tag:theconversation.com,2011:/fr/topics/malware-1618/articles
Malware – The Conversation
2023-05-11T05:16:47Z
tag:theconversation.com,2011:article/205405
2023-05-11T05:16:47Z
It’s being called Russia’s most sophisticated cyber espionage tool. What is Snake, and why is it so dangerous?
<figure><img src="https://images.theconversation.com/files/525550/original/file-20230511-15-nzjt8r.jpeg?ixlib=rb-1.1.0&rect=6%2C41%2C1016%2C981&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption"></span> <span class="attribution"><span class="source">Shutterstock AI</span></span></figcaption></figure>
<p>Like most people I check my emails in the morning, wading through a combination of work requests, spam and news alerts peppering my inbox.</p>
<p>But yesterday brought something different and deeply disturbing. I noticed an alert from the American Cybersecurity and Infrastructure Security Agency (<a href="https://www.cisa.gov/news-events/cybersecurity-advisories">CISA</a>) about some very devious <a href="https://www.bing.com/videos/search?q=what+is+malware&qft=+filterui:duration-short&view=detail&mid=FE061B5C45296C83E456FE061B5C45296C83E456&&FORM=VRDGAR&ru=/videos/search?&q=what+is+malware&qft=+filterui:duration-short&FORM=VRFLTR">malware</a> that had infected <a href="https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-129a">a network of computers</a>.</p>
<p>The malware in question is Snake, a cyber espionage tool deployed by Russia’s Federal Security Service that has been around for about 20 years. </p>
<p>According to CISA, the Snake implant is the “most sophisticated cyber espionage tool designed and used by Center 16 of Russia’s Federal Security Service for long-term intelligence collection on sensitive targets”.</p>
<h2>The stealthy Snake</h2>
<p>The Russian Federal Security Service developed the Snake network in 2003 to conduct global <a href="https://www.techtarget.com/searchsecurity/definition/cyber-espionage">cyber espionage</a> operations against NATO, companies, research institutions, media organisations, financial services, government agencies and more. </p>
<p>So far, it has been detected on Windows, Linux and macOS computers in more than 50 countries, including <a href="https://www.cyber.gov.au/about-us/advisories/hunting-russian-intelligence-snake-malware">Australia</a>. </p>
<p>Elite Russian cyber espionage teams put the malware on a target’s computer, copy sensitive information of interest and then send it to Russia. It’s a simple concept, cloaked in masterful technical design.</p>
<p>Since its creation, Russian cyber spies have regularly <a href="https://www.justice.gov/opa/pr/justice-department-announces-court-authorized-disruption-snake-malware-network-controlled">upgraded the Snake malware</a> to avoid detection. The current version is cunning in how it <a href="https://www.justice.gov/opa/pr/justice-department-announces-court-authorized-disruption-snake-malware-network-controlled">persistently</a> evades detection and protects itself.</p>
<p>Moreover, the Snake network can disrupt critical <a href="https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-110a">industrial control systems</a> that manage our buildings, hospitals, energy systems, water and wastewater systems, among others – so the risks go beyond intelligence collection alone. </p>
<p>There are warnings that in a couple of years bad actors may gain the capability to hijack critical Australian infrastructure and cause unprecedented harm by interfering <a href="https://ia.acs.org.au/article/2021/industrial-cyber-attacks-will-kill-someone-by-2025.html">with physical operations</a>. </p>
<h2>Snake hunting</h2>
<p>On May 9, the US Department of Justice <a href="https://www.justice.gov/opa/pr/justice-department-announces-court-authorized-disruption-snake-malware-network-controlled">announced</a> the Federal Bureau of Investigation had finally disrupted the global Snake <a href="https://www.digitalcitizen.life/what-is-p2p-peer-to-peer/">peer-to-peer network</a> of infected computers.</p>
<p>The covert network allowed infected computers to collect sensitive information. The Snake malware then disguised the sensitive information through sophisticated <a href="https://us.norton.com/blog/privacy/what-is-encryption">encryption</a>, and sent it to the spy masters.</p>
<p>Since the Snake malware used custom <a href="https://www.comptia.org/content/guides/what-is-a-network-protocol">communication protocols</a>, its covert operations remained undetected for decades. You can think of custom protocols as a way to transmit information so it can go undetected.</p>
<p>However, with Russia’s war in Ukraine and the rise in cybersecurity activity over the past few years, the FBI has increased its monitoring of Russian cyber threats.</p>
<p>While the Snake malware is an elegantly designed piece of code, it is complex and needs to be precisely deployed to avoid detection. According to the Department of Justice’s press release, Russian cyber spies were careless in more than a few instances and did not deploy it as designed. </p>
<p>As a result, the Americans discovered Snake, and crafted a response.</p>
<h2>Snake bites</h2>
<p>The FBI received a court order to <a href="https://www.justice.gov/opa/pr/justice-department-announces-court-authorized-disruption-snake-malware-network-controlled">dismantle Snake</a> as part of an operation code-named MEDUSA.</p>
<p>They developed a tool called PERSEUS that causes the Snake malware to <a href="https://www.justice.gov/opa/pr/justice-department-announces-court-authorized-disruption-snake-malware-network-controlled">disable</a> itself and stop further infection of other computers. The <a href="https://www.cyber.gov.au/about-us/advisories/hunting-russian-intelligence-snake-malware">PERSEUS</a> tool and instructions are freely available to guide detection, patching and remediation.</p>
<p>The Department of Justice <a href="https://www.justice.gov/opa/pr/justice-department-announces-court-authorized-disruption-snake-malware-network-controlled">advises</a> that PERSEUS only stops this malware on computers that are already infected; it does not <a href="https://blogs.iuvotech.com/what-is-patching-and-why-is-it-important">patch</a> vulnerabilities on other computers, or search for and remove other malware. </p>
<p>Even though the Snake network has been disrupted, the department warned <a href="https://www.splunk.com/en_us/blog/learn/vulnerability-vs-threat-vs-risk.html">vulnerabilities</a> may still exist for users, and they should follow safe <a href="https://www.digitalguardian.com/blog/what-cyber-hygiene-definition-cyber-hygiene-benefits-best-practices-and-more">cybersecurity hygiene</a> practices. </p>
<h2>Snake bite treatment</h2>
<p>Fortunately, effective cybersecurity hygiene isn’t overly complicated. <a href="https://www.microsoft.com/en/security/business/microsoft-digital-defense-report-2022">Microsoft</a> has identified five activities that protect against 98% of cybersecurity attacks, whether you’re at home or work.</p>
<ol>
<li><p><a href="https://www.onelogin.com/learn/what-is-mfa">Enable multi-factor authentication</a> across all your online accounts and apps. This login process requires multiple steps such as entering your password, followed by a code received through an SMS message – or even a biometric fingerprint or secret question (favourite drummer? Ringo!).</p></li>
<li><p><a href="https://www.csoonline.com/article/3695697/what-is-zero-trust-and-why-is-it-so-important.html">Apply “zero trust” principles</a>. It’s best practice to authenticate, authorise and continuously validate all system users (internal and external) to ensure they have the right to use the systems. The zero trust approach should be applied whether you’re using computer systems at work or home.</p></li>
<li><p><a href="https://www.cyber.gov.au/protect-yourself/securing-your-devices/how-secure-your-device/anti-virus-software">Use modern anti-malware</a> programs. Anti-malware, also known as antivirus software, protects our systems, big and small, against malware and removes it.</p></li>
<li><p><a href="https://www.techtarget.com/whatis/feature/5-reasons-software-updates-are-important">Keep up to date</a>. Regular system and software updates not only help keep new applications secure, but also patch vulnerable areas of your system.</p></li>
<li><p><a href="https://geekflare.com/data-backup-best-practices/">Protect your data</a>. Make a copy of your important data, whether it’s a physical printout or on an external device disconnected from your network, such as an external drive or USB.</p></li>
</ol>
<p>Like most Australians, I have been a victim of a cyberattack. And between the recent <a href="https://www.abc.net.au/news/2023-04-21/optus-hack-class-action-customer-privacy-breach-data-leaked/102247638">Optus</a> data breach and the <a href="https://www.abc.net.au/news/2022-10-15/woolworths-mydeal-cyber-attack-hack-information-leaked/101539686">Woolworths MyDeal</a> and <a href="https://www.afr.com/technology/cyber-experts-worry-as-medibank-puts-hack-behind-it-20230223-p5cn10">Medibank</a> attacks, people are catching on to just how dire the consequences of these events can be. </p>
<p>We can expect malicious cyberattacks to increase in the future, and their impact will only become more severe. The Snake malware is a sophisticated piece of software that raises yet another concern. But in this case, we have the antidote and can protect ourselves by proactively following the above steps. </p>
<p>If you have concerns about the Snake malware you can read more <a href="https://www.nsa.gov/Press-Room/Press-Releases-Statements/Press-Release-View/Article/3389044/us-agencies-and-allies-partner-to-identify-russian-snake-malware-infrastructure/">here</a>, or speak to the fine folks at your IT service desk.</p>
<p class="fine-print"><em><span>Greg Skulmoski works at Bond University and having its academics comment on the news elevates Bond University's reputation. </span></em></p>
The Snake network has been detected in more than 50 countries, including Australia.
Greg Skulmoski, Associate Professor, Project Management, Bond University
Licensed as Creative Commons – attribution, no derivatives.
tag:theconversation.com,2011:article/197393
2023-01-18T13:38:56Z
Dozens of US schools, universities move to ban TikTok
<figure><img src="https://images.theconversation.com/files/504510/original/file-20230113-14-datjvf.jpg?ixlib=rb-1.1.0&rect=0%2C6%2C4608%2C3442&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">The TikTok social media app has raised concerns about cybersecurity and online safety.</span> <span class="attribution"><a class="source" href="https://www.gettyimages.com/detail/news-photo/illustration-tiktok-a-short-video-platform-suqian-jiangsu-news-photo/1245918786">Future Publishing via Getty Images</a></span></figcaption></figure>
<p>A growing number of public schools and colleges in the U.S. are moving to ban TikTok – the popular Chinese-owned social media app that allows users to share short videos.</p>
<p>They are following the lead of the <a href="https://www.nbcnews.com/tech/tech-news/tiktok-ban-biden-government-college-state-federal-security-privacy-rcna63724">federal government</a> and <a href="https://news.yahoo.com/tiktok-bans-government-devices-raise-222316798.html">several states</a>, which are banishing the social media app because <a href="https://www.nbcnews.com/tech/students-question-tiktok-bans-public-universities-rcna62801">authorities believe foreign governments – specifically China – could use the app</a> to spy on Americans.</p>
<p>The app is created by ByteDance, which is based in China and has <a href="https://www.theguardian.com/technology/2022/nov/07/tiktoks-china-bytedance-data-concerns">ties to the Chinese government</a>. </p>
<p><a href="https://www.nbcnews.com/tech/students-question-tiktok-bans-public-universities-rcna62801">The University of Oklahoma, Auburn University in Alabama</a> and <a href="https://www.cnet.com/news/social-media/tiktok-also-banned-by-some-us-universities/">26 public universities and colleges in Georgia</a> have banned the app from campus Wi-Fi networks. <a href="https://www.bestcolleges.com/news/these-colleges-just-banned-tiktok/">Montana’s governor has asked</a> the state’s university system to ban it. </p>
<p>Some K-12 schools have also blocked the app. Public schools in Virginia’s <a href="https://www.fox5dc.com/news/stafford-county-public-schools-blocking-students-access-to-tiktok">Stafford, Prince William and Loudoun counties</a> have banned TikTok on school-issued devices and schools’ Wi-Fi networks. Louisiana’s state superintendent of education recommended that <a href="https://www.wdsu.com/article/louisiana-superintendent-education-tik-tok-ban/42393440">schools in the state remove the app from public devices</a> and <a href="https://www.edweek.org/technology/should-schools-ban-tiktok-louisiana-ed-chief-urges-districts-to-do-it/2023/01#:%7E:text=He%20implored%20districts%20to%20delete,laptops%2C%20a%20department%20spokesman%20added.">block it</a> on school-issued devices. </p>
<p>As a <a href="https://scholar.google.com/citations?user=g-jALEoAAAAJ&hl=en&oi=ao">researcher</a> who specializes in <a href="https://doi.org/10.1080/1097198X.2019.1603527">cybersecurity</a>, I don’t believe these schools are overreacting. TikTok captures user data in a way that is <a href="https://www.theguardian.com/technology/2022/jul/19/tiktok-has-been-accused-of-aggressive-data-harvesting-is-your-information-at-risk">more aggressive than other apps</a>.</p>
<p>The version of TikTok that is raising all these concerns is not available in China itself. In an effort to protect Chinese students from the harmful effects of social media, the Chinese Communist Party has issued a rule that limits the time students can spend on TikTok to <a href="https://www.voanews.com/a/fbi-says-it-has-national-security-concerns-about-tiktok/6836340.html">40 minutes a day</a>. And they can view only <a href="https://www.voanews.com/a/fbi-says-it-has-national-security-concerns-about-tiktok/6836340.html">videos with a patriotic theme or educational content</a> such as science experiments and museum exhibits.</p>
<h2>Aggressive tactics to capture and harvest user data</h2>
<p>All <a href="https://www.wdsu.com/article/louisiana-superintendent-education-tik-tok-ban/42393440">major social media platforms</a> <a href="https://www.pewresearch.org/internet/2019/11/15/americans-and-privacy-concerned-confused-and-feeling-lack-of-control-over-their-personal-information/">raise privacy concerns and include security risks</a> for users.</p>
<p>But TikTok does more than the rest. Its default privacy settings allow the app to collect much more information than the app needs to actually function. </p>
<p>Every hour, the app accesses users’ <a href="https://www.theguardian.com/technology/2022/jul/19/tiktok-has-been-accused-of-aggressive-data-harvesting-is-your-information-at-risk">contact lists and calendars</a>. It also <a href="https://www.theguardian.com/technology/2022/jul/19/tiktok-has-been-accused-of-aggressive-data-harvesting-is-your-information-at-risk">collects the location of devices</a> used to access the service and can scan hard drives attached to any of those devices. </p>
<p>If a user changes privacy settings to avoid that scrutiny, the app <a href="https://www.theguardian.com/technology/2022/jul/19/tiktok-has-been-accused-of-aggressive-data-harvesting-is-your-information-at-risk">persistently asks for that permission to be restored</a>. Other social networking apps, like Facebook, don’t ask users to revise their privacy settings if they lock down their information.</p>
<p>How TikTok handles the data it collects from users also raises concerns. Ireland’s data protection regulator, for instance, is <a href="https://www.politico.eu/article/eu-leaders-fire-warning-shots-at-tiktok-over-privacy/">investigating possible illegal transfers</a> of European citizens’ data to Chinese servers and potential violations of rules protecting children’s privacy.</p>
<h2>Cybersecurity vulnerabilities</h2>
<p>As <a href="https://businessplus.ie/tech/social-media-lost-user-data/">with other social media services</a>, researchers have found <a href="https://research.checkpoint.com/2020/tik-or-tok-is-tiktok-secure-enough/">serious vulnerabilities</a> with TikTok.</p>
<p>In 2020, cybersecurity company Check Point found that it could send users messages that looked as if they came from TikTok but actually contained malicious links. When users clicked on those links, <a href="https://futurism.com/major-security-flaws-tiktok">Check Point’s researchers could seize control of their TikTok accounts</a>, get access to private information, delete existing content and even post new material under that user’s account.</p>
<p>Hackers have also taken advantage of <a href="https://www.theregister.com/2022/11/29/tiktok_invisible_challenge_malware/">viral TikTok trends to distribute malicious software</a> that creates additional cybersecurity problems. For instance, a trend called the “Invisible Challenge” encouraged users to use a TikTok filter called “Invisible Body” to film themselves naked – assuring users their followers would only see a blurry image, not anything revealing. </p>
<p>Cybercriminals created TikTok videos that claimed they had made software that would reveal users’ nude bodies by reversing the body-masking filter. But the software they encouraged users to download actually just stole people’s <a href="https://www.bleepingcomputer.com/news/security/tiktok-invisible-body-challenge-exploited-to-push-malware/">social media, credit card and cryptocurrency credentials</a> from elsewhere on their phones, as well as files from victims’ computers.</p>
<h2>National security concerns</h2>
<p>Many U.S. lawmakers have objected to <a href="https://www.npr.org/2022/12/22/1144745813/why-the-proposed-tiktok-ban-is-more-about-politics-than-privacy-according-to-exp">the app’s location tracking services</a>, saying it could allow the Chinese government to monitor <a href="https://www.newsweek.com/tiktok-security-concerns-explained-republican-led-states-look-ban-it-1765790">the movements and locations of U.S. citizens</a> – including members of the military or government officials.</p>
<p>If the Chinese government wants information about the <a href="https://www.statista.com/statistics/1100836/number-of-us-tiktok-users/">more than 90 million TikTok users</a>, it does not need to hack anything.</p>
<p>That’s because China’s <a href="https://www.cnbc.com/2019/03/05/huawei-would-have-to-give-data-to-china-government-if-asked-experts.html">2017 National Intelligence Law</a> <a href="https://usa.kaspersky.com/resource-center/preemptive-safety/is-tiktok-safe">requires Chinese companies</a> to <a href="https://www.theguardian.com/technology/2022/jul/19/tiktok-has-been-accused-of-aggressive-data-harvesting-is-your-information-at-risk">share any data they collect if the government asks</a>.</p>
<p>Technology industry observers have also raised concerns that ByteDance, the company that makes TikTok, may be <a href="https://www.newsweek.com/tiktok-owned-controlled-china-communist-party-ccp-influence-1752415">partially owned by the Chinese government</a>.</p>
<p>These problems take on even more importance in the context of the Chinese government’s alleged efforts to build a <a href="https://www.infosecurity-magazine.com/news/chinas-mss-linked-to-marriott/">huge “data lake” of information about all Americans</a>. China has been linked to several large-scale cyberattacks targeting federal employees and U.S. consumers. These attacks include the <a href="https://edition.cnn.com/2017/08/24/politics/fbi-arrests-chinese-national-in-opm-data-breach/index.html">2015 hack of the U.S. Office of Personnel Management</a>, 2017 attacks on the <a href="https://www.csoonline.com/article/3444488/equifax-data-breach-faq-what-happened-who-was-affected-what-was-the-impact.html">consumer credit reporting agency Equifax</a> and the 2018 attack on hotel group <a href="https://www.infosecurity-magazine.com/news/chinas-mss-linked-to-marriott/">Marriott International</a>. </p>
<h2>Negative effects outweighing positive ones?</h2>
<p><a href="https://www.edweek.org/technology/tiktok-gas-twitter-how-social-media-is-influencing-education/2022/12">Teachers and school administrators have used TikTok</a> in some interesting, and useful, ways – such as connecting with students, building relationships, teaching about the risks of social media and delivering small, quick lessons.</p>
<p>But it is not clear whether those positive effects counterbalance the potential and actual harm. In addition to general concerns about <a href="https://doi.org/10.1177/0894439316660340">the possible risks of social media addictions</a>, some school officials say increased TikTok use has <a href="https://www.fox5dc.com/news/stafford-county-public-schools-blocking-students-access-to-tiktok">distracted students from paying attention</a> to teachers.</p>
<p>Also, the app’s algorithm for recommending videos to watch next has increased students’ risk of <a href="https://www.cnn.com/2022/12/15/tech/tiktok-teens-study-trnd/index.html">suicide and eating disorders</a>. The “One Chip Challenge,” which asks TikTok users to eat a single chip containing <a href="https://shop.paqui.com/products/one-chip-challenge">two of the world’s spiciest chili peppers</a>, sent <a href="https://medicalxpress.com/news/2022-10-tiktok-trend-kids-home-sick.html">some students to the hospital</a> and made others sick.</p>
<p>TikTok videos have also led students to <a href="https://www.krgv.com/news/students-destroy-steal-school-property-for-viral-tiktok-challenge/">engage in vandalism</a>. In response to one viral challenge, some students <a href="https://www.cbsnews.com/losangeles/news/viral-trend-on-tiktok-encourages-students-to-damage-school-property-steal/">stole bathroom sinks and soap dispensers</a> from schools. </p>
<p>With all that potential for harm and damage, it’s not surprising school officials are considering a ban on TikTok.</p>
<p class="fine-print"><em><span>Nir Kshetri does not work for, consult, own shares in or receive funding from any company or organization that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
School officials are becoming increasingly wary of TikTok amid concerns that the app poses a risk to student safety and privacy and makes the nation vulnerable to spies.
