technologies. Typewriters, for instance, are experiencing a revival in politics. Earlier this year, German politician Patrick Sensburg announced that Germany’s government officials might <a href="http://www.theguardian.com/world/2014/jul/15/germany-typewriters-espionage-nsa-spying-surveillance">start using typewriters</a>, as they are seen as being an “unhackable” technology.</p>
<p>While this move might be viewed as somewhat regressive, it’s actually progressive. Let me explain.</p>
<p>Following last year’s <a href="https://theconversation.com/au/topics/nsa-leaks">NSA leaks</a>, the Russian government is also set to return to typewriters in an effort to avoid hacking. Nikolai Kovalev, the former head of the Federal Security Service, <a href="http://www.theguardian.com/world/2013/jul/11/russia-reverts-paper-nsa-leaks">said in 2013</a>: “From the point of view of keeping secrets, the most primitive method is preferred: a human hand with a pen or a typewriter.” </p>
<figure class="align-right zoomable">
<a href="https://images.theconversation.com/files/63936/original/bvbqtn7z-1415335342.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="" src="https://images.theconversation.com/files/63936/original/bvbqtn7z-1415335342.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=237&fit=clip" srcset="https://images.theconversation.com/files/63936/original/bvbqtn7z-1415335342.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=640&fit=crop&dpr=1 600w, https://images.theconversation.com/files/63936/original/bvbqtn7z-1415335342.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=640&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/63936/original/bvbqtn7z-1415335342.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=640&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/63936/original/bvbqtn7z-1415335342.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=805&fit=crop&dpr=1 754w, https://images.theconversation.com/files/63936/original/bvbqtn7z-1415335342.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=805&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/63936/original/bvbqtn7z-1415335342.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=805&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">Jack Kerouac typed On The Road on a 40m scroll.</span>
<span class="attribution"><span class="source">Wikimedia Commons</span></span>
</figcaption>
</figure>
<p>Initially considered obsolete in the digital age, typewriters are experiencing a slow but noticeable resurgence. </p>
<p>In 2009, the New York Police Department spent nearly <a href="http://www.computerworld.com/article/2523894/it-management/it-change-is-hard--typewriters-still-in-use-at-nypd.html">US$1 million</a> on manual and electric typewriters. This year, The Times in London erected a speaker to produce the <a href="http://www.independent.co.uk/news/media/press/the-times-newsroom-set-to-ring-with-the-sounds-of-typewriters-once-more-9692335.html">sound of typewriters</a> in an effort to boost staff energy levels, which “coincides with a revival of interest in the typewriter”. </p>
<p><a href="http://www.theguardian.com/commentisfree/2013/jul/12/unthinkable-bring-back-typewriters-editorial">The Guardian</a> editorialised last year: </p>
<blockquote>
<p>Type a document and lock it away and more or less the only way anyone else can get it is if you give it to them. This is why the Russians have decided to go back to typewriters in some government offices, and why in the US, some departments have never abandoned them.</p>
</blockquote>
<p>Typewriter stores continue to cater to aspiring writers hoping to replicate the styles of 20th century authors. One <a href="http://mytypewriter.com/">online store</a> sells portable and desktop typewriters modelled after the famous ones used by renowned writers from Faulkner to Pynchon:</p>
<ul>
<li>Kerouac’s Underwood portable</li>
<li>Hemingway’s Corona No. 3 and his Royal Quiet Deluxe Portable</li>
<li>Ayn Rand’s Remington Portable No. 3</li>
<li>Joseph Heller’s SCM Smith Corona Electra. </li>
</ul>
<h2>Keep it simple, stupid</h2>
<p>American media theorist <a href="http://henryjenkins.org/">Henry Jenkins</a> once claimed that old media never die – they simply transform. In contemporary society it appears that not only do old media and technology never die, but they return. </p>
<p><a href="http://en.wikipedia.org/wiki/Technological_determinism">Technological determinism</a> and the “doctrine of progress” dictates that society must move in a forward momentum towards digitally efficient technologies that operate faster, better and longer.</p>
<figure>
<iframe width="440" height="260" src="https://www.youtube.com/embed/LKWQkLwYv8Y?wmode=transparent&start=0" frameborder="0" allowfullscreen=""></iframe>
</figure>
<p>The use of old technologies is criticised for being anachronistic and pretentious, but people from politics to art are acknowledging the benefits of older technological instruments. </p>
<p>Analogue technology is not only valued for its nostalgic, retro value, but for its simplicity in an increasingly digitised world that is vulnerable to hacking and breaches of privacy. So while digital technology is heralded as the most efficient is terms of speed and productivity, older technologies offer something perhaps more valuable but under-appreciated. </p>
<p>This trend of returning to ostensibly old technologies, as <a href="http://www.theguardian.com/culture/2011/apr/24/mavericks-defying-digital-age">Sean O’Hagan wrote</a> in The Guardian in 2011, is characterised by a </p>
<blockquote>
<p>willingness to slow down, to run counter to the furious momentum of digitised contemporary culture, its speed and its pursuit of sanitised perfection – of sound, image and format.</p>
</blockquote>
<h2>Worth a thousand words</h2>
<p>It’s not just typewriters that have gained renewed significance. Analogue photography has in recent years become more popular. The analogue camera movement <a href="http://www.lomography.com/">Lomography</a> is aimed at producing pictures with low-fi quality. </p>
<figure class="align-left zoomable">
<a href="https://images.theconversation.com/files/63941/original/9kjxzc97-1415335814.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="" src="https://images.theconversation.com/files/63941/original/9kjxzc97-1415335814.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=237&fit=clip" srcset="https://images.theconversation.com/files/63941/original/9kjxzc97-1415335814.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=888&fit=crop&dpr=1 600w, https://images.theconversation.com/files/63941/original/9kjxzc97-1415335814.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=888&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/63941/original/9kjxzc97-1415335814.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=888&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/63941/original/9kjxzc97-1415335814.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=1116&fit=crop&dpr=1 754w, https://images.theconversation.com/files/63941/original/9kjxzc97-1415335814.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=1116&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/63941/original/9kjxzc97-1415335814.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=1116&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption"></span>
<span class="attribution"><a class="source" href="http://www.flickr.com/photos/bikeman04/6433452689">Gerry Lauzon/Flickr</a>, <a class="license" href="http://creativecommons.org/licenses/by/4.0/">CC BY</a></span>
</figcaption>
</figure>
<p>The <a href="http://www.lomography.com/magazine/locations/2009/04/01/lomographic-society-international-hq-vienna-austria">Lomographic Society International</a>, which was founded in 1992 by Viennese students, distributes and celebrates Lomography cameras, which are purposefully low-fidelity and have a very simple construction. With stores set up around the world, it has developed a community of photographers for whom regression is a form of art. </p>
<p>Lomography culture, alongside <a href="https://www.the-impossible-project.com/">The Impossible Project</a>, a company founded in 2008 that manufactures instant photographic material, is flying in the face of technological determinists who see each successive technology as being overtaken by newer and supposedly “better” technologies. </p>
<p>Technological determinism sees technology as the driving force of change, and the most famous technological determinist, <a href="http://www.marshallmcluhan.com/">Marshall McLuhan</a>, argued that the medium is the message. But in this instance, social and cultural issues are actually driving people to use older, simpler technologies. </p>
<p>And, analogue cameras prove better than digital when it comes to privacy. Although there are many famous cases of manipulating or altering analogue photographs, from Stalin erasing his enemies to the Gang of Four being airbrushed from Mao Zedong’s memorial service, the photos are still harder to “hack” and do not exist in an elusive cloud. The control rests with the photographer. </p>
<h2>Regressive vs progressive</h2>