Nir Kshetri, Professor of Management, University of North Carolina – Greensboro
Licensed as Creative Commons – attribution, no derivatives.
tag:theconversation.com,2011:article/181720
2022-04-27T19:58:25Z
Can your mobile phone get a virus? Yes – and you’ll have to look carefully to see the signs
<figure><img src="https://images.theconversation.com/files/459988/original/file-20220427-24-hwrpt4.jpeg?ixlib=rb-1.1.0&rect=75%2C67%2C5531%2C3665&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption"></span> <span class="attribution"><span class="source">Shutterstock</span></span></figcaption></figure>
<p>With nearly <a href="https://www.bankmycell.com/blog/how-many-phones-are-in-the-world">84%</a> of the world’s population now owning a smartphone, and our dependence on them growing all the time, these devices have become an attractive avenue for scammers. </p>
<p>Last year, cyber security company Kaspersky detected nearly <a href="https://securelist.com/mobile-malware-evolution-2021/105876/">3.5 million</a> malicious attacks on mobile phone users. The spam messages we get on our phones via text message or email will often contain links to viruses, which are a type of malicious software (malware).</p>
<p>There’s a decent chance that at some point you’ve installed <a href="https://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=6138859">malware</a> that infected your phone and worked (without you noticing) in the background. According to a global report commissioned by private company Zimperium, more than <a href="https://www.zimperium.com/global-mobile-threat-report/">one-fifth</a> of mobile devices have encountered malware. And four in ten mobiles worldwide are <a href="https://blog.checkpoint.com/2020/08/06/achilles-small-chip-big-peril/">vulnerable</a> to cyber attacks.</p>
<p>But how do you know if your phone has been targeted? And what can you do?</p>
<h2>How does a phone get infected?</h2>
<p>Like personal computers, phones can be compromised by malware. </p>
<p>For example, the Hummingbad virus infected <a href="https://www.wired.co.uk/article/hummingbad-malware-10-million-android-devices">ten million</a> Android devices within a few months of its creation in 2016, and put as many as <a href="https://www.theguardian.com/technology/2016/jul/06/what-is-hummingbad-malware-android-devices-checkpoint">85 million</a> devices at risk. </p>
<p>Typically, a phone virus works the same way as a computer virus: malicious code infects your device, replicates itself and spreads to other devices by auto-messaging others in your contact list or auto-forwarding itself as an email.</p>
<p>A virus can limit your phone’s functionality, send your personal information to hackers, send your contacts spam messages linking to malware, and even allow the virus’s operator to “spy” on you by capturing your screen and keyboard inputs, and tracking your geographical location. </p>
<p>In Australia, Scamwatch received <a href="https://www.scamwatch.gov.au/news-alerts/missed-delivery-call-or-voicemail-flubot-scams">16,000 reports</a> of the Flubot virus over just eight weeks in 2021. This <a href="https://suretyit.com.au/blog/what-is-the-flubot-virus/">virus</a> sends text messages to Android and iPhone users with links to malware. Clicking on the links can lead to a malicious app being downloaded on your phone, giving scammers access to your personal information. </p>
<p>Flubot scammers regularly change their <a href="https://www.bitdefender.com/blog/labs/new-flubot-and-teabot-global-malware-campaigns-discovered">target countries</a>. According to cyber security firm Bitdefender, FluBot operators targeted Australia, Germany, Poland, Spain, Austria and other European countries between December 1 2021 and January 2 of this year. </p>
<h2>Is either Apple or Android more secure?</h2>
<p>While Apple devices are generally considered more secure than Android, and <a href="https://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=6637558">less prone</a> to virus attacks, iPhone users who “jailbreak” or modify their phone open themselves up to security vulnerabilities.</p>
<p>Similarly, Android users who install apps from outside the Google Play store increase their risk of installing malware. It’s recommended all phone users stay on guard, as both Apple and Android are <a href="https://www.forbes.com/sites/zakdoffman/2021/03/16/iphone-12-pro-max-and-iphone-13-not-more-secure-than-google-and-samsung-android-warns-cyber-billionaire/?sh=596442d623f8">vulnerable</a> to security risks.</p>
<p>That said, phones are generally better protected against viruses than personal computers. This is because software is usually installed through authorised app stores that vet each app (although some malicious apps can occasionally slip through <a href="https://blog.pradeo.com/spyware-facestealer-google-play">the cracks</a>). </p>
<p>Also, in comparison to computers, phones are more secure as the apps are usually “<a href="https://source.android.com/security/app-sandbox">sandboxed</a>” in their own isolated environment – unable to access or interfere with other apps. This reduces the risk of infection or cross contamination from malware. However, no device is entirely immune.</p>
<figure class="align-center zoomable">
<a href="https://images.theconversation.com/files/459712/original/file-20220426-12-4550kz.png?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="A smartphone with a virus alert warning is held up by a hand in front of a dark background." src="https://images.theconversation.com/files/459712/original/file-20220426-12-4550kz.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/459712/original/file-20220426-12-4550kz.png?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=338&fit=crop&dpr=1 600w, https://images.theconversation.com/files/459712/original/file-20220426-12-4550kz.png?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=338&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/459712/original/file-20220426-12-4550kz.png?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=338&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/459712/original/file-20220426-12-4550kz.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=424&fit=crop&dpr=1 754w, https://images.theconversation.com/files/459712/original/file-20220426-12-4550kz.png?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=424&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/459712/original/file-20220426-12-4550kz.png?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=424&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">Apple devices are generally considered more secure against malware than Android devices, but they’re still at risk.</span>
<span class="attribution"><span class="source">Pixabay/Pexels.com (edited)</span>, <a class="license" href="http://creativecommons.org/licenses/by/4.0/">CC BY</a></span>
</figcaption>
</figure>
<h2>Watch out for the signs</h2>
<p>While it’s not always easy to tell whether your phone is infected, it will exhibit some abnormal behaviours if it is. Some signs to watch out for include:</p>
<ul>
<li><p>poor performance, such as apps taking longer than usual to open, or crashing randomly</p></li>
<li><p>excessive battery drain (due to the malware constantly working in the background)</p></li>
<li><p>increased mobile data consumption</p></li>
<li><p>unexplained billing charges (which may include increased data usage charges as a result of the malware chewing up your data)</p></li>
<li><p>unusual pop-ups, and</p></li>
<li><p>the device overheating unexpectedly.</p></li>
</ul>
<p>If you do suspect a virus has infected your device, there are some steps you can take. First, to prevent further damage you’ll need to remove the malware. Here are some simple troubleshooting steps:</p>
<ol>
<li><p>Use a reliable antivirus app to scan your phone for infections. Some reputable vendors offering paid and free protection services include <a href="https://apps.apple.com/us/app/avast-security-privacy/id1276551855">Avast</a>, <a href="https://www.avg.com/en-au/antivirus-for-android#pc">AVG</a>, <a href="https://www.bitdefender.com/solutions/mobile-security-android.html">Bitdefender</a>, <a href="https://www.mcafee.com/en-us/antivirus/mobile.html">McAfee</a> or <a href="https://us.norton.com/products/mobile-security-for-android">Norton</a>.</p></li>
<li><p>Clear your phone’s storage and cache (in Android devices), or browsing history and website data (in Apple devices).</p></li>
<li><p>Restart your iPhone, or restart your Android phone to <a href="https://www.digitaltrends.com/mobile/how-to-turn-safe-mode-on-and-off-in-android/">go into safe mode</a> – which is a feature on Android that prevents third-party apps from operating for as long as it’s enabled.</p></li>
<li><p>Delete any suspicious or unfamiliar apps from your downloaded apps list and, if you’re an Android user, turn safe mode off once the apps are deleted.</p></li>
</ol>
<p>As a last resort, you can back up all your data and perform a factory reset on your phone. Resetting a phone to its original settings will eliminate any malware.</p>
<h2>Protecting your phone from infection</h2>
<p>Now you’ve fixed your phone, it’s important to safeguard it against future viruses and other security risks. The mobile security apps mentioned above will help with this. But you can also:</p>
<ul>
<li><p>avoid clicking unusual pop-ups, or links in unusual text messages, social media posts or emails</p></li>
<li><p>only install apps from authorised app stores, such as Google Play or Apple’s App Store</p></li>
<li><p>avoid jailbreaking or modifying your phone</p></li>
<li><p>check app permissions before installing, so you’re aware of what the app will access (rather than blindly trusting it)</p></li>
<li><p>back up your data regularly, and</p></li>
<li><p>keep your phone software updated to the latest version (which will have the latest security patches).</p></li>
</ul>
<p>Continually monitor your phone for suspicious activity and trust your gut instincts. If something sounds too good to be true, it probably is.</p>
<figure>
<iframe width="440" height="260" src="https://www.youtube.com/embed/nvIXGeB1WgE?wmode=transparent&start=38" frameborder="0" allowfullscreen=""></iframe>
<figcaption><span class="caption">Google’s tips on how to spot malware.</span></figcaption>
</figure>
<p class="fine-print"><em><span>Ritesh Chugh does not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
It’s true that phones aren’t as prone to viruses as computers – but they’re still far from immune.
Ritesh Chugh, Associate Professor - Information and Communications Technology, CQUniversity Australia
Licensed as Creative Commons – attribution, no derivatives.
tag:theconversation.com,2011:article/167017 2022-02-23T13:36:55Z
How AI is shaping the cybersecurity arms race
<figure><img src="https://images.theconversation.com/files/447353/original/file-20220218-45245-1hgu9fk.jpg?ixlib=rb-1.1.0&rect=51%2C0%2C5700%2C3771&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">Defending against cyberattacks increasingly means looking for patterns in large amounts of data – a task AI was made for.</span> <span class="attribution"><a class="source" href="https://www.gettyimages.com/detail/photo/artificial-intelligence-robot-control-futuristic-royalty-free-image/1328784596">Yuichiro Chino/Moment via Getty Images</a></span></figcaption></figure>
<p>The average business receives <a href="https://www.fortinet.com/blog/industry-trends/overcoming-the-challenges-of-rapid-and-effective-incident-response">10,000 alerts every day</a> from the various software tools it uses to monitor for intruders, malware and other threats. Cybersecurity staff often find themselves inundated with data they need to sort through to manage their cyber defenses.</p>
<p>The stakes are high. Cyberattacks are increasing and affect <a href="https://www.verizon.com/about/news/verizon-2021-data-breach-investigations-report">thousands of organizations</a> and <a href="https://www.cisa.gov/be-cyber-smart/facts">millions of people</a> in the U.S. alone.</p>
<p>These challenges underscore the need for better ways to stem the tide of cyber-breaches. Artificial intelligence is particularly well suited to finding patterns in huge amounts of data. As a researcher who <a href="https://scholar.google.com/citations?user=jdFquF4AAAAJ&hl=en">studies AI and cybersecurity</a>, I find that AI is emerging as a much-needed tool in the cybersecurity toolkit.</p>
<h2>Helping humans</h2>
<p>There are two main ways AI is bolstering cybersecurity. First, AI can help automate many tasks that a human analyst would often handle manually. These include automatically detecting unknown workstations, servers, code repositories and other hardware and software on a network. It can also determine how best to allocate security defenses. These are data-intensive tasks, and AI has the potential to sift through terabytes of data much more efficiently and effectively than a human could ever do. </p>
<p>Second, AI can help detect patterns within large quantities of data that human analysts can’t see. For example, AI could detect the key linguistic patterns of hackers posting emerging threats in the <a href="https://theconversation.com/illuminating-the-dark-web-105542">dark web</a> and alert analysts.</p>
<p>More specifically, AI-enabled analytics can help discern the jargon and code words hackers develop to refer to their new tools, techniques and procedures. One example is using the name Mirai to mean botnet. Hackers developed the term to hide the botnet topic from law enforcement and cyberthreat intelligence professionals.</p>
<p>AI has already seen some early successes in cybersecurity. Increasingly, companies such as FireEye, Microsoft and Google are developing innovative AI approaches to detect malware, stymie phishing campaigns and monitor the spread of disinformation. One notable success is <a href="https://news.microsoft.com/cyber-signals/">Microsoft’s Cyber Signals</a> program that uses AI to analyze 24 trillion security signals, 40 nation-state groups and 140 hacker groups to produce cyberthreat intelligence for C-level executives. </p>
<p>Federal funding agencies such as the Department of Defense and the National Science Foundation recognize the potential of AI for cybersecurity and have invested tens of millions of dollars to develop advanced AI tools for extracting insights from data generated from the dark web and open-source software platforms such as <a href="https://github.com/">GitHub</a>, a global software development code repository where hackers, too, can share code.</p>
<h2>Downsides of AI</h2>
<p>Despite the significant benefits of AI for cybersecurity, cybersecurity professionals have questions and concerns about AI’s role. Companies might be thinking about replacing their human analysts with AI systems, but might be worried about how much they can trust automated systems. It’s also not clear whether and how the well-documented AI <a href="https://theconversation.com/ftc-warns-the-ai-industry-dont-discriminate-or-else-159622">problems of bias, fairness, transparency and ethics</a> will emerge in AI-based cybersecurity systems.</p>
<p>Also, AI is useful not only for cybersecurity professionals trying to turn the tide against cyberattacks, but also for malicious hackers. Attackers are using methods like reinforcement learning and <a href="https://developers.google.com/machine-learning/gan">generative adversarial networks</a>, which generate new content or software based on limited examples, to produce new types of cyberattacks that can evade cyber defenses.</p>
<figure>
<iframe width="440" height="260" src="https://www.youtube.com/embed/XOxxPcy5Gr4?wmode=transparent&start=0" frameborder="0" allowfullscreen=""></iframe>
<figcaption><span class="caption">Just as AI can generate realistic-looking fake faces from photos of real people, the software can be used to create new forms of malware based on existing code.</span></figcaption>
</figure>
<p>Researchers and cybersecurity professionals are still learning all the ways malicious hackers are using AI. </p>
<h2>The road ahead</h2>
<p>Looking forward, there is significant room for growth for AI in cybersecurity. In particular, the predictions AI systems make based on the patterns they identify will help analysts respond to emerging threats. AI is an intriguing tool that could help stem the tide of cyberattacks and, with careful cultivation, could become a required tool for the next generation of cybersecurity professionals.</p>
<p>The current pace of innovation in AI, however, indicates that fully automated cyber battles between AI attackers and AI defenders are likely years away.</p>
<p class="fine-print"><em><span>Sagar Samtani works for Indiana University.</span></em></p>
Artificial intelligence is emerging as a key cybersecurity tool for both attackers and defenders.
Sagar Samtani, Assistant Professor of Operations and Decision Technologies, Indiana University
Licensed as Creative Commons – attribution, no derivatives.
tag:theconversation.com,2011:article/163015 2021-06-18T14:17:13Z
Inside a ransomware attack: how dark webs of cybercriminals collaborate to pull them off
<figure><img src="https://images.theconversation.com/files/407209/original/file-20210618-26-d4o3ua.jpeg?ixlib=rb-1.1.0&rect=17%2C8%2C5973%2C3197&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption"></span> <span class="attribution"><a class="source" href="https://www.shutterstock.com/image-illustration/insecure-network-several-red-platforms-connected-530465965">BeeBright/Shutterstock</a></span></figcaption></figure>
<p>In their Carbis Bay communique, the G7 <a href="https://www.g7uk.org/wp-content/uploads/2021/06/Carbis-Bay-G7-Summit-Communique-PDF-430KB-25-pages-5.pdf">announced</a> their intention to work together to tackle <a href="https://theconversation.com/ransomware-gangs-are-running-riot-paying-them-off-doesnt-help-155254">ransomware groups</a>. Days later, US president Joe Biden met with Russian president Vladimir Putin, where an <a href="https://www.ft.com/content/81c644d4-811f-4d9c-b4ac-bb0ee1038526">extradition process</a> to bring Russian cybercriminals to justice in the US was discussed. Putin reportedly agreed in principle, but insisted that extradition be <a href="https://www.telegraph.co.uk/news/2021/06/14/putin-says-open-prisoner-swap-russia-us/">reciprocal</a>. Time will tell if an extradition treaty can be reached. But if it is, who exactly should be extradited – and what for?</p>
<p>The problem for <a href="https://doi.org/10.1016/j.cose.2019.101568">law enforcement</a> is that ransomware – a form of malware used to steal organisations’ data and hold it to ransom – is a very slippery fish. Not only is it a blended crime, including different offences across different bodies of law, but it’s also a crime that straddles the remit of <a href="https://theconversation.com/how-cities-can-fight-back-against-ransomware-attacks-132782">different policing agencies</a> and, in many cases, <a href="https://www.nytimes.com/2021/05/29/world/europe/ransomware-russia-darkside.html">countries</a>. And there is no one key offender. Ransomware attacks involve a distributed network of different cybercriminals, often unknown to each other to reduce the risk of arrest.</p>
<p>So it’s important to look at these attacks in detail to understand how the US and the G7 might go about tackling the <a href="https://theconversation.com/the-increase-in-ransomware-attacks-during-the-covid-19-pandemic-may-lead-to-a-new-internet-162490">increasing number</a> of ransomware attacks we’ve seen during the pandemic, with at least <a href="https://www.itgovernance.co.uk/blog/list-of-data-breaches-and-cyber-attacks-in-may-2021-116-million-records-breached">128 publicly disclosed incidents</a> taking place globally in May 2021. </p>
<p>What we find when we connect the dots is a professional industry far removed from the organised crime playbook, which seemingly takes its inspiration straight from the pages of a <a href="https://link.springer.com/article/10.1007%2Fs12117-020-09397-5">business studies manual</a>.</p>
<p>The ransomware industry is responsible for a huge amount of disruption in today’s world. Not only do these attacks have a crippling economic effect, costing <a href="https://blog.emsisoft.com/en/38426/the-cost-of-ransomware-in-2021-a-country-by-country-analysis/">billions of dollars</a> in damage, but the <a href="https://www.itgovernance.co.uk/blog/list-of-data-breaches-and-cyber-attacks-in-may-2021-116-million-records-breached">stolen data</a> acquired by attackers can continue to <a href="https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3429958">cascade down</a> through the crime chain and fuel other cybercrimes. </p>
<p>Ransomware attacks are also changing. The criminal industry’s business model has shifted towards providing ransomware <a href="https://www.bleepingcomputer.com/news/security/darkside-affiliates-claim-gangs-bitcoin-deposit-on-hacker-forum/">as a service</a>. This means operators provide the malicious software, manage the extortion and payment systems and manage the reputation of the “<a href="https://www.wired.com/story/ransomware-gone-corporate-darkside-where-will-it-end/">brand</a>”. But to reduce their exposure to the risk of arrest, they recruit affiliates on generous commissions to use their software to launch attacks. </p>
<p>This has resulted in an extensive distribution of criminal labour, where the people who own the malware are not necessarily the same as those who plan or execute ransomware attacks. To complicate things further, both are assisted in committing their crimes by services offered by the wider cybercrime ecosystem.</p>
<figure class="align-center ">
<img alt="A hooded hacker" src="https://images.theconversation.com/files/407210/original/file-20210618-25-1967hxz.jpeg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/407210/original/file-20210618-25-1967hxz.jpeg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=400&fit=crop&dpr=1 600w, https://images.theconversation.com/files/407210/original/file-20210618-25-1967hxz.jpeg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=400&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/407210/original/file-20210618-25-1967hxz.jpeg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=400&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/407210/original/file-20210618-25-1967hxz.jpeg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=503&fit=crop&dpr=1 754w, https://images.theconversation.com/files/407210/original/file-20210618-25-1967hxz.jpeg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=503&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/407210/original/file-20210618-25-1967hxz.jpeg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=503&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px">
<figcaption>
<span class="caption">Even a lone hacker draws upon the criminal capabilities of others.</span>
<span class="attribution"><a class="source" href="https://www.shutterstock.com/image-photo/cybercriminal-hood-without-face-sits-dark-1576054075">trambler58/Shutterstock</a></span>
</figcaption>
</figure>
<h2>How do ransomware attacks work?</h2>
<p>There are <a href="https://conference.cepol.europa.eu/media/cepol-online-conference-2021/submissions/DBR7WE/resources/Wall_Cybercrime_and_Covid_CEPO_Zx0nGyn.pdf">several stages</a> to a ransomware attack, which I have teased out after analysing over 4,000 attacks from between 2012 and 2021.</p>
<p>First, there’s the reconnaissance, where criminals identify potential victims and access points to their networks. This is followed by a hacker gaining “initial access”, using log-in credentials bought on the dark web or obtained through deception.</p>
<p>Once initial access is gained, attackers seek to escalate their access privileges, allowing them to search for key organisational data that will cause the victim the most pain when stolen and held to ransom. This is why <a href="https://www.nytimes.com/2020/11/26/us/hospital-cyber-attack.html?campaign_id=158&emc=edit_ot_20210429&instance_id=29942&nl=on-tech-with-shira-ovide&regi_id=95633146&segment_id=56818&te=1&user_id=b427913b60c799d875886038d08ae44e">hospital medical records</a> and <a href="https://www.databreaches.net/threat-actors-claim-to-have-attacked-city-of-dade-city-florida/?campaign_id=158&emc=edit_ot_20210429&instance_id=29942&nl=on-tech-with-shira-ovide&regi_id=95633146&segment_id=56818&te=1&user_id=b427913b60c799d875886038d08ae44e">police records</a> are often the target of ransomware attacks. This key data is then extracted and saved by criminals – all before any ransomware is installed and activated.</p>
<p>Next comes the victim organisation’s first sign that they’ve been attacked: the ransomware is deployed, locking organisations from their key data. The victim is quickly <a href="https://www.databreachtoday.com/maze-promotes-other-gangs-stolen-data-on-its-darknet-site-a-14386?highlight=true">named and shamed</a> via the ransomware gang’s leak website, located on the dark web. That “press release” may also feature <a href="https://therecord.media/ransomware-gang-threatens-to-expose-police-informants-if-ransom-is-not-paid/?campaign_id=158&emc=edit_ot_20210429&instance_id=29942&nl=on-tech-with-shira-ovide&regi_id=95633146&segment_id=56818&te=1&user_id=b427913b60c799d875886038d08ae44e">threats to share</a> stolen sensitive data, with the aim of frightening the victim into paying the ransom demand.</p>
<figure class="align-center zoomable">
<a href="https://images.theconversation.com/files/407212/original/file-20210618-24-1b6u2cr.jpeg?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="A ransomware lockout screen" src="https://images.theconversation.com/files/407212/original/file-20210618-24-1b6u2cr.jpeg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/407212/original/file-20210618-24-1b6u2cr.jpeg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=454&fit=crop&dpr=1 600w, https://images.theconversation.com/files/407212/original/file-20210618-24-1b6u2cr.jpeg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=454&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/407212/original/file-20210618-24-1b6u2cr.jpeg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=454&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/407212/original/file-20210618-24-1b6u2cr.jpeg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=571&fit=crop&dpr=1 754w, https://images.theconversation.com/files/407212/original/file-20210618-24-1b6u2cr.jpeg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=571&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/407212/original/file-20210618-24-1b6u2cr.jpeg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=571&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">Victims of ransomware attacks are typically presented with a screen like this.</span>
<span class="attribution"><a class="source" href="https://i1.wp.com/www.technollama.co.uk/wp-content/uploads/2017/05/ransomware.jpg">TechnoLlama</a>, <a class="license" href="http://creativecommons.org/licenses/by/4.0/">CC BY</a></span>
</figcaption>
</figure>
<p>Successful ransomware attacks see the ransom paid in cryptocurrency, which is difficult to trace, and converted and laundered into fiat currency. Cybercriminals often invest the proceeds to enhance their capabilities – and to pay affiliates – so they don’t get caught.</p>
<h2>The cybercrime ecosystem</h2>
<p>While it’s feasible that a suitably skilled offender could perform each of the functions, it’s highly unlikely. To reduce the risk of being caught, offender groups tend to develop and master specialist skills for different stages of an attack. These groups benefit from this inter-dependency, as it offsets criminal liability at each stage. </p>
<p>And there are plenty of specialisations in the cybercrime underworld. There are <a href="https://krebsonsecurity.com/2019/05/legal-threats-make-powerful-phishing-lures/#more-47793">spammers</a>, who hire out spamware-as-a-service software that <a href="https://theconversation.com/phishing-scams-are-becoming-ever-more-sophisticated-and-firms-are-struggling-to-keep-up-73934">phishers</a>, scammers, and fraudsters use to steal people’s credentials, and <a href="https://nos.nl/artikel/2374024-datalek-bij-autobedrijven-treft-mogelijk-miljoenen-nederlanders.html">databrokers</a> who trade these stolen details on the dark web.</p>
<p>They might be purchased by “<a href="https://www.theregister.com/2021/06/09/trend_micro_nefilim_ransomware_research/">initial access brokers</a>”, who specialise in gaining initial entry to computer systems before selling on those access details to would-be ransomware attackers. These attackers often engage with <a href="https://krebsonsecurity.com/2021/01/arrest-seizures-tied-to-netwalker-ransomware/">crimeware-as-a-service</a> brokers, who hire out ransomware-as-a-service software as well as other malware.</p>
<p>To coordinate these groups, <a href="https://www.zdnet.com/article/us-weve-just-seized-1bn-in-bitcoin-stolen-from-silk-road-by-individual-x-hacker/">darkmarketeers</a> provide online markets where criminals can openly sell or trade services, usually via the Tor network on the dark web. <a href="https://www.nytimes.com/2021/05/29/world/europe/ransomware-russia-darkside.html">Monetisers</a> are there to launder cryptocurrency and turn it into fiat currency, while negotiators, representing both victim and offender, are hired to settle the ransom amount.</p>
<p>This ecosystem is constantly evolving. For example, a recent development has been the emergence of the “<a href="https://geminiadvisory.io/ransomware-unmasked/">ransomware consultant</a>”, who collects a fee for advising offenders at key stages of an attack. </p>
<h2>Arresting offenders</h2>
<p>Governments and law enforcement agencies appear to be ramping up their efforts to tackle ransomware offenders, following a year blighted by their continued attacks. As the G7 met in Cornwall in June 2021, Ukrainian and South Korean police forces coordinated to arrest elements of the infamous <a href="https://www.theregister.com/2021/06/16/clop_ransomware_gang_arrests_ukraine/">CL0P ransomware gang</a>. In the same week, Russian national <a href="https://www.bleepingcomputer.com/news/security/us-convicts-russian-national-behind-kelihos-botnet-crypting-service/">Oleg Koshkin</a> was convicted by a US court for running a malware encryption service that criminal groups use to perform cyberattacks without being detected by antivirus solutions.</p>
<p>While these developments are promising, ransomware attacks are a complex crime involving a distributed network of offenders. As the offenders have honed their methods, law enforcers and cybersecurity experts have tried to keep pace. But the relative inflexibility of policing arrangements, and the lack of a key offender (Mr or Mrs Big) to arrest, may always keep them one step behind the cybercriminals – even if an extradition treaty is struck between the US and Russia.</p>
<p class="fine-print"><em><span>David S. Wall receives funding from UKRI EP/P011721/1 & EP/M020576/1</span></em></p>
Ransomware has gone professional, with criminal consultants, affiliates and brokers – arresting them all will be difficult.
David S. Wall, Professor of Criminology, University of Leeds
Licensed as Creative Commons – attribution, no derivatives.
tag:theconversation.com,2011:article/161909 2021-06-01T12:45:31Z
Why are there so many text scams all of a sudden?