<p>But if we are moving backwards in terms of technology, does this mean that, as a society, we are regressing, against the doctrine of progress? Are we becoming a regression culture? Well, it depends on what we understand as “progressive”, since modern technologies such as the internet, as American writer Nicholas Carr <a href="http://www.theeuropean-magazine.com/67-carr-nicholas/541-information-and-contemplative-thought">noted</a>, “seizes our attention only to scatter it”. In his 2010 book The Shallows, he writes: </p>
<blockquote>
<p>We focus intensively on the medium itself, on the flickering screen, but we’re distracted by the medium’s rapid-fire delivery of competing messages and stimuli.</p>
</blockquote>
<p>So this slow return to older technologies can actually be seen as progressive, as we are prioritising content over medium, quality over speed, and privacy over pervasive exposure. </p>
<p>Given the impact that newer technologies have on the brain in terms of memory and creativity, forcing the brain to slow down with older technologies might actually be a natural progression, rather than regressive. Or, if we are regressing in terms of technology, we may be <em>progressing</em> in terms of intellect, creativity and privacy as a result.</p><img src="https://counter.theconversation.com/content/33846/count.gif" alt="The Conversation" width="1" height="1" />
<p class="fine-print"><em><span>Siobhan Lyons does not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>In writing, music, photography and other areas, “outdated” technologies have initially been valued for their retro, nostalgic appeal in the hipster culture. Vinyl is one of the most notable technologies…Siobhan Lyons, Tutor in Media and Cultural Studies, Macquarie UniversityLicensed as Creative Commons – attribution, no derivatives.tag:theconversation.com,2011:article/328452014-10-14T05:18:42Z2014-10-14T05:18:42ZApp to remotely wipe phones leaves police in tech arms race with thieves<figure><img src="https://images.theconversation.com/files/61542/original/k3kpgbfr-1413210529.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">Your data needn't be lost even if your phone is.</span> <span class="attribution"><a class="source" href="http://www.shutterstock.com/pic-191117660/stock-photo-pickpocket-are-stealing-mobile-phone-from-back-pocket-close-up-isolated-on-white.html?src=ONevfisHp5J4tqtauKQk6Q-1-61">Pickpocket by Africa Studio/Shutterstock</a></span></figcaption></figure><p>Police play a proverbial cat-and-mouse game with those they pursue, but also with the technology of the day they use. This game of one-upmanship, of measure and countermeasure, sees one or the other side temporarily with the upper hand. </p>
<p>For example, some years ago some UK police forces introduced a device that could <a href="http://www.bbc.co.uk/news/technology-18102793">read and download data</a> from a suspect’s smartphone. However, more recently it’s been found that phones in police custody are being <a href="http://www.bbc.co.uk/news/technology-29464889">remotely wiped</a> by their owners. This is embarrassing for any police force, and demonstrates how technology designed to reduce crime can also be used to potentially cover it up.</p>
<h2>Tracking tool</h2>
<p>There are now several different ways to track your smartphone. Apple’s <a href="https://www.apple.com/uk/icloud/find-my-iphone.html">Find Your Phone</a> service helps its customers find their iPhone, whether mislaid or stolen – and this can provide police with useful information about whether a crime has been committed and the possible location of the phone and possibly the perpetrator. Other third-party apps and services such as <a href="https://preyproject.com/">Prey</a> can, <a href="http://www.theguardian.com/technology/2011/jun/01/man-uses-app-track-alleged-laptop-thief">and have</a>, helped owners locate their stolen possessions.</p>
<p>Some police forces have commended these tools, others <a href="https://storify.com/btballenger/man-tracks-stolen-laptop-thousands-of-miles-away">aren’t geared up to react</a> to the opportunities technology has provided. However, if your phone is not passcode protected or <a href="http://www.bbc.co.uk/news/technology-26331249">biometrically locked</a>, then it’s inevitable that, if stolen, a thief can access some of your personal data as well as wipe the phone for their own use. That’s why these locator apps offer the ability to connect to the phone and wipe it of any sensitive data.</p>
<h2>Double-edged sword</h2>