<figure><img src="https://images.theconversation.com/files/403823/original/file-20210601-663-4zypfs.jpeg?ixlib=rb-1.1.0&rect=0%2C7%2C4992%2C3502&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption"></span> <span class="attribution"><a class="source" href="https://www.shutterstock.com/image-photo/upset-stressed-woman-holding-cellphone-disgusted-236219071">pathdoc/Shutterstock</a></span></figcaption></figure>
<p>A new “<a href="https://www.theguardian.com/money/2021/may/18/delivery-text-scams-the-nasty-new-wave-sweeping-the-uk">fraud wave</a>” has been reported in the UK, targeting mobile phone users with texts that, at first glance, appear to be from delivery companies or government institutions.</p>
<p>You may even have been targeted by the text scams yourself, which often ask you to pay missed delivery charges or tax fees and are sent from numbers that claim to belong to <a href="https://www.royalmail.com/help/scam-examples">Royal Mail</a>, <a href="https://www.birminghammail.co.uk/news/midlands-news/new-hermes-parcel-scam-text-20625341">Hermes</a> or <a href="https://www.thinkmoney.co.uk/blog/dont-fall-for-the-hmrc-text-scam/">HMRC</a>.</p>
<p>While these scams are actually nothing new, there does appear to have been a <a href="https://www.standard.co.uk/news/uk/scam-calls-texts-phone-massive-sudden-increase-b932553.html">sudden and dramatic increase</a> in their volume in recent weeks, coming after the recent spike in <a href="https://theconversation.com/coronavirus-vaccine-scams-fraud-experts-give-their-top-tips-to-help-you-stay-safe-154610">coronavirus vaccine scams</a> and scams targeting those seeking to <a href="https://theconversation.com/how-to-avoid-scams-when-buying-a-pet-online-153138">buy a pet online</a> during the pandemic. </p>
<p>The resurgence of text scams in the spring of 2021 also appears to be taking advantage of circumstances brought about by the pandemic – but learning more about them can help us to stamp them out.</p>
<h2>Increasing text scams</h2>
<p>To understand the apparent increase in text scams, we need to consider two key factors. The first is timing. Missed delivery charge scams are most often rolled out around the busy <a href="https://www.theguardian.com/money/2020/dec/19/missed-delivery-parcel-scams-christmas-dpd-royal-mail">Christmas postal period</a>, while tax scams are <a href="https://www.bbc.co.uk/news/business-47988270">usually timed around April</a> to coincide with the new financial year.</p>
<p>The pandemic has extended the window of opportunity for fraudsters to successfully target people with both types of scam. More of us are expecting a parcel in the post after increasing our <a href="https://blog.ons.gov.uk/2020/09/18/how-the-covid-19-pandemic-has-accelerated-the-shift-to-online-spending/">online shopping</a> since March 2020, while novel financial measures related to the pandemic, such as the furlough scheme, may have given people the impression that HMRC has temporarily altered its operations.</p>
<p>The second factor is volume. These types of scams are delivered en masse, and fraudsters only need to receive responses to a handful of the thousands of texts they send out to make significant sums of money. </p>
<p>That’s not because of the money they’re asking people to send them – which appears tiny in the case of a £1.43 delivery fee – but because criminals can use the card details they’re provided to <a href="https://www.irishexaminer.com/news/munster/arid-40303331.html">empty victims’ bank accounts</a>. Other text scams, which prompt you to click on a link, are designed to <a href="https://www.bbc.co.uk/news/technology-56859091">infect your phone with malware</a> that can help criminals steal your personal data. </p>
<p>The increasing volume of these scams suggests that they do work. And because their success encourages “<a href="https://www.ftadviser.com/your-industry/2019/06/03/hmrc-shuts-down-copy-cat-scams/">copy cat</a>” scams, with new criminal groups experimenting with their own text scams, it’s difficult to stamp them out entirely, despite <a href="https://www.bbc.co.uk/news/uk-england-57226704">recent arrests</a>. The best way to counter these scams is to reduce their success rate, and we can do this by making the public aware of how and why text scams work.</p>
<h2>Why do we fall for text scams?</h2>
<p>Despite the apparent <a href="https://conversation.which.co.uk/scams/dpd-delivery-scam-email-phishing-warning/">crudeness</a> of these fraudulent messages, which often feature misspellings or incorrect grammar, they take advantage of timeworn techniques that exploit our <a href="https://theconversation.com/five-psychological-reasons-why-people-fall-for-scams-and-how-to-avoid-them-102421">psychological vulnerabilities</a>. The aim is to encourage us to respond on impulse rather than thinking through whether we may be being scammed.</p>
<p><a href="https://www.sciencedirect.com/science/article/abs/pii/S0191886920300374?via%3Dihub">Exploiting emotion</a> is the main method used by scammers to achieve this. The delivery charge scam, for instance, often threatens a loss if you don’t immediately pay for redelivery, with fraudsters issuing a tight deadline before they claim your parcel will be returned to its sender. Emotions such as fear, panic and anxiety can cause us to respond impulsively to scam messages.</p>
<p>On the other hand, positive emotions, such as excitement or hope, can also bias our judgement and encourage impulsive behaviour. The <a href="https://www.lovemoney.com/guides/15794/hmrc-tax-scams-refund-rebate-frauds-email-text-is-this-real-fake-uk">HMRC tax refund scam</a> is built on the promise of financial gain if you click on a link – but instead of transferring you cash, the link is built to facilitate <a href="https://www.actionfraud.police.uk/a-z-of-fraud/phishing">phishing</a> that gives criminals access to your personal data or bank details. </p>
<p>People are far more likely to fall for this scam if they’ve already received a genuine communication from HMRC that they’re due a tax refund. Psychologists refer to this feeling as “<a href="https://www.sciencedirect.com/topics/engineering/illusory-correlation">illusory correlation</a>”, which happens when we see events as linked when they’re not. Illusory correlation tends to confuse or relax our natural caution, making us more vulnerable to scams.</p>
<h2>Who are scammers targeting?</h2>
<p>Anyone can fall victim to scams. Contrary to popular opinion, <a href="https://theconversation.com/how-loneliness-in-older-people-makes-them-more-vulnerable-to-financial-scammers-73483">older people</a> are not more likely to be victims of text scams, partially because many older people may be less likely to bank and shop online, have dealings with HMRC, or even use mobile phones. </p>
<p>It’s the use of <a href="https://www.arunvishwanath.us/2019/05/10/why-smartphones-are-more-susceptible-to-social-attacks/">mobile devices</a> for these text-based scams that may actually make <a href="https://www.sciencedirect.com/science/article/abs/pii/S0747563216303624?via%3Dihub">younger people more susceptible</a>. While we’re somewhat used to scam emails, scam texts are relatively new. Texts also feel more intimate – we expect them to be from people we know, or from institutions we’ve trusted with our mobile number. And we often access texts on the go, when we’re <a href="https://link.springer.com/article/10.1007/s11747-018-0604-7">busy or distracted</a> and less likely to question their veracity.</p>
<p>To avoid falling victim to text scams, we suggest you take <a href="https://takefive-stopfraud.org.uk/">a few simple steps</a> before choosing to respond. First, make sure you take some time to properly look at the content of any message you receive. Any written message containing email addresses, phone numbers or language errors could help you spot a scam.</p>
<p>If you can’t spot any blatant errors, just wait – even for a few minutes – before responding. This will allow you time to think whether it’s normal for a company to communicate with you via text.</p>
<p>For delivery scams in particular, which are currently <a href="https://www.theguardian.com/money/2021/may/18/delivery-text-scams-the-nasty-new-wave-sweeping-the-uk">surging in the UK</a>, it’s well worth interrogating everything about the text you receive. Checking websites for the delivery companies they use, or even making a quick call to the delivery company the text claims to be from, can help clear things up. And at the end of the day, it’s better to miss your parcel than to lose thousands of pounds to scam artists.</p>
<p class="fine-print"><em><span>The authors do not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and have disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
<p>Crude text scams, sent en masse, only have to work a handful of times to make criminals significant sums of cash.</p>
<p>Gareth Norris, Senior Lecturer, Department of Psychology, Aberystwyth University; Alexandra Brookes, Associate lecturer / PhD researcher, Aberystwyth University. Licensed as Creative Commons – attribution, no derivatives.</p>
<h1>Shape-shifting computer chip thwarts an army of hackers</h1>
<p>Entry tag:theconversation.com,2011:article/159990, published 2021-05-20T12:27:00Z.</p>
<figure><img src="https://images.theconversation.com/files/401722/original/file-20210519-19-1m48kfo.jpg?ixlib=rb-1.1.0&rect=0%2C0%2C5656%2C3166&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">The Morpheus secure processor works like a puzzle that keeps changing before hackers have a chance to solve it.</span> <span class="attribution"><a class="source" href="https://unsplash.com/photos/TOOhhlGHOsQ">Alan de la Cruz via Unsplash</a></span></figcaption></figure>
<p><em>The <a href="https://theconversation.com/us/topics/research-brief-83231">Research Brief</a> is a short take about interesting academic work.</em></p>
<h2>The big idea</h2>
<p>We have developed and tested a <a href="https://doi.org/10.1145/3297858.3304037">secure new computer processor</a> that thwarts hackers by randomly changing its underlying structure, thus making it virtually impossible to hack. </p>
<p>Last summer, 525 security researchers spent three months trying to hack our Morpheus processor as well as others. <a href="https://spectrum.ieee.org/tech-talk/semiconductors/processors/morpheus-turns-a-cpu-into-a-rubiks-cube-to-defeat-hackers">All attempts against Morpheus failed</a>. This study was part of a program sponsored by the U.S. Defense Advanced Research Program Agency to <a href="https://spectrum.ieee.org/tech-talk/computing/embedded-systems/darpa-hacks-its-secure-hardware-fends-off-most-attacks">design a secure processor</a> that could protect vulnerable software. DARPA <a href="https://www.darpa.mil/news-events/2020-01-28">released the results on the program to the public</a> for the first time in January 2021.</p>
<p>A processor is the piece of computer hardware that runs software programs. Since a processor underlies all software systems, a secure processor has the potential to protect any software running on it from attack. Our team at the University of Michigan first developed Morpheus, a secure processor that thwarts attacks by turning the computer into a puzzle, in 2019.</p>
<p>A processor has an architecture – x86 for most laptops and ARM for most phones – which is the set of instructions software needs to run on the processor. Processors also <a href="https://www.computerhope.com/jargon/m/microarchitecture.htm">have a microarchitecture</a>, or the “guts” that enable the execution of the instruction set, the speed of this execution and how much power it consumes.</p>
<p>Hackers need to be intimately familiar with the details of the microarchitecture to <a href="https://theconversation.com/microprocessor-designers-realize-security-must-be-a-primary-concern-98044">graft their malicious code, or malware, onto vulnerable systems</a>. To stop attacks, Morpheus randomizes these implementation details to turn the system into a puzzle that hackers must solve before conducting security exploits. From one Morpheus machine to another, details like the commands the processor executes or the format of program data change in random ways. Because this happens at the microarchitecture level, software running on the processor is unaffected.</p>
<figure class="align-center zoomable">
<a href="https://images.theconversation.com/files/401701/original/file-20210519-19-1t96mso.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="a fan on top of a metal square in the middle of a computer circuit board" src="https://images.theconversation.com/files/401701/original/file-20210519-19-1t96mso.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/401701/original/file-20210519-19-1t96mso.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=427&fit=crop&dpr=1 600w, https://images.theconversation.com/files/401701/original/file-20210519-19-1t96mso.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=427&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/401701/original/file-20210519-19-1t96mso.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=427&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/401701/original/file-20210519-19-1t96mso.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=537&fit=crop&dpr=1 754w, https://images.theconversation.com/files/401701/original/file-20210519-19-1t96mso.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=537&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/401701/original/file-20210519-19-1t96mso.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=537&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">The Morpheus computer processor, inside the square beneath the fan on this circuit board, rapidly and continuously changes its underlying structure to thwart hackers.</span>
<span class="attribution"><span class="source">Todd Austin</span>, <a class="license" href="http://creativecommons.org/licenses/by-nd/4.0/">CC BY-ND</a></span>
</figcaption>
</figure>
<p>A skilled hacker could reverse-engineer a Morpheus machine in as little as a few hours, if given the chance. To counter this, Morpheus also changes the microarchitecture every few hundred milliseconds. Thus, not only do attackers have to reverse-engineer the microarchitecture, but they have to do it very fast. With Morpheus, a hacker is confronted with a computer that has never been seen before and will never be seen again.</p>
<h2>Why it matters</h2>
<p>To conduct a security exploit, hackers use vulnerabilities in software to get inside a device. Once inside, they <a href="https://theconversation.com/guarding-against-the-possible-spectre-in-every-machine-89825">graft their malware</a> onto the device. Malware is designed to infect the host device to steal sensitive data or spy on users.</p>
<p>The typical approach to computer security is to fix individual software vulnerabilities to keep hackers out. For these patch-based techniques to succeed, programmers must write perfect software without any bugs. But ask any programmer, and the idea of creating a perfect program is laughable. Bugs are everywhere, and security bugs are the most difficult to find because they don’t impair a program’s normal operation. </p>
<p>Morpheus takes a distinct approach to security by augmenting the underlying processor to prevent attackers from grafting malware onto the device. With this approach, Morpheus protects any vulnerable software that runs on it. </p>
<h2>What other research is being done</h2>
<p>For the longest time, processor designers considered security a problem for software programmers, since programmers made the software bugs that lead to security concerns. But recently computer designers have discovered that hardware can help protect software. </p>
<p>Academic efforts, such as <a href="https://www.cl.cam.ac.uk/research/security/ctsrd/cheri/">Capability Hardware Enhanced RISC Instructions</a> at the University of Cambridge, have demonstrated strong protection against memory bugs. Commercial efforts have begun as well, such as Intel’s soon-to-be-released <a href="https://newsroom.intel.com/editorials/intel-cet-answers-call-protect-common-malware-threats/">Control-flow Enforcement Technology</a>. </p>
<p>Morpheus takes a notably different approach of ignoring the bugs and instead randomizes its internal implementation to thwart exploitation of bugs. Fortunately, these are complementary techniques, and combining them will likely make systems even more difficult to attack.</p>
<h2>What’s next</h2>
<p>We are looking at how the fundamental design aspects of Morpheus can be applied to protect sensitive data on people’s devices and in the cloud. In addition to randomizing the implementation details of a system, how can we randomize data in a way that maintains privacy while not being a burden to software programmers?</p>
<p class="fine-print"><em><span>Todd Austin receives funding from DARPA, which supported the development of the Morpheus secure CPU through DARPA Contract HR0011-18-C-0019. He owns shares in Agita Labs, which is commercializing a derivative of the Morpheus technology. </span></em></p>
<p class="fine-print"><em><span>Lauren Biernacki receives funding from DARPA, which supported the development of the Morpheus secure CPU through DARPA Contract HR0011-18-C-0019.</span></em></p>
<p>Most computer security focuses on software, but computer processors are vulnerable to hackers, too. An experimental secure processor changes its underlying structure before hackers can figure it out.</p>
<p>Todd Austin, Professor of Electrical Engineering and Computer Science, University of Michigan; Lauren Biernacki, Ph.D. Candidate in Computer Science & Engineering, University of Michigan. Licensed as Creative Commons – attribution, no derivatives.</p>
<h1>Holding the news to ransom? What we know so far about the Channel 9 cyber attack</h1>
<p>Entry tag:theconversation.com,2011:article/158069, published 2021-03-30T05:06:49Z.</p>
<p>On Sunday afternoon, Channel 9 posted a cryptic tweet indicating it was under attack. The accompanying video acknowledged that the <a href="https://www.theguardian.com/media/2021/mar/28/targeted-attack-nine-network-investigating-claims-cyber-attack-stopped-tv-shows-being-broadcast">failure to run the Weekend Today show</a> that morning was attributed to a major cyber incident. </p>
<p><a href="https://www.theaustralian.com.au/business/technology-crash-hits-nine-sydney-broadcast/news-story/9f3ee9d7af074ef81130785c6091dc26">Reporting also confirmed</a> the situation had affected the network’s ability to “produce its news and current affairs content”.</p>
<p>Emails and editing systems were all impacted by the incident, in what was described as an unprecedented attack against a mainstream media organisation in Australia. In a <a href="https://www.9news.com.au/national/nine-network-hit-by-cyber-attack-threatening-news-services-nationwide/c653fe12-a5c4-4da8-9a33-b902f1325eed">follow-up article</a>, 9 News described the outage as a “sophisticated and calculated attack” that has “fundamentally disrupted how the network delivers and presents news”.</p>
<p>The disruption was so significant that many Channel 9 staff were instructed to work from home. They were also warned to avoid turning on or restarting computers until the problems were addressed.</p>
<figure class="align-center ">
<img alt="Screenshot from Channel 9 news clip" src="https://images.theconversation.com/files/392282/original/file-20210329-21-7az49i.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/392282/original/file-20210329-21-7az49i.png?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=329&fit=crop&dpr=1 600w, https://images.theconversation.com/files/392282/original/file-20210329-21-7az49i.png?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=329&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/392282/original/file-20210329-21-7az49i.png?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=329&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/392282/original/file-20210329-21-7az49i.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=413&fit=crop&dpr=1 754w, https://images.theconversation.com/files/392282/original/file-20210329-21-7az49i.png?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=413&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/392282/original/file-20210329-21-7az49i.png?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=413&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px">
<figcaption>
<span class="caption">Screenshot from Channel 9 news clip.</span>
<span class="attribution"><span class="source">Channel 9 news clip</span></span>
</figcaption>
</figure>
<p>As is often the case in the early stages of a major cyber incident, details are scarce, and it’s very hard to know who is behind it.</p>
<hr>
<p><em><strong>Read more: <a href="https://theconversation.com/australia-is-vulnerable-to-a-catastrophic-cyber-attack-but-the-coalition-has-a-poor-cyber-security-track-record-113470">Australia is vulnerable to a catastrophic cyber attack, but the Coalition has a poor cyber security track record</a></strong></em></p>