<p>Such remote control possibilities are a double-edged sword, however. Imagine if, as a junior gang member, you realise that your confiscated phone now in the hands of the police (containing all manner of contacts and incriminating evidence) is still visible via iCloud or some other service. This is good news for you and the gang, less so for the police.</p>
<p>One of the key tenets of digital forensic practice is that all law enforcement officers are trained to not switch off any device, as investigators need to capture the state of the phone as it was received, both stored on flash disk or drive and in volatile memory (RAM). All computer systems – and this includes smart phones – contain temporary information that may be crucial in an investigation. There’s also the possibility that a phone may require a passcode on restart that the police don’t have. </p>
<p>Worse, with Apple’s iPhone iOS 8 operating system and the new iPhone6, Apple has improved its encryption, enabling it by default and no longer storing the encryption key on its servers. This has temporarily <a href="http://www.wired.com/2014/10/golden-key/">thwarted</a> law enforcement’s ability to easily subpoena Apple for access to its customers’ data stored in the cloud and made it much harder to access data on the phone even with physical access to it. </p>
<p>If an officer is not able to get a phone into a <a href="http://www.edecdf.com/store/?SID=b9b386294ccd57b105f56b81645f6372">protective bag</a> in time, our suspect may be able to track their phone, wipe data, and hamper police enquiries. These bags operate as a <a href="http://www.princeton.edu/%7Eachaney/tmve/wiki100k/docs/Faraday_cage.html">Faraday cage</a> – blocking the phone network’s microwave radio signals (a form of <a href="http://www2.lbl.gov/MicroWorlds/ALSTool/EMSpec/">electromagnetic radiation</a>), from reaching the phone. The challenge for law enforcement officers is to get the phone to a secure location or one of these bags before the phone is remotely wiped. In a pinch, <a href="http://www.masslive.com/news/index.ssf/2014/07/greenfield_police_turn_to_micr.html">a microwave oven will do</a> as well.</p>
<h2>Traces</h2>
<p>However, there are always traces left behind. You or I might be happy knowing that the thief has not got access to the social media accounts, email, online banking or personal photos on the phone – and wiping any lost device clean would be good enough for most. But much of the data that passes through our phones, the online services used and the networks they connect to, leaves behind traces or even copies of it behind in the cloud that forensic digital investigators can retrieve. </p>
<p>Increasingly, as more and more data is <a href="http://teraknorblogs.blogspot.co.uk/2011/04/getting-lost-its-impossible-with-iphone.html?q=tracking">stored in the cloud</a>, indirectly or directly as back-ups, it’s harder and harder to be “lost”. Any advantage now will only be temporary as police and legislators find new ways to keep one step ahead of the criminals. On the internet, there’s very little that’s hidden forever.</p><img src="https://counter.theconversation.com/content/32845/count.gif" alt="The Conversation" width="1" height="1" />
<p class="fine-print"><em><span>Andrew Smith does not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>Police play a proverbial cat-and-mouse game with those they pursue, but also with the technology of the day they use. This game of one-upmanship, of measure and countermeasure, sees one or the other side…Andrew Smith, Lecturer in Networking, The Open UniversityLicensed as Creative Commons – attribution, no derivatives.tag:theconversation.com,2011:article/320512014-09-24T09:42:23Z2014-09-24T09:42:23ZAfter all these hacks, tech firms could do more – but better security starts with you<figure><img src="https://images.theconversation.com/files/59822/original/q8n92bxj-1411502680.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">A belt and braces approach is wise.</span> <span class="attribution"><a class="source" href="https://www.flickr.com/photos/modernrelics/6889241086/">Modern Relics</a>, <a class="license" href="http://creativecommons.org/licenses/by/4.0/">CC BY</a></span></figcaption></figure><p>After various celebrities’ accounts on Apple’s iCloud servers were <a href="https://theconversation.com/novice-mistake-may-have-been-the-cause-of-the-icloud-naked-celebrities-hack-31272">hacked</a>, the company has made a point of addressing these issues. It has made <a href="https://www.apple.com/privacy/">new claims for the security of iOS 8</a>, the firm’s latest phone operating system, and for its cloud services. Similarly, Google announced the next version of its Android phone operating system will <a href="http://www.bbc.co.uk/news/technology-29276955">encrypt all data by default</a>. But what sort of security do these measures provide?</p>
<h2>Security in the hand</h2>
<p>All phones and tablets provide a device lock that requires a passcode or swipe gesture to unlock. But many owners – up to 50% – either don’t use the feature, or use a <a href="http://danielamitay.com/blog/2011/6/13/most-common-iphone-passcodes">trivial passcode such as 1234</a>. Fingerprint readers, as <a href="https://theconversation.com/iphone-5s-fingerprint-scanning-thumbs-up-or-down-18112">introduced in the iPhone 5</a>, are perhaps the way forward and through ease of use are likely to increase the number of users locking their phones.</p>
<p>While a device lock provides some protection, it’s still possible that a hacker, or the authorities, could extract data given physical access to the device. Encryption, as offered by both Apple’s iOS and Google’s Android platforms, would defeat this (or make it extremely difficult) by requiring a passcode to decrypt the contents and make them readable. </p>
<p>Android has offered this since 2011, while for Apple it was introduced with iOS 7 in September 2013 for mail and data in third-party apps. With iOS 8, this is extended to the phone’s messages, mail, calendar, contacts and photos. Additionally Apple claims that it no longer stores a copy of the encryption key used, making it unable to respond to a warrant demanding access to the data, whether backed up in the cloud or on the device.</p>
<p>In the UK, police will <a href="http://www.independent.co.uk/life-style/gadgets-and-tech/uk-police-to-start-seizing-drivers-mobile-phones-after-all-crashes-9632873.html">seize mobile phones after a car crash</a> in order to see if drivers were texting and driving. This follows a pilot scheme in which police stations equipped with specialist readers are able to swiftly <a href="http://www.bbc.co.uk/news/technology-18102793">extract the entire contents of a phone</a>. Whether this will be defeated by the encryption introduced by iOS and Android remains to be seen. Certainly the UK Regulation of Investigatory Powers Act 2000 (RIPA) empowers the authorities to <a href="https://theconversation.com/cloud-data-makes-life-easier-for-government-spooks-and-the-law-gives-them-a-free-pass-31696">compel a user to supply decryption keys</a> or passcodes.</p>
<p>Apple’s <a href="http://www.cnet.com/how-to/apple-pay-how-it-works-security/">new payment system</a> built around its near field communication (NFC) chip and protocol does not store or transmit credit card details. This makes it fairly secure, and should massively reduce the number of skimming techniques that are possible with other card payments, as neither the card number nor the pin code will be accessible during the payment process, stored as they are in a secure hardware chip in the phone.</p>
<h2>Security in the cloud</h2>
<p>Most smartphones now back-up data to the cloud and it was through this that hackers gained access to the images that were then leaked. There’s no evidence that Apple’s servers were hacked and compromised – unfortunately this privacy breach was made possible by poorly chosen passwords and <a href="http://www.eweek.com/mobile/what-apple-needs-to-do-to-secure-its-users.html">a weak security questions system</a> that allowed repeat guesses without raising the alarm.</p>
<p>There are files containing millions of popular passwords available on the internet and it’s likely hackers simply ran programs that tried various combinations until they succeeded – a “brute force” attack – together with answers to security questions guessed based on publicly known information. Apple has now firmed up its security procedure by introducing a maximum number of incorrect answers to security questions and notifying users when their online accounts are accessed.</p>
<h2>Security starts with you</h2>
<p>So make sure the weak link in the security isn’t you. Choose a <a href="http://xkcd.com/936">strong password</a> – it isn’t hard. Don’t use an obvious passcode, and use a fingerprint scanner if fitted. Use Apple <a href="https://www.apple.com/uk/icloud/find-my-iphone.html">Find My Phone</a> or Android’s <a href="http://android-device-manager.en.softonic.com/web-apps">Device Manager</a> so a lost or stolen phone can be locked, traced or even remotely wiped. </p>
<figure class="align-center zoomable">