<hr>
<h2>What happened?</h2>
<p>There is no official statement of cause, but it is clear that <a href="https://www.afr.com/companies/media-and-marketing/suspected-cyberattack-hits-nine-20210328-p57epg">malware spread between devices at Channel 9’s Sydney headquarters</a>, leaving data and production systems inaccessible. </p>
<p>The speed with which the malware spread through the system may indicate a concerted effort to misuse Channel 9’s systems. Some experts have pointed to the possibility of <a href="https://www.smh.com.au/technology/nine-cyber-attack-has-all-the-hallmarks-of-ransomware-without-the-ransom-20210329-p57eum.html">fraudulent “IT updates” being sent out to users’ computers to spread the infection</a>. This suggests the attacker(s) may have had prolonged access to Channel 9’s systems before the events on Sunday.</p>
<p>Although live television broadcasts resumed quickly, it is likely that a full recovery behind the scenes will take considerably longer. It could potentially cost significant time and money to fix the existing problems and address the underlying vulnerabilities that allowed the attack to be so effective.</p>
<p>A Channel 9 spokesperson told The Conversation there was “no indication any data has been removed from our systems”, and said that despite the widespread public interest and speculation around the incident, the company would “not be making comments on the nature and motives of the attack”.</p>
<h2>How did it happen?</h2>
<p>Ransomware attacks often start with a phishing attack, in which large numbers of emails are sent to staff at an organisation.</p>
<p>These emails often replicate the look of a legitimate message, and can include seemingly privileged information (such as staff names and internal departments) in an attempt to appear genuine.</p>
<p>These emails aim to deceive individuals into clicking on a link or installing a file, perhaps by claiming this is a necessary patch to repair an issue with their computer.</p>
<p>Once installed, ransomware will typically encrypt important files or even entire systems, rendering them inaccessible. The malware will often target common file types such as Word documents, PDFs, spreadsheets or emails.</p>
<figure class="align-center ">
<img alt="Screenshot of WannaCry ransom demand." src="https://images.theconversation.com/files/392287/original/file-20210329-15-pzfsks.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/392287/original/file-20210329-15-pzfsks.png?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=449&fit=crop&dpr=1 600w, https://images.theconversation.com/files/392287/original/file-20210329-15-pzfsks.png?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=449&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/392287/original/file-20210329-15-pzfsks.png?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=449&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/392287/original/file-20210329-15-pzfsks.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=564&fit=crop&dpr=1 754w, https://images.theconversation.com/files/392287/original/file-20210329-15-pzfsks.png?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=564&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/392287/original/file-20210329-15-pzfsks.png?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=564&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px">
<figcaption>
<span class="caption">A ransom demand from the infamous WannaCry malware.</span>
<span class="attribution"><span class="source">Wikimedia</span></span>
</figcaption>
</figure>
<p>Many cyber-criminals have a financial motive, and will typically ask for a ransom in exchange for releasing the locked-out data. The “key” to unlock the data will usually be transmitted to a remote server and then deleted from the compromised system.</p>
<hr>
<p><em><strong>Read more: <a href="https://theconversation.com/ransomware-gangs-are-running-riot-paying-them-off-doesnt-help-155254">Ransomware gangs are running riot – paying them off doesn't help</a></strong></em></p>
<hr>
<p>Another possibility is cyber-sabotage by a foreign state actor. In this context, the attack may be meant as a statement, retribution, or have some other political motivation. In such cases, it is probable that the “key” used to encrypt data is discarded on creation, rather than kept as a bargaining chip. This is distinct from financial cyber-extortion, as the intent is to wreak havoc by permanently denying access to the resources (thus this malware is sometimes referred to as “wiperware”).</p>
<h2>Who is to blame?</h2>
<p>Although it is too early to definitively attribute blame, <a href="https://www.9news.com.au/national/nine-network-cyber-attack-likely-to-be-from-state-actor/776687f8-7ca6-42e1-af2e-3211247553d0">media reports have pointed to a foreign state actor</a>. This theory is bolstered by Nine’s statement that “ransomware was used but no ransom demanded”.</p>
<p>Previous state-sanctioned attacks have been attributed to a range of countries, including China, Iran and North Korea. But Russia is considered the most likely aggressor in this instance. </p>
<p>It has been <a href="https://www.smh.com.au/national/why-was-nine-hacked-and-how-do-cyber-attacks-actually-work-20210329-p57ewm.html">alleged</a> that this attack is a retaliation for Channel 9’s screening of an exposé on <a href="https://www.smh.com.au/world/europe/beware-the-tea-why-do-russians-keep-being-poisoned-20200827-p55poy.html">politically motivated poisonings</a> attributed to the Russian government.</p>
<h2>What next?</h2>
<p>Addressing these incidents requires a careful approach. Limiting the spread of the malware is crucial — hence the instruction to staff to avoid turning on devices. </p>
<p>It is also important to identify the specific vulnerability that was exploited, to prevent future outbreaks. If data have been deleted (or rendered permanently inaccessible), backups will need to be retrieved.</p>
<p>While the focus at the moment is on restoring access to systems, the company will also need to conduct a forensic examination of the attack, to ensure lessons are learned.</p>
<p>While Australian news outlets have often reported on previous cyber-attacks, this incident is a wake-up call that they are not immune from becoming targets themselves.</p>
<hr>
<p><em><strong>Read more: <a href="https://theconversation.com/the-solarwinds-hack-was-all-but-inevitable-why-national-cyber-defense-is-a-wicked-problem-and-what-can-be-done-about-it-153084">The SolarWinds hack was all but inevitable – why national cyber defense is a 'wicked' problem and what can be done about it</a></strong></em></p>
<hr>
<p class="fine-print"><em><span>Paul Haskell-Dowland does not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
<p>It’s still too early to say who attacked Channel Nine, disrupting its live broadcasts over the weekend. But fingers have been pointed at Russian state actors using a tactic nicknamed ‘wiperware’.</p>
<p>Paul Haskell-Dowland, Associate Dean (Computing and Security), Edith Cowan University. Licensed as Creative Commons – attribution, no derivatives.</p>
<h1>Ransomware can interfere with elections and fuel disinformation – basic cybersecurity precautions are key to minimizing the damage</h1>
<p>Entry tag:theconversation.com,2011:article/147531, published 2020-10-29T18:49:22Z.</p>
<figure><img src="https://images.theconversation.com/files/366273/original/file-20201028-13-111h5ve.jpg?ixlib=rb-1.1.0&rect=0%2C33%2C7348%2C4858&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">Ransomware attacks often strike local government computer systems, which poses a challenge for protecting elections.</span> <span class="attribution"><a class="source" href="https://www.gettyimages.com/detail/photo/woman-finding-computer-getting-virus-attack-royalty-free-image/847207652">PRImageFactory/iStock via Getty Images</a></span></figcaption></figure>
<p>Government computer systems in Hall County, Georgia, including a voter signature database, were <a href="https://www.cnn.com/2020/10/22/tech/ransomware-election-georgia/index.html">hit by a ransomware attack</a> earlier this fall in the first known ransomware attack on election infrastructure during the 2020 presidential election. Thankfully, county officials reported that the voting process for its citizens was not disrupted.</p>
<p>The attack follows on the heels of a <a href="https://www.nytimes.com/2020/10/03/technology/clinical-trials-ransomware-attack-drugmakers.html">ransomware attack last month on eResearchTechnology</a>, a company that provides software used in clinical trials, including trials for COVID-19 tests, treatments and vaccines. Less than a week after the attack in Georgia was revealed, the <a href="https://apnews.com/article/politics-crime-elections-presidential-elections-548634f03e71a830811d291401651610">FBI warned</a> that cyber criminals have unleashed a wave of ransomware attacks targeting hospital information systems.</p>
<p>Attacks like these underscore the challenges that cybersecurity experts face daily – and which loom over the upcoming election. As a <a href="https://cybersecurity.umbc.edu/richard-forno/">cybersecurity professional and researcher</a>, I can attest that there is no silver bullet for defeating cyber threats like ransomware. Rather, defending against them comes down to the actions of thousands of IT staff and millions of computer users in organizations large and small across the country by embracing and applying the basic good computing practices and IT procedures that have been promoted for years.</p>
<h2>What is ransomware?</h2>
<p>Ransomware is a form of malicious software, or malware, that typically encrypts a victim’s computer files, holds the files hostage and then demands a payment to send the decryption key that unlocks the files. Individual ransomware payments usually range from a few hundred to a few thousand dollars, with the expectation that a relatively low dollar amount will motivate the victim to quickly pay the attacker to end the incident. </p>
<p>Ransomware attacks frequently begin through email as a typical <a href="https://www.csoonline.com/article/2117843/what-is-phishing-how-this-cyber-attack-works-and-how-to-prevent-it.html">phishing</a> message purporting to be from someone the potential victim trusts, such as a co-worker or friend. However, emerging types of ransomware exploit existing or recently discovered security vulnerabilities – in other words, they hack in – <a href="https://arstechnica.com/information-technology/2020/10/dhs-warns-that-emotet-malware-is-one-of-the-most-prevalent-threats-today/">to gain system access</a> without requiring any user interaction at all.</p>
<p>Once a computer system is compromised, there are many things a ransomware attack can do. But the most common outcome is encrypting a user’s data to hold it for a ransom payment. In other cases, ransomware encrypts a victim’s data and the ransomware’s creator threatens to release personal or sensitive information onto the internet unless the ransom is paid. </p>
<figure class="align-center ">
<img alt="Computer screen showing ransomware demand" src="https://images.theconversation.com/files/366260/original/file-20201028-15-17rhadh.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/366260/original/file-20201028-15-17rhadh.png?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=449&fit=crop&dpr=1 600w, https://images.theconversation.com/files/366260/original/file-20201028-15-17rhadh.png?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=449&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/366260/original/file-20201028-15-17rhadh.png?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=449&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/366260/original/file-20201028-15-17rhadh.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=565&fit=crop&dpr=1 754w, https://images.theconversation.com/files/366260/original/file-20201028-15-17rhadh.png?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=565&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/366260/original/file-20201028-15-17rhadh.png?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=565&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px">
<figcaption>
<span class="caption">A typical ransomware attack seizes control of a victim’s computer files and holds them for ransom.</span>
<span class="attribution"><a class="source" href="https://commons.wikimedia.org/wiki/File:%EA%B0%90%EC%97%BC%EC%82%AC%EC%A7%84.png">So5146/Wikimedia</a>, <a class="license" href="http://creativecommons.org/licenses/by-sa/4.0/">CC BY-SA</a></span>
</figcaption>
</figure>
<p>While ransomware attacks can affect any internet user or organization, attackers tend to target entities known for having less-robust cybersecurity defenses, including <a href="https://enterprise.verizon.com/resources/reports/dbir/">hospitals, health systems and state or local government computers</a>. But health care remains an enticing ransomware target: In 2019, <a href="https://healthitsecurity.com/news/ransomware-attacks-on-healthcare-providers-rose-350-in-q4-2019">759 health care providers</a> in the U.S. were hit. Overall, ransomware attacks cost users and companies <a href="https://www.technologyreview.com/2020/01/02/131035/ransomware-may-have-cost-the-us-more-than-75-billion-in-2019/">over US$7 billion</a> in 2019 as a result of either ransoms paid or through costs incurred in recovering from attacks.</p>
<h2>Ransomware’s toll</h2>
<p>The first high-profile ransomware incident was launched by North Korea in 2017. Using malware called “<a href="https://www.csoonline.com/article/3227906/what-is-wannacry-ransomware-how-does-it-infect-and-who-was-responsible.html">WannaCry</a>,” the attackers brought the British National Health Service to a paralyzing halt. Hospitals lost access to their computer systems and routine and emergency care was disrupted. But that was a preview of things to come: In 2020, <a href="https://www.nytimes.com/2020/09/18/world/europe/cyber-attack-germany-ransomeware-death.html">a patient in Germany died</a> after being diverted to another hospital due to a ransomware incident.</p>
<p>In 2020, during the COVID-19 pandemic, a ransomware attack <a href="https://www.wired.com/story/universal-health-services-ransomware-attack/">crippled over 250 medical facilities</a> run by American-based Universal Health Services. At eResearchTechnology, staff conducting COVID-19 clinical trials were <a href="https://www.nytimes.com/2020/10/03/technology/clinical-trials-ransomware-attack-drugmakers.html">locked out of their data</a> and unable to conduct business for nearly two weeks.</p>
<p>And it’s not just health care organizations. The city of Atlanta was <a href="https://www.wired.com/story/atlanta-spent-26m-recover-from-ransomware-scare/">crippled</a> by ransomware in 2018. Baltimore was similarly <a href="https://theconversation.com/hackers-seek-ransoms-from-baltimore-and-communities-across-the-us-118089">paralyzed</a> in 2019. In both cases, city services – from tax collection and business licensing to real estate transactions – were unavailable to citizens. Numerous smaller cities around the world also have been affected by ransomware attacks.</p>
<p>However, even organizations with good IT policies and procedures find it extremely <a href="https://www.baltimoresun.com/politics/bs-md-ci-ransomware-expenses-20190828-njgznd7dsfaxbbaglnvnbkgjhe-story.html">costly</a> to investigate and recover from ransomware attacks, whether or not they pay the ransom. For example, an organization’s routine data backup can also inadvertently include ransomware code. This means victims need to ensure <a href="https://www.infosecurity-magazine.com/opinions/keeping-backups-ransomware/">they are not restoring the ransomware infection</a> when they reconstruct their systems after an attack. Depending on the victim’s backup procedures, locating a ransomware-free backup can be a very time-consuming process.</p>
<h2>Ransomware and election 2020</h2>
<p>The 2016 elections underscored the importance of ensuring the security and integrity of information related to government operations, including elections. Unfortunately, for many state and local governments, ransomware concerns are just another in a <a href="https://cybersecurity.umbc.edu/cybersecurity-for-local-governments/">long line of issues</a> that cybersecurity teams must contend with during periods of limited budgets and staffing.</p>
<p>Much has already been <a href="https://theconversation.com/how-vulnerable-to-hacking-is-the-us-election-cyber-infrastructure-63241">written</a> about the vulnerable and fragile state of America’s election systems, from obsolete operating systems installed on voting machines, to insecure networks and systems that exchange and store vote tabulations, to the protection of voter registration databases.</p>
<p>Making this situation more challenging is that many local governments don’t know what’s happening on their networks. A <a href="https://doi.org/10.1111/puar.13028">nationwide survey</a> conducted by University of Maryland, Baltimore County researchers in 2016 reported that nearly 30% of local government officials would not know if a cyberattack was affecting them. This lack of awareness means an attack could be well underway and causing havoc before security teams realize it – let alone respond.</p>
<figure class="align-center zoomable">
<a href="https://images.theconversation.com/files/366266/original/file-20201028-15-17rdomk.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="voters fill out ballots during early voting in Cleveland, Ohio on October 6, 2020" src="https://images.theconversation.com/files/366266/original/file-20201028-15-17rdomk.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/366266/original/file-20201028-15-17rdomk.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=400&fit=crop&dpr=1 600w, https://images.theconversation.com/files/366266/original/file-20201028-15-17rdomk.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=400&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/366266/original/file-20201028-15-17rdomk.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=400&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/366266/original/file-20201028-15-17rdomk.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=503&fit=crop&dpr=1 754w, https://images.theconversation.com/files/366266/original/file-20201028-15-17rdomk.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=503&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/366266/original/file-20201028-15-17rdomk.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=503&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">Voting is vulnerable to cyberattacks at several points, from voter registration rolls to voter signature databases and computers that tabulate votes.</span>
<span class="attribution"><a class="source" href="https://newsroom.ap.org/detail/ElectionSecurityTrump/cb65c952390c43ddbaaa435640d87e8c/photo">AP Photo/Tony Dejak</a></span>
</figcaption>
</figure>
<p>Despite a growing awareness of the threat, ransomware has the potential to adversely affect the 2020 election. Unfortunately, if state and local election offices haven’t implemented strong cybersecurity protections by now, it’s probably too late to do anything meaningful given that voting is well underway. So it’s no surprise that election offices across America are considering <a href="https://slate.com/news-and-politics/2020/08/election-nightmares-experts.html">potential nightmare scenarios</a> that include cyberattacks that might disrupt election activities.</p>
<h2>Fuel for disinformation</h2>
<p>Elections are based on trust – trust in the voting mechanisms and procedures, trust in the voting data and trust in the overall electoral process. But trust in all these items is under <a href="https://theconversation.com/weaponized-information-seeks-a-new-target-in-cyberspace-users-minds-100069">active attack</a> by adversaries both <a href="https://www.npr.org/2020/09/28/917757932/trumps-baseless-attacks-on-election-integrity-bolstered-by-disinformation-online">at home</a> and <a href="https://www.washingtonpost.com/national-security/us-defends-russian-election-interference/2020/10/21/533b508a-130a-11eb-bc10-40b25382f1be_story.html">from abroad</a> using a variety of <a href="https://www.sciencemag.org/news/2020/10/us-election-nears-researchers-are-following-trail-fake-news">influence and disinformation techniques</a> that have become more <a href="https://www.insidehook.com/article/politics/how-election-hacks-work-according-cybersecurity-expert">refined</a> since 2016.</p>
<p>Thankfully, ransomware attacks are unlikely to cripple the entire U.S. election given the <a href="https://abcnews.go.com/Politics/election-cybersecurity-decentralized-system-viewed-blessing-curse/story?id=58877082">decentralized nature</a> of voting jurisdictions and systems. However, even a few successful attacks could <a href="https://www.technologyreview.com/2020/10/15/1010551/election-ransomware-disinformation/">contribute to disinformation campaigns</a> that erode confidence in the outcome of the election.</p>
<h2>How to lower the risk</h2>
<p>At this point, since the election is already happening, state and local governments should increase the monitoring of their computer systems and implement even more stringent security controls on any devices or computers that might touch election-related networks in any way. Sharing real-time information about threats and working with the DHS, FBI and Office of the Director of National Intelligence election security teams, along with other states’ election offices, also will help keep election officials informed. Additionally, <a href="https://www.washingtonpost.com/technology/2020/10/12/microsoft-trickbot-ransomware/">major technology vendors</a> and the <a href="https://www.washingtonpost.com/national-security/cyber-command-trickbot-disrupt/2020/10/09/19587aae-0a32-11eb-a166-dc429b380d10_story.html">U.S. military</a> are taking active steps to disrupt cybersecurity threats, including ransomware, that may target the electoral process. </p>
<figure class="align-center ">
<img alt="A woman walks in front of the Microsoft stand " src="https://images.theconversation.com/files/366257/original/file-20201028-21-jb0kcm.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/366257/original/file-20201028-21-jb0kcm.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=296&fit=crop&dpr=1 600w, https://images.theconversation.com/files/366257/original/file-20201028-21-jb0kcm.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=296&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/366257/original/file-20201028-21-jb0kcm.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=296&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/366257/original/file-20201028-21-jb0kcm.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=372&fit=crop&dpr=1 754w, https://images.theconversation.com/files/366257/original/file-20201028-21-jb0kcm.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=372&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/366257/original/file-20201028-21-jb0kcm.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=372&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px">
<figcaption>
<span class="caption">Microsoft took legal action this month to disrupt a major botnet, a cybercrime digital network that used more than 1 million zombie computers to spread ransomware.</span>
<span class="attribution"><a class="source" href="https://newsroom.ap.org/detail/Cybersecurity-TrickbotBotnet/c39a2d954b584e9888083bba54751d7d/photo">AP Photo/Michel Spingler</a></span>
</figcaption>
</figure>
<p>As with most cybersecurity problems, the ransomware threat can be minimized by implementing common-sense best practices – many of which have been <a href="https://theconversation.com/overcoming-cyber-fatigue-requires-users-to-step-up-for-security-70621">recommended for decades</a> but often are not followed. These include keeping systems up to date, ensuring security software is installed and current, monitoring network activities and implementing appropriate IT policies and procedures, including resilient backup practices. For individual users, thinking before clicking an email link – even from people you know – is excellent self-defense that makes many ransomware or phishing attacks less likely to succeed.</p>
<p>None of these practices is specific to the ransomware threat or election security. But for this and other cyber threats, the best thing to do is to keep implementing and enforcing those common-sense, decades-old best practices of information protection, which can help guard against the ever-widening range of cyberthreats – including ransomware.</p>
<p class="fine-print"><em><span>Richard Forno has received research funding related to cybersecurity from the National Science Foundation (NSF) and the Department of Defense (DOD) during his academic career, and sits on the advisory board of BlindHash, a cybersecurity startup focusing on remedying the password problem.</span></em></p>
<p>A ransomware attack on election-related government computers in a Georgia county raises the specter of more disruptions for Election Day voting and vote tabulation.</p>
<p>Richard Forno, Senior Lecturer, Cybersecurity & internet researcher, University of Maryland, Baltimore County. Licensed as Creative Commons – attribution, no derivatives.</p>
<p>tag:theconversation.com,2011:article/147018 (2020-09-30T04:37:28Z)</p>
<p>Airports, ATMs, hospitals: Microsoft Windows XP leak would be less of an issue, if so many didn’t use it</p>
<figure><img src="https://images.theconversation.com/files/360679/original/file-20200930-24-cu2eex.jpg?ixlib=rb-1.1.0&rect=0%2C0%2C5590%2C3640&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption"></span> <span class="attribution"><span class="source">Shutterstock</span></span></figcaption></figure>
<p>The source code of the Windows XP operating system is now circulating online as a huge <a href="https://www.pcgamesn.com/microsoft/windows-xp-source-code-leak">43GB mega-dump</a>.</p>
<p>Although the software is nearly two decades old, it’s still used by people, businesses and organisations around the world. This source code leak leaves it open to being scoured for bugs and weaknesses hackers can exploit.</p>
<p>The leaked torrent files, published on the bulletin board website 4chan, include the source code for Windows XP Service Pack 1, Windows Server 2003, MS DOS 3.30, MS DOS 6.0, Windows 2000, Windows CE 3, Windows CE 4, Windows CE 5, Windows Embedded 7, Windows Embedded CE, Windows NT 3.5 and Windows NT 4.</p>
<p>Tech news site The Verge <a href="https://www.theverge.com/2020/9/25/21455655/microsoft-windows-xp-source-code-leak">claims</a> to have verified the material. And Microsoft said it was “investigating the matter”, <a href="https://www.thurrott.com/windows/241670/microsoft-is-investigating-windows-xp-source-code-leak">according to reports</a>. </p>
<p>The leak came with files containing bizarre misinformation related to Microsoft founder Bill Gates and various conspiracy theories. This is consistent with past leaks from <a href="https://www.mygc.com.au/university-of-tasmania-issue-security-alert-following-threat/">4chan</a>, a site often associated with extremist content and internet trolls. </p>
<p>Using the name “billgates3”, the leaker <a href="https://thehackernews.com/2020/09/windows-xp-source-code.html">reportedly</a> said: </p>
<blockquote>
<p>I created this torrent for the community, as I believe information should be free and available to everyone and hoarding information for oneself and keeping it secret is an evil act in my opinion.</p>
</blockquote>
<p>If the leak is genuine, this won’t be the first time source code for a Microsoft operating system has been released online. At least 1GB of Windows 10 source code was leaked <a href="https://www.theverge.com/2017/6/24/15867350/microsoft-windows-10-source-code-leak">a few years ago</a>, too.</p>
<h2>Vulnerabilities in the source code</h2>
<p>The source code is the “source” of a program. It’s essentially the list of instructions a computer programmer writes when they develop a program, which can then be understood by other programmers. </p>
<p>Leaked source code can make it easier for cyber criminals to find and exploit weaknesses and serious security flaws (such as bugs) in a program. It also makes it easier for them to craft <a href="https://support.microsoft.com/en-au/help/129972/how-to-prevent-and-remove-viruses-and-other-malware">malware</a> (software designed to cause harm).</p>
<p>One example would be “rogue” security software trying to make you think your computer is infected by a virus and prompting you to download, or buy, a product to “remove” it. Instead, the download or purchase introduces a virus to your computer.</p>
<p>According to a report from computer security company F-Secure, on average it takes about <a href="https://www.thenational.ae/arts-culture/microsoft-has-ended-its-support-for-windows-7-so-what-does-it-mean-for-users-1.964362">20 minutes for a Windows XP machine to be hacked</a> once it’s connected to the internet.</p>
<h2>Is Windows XP still supported?</h2>
<p>Windows XP <a href="https://www.microsoft.com/en-us/microsoft-365/windows/end-of-windows-xp-support">hasn’t had</a> “official” support from Microsoft since 2014. This means there are currently no security updates or technical support options available for users of the operating system. </p>
<p>However, until as recently as <a href="https://www.wired.com/story/microsoft-windows-xp-patch-very-bad-sign/">last year</a>, Microsoft continued to release security fixes and virus preventive measures for it. </p>
<p>The most notable was an <a href="https://www.theverge.com/2017/5/13/15635006/microsoft-windows-xp-security-patch-wannacry-ransomware-attack">emergency patch</a> released in 2017, to prevent a repeat of the massive WannaCry ransomware attack. This malware affected 75,000 computers in 99 countries – <a href="https://www.wsj.com/articles/english-hospitals-hit-by-suspected-cyberattack-1494603884">impacting</a> hospitals, Telefonica, FedEx and other major businesses.</p>
<p>Windows XP is <a href="https://www.forbes.com/sites/ajdellinger/2019/07/31/survey-finds-one-in-three-businesses-still-run-windows-xp/#5dfdb66357fc">still used</a> by people, <a href="https://japantoday.com/category/tech/skymark-airlines-still-using-windows-xp">airlines</a>, <a href="https://www.theregister.com/2018/06/25/indian_banks_on_notice_windows_xp_must_die/">banks</a>, organisations and in industrial environments the world over.</p>
<p>In 2016, the network which runs the Royal Melbourne Hospital, Melbourne Health, <a href="https://www.theage.com.au/national/victoria/royal-melbourne-hospital-attacked-by-damaging-computer-virus-20160118-gm8m3v.html">was infected</a> with a virus targeting computers using Windows XP. The attack forced staff to temporarily manually process blood, tissue and urine samples.</p>
<p>Online, users have posted photos of Windows XP being used at places such as Singapore’s <a href="https://twitter.com/Mami_AtTheDisco/status/1235467882307268609">Changi Airport</a>, Heathrow Airport and Zeventem Brussels Airport.</p>
<p>Although the exact figure isn’t known, <a href="https://www.techradar.com/au/news/if-you-can-believe-it-millions-of-people-are-still-using-windows-xp">one estimate</a> suggests the operating system was running on 1.26% of all laptops and desktops, as of last month.</p>
<h2>Is there still incentive for hackers to target Windows XP?</h2>
<p>The availability of the Windows XP source code opens access for cyber criminals to search for “<a href="https://securityaffairs.co/wordpress/108762/data-breach/windows-xp-server-2003-code-leaked.html">zero-day threats</a>” in the code that could be exploited. </p>
<p>These are discovered flaws in software, hardware or firmware that are unknown to the parties responsible for patching or “fixing” them – in this case, Microsoft.</p>
<p>Zero-day threats are often found in older ATMs, for example, because these run an embedded version of Windows XP with limited connectivity and so can’t be patch-managed remotely.</p>
<p>To upgrade in such cases, a bank’s IT professionals would have to visit the machines one by one, branch by branch, to <a href="https://hackernoon.com/do-atms-running-windows-xp-pose-a-security-risk-you-can-bank-on-it-1b7817902d61">apply security patches for the embedded systems</a>. One report suggests hackers can break through the defences and security features of these older style ATMs within <a href="https://www.itproportal.com/news/security-firms-warn-that-most-atms-still-run-windows-xp/">10-15 minutes</a>. </p>
<p>There’s no easy way to confirm whether ATMs in Australia are still running this 19-year-old software, but <a href="https://www.techradar.com/au/news/atm-security-still-running-windows-xp">past</a> <a href="https://www.zdnet.com/article/is-running-windows-xp-on-atms-stupid/">reports</a> indicate this could be the case. <em>The Conversation</em> has reached out to certain parties to obtain this information and is awaiting a response. </p>
<h2>Possible defences</h2>
<p>Windows XP was left to its own defences back in 2014 when Microsoft stopped mainstream support for the operating system.</p>
<p>But as one of Microsoft’s <a href="https://screenrant.com/microsoft-windows-xp-source-code-leak-matters/">most widely-used operating systems</a>, it’s still being run and could be around for many <a href="https://windowsreport.com/keep-using-windows-xp/">years to come</a>.</p>
<p><a href="https://support.microsoft.com/en-us/help/14223/windows-xp-end-of-support">According to Microsoft Support</a>, since Windows XP is no longer supported, computers running it “will not be secure and will still be at <a href="https://www.abc.net.au/news/2019-07-08/microsoft-windows-vulnerability-bluekeep-and-cyber-security-risk/11277270">risk for infection</a>”.</p>
<p>Any antivirus software has limited effectiveness on computers that don’t have the latest security updates, and the number of unpatched holes in the software only grows the longer machines are left without updates.</p>
<p>Luckily, most organisations have strategies (requiring money and human resources) to manage large-scale upgrades and isolate their most critical systems.</p>
<p>If your computers are still running on the extremely <a href="https://www.cio.com/article/2371858/windows-xp-turns-10--what-tech-was-like-in-2001.html">outdated Windows XP operating system</a>, you too should migrate to a more modern one. No one can force you, but it’s certainly a good idea.</p>
<p class="fine-print"><em><span>The authors do not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and have disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
<p>The outdated Microsoft operating system was recently dumped online in a huge leak. Hackers can now scour it for bugs to exploit.</p>
<p>Brianna O'Shea, Lecturer, Ethical Hacking and Defense, Edith Cowan University; Paul Haskell-Dowland, Associate Dean (Computing and Security), Edith Cowan University. Licensed as Creative Commons – attribution, no derivatives.</p>
<p>tag:theconversation.com,2011:article/146055 (2020-09-14T11:52:33Z)</p>
<p>Defending the 2020 election against hacking: 5 questions answered</p>
<figure><img src="https://images.theconversation.com/files/357726/original/file-20200911-20-1200tfr.jpg?ixlib=rb-1.1.0&rect=46%2C0%2C5184%2C3453&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">Vote count machines are just one target of hackers looking to disrupt US elections.</span> <span class="attribution"><a class="source" href="https://newsroom.ap.org/detail/AmericaVotes/512f213da588491797e38759e2917f52/photo?boardId=6576eeb175bb4623a6e17828de4a73e8&st=boards&mediaType=audio,photo,video,graphic&sortBy=&dateRange=Anytime&totalCount=4&currentItemNo=2">AP Photo/Ben Margot</a></span></figcaption></figure>
<p><em>Editor’s note: Journalist Bob Woodward reports in his new book, “<a href="https://www.simonandschuster.com/books/Rage/Bob-Woodward/9781982131739">Rage</a>,” that the NSA and CIA have classified evidence that the <a href="https://www.cnn.com/2020/09/09/politics/bob-woodward-rage-book-trump-coronavirus/index.html">Russian intelligence services placed malware in the election registration systems</a> of at least two Florida counties in 2016, and that the malware was sophisticated and could erase voters. This appears to confirm <a href="https://www.nytimes.com/2019/04/26/us/florida-russia-hacking-election.html">earlier reports</a>. Meanwhile, Russian intelligence agents and other foreign players are already at work <a href="https://www.technologyreview.com/2020/09/10/1008297/the-russian-hackers-who-interfered-in-2016-were-spotted-targeting-the-2020-us-election/">interfering in the 2020 presidential election</a>. Douglas W. Jones, Associate Professor of Computer Science at the University of Iowa and coauthor of the book “<a href="https://press.uchicago.edu/ucp/books/book/distributed/B/bo13383590.html">Broken Ballots: Will Your Vote Count?</a>,” describes the vulnerabilities of the U.S. election system in light of this news.</em></p>
<h2>1. Though Woodward reports there was no evidence the election registration system malware had been activated, this sounds scary. Should people be worried?</h2>
<p>Yes, we should be worried. Four years ago, Russia managed to penetrate systems in several states but there’s no evidence that they “pulled the trigger” to take advantage of their penetration. One possibility is that they simply saw no need, having successfully “hacked the electorate” by damaging Hillary Clinton’s candidacy through <a href="https://www.reuters.com/article/us-usa-trump-russia-senate/senate-committee-concludes-russia-used-manafort-wikileaks-to-boost-trump-in-2016-idUSKCN25E1US">selective dumps of hacked documents on Wikileaks</a>. </p>
<p>We know that VR Systems, a contractor that worked for several Florida counties, <a href="https://www.politico.com/news/magazine/2019/12/26/did-russia-really-hack-2016-election-088171">was hacked</a>, and we know that there were <a href="https://www.newsobserver.com/news/politics-government/article231199243.html">serious problems in Durham County, North Carolina,</a> during the 2016 election, including software glitches that caused poll workers to turn away voters during parts of Election Day. Durham county was also <a href="https://www.washingtonpost.com/investigations/federal-investigators-to-examine-equipment-from-2016-north-carolina-election-amid-renewed-fears-of-russian-hacking/2019/06/05/b70402e6-7816-11e9-b7ae-390de4259661_story.html">a VR Systems customer</a>. </p>
<p>I know of no post-election investigation of the problems in Durham County that was conducted with sufficient depth to assure me that Russia was not involved. It remains possible that they did pull the trigger on that county, but it is also possible that the problems there were entirely the result of “normal incompetence.”</p>
<h2>2. How does this change what we knew previously about Russian efforts to hack U.S. election systems?</h2>
<p>The specific counties compromised in Florida were never officially revealed. Previous leaks indicated that Washington County was one of them. Now we know that St. Lucie was the other. </p>
<p>Furthermore, previous reports mostly said that the systems had been penetrated. Woodward is saying that malware was installed on these machines. I am not sure whether I should interpret his use of terms in their narrow technical sense, but there is a significant difference between penetration, as in “they got the password to your system, broke in and looked around,” and installing malware, as in “they got in and made technical changes to the operation of your system.” </p>
<p>The latter is far more serious because voters could have been removed from registration rolls and therefore prevented from casting ballots, and that’s what I gather Woodward is describing.</p>
<h2>3. How have attempts to hack U.S. election systems changed since 2016?</h2>
<p>I do not have inside knowledge of what’s going on now, but my impression is that the Russians are getting more subtle. The basic Russian tactics of four years ago were only moderately subtle. Dumping all the stolen Democratic National Committee files on Wikileaks wasn’t subtle, but some of the narrowcasting of <a href="https://www.nytimes.com/2020/09/01/technology/facebook-russia-disinformation-election.html">targeted misinformation on social media</a> was brilliant, if utterly evil. For example, using Facebook, Russian propagandists were able to <a href="https://www.wired.com/story/russian-facebook-ads-targeted-us-voters-before-2016-election/">target prospective voters in swing states</a> with disinformation tailored for them.</p>
<p>My impression is that they’re getting better at disinformation campaigns. I think it’s safe to assume that they’re also getting better at digging into the actual machinery of elections.</p>
<h2>4. Have efforts to defend U.S. election systems against hackers improved?</h2>
<p>On the social media front, there has certainly been improvement. The obvious “<a href="https://theconversation.com/how-fake-accounts-constantly-manipulate-what-you-see-on-social-media-and-what-you-can-do-about-it-139610">sock puppet farms</a>,” large numbers of fake accounts controlled by a single entity, that Russia was running on U.S. social media are far more difficult to run these days because of the way the social media companies are cracking down. What I fear is that the country is defending against the attacks of four years ago while not really knowing about the attacks of today.</p>
<figure class="align-center ">