<a href="https://images.theconversation.com/files/59815/original/hp9qnst5-1411496487.png?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="" src="https://images.theconversation.com/files/59815/original/hp9qnst5-1411496487.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/59815/original/hp9qnst5-1411496487.png?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=487&fit=crop&dpr=1 600w, https://images.theconversation.com/files/59815/original/hp9qnst5-1411496487.png?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=487&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/59815/original/hp9qnst5-1411496487.png?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=487&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/59815/original/hp9qnst5-1411496487.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=612&fit=crop&dpr=1 754w, https://images.theconversation.com/files/59815/original/hp9qnst5-1411496487.png?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=612&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/59815/original/hp9qnst5-1411496487.png?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=612&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption"></span>
<span class="attribution"><span class="source">xkcd</span>, <a class="license" href="http://creativecommons.org/licenses/by-nc-nd/4.0/">CC BY-NC-ND</a></span>
</figcaption>
</figure>
<p>For iPhones, upgrade to iOS 8 or at the very least upgrade to iOS 5 or higher. For Android, look into encrypting the device’s contents and when installing a new app be aware of what it is asking access to – don’t blindly click on messages that say “Let this app have access to…” as malicious apps could wrestle data from your phone and send it out over the internet. Some companies have a terrible reputation when it comes to privacy (for example Facebook), so be cautious of default settings.</p>
<h2>Use the best tools available</h2>
<p>Currently the best way to secure online accounts is (together with a strong password) to turn on <a href="http://lifehacker.com/5938565/heres-everywhere-you-should-enable-two-factor-authentication-right-now">two-factor authentication</a> – as offered by <a href="http://support.apple.com/kb/ht5570">Apple</a>, <a href="https://www.google.com/landing/2step/index.html">Google</a>, <a href="https://www.facebook.com/note.php?note_id=10150172618258920">Facebook</a> and <a href="https://blog.twitter.com/2013/getting-started-with-login-verification">Twitter</a>.</p>
<p>You register a phone number, which the service will call or text with a pin number. This will be required in addition to your password to gain access. This is set up per device, for example once for your phone and once for your laptop. Trusted devices will work as they did, but someone else (or you) attempting to access your account from another device will need not only your password, but access to your phone to get the pin number the service sends.</p>
<p>Google goes further, allowing you to generate new, random passwords for each of its online services you use or each device, so that if someone compromises one password it won’t open any others.</p>
<p>While it’s a bit more of a hassle, try to have different passwords for different accounts as <a href="http://xkcd.com/792/">re-using passwords is as bad as having weak passwords</a>. Use the tools available – web browers save passwords and there are software tools such as password managers that can simplify the task – but make sure you know how they work.</p>
<p>And even at the end of their lives, computers, phones and other devices <a href="http://www.computerworld.com/article/2538325/computer-hardware/how-to-wipe-personal-data-from-cell-phones-and-pcs.html">need to be securely wiped</a> to <a href="http://ico.org.uk/for_the_public/topic_specific_guides/online/deleting_your_data">remove all traces of personal data</a> (including the passwords and financial details we’ve been so keen to protect) before being given away or sold. Not doing so is little different than handing your keys to a burglar.</p>
<p>Blaming the companies for security failures is too easy – consumers have to get wiser about locking their data away.</p><img src="https://counter.theconversation.com/content/32051/count.gif" alt="The Conversation" width="1" height="1" />
<p class="fine-print"><em><span>Barry Avery does not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>After various celebrities’ accounts on Apple’s iCloud servers were hacked, the company has made a point of addressing these issues. It has made new claims for the security of iOS 8, the firm’s latest phone…Barry Avery, Associate Professor, Informatics and Operations , Kingston UniversityLicensed as Creative Commons – attribution, no derivatives.