<img alt="A mail-in election ballot partially obscured by its envelope" src="https://images.theconversation.com/files/357733/original/file-20200911-24-y04nty.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/357733/original/file-20200911-24-y04nty.png?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=356&fit=crop&dpr=1 600w, https://images.theconversation.com/files/357733/original/file-20200911-24-y04nty.png?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=356&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/357733/original/file-20200911-24-y04nty.png?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=356&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/357733/original/file-20200911-24-y04nty.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=447&fit=crop&dpr=1 754w, https://images.theconversation.com/files/357733/original/file-20200911-24-y04nty.png?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=447&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/357733/original/file-20200911-24-y04nty.png?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=447&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px">
<figcaption>
<span class="caption">The COVID-19 pandemic is expected to lead to a large increase in mail-in ballots like this 2020 primary election ballot in Philadelphia.</span>
<span class="attribution"><a class="source" href="https://www.flickr.com/photos/wcn247/49946333537/">WCN 24/7/Flickr</a>, <a class="license" href="http://creativecommons.org/licenses/by-nc-nd/4.0/">CC BY-NC-ND</a></span>
</figcaption>
</figure>
<p>In the world of actual election machinery, the U.S. has made a little progress, but COVID-19 has thrown a monkey wrench in the system, <a href="https://theconversation.com/mail-in-votings-potential-problems-only-begin-at-the-post-office-an-underfunded-underprepared-decentralized-system-could-be-trouble-143798">forcing a massive shift to postal ballots</a> in states that permit this. That means that attacks on polling-place machinery will be generally less effective than in the past, while attacks on county election offices remain a real threat.</p>
<h2>5. What keeps you awake at night going into the 2020 presidential election?</h2>
<p>Oh dear. The list is long. Everything from crazies on the loony fringe of American politics shooting at each other in response to election results they don’t like, to people living in such closed media bubbles that we are effectively two different cultures living next door to each other while believing entirely different things about the world we live in. </p>
<p>Between those extremes, consider the possibility of results appearing to be reversed after polls have closed. If there is a demographic split between the vote-in-person crowd and the vote-by-mail crowd, election night results could go one way, while in states like Iowa, where postal <a href="https://sos.iowa.gov/elections/electioninfo/absenteemail.html">ballots received six days after the election get counted</a> if there is proof they were mailed on time, the final results could go another way. </p>
<p>Then, add in the possibility of hacked central tabulating software in key counties, and there’s plenty to lose sleep over.</p>
<p class="fine-print"><em><span>Douglas W. Jones has received funding from the National Science Foundation for his work on voting technology; he is a member of the Democratic Party; he serves on the Board of Advisors of Verified Voting; and he is a member of the ACLU.</span></em></p>
<p>Russian agents reportedly placed malware in U.S. voter registration systems in 2016 and are actively interfering in the 2020 election. Here’s the state of election cybersecurity.</p>
<p>Douglas W. Jones, Associate Professor of Computer Science, University of Iowa. Licensed as Creative Commons – attribution, no derivatives.</p>
<p>tag:theconversation.com,2011:article/122860 (2019-09-04T19:52:46Z)</p>
<p>Apple iPhones could have been hacked for years – here’s what to do about it</p>
<p>For many years, the Apple iPhone has been considered one of the most secure smart phones available. But despite this reputation, security issues that might affect millions of users came to light last week, when <a href="https://www.gizmodo.com.au/2019/08/google-hackers-reveal-websites-hacked-thousands-of-iphone-users-silently-for-years/">researchers at Google</a> revealed they had discovered websites that can infect iPhones, iPads, and iPods with dangerous software.</p>
<p>Simply visiting one of these websites is enough to infect your device with malicious software, allowing a high level of access to the device. Worryingly, it seems these vulnerabilities have been “in the wild” (that is, actively used by cyber-criminals) for around two years. </p>
<p>As there is no visible sign of infection on the device, it is likely users are completely unaware of the risks they’re facing.</p>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/dont-click-that-link-how-criminals-access-your-digital-devices-and-what-happens-when-they-do-109802">Don't click that link! How criminals access your digital devices and what happens when they do</a>
</strong>
</em>
</p>
<hr>
<p>The vulnerabilities being exploited are present on devices running recent (but not the most recent) versions of Apple’s iOS operating system — specifically, iOS 10 through to early versions of iOS 12. Every device running the vulnerable versions of iOS is a potential target for these websites.</p>
<p>Devices are infected via several methods, using <a href="https://www.gizmodo.com.au/2019/08/google-hackers-reveal-websites-hacked-thousands-of-iphone-users-silently-for-years/">14 different security flaws</a> — an unusual number of ways to compromise a device. Worse, seven of the flaws involve Safari, the default web browser for many of these devices (and web browsing is a common activity for many users). </p>
<p>It’s not all bad news though. After Google reported the issues to Apple earlier this year, the vulnerabilities were promptly patched with the latest release of iOS (12.4.1). </p>
<p>Any user updating their device to the latest version of iOS should be protected against this attack. The easiest way to do it is to go to Settings > General > Software Update on your phone and then follow the prompts.</p>
<h2>What happens when you visit an infected site?</h2>
<p>As soon as you open the web page, <a href="https://www.bbc.com/news/technology-49520355">malicious software is installed on the device</a>. This software has the potential to access location data and information stored by various apps (such as iMessage, WhatsApp, and Google Hangouts). </p>
<p>This information can be transmitted to a remote location and potentially misused by an attacker. The information extracted can include messages that are otherwise protected when sent and received by the user, removing the protection offered through encryption. Hackers can also potentially access private files stored on the device, including photos, emails, contact lists, and sensitive information such as WiFi passwords. </p>
<p>All of this data has value and can be <a href="https://www.trendmicro.com/vinfo/us/security/special-report/cybercriminal-underground-economy-series/global-black-market-for-stolen-data/">sold on the Internet to other cyber-criminals</a>.</p>
<p><a href="https://blog.malwarebytes.com/mac/2019/08/unprecedented-new-iphone-malware-discovered/">According to antivirus firm Malwarebytes</a>, the malicious software is removed when the infected device is restarted. While this limits the amount of time that the device is compromised, the user risks being reinfected the next time they visit the same website (if still using a vulnerable version of iOS). </p>
<p>The list of websites involved has not yet been made publicly available, so users have no means to protect themselves other than by updating their device’s operating system. But we do know the number of visitors to these sites is estimated in the <a href="https://googleprojectzero.blogspot.com/2019/08/a-very-deep-dive-into-ios-exploit.html">thousands per week</a>.</p>
<h2>Are Apple devices no longer secure?</h2>
<p>High-profile attacks on these devices might dispel the myth that Apple devices are not susceptible to serious security breaches. However, Apple does have a bug-bounty program that offers a <a href="https://www.businessinsider.com.au/apple-offers-1-million-bug-bounty-reward-for-hacking-iphone-2019-8">US$1 million reward</a> to users who report problems that help to identify security flaws. </p>
<p>But considering the impact of this incident, it’s obvious someone out there is making considerable efforts to target Apple devices. While the tech giant regularly updates its software, there have been recent incidents in which <a href="https://techcrunch.com/2019/08/26/apple-security-fix-jailbreak/">previously fixed security flaws were reintroduced</a>. This highlights the complexity of these devices and the challenge of maintaining a secure platform.</p>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/everyone-falls-for-fake-emails-lessons-from-cybersecurity-summer-school-81389">Everyone falls for fake emails: lessons from cybersecurity summer school</a>
</strong>
</em>
</p>
<hr>
<p>The most important lesson for Apple’s millions of users is to ensure you keep up to date with the latest patches and fixes. Simply installing the latest iOS update is sufficient to remove the threats caused by this vulnerability. </p>
<p>If you’re concerned your details may have been stolen, changing passwords and checking your credit card and bank account statements are also important steps to take.</p>
<p class="fine-print"><em><span>The authors do not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and have disclosed no relevant affiliations beyond their academic appointment.</span></em></p>The news that malware can invade iPhones and other Apple devices via the Safari web browser has damaged Apple’s reputation for security. But you can fix the problem by updating your phone’s software.Leslie Sikos, Lecturer, Edith Cowan UniversityPaul Haskell-Dowland, Associate Dean (Computing and Security), Edith Cowan UniversityLicensed as Creative Commons – attribution, no derivatives.tag:theconversation.com,2011:article/1223472019-08-27T14:58:15Z2019-08-27T14:58:15ZRansomware attacks on cities are rising – authorities must stop paying out<figure><img src="https://images.theconversation.com/files/289666/original/file-20190827-184234-5kn0up.jpg?ixlib=rb-1.1.0&rect=256%2C4%2C2692%2C1728&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">
</span> <span class="attribution"><a class="source" href="https://www.shutterstock.com/image-illustration/computer-programming-code-detecting-virus-online-1209102469?src=-4-97">Shutterstock.</a></span></figcaption></figure><p>A ransomware campaign that targeted <a href="https://www.nytimes.com/2019/08/20/us/texas-ransomware.html">23 US cities</a> across Texas has raised serious concerns about the vulnerability of local governments and public services to cyber-attacks. These events come not long after similar attacks on <a href="https://www.bleepingcomputer.com/news/security/la-porte-county-pays-130-000-ransom-to-ryuk-ransomware/">governmental and business organisations</a> in Indiana, Florida and elsewhere. They reflect a <a href="https://theconversation.com/hackers-are-making-personalised-ransomware-to-target-the-most-profitable-and-vulnerable-113583">general shift in ransomware tactics</a> from “spray and pray” attacks on large numbers of individual consumers, to “big game hunting”, which targets organisations, usually through people in positions of power.</p>
<p>A recent report from cyber-security firm Malwarebytes <a href="https://blog.malwarebytes.com/reports/2019/08/labs-quarterly-report-finds-ransomwares-gone-rampant-against-businesses/">found a 363% increase</a> in ransomware detections against businesses and organisations (as opposed to individuals) from 2018 to 2019. Put simply, cyber-criminals see an opportunity to extort far more money from organisations than individuals. Although <a href="https://blog.malwarebytes.com/reports/2019/08/labs-quarterly-report-finds-ransomwares-gone-rampant-against-businesses/">the majority</a> of ransomware attacks were found to occur in the US, local governments around the world are equally vulnerable.</p>
<p>Ransomware usually spreads via phishing emails or links to infected websites, relying on human error to gain access to systems. As its name suggests, ransomware is designed to block access to data, systems or services until a ransom is paid. At a technical level, cities tend to be fairly easy targets because they often have bespoke operating systems, with parts that are old and out-of-date, as well as ineffective back-up measures.</p>
<p>Cities also tend to lack system-wide security policies, so if cyber-criminals gain entry through one system, they can then access others and wreak havoc by freezing essential data and preventing the delivery of services. But even if organisations have improved their technical security, <a href="https://www.sciencedirect.com/science/article/pii/S0167404819301336?via%3Dihub">my research with my colleague Lena Connolly</a> has found that few put equal emphasis on training employees to identify and resist attacks. </p>
<h2>Target acquired</h2>
<p>Employees in many small and medium-sized organisations, like local governments, often do not recognise their organisation’s true commercial value to criminals, and commonly <a href="https://www.theguardian.com/small-business-network/2016/feb/08/huge-rise-hack-attacks-cyber-criminals-target-small-businesses">think they are unlikely to be targeted</a>. As a result, they might also develop bad habits – such as using work systems for personal reasons – which can increase vulnerability.</p>
<p>Offenders will do their homework before launching an attack, in order to create the most severe disruption they possibly can. After all, the greater the pressure to pay the ransom, the higher they can set the tariff. </p>
<figure class="align-center ">
<img alt="" src="https://images.theconversation.com/files/289659/original/file-20190827-184252-uagnli.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/289659/original/file-20190827-184252-uagnli.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=398&fit=crop&dpr=1 600w, https://images.theconversation.com/files/289659/original/file-20190827-184252-uagnli.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=398&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/289659/original/file-20190827-184252-uagnli.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=398&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/289659/original/file-20190827-184252-uagnli.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=501&fit=crop&dpr=1 754w, https://images.theconversation.com/files/289659/original/file-20190827-184252-uagnli.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=501&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/289659/original/file-20190827-184252-uagnli.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=501&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px">
<figcaption>
<span class="caption">Held to ransom.</span>
<span class="attribution"><a class="source" href="https://www.shutterstock.com/image-photo/ransomware-close-your-files-encrypted-on-668772517?src=-4-52">Shutterstock.</a></span>
</figcaption>
</figure>
<p>Attackers identify key individuals to target and seek out vulnerabilities such as computers which have been left switched on outside of working hours, or have not been updated. Once they’ve worked out who to target, cyber-criminals deploy “social engineering” techniques, such as phishing, which <a href="https://us.norton.com/internetsecurity-emerging-threats-what-is-social-engineering.html">psychologically manipulate</a> victims into opening an email attachment or clicking on a link, which allows the ransomware programme into the organisation’s operating system. </p>
<h2>To pay or not to pay?</h2>
<p>Whether or not to pay the ransom is not a straightforward decision for city authorities with vital public services on the line. Most policing agencies instruct victims not to pay, but as Mayor Stephen Witt of Lake City, Florida, <a href="https://www.nytimes.com/2019/06/27/us/lake-city-florida-ransom-cyberattack.html">put it</a> after his ward was targeted: </p>
<blockquote>
<p>With your heart, you really don’t want to pay these guys. But, dollars and cents, representing the citizens, that was the right thing to do.</p>
</blockquote>
<p>Another problem is that ransomware is not always deployed to extort money – so paying the ransom doesn’t guarantee that data will be restored. Attackers can have varying motives, skills and resources – working out their motive (often with very little information) is therefore crucial. </p>
<p>Rather than simply making money using ransomware, some cyber-criminals might seek to disable market competitors who provide competing goods or services. Or, they may use the attacks for political gain, to reduce public confidence in a local government’s ability to deliver essential services. In such cases, the data is unlikely ever to be restored, even if the ransom is paid. </p>
<h2>Seeking cover</h2>
<p>Many cities are insured against attacks, and insurers often pay the ransom to retrieve stolen data – <a href="https://www.propublica.org/article/sting-catches-another-ransomware-firm-red-mosquito-negotiating-with-hackers">sometimes employing third party negotiators</a>, against national advice. Ironically, the knowledge that cyber-criminals are likely to get paid justifies the time they spend researching their target’s weaknesses, and leaves the door open for repeat attacks. This was one of the reasons why cyber-criminals changed tactics and started targeting organisations in the first place. </p>
<p>This leaves city authorities a difficult choice, between paying to restore essential data and services (and encouraging cyber-criminals) or admitting their systems have been compromised and facing up to social and political backlash. Even so, there are some measures city authorities can take to protect themselves, and their citizens, from ransomware.</p>
<p>Today, authorities need to assume that it’s a matter of when – not if – an attack will happen. They should install back-up systems for protected data that have the capacity to replace infected operating systems and databases if need be. For example, in the UK, research found that <a href="https://securitybrief.eu/story/more-quarter-uk-councils-infected-ransomware">27% of local government organisations</a> were targets of ransomware in 2017. Yet 70% of their 430 respondents had backup systems in place, in preparation for the EU’s <a href="https://en.wikipedia.org/wiki/General_Data_Protection_Regulation">General Data Protection Regulation (GDPR)</a>, and could therefore recover from a ransomware attack much faster than their counterparts in the US. </p>
<p>Local authorities need to separate their data systems where possible and install appropriate levels of security. They also need to train employees about the nature of the threat and the impacts of their own actions when working within the organisation’s systems. They should also be aware of international schemes to prevent and mitigate ransomware (such as <a href="https://www.nomoreransom.org/en/index.html">nomoreransom.org</a>) – which provide advice and publish the keys to some ransomware online. </p>
<p>Public organisations must be able to think quickly and adapt to these new security threats – especially since cyber-criminals are <a href="https://www.computing.co.uk/ctg/opinion/3078977/cyber-security-think-like-the-enemy">always coming up</a> with new techniques. Local governments need to be prepared to simultaneously prevent cyber-attacks, mitigate their effects when they do happen and bring cyber-criminals to justice.</p>
<p class="fine-print"><em><span>David Wall receives funding from the EconoMical, PsycHologicAl and Societal Impact of RanSomware (EMPHASIS) (EP/P011721/1).</span></em></p>Cyber-criminals are targeting city authorities because they often pay out – but there are other ways to protect public data and services.David S. Wall, Professor of Criminology, University of LeedsLicensed as Creative Commons – attribution, no derivatives.tag:theconversation.com,2011:article/1198122019-07-04T04:59:08Z2019-07-04T04:59:08ZWhy the ‘molecular scissors’ metaphor for understanding CRISPR is misleading<figure><img src="https://images.theconversation.com/files/282579/original/file-20190704-126376-1ak2d64.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">The metaphors we use when we talk about gene editing shape public perception of the complexity involved. </span> <span class="attribution"><a class="source" href="https://www.shutterstock.com/download/confirm/1179311608?src=0QOwip0uEcBP0oDj0keuBw-1-26&studio=1&size=huge_jpg">Shutterstock</a></span></figcaption></figure><p>Last week I read an article about CRISPR, the latest tool scientists are using to edit DNA. It was a great piece – well researched, beautifully written, factually accurate. It covered some of the amazing projects scientists are working on using CRISPR, like bringing animals back from extinction and curing diseases. It also gave me the heebies, but not for the reason you might expect. </p>
<p>My unease was the echo of a feeling I’d had during the early days of my PhD, when some fellow malaria researchers made a discovery that was reported on the news. I was thrilled for them, but I understood the incremental nature of the work they were doing. I knew that in a real-world, drugs-in-the-clinic sense, we were no closer to a breakthrough than we’d been the day before. I thought the reporters had communicated that clearly. Five minutes later my Dad called to ask if I was out of a job, and what I was going to do now that malaria was cured. </p>
<p>I don’t pretend to understand all the myriad reasons for the gaping chasm between what scientists say and what the public hears. Lately though, I’m starting to think it might have something to do with the metaphors we use, and the way they shape our perception of the complexity involved. </p>
<p>Take CRISPR. It’s most often described as a pair of molecular scissors that can be used to modify DNA, the blueprint for life. And when we read that, I think most of us start imagining something like a child with her Lego bricks strewn in front of her, instruction booklet in one hand, scissors in the other. One set of pictograms, one model; one gene, one disease; one snip, one cure. We’re there in a blink. CRISPR seems like it can work miracles. </p>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/what-is-crispr-gene-editing-and-how-does-it-work-84591">What is CRISPR gene editing, and how does it work?</a>
</strong>
</em>
</p>
<hr>
<p>I want to stress that the molecular scissors metaphor is pretty damn accurate as far as it goes. But in focusing on the relatively simple relationship between CRISPR and DNA, we miss the far more complicated relationship between DNA and the rest of the body. This metaphor ignores an entire ecosystem of moving parts that are crucial for understanding the awe-inspiring, absolutely insane thing scientists are trying to do when they attempt gene editing. </p>
<h2>I prefer the metaphor of malware</h2>
<p>In my research I use CRISPR from time to time. To design experiments and interpret results effectively, I need a solid way to conceptualise what it can (and can’t) do. I do not think of CRISPR as molecular scissors. </p>
<p>Instead I imagine a city. The greater metropolis represents the body, the suburbs are organs, the buildings are cells, the people are proteins, and the internet is DNA. </p>
<p>In this metaphor CRISPR is malware. More precisely, CRISPR is malware that can search for any chosen 20-character line of code and corrupt it. This is not a perfect metaphor by any stretch, but it gets me closer to understanding than almost anything else.</p>
<figure class="align-center ">
<img alt="" src="https://images.theconversation.com/files/282585/original/file-20190704-126345-bfb1b9.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/282585/original/file-20190704-126345-bfb1b9.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=337&fit=crop&dpr=1 600w, https://images.theconversation.com/files/282585/original/file-20190704-126345-bfb1b9.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=337&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/282585/original/file-20190704-126345-bfb1b9.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=337&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/282585/original/file-20190704-126345-bfb1b9.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=423&fit=crop&dpr=1 754w, https://images.theconversation.com/files/282585/original/file-20190704-126345-bfb1b9.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=423&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/282585/original/file-20190704-126345-bfb1b9.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=423&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px">
<figcaption>
<span class="caption"></span>
<span class="attribution"><a class="source" href="https://www.shutterstock.com/image-photo/top-view-aerial-photo-flying-drone-484957621?src=Xoy1lU-uQ6f69T0t8flLRA-1-7&studio=1">Shutterstock</a></span>
</figcaption>
</figure>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/editing-human-embryos-with-crispr-is-moving-ahead-nows-the-time-to-work-out-the-ethics-81732">Editing human embryos with CRISPR is moving ahead – now's the time to work out the ethics</a>
</strong>
</em>
</p>
<hr>
<h2>Alzheimer’s is like a riot</h2>
<p>As an example, let’s look at Alzheimer’s, one of the diseases CRISPR is being touted to cure. The headlines are usually some variation of “CRISPR to correct Alzheimer’s gene!”, and the molecular scissors analogy is never far behind. </p>
<p>It seems reasonable to me that someone could read those words and assume that chopping away the disease-gene with the DNA-shears should be relatively simple. When the cure doesn’t appear within five years, I can understand why that same person would come to ask me why Big Pharma is holding out (this has happened to me more than once).</p>
<p>Now let’s see how it looks using the malware metaphor. The consensus is that Alzheimer’s manifests when a specific protein goes rogue, causing damage to cells and thereby stopping things from working properly inside the brain. It might have a genetic cause, but it’s complicated. In our allegorical city, what would that look like? </p>
<p>I think riots would come close. Rampaging humans (proteins) destroying houses and property (cells), thereby seriously derailing the normal functioning of a specific suburb (the brain).</p>
<p>And you want to fix that with malware?</p>
<h2>It’s hard to predict the domino effect</h2>
<p>Can you imagine for a second trying to stop soccer hooligans smashing things on the streets of Buenos Aires by corrupting roughly three words in the FIFA by-laws with what’s essentially a jazzed-up command-F function? </p>
<p>I’m not saying it’s not possible – it absolutely is. </p>
<p>But think of all the prior knowledge you need, and all the pieces that have to fall in place for that to work. You’d have to know that the riots are caused by football fans. You’d have to understand which rule was bothering them (heaven help you if it’s more than one), and if that rule causes drama at every game. You’d have to find a 20-character phrase that, when corrupted, would change how the rule was read, rather than just making a trivial typo. </p>
<p>You’d have to know that the relevant footballers have access to the updated rule book, and you’d have to know there were no other regulations making your chosen rule redundant. You’d have to know there aren’t any similar 20-character phrases anywhere on the internet that might get corrupted at the same time (like in the rules for presidential succession say, or in the nuclear warhead codes). Even then you’d still be rolling the dice. </p>
<p>Even if you stop the riots successfully, which of us really knows the long-term consequences of changing the World Game forever? </p>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/these-crispr-modified-crops-dont-count-as-gmos-96002">These CRISPR-modified crops don't count as GMOs</a>
</strong>
</em>
</p>
<hr>
<h2>Reflecting the right level of complexity</h2>
<p>At this point, you might say I’m stretching the metaphor a bit far; that this analogy has become a little stuck up its own behind. You’d not be wrong. </p>
<p>But by thinking about the problem this way, we’ve just given ourselves a pretty decent feel for the complications of polygenic disease, incomplete penetrance, missense/nonsense mutations, epigenetic silencing, genetic compensation, off-target and germline effects – all without a single word of science jargon. </p>
<p>These are real difficulties scientists are trying to work through to make sure CRISPR is effective and safe. That’s why it takes a long time and costs a lot of money. That’s why most of the promising leads end up going nowhere. </p>
<p>Amazingly, astoundingly, sometimes it works.</p>
<p class="fine-print"><em><span>Elinor Hortle does not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>The idea of CRISPR as scissors ignores an entire ecosystem of moving parts that are crucial for understanding the awe-inspiring, crazy thing scientists are trying to do when they attempt gene editing.Elinor Hortle, Research Fellow, University of SydneyLicensed as Creative Commons – attribution, no derivatives.tag:theconversation.com,2011:article/1180892019-06-04T20:18:33Z2019-06-04T20:18:33ZHackers seek ransoms from Baltimore and communities across the US<figure><img src="https://images.theconversation.com/files/277964/original/file-20190604-69091-n0othk.jpg?ixlib=rb-1.1.0&rect=1016%2C729%2C3720%2C2447&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">Many of Baltimore's city services are crippled by a cyberattack.</span> <span class="attribution"><a class="source" href="https://www.shutterstock.com/image-photo/laptop-blank-screen-on-tableblur-background-440302609">The Conversation from City of Baltimore and Love Silhouette/Shutterstock.com</a>, <a class="license" href="http://creativecommons.org/licenses/by-sa/4.0/">CC BY-SA</a></span></figcaption></figure><p>The people of Baltimore are beginning their fifth week under an <a href="https://www.governing.com/topics/public-justice-safety/gov-cyber-attack-security-ransomware-baltimore-bitcoin.html">electronic siege</a> that has prevented residents from <a href="https://www.baltimoresun.com/maryland/baltimore-city/bs-md-ci-open-baltimore-ransomware-20190513-story.html">obtaining</a> building permits and business licenses – and even <a href="https://www.npr.org/2019/05/21/725118702/ransomware-cyberattacks-on-baltimore-put-city-services-offline">buying or selling homes</a>. 
A year after hackers <a href="https://www.baltimoresun.com/news/maryland/crime/bs-md-ci-hack-folo-20180328-story.html">disrupted</a> the city’s emergency services dispatch system, city workers throughout the city are unable to, among other things, use their government email accounts or conduct <a href="https://www.baltimoresun.com/maryland/baltimore-city/bs-md-ci-property-deeds-20190524-story.html">routine city business</a>. </p>
<p>In this attack, a type of malicious software called ransomware has encrypted key files, rendering them unusable until the city pays the unknown attackers 13 bitcoin, or about US$76,280. But even if the city were to pay up, there is no guarantee that its files would all be recovered; many ransomware attacks <a href="https://cyber-edge.com/wp-content/uploads/2019/03/CyberEdge-2019-CDR-Report.pdf#page=14">end with the data lost</a>, whether the ransom is paid or not.</p>
<p>Similar attacks in recent years have <a href="https://www.telegraph.co.uk/technology/2018/10/11/wannacry-cyber-attack-cost-nhs-92m-19000-appointments-cancelled/">crippled</a> the United Kingdom’s National Health Service, <a href="https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/">shipping giant Maersk</a> and <a href="https://www.recordedfuture.com/state-local-government-ransomware-attacks/">local, county and state governments across the U.S.</a> and <a href="https://www.thespec.com/news-story/8902484-opp-warn-of-ransomware-attacks-on-municipal-governments/">Canada</a>.</p>
<p>These types of attacks are becoming more frequent and gaining more media attention. Speaking as a career cybersecurity professional, the technical aspects of incidents like this are but one part of a much bigger picture. Every user of technology must consider not only threats and vulnerabilities, but also operational processes, potential points of failure and how they use technology on a daily basis. Thinking ahead, and taking protective steps, can help reduce the effects of cybersecurity incidents on both individuals and organizations.</p>
<h2>Understanding cyberattack tools</h2>
<p>Software designed to attack other computers is nothing new. Nations, private companies, individual researchers and criminals continue developing these types of programs, for a wide range of <a href="https://theconversation.com/america-is-dropping-cyberbombs-but-how-do-they-work-58476">purposes</a>, including digital warfare and intelligence gathering, as well as extortion by ransomware.</p>
<p>Many malware efforts begin as a normal and crucial function of cybersecurity: identifying software and hardware vulnerabilities that could be exploited by an attacker. Security researchers then work to close that vulnerability. By contrast, malware developers, criminal or otherwise, will figure out how to get through that opening undetected, to explore and potentially wreak havoc in a target’s systems.</p>
<p>Sometimes a <a href="https://theconversation.com/what-are-software-vulnerabilities-and-why-are-there-so-many-of-them-77930">single weakness is enough</a> to give an intruder the access they want. But other times attackers will use multiple vulnerabilities in combination to infiltrate a system, take control, steal data and modify or delete information – while trying to hide any evidence of their activity from security programs and personnel. The challenge is so great that <a href="https://www.rsaconference.com/writable/presentations/file_upload/spo1-t11_combatting-advanced-cybersecurity-threats-with-ai-and-machine-learning_copy1.pdf">artificial intelligence and machine learning systems</a> are now also being incorporated to help with cybersecurity activities.</p>
<p>There’s some question about the role the federal government <a href="https://cybersecpolitics.blogspot.com/2019/05/baltimore-is-not-eternalblue.html">may have played</a> in this situation, because one of the hacking tools the attackers <a href="https://www.nytimes.com/2019/05/31/us/nsa-baltimore-ransomware.html">reportedly</a> used in Baltimore was <a href="https://money.cnn.com/2016/01/12/technology/nsa-michael-hayden-us-hacker-thief/index.html">developed</a> by the U.S. National Security Agency, which the <a href="https://www.nytimes.com/2019/05/31/us/nsa-baltimore-ransomware.html">NSA has denied</a>. However, hacking tools stolen from the NSA in 2017 by the hacker group <a href="https://www.theatlantic.com/technology/archive/2017/05/shadow-brokers/527778/">Shadow Brokers</a> were used to launch <a href="http://www.cyberdefensemagazine.com/at-least-3-different-groups-have-been-leveraging-the-nsa-eternalblue-exploit-whats-went-wrong">similar attacks</a> within months of those tools being posted on the internet. Certainly, those tools should never have been stolen from the NSA – and should have been better protected. </p>
<p>But my views are more complicated than that: As a citizen, I recognize the NSA’s mandate to research and develop advanced tools to protect the country and fulfill its national security mission. However, <a href="https://theconversation.com/should-spies-use-secret-software-vulnerabilities-77770">like many cybersecurity professionals</a>, I remain conflicted: When the government discovers a new technology vulnerability but doesn’t tell the maker of the affected hardware or software until after it’s used to cause havoc or disclosed by a leak, everyone is at risk.</p>
<h2>Baltimore’s situation</h2>
<p>The <a href="https://www.govtech.com/security/Estimates-Put-Baltimores-Ransomware-Recovery-at-18-2-M.html">estimated $18 million cost of recovery</a> in Baltimore is money the city likely doesn’t have readily available. Recent research by some of my colleagues at the University of Maryland, Baltimore County, shows that many state and <a href="https://doi.org/10.1111/puar.13028">local governments remain woefully underprepared</a> and underfunded to adequately, let alone proactively, deal with cybersecurity’s many challenges. </p>
<p>It is concerning that the ransomware attack in Baltimore exploited a vulnerability that has been publicly <a href="https://gizmodo.com/you-need-to-patch-your-older-windows-pcs-right-now-to-p-1835158876">known</a> about – with an available fix – <a href="http://fortune.com/2019/06/01/baltimore-nsa-ransowmare-microsoft-windows-eternalblue/">for over two years</a>. NSA had developed an exploit (code-named EternalBlue) for this discovered security weakness but didn’t alert Microsoft about this critical security vulnerability until early 2017 – and only after the Shadow Brokers had stolen the NSA’s tool to attack it. Soon after, Microsoft <a href="https://blogs.technet.microsoft.com/msrc/2017/04/14/protecting-customers-and-evaluating-risk/">issued a software security update</a> to fix this key flaw in its Windows operating system.</p>
<p>Admittedly, it can be very complex to manage software updates for a large organization. But given the media coverage at the time about the unauthorized disclosure of many NSA hacking tools and the vulnerabilities they targeted, it’s unclear why Baltimore’s information technology staff didn’t ensure the city’s computers received that particular security update immediately. And while it’s not necessarily fair to <a href="https://www.nextgov.com/cybersecurity/2019/05/nsa-deflects-blame-baltimore-ransomware-attack/157376/">blame the NSA</a> for the Baltimore incident, it is entirely fair to say that the knowledge and techniques behind the tools of digital warfare are out in the world; we must learn to live with them and adapt accordingly.</p>
<h2>Compounding problems</h2>
<p>In a global society where people, companies and governments are increasingly dependent on computers, digital weaknesses have the power to seriously disrupt or destroy everyday actions and functions.</p>
<p>Even trying to develop workarounds when a crisis hits can be challenging. Baltimore city employees who were blocked from using the city’s email system tried to set up free Gmail accounts to at least get some work done. But they were initially blocked by <a href="https://www.theverge.com/2019/5/23/18637638/google-gmail-baltimore-ransomware-attacks">Google’s automated security systems</a>, which identified them as <a href="https://www.baltimoresun.com/maryland/baltimore-city/bs-md-ci-gmail-accounts-20190523-story.html">potentially fraudulent</a>. </p>
<p>Making matters worse, when Baltimore’s online services went down, <a href="https://www.baltimoresun.com/maryland/baltimore-city/bs-md-ci-city-agencies-ransomware-20190509-story.html">parts</a> of the city’s municipal phone system couldn’t handle the resulting increase in calls attempting to compensate. This underscores the need to not only focus on technology products themselves but also the policies, procedures and capabilities needed to ensure individuals and/or organizations can remain at least minimally functional when under duress, whether by cyberattack, technology failures or acts of nature.</p>
<h2>Protecting yourself, and your livelihood</h2>
<p>The first step to <a href="https://theconversation.com/its-easier-to-defend-against-ransomware-than-you-might-think-57258">fighting a ransomware attack</a> is to regularly back up your data – which also provides protection against hardware failures, theft and other problems. To deal with ransomware, though, it’s particularly important to keep a few versions of your backups over time – don’t just rewrite the same files on a backup drive over and over. </p>
<p>That’s because when you get hit, you’ll want to determine when you were infected and restore files from a backup made before that time. Otherwise, you’ll just be recovering infected data, and not actually fixing your problem. Yes, you might lose some data, but not everything – and presumably only your most recent work, which you’ll probably remember and recreate easily enough.</p>
<p>And of course, following <a href="https://theconversation.com/its-easier-to-defend-against-ransomware-than-you-might-think-57258">some of cybersecurity’s best practices</a> – even just the basics – can help prevent, or at least minimize, the possibility of ransomware crippling you or your organization. Doing things like running current antivirus software, <a href="https://theconversation.com/the-petya-ransomware-attack-shows-how-many-people-still-dont-install-software-updates-77667">keeping all software updated</a>, using <a href="https://theconversation.com/using-truly-secure-passwords-6-essential-reads-84092">strong passwords</a> and <a href="https://theconversation.com/the-age-of-hacking-brings-a-return-to-the-physical-key-73094">multifactor authentication</a>, and not blindly trusting random devices or email attachments you encounter are just some of the steps everyone should take to be a good digital citizen.</p>
<p>It’s also worth making plans to work around potential failures that might befall your email provider, internet service provider and power company, not to mention the software we rely on. Whether they’re attacked or <a href="https://gizmodo.com/major-google-outage-hits-youtube-g-suite-and-third-pa-1835189852">simply fail</a>, their absence can disrupt your life.</p>
<p>In this way, ransomware incidents serve as an important reminder that cybersecurity is not just limited to protecting digital bits and bytes in cyberspace. Rather, it should force everyone to think broadly and holistically about their relationship with technology and the processes that govern its role and use in our lives. And it should make people consider how they might function without parts of it at both work and home, because it’s a matter of when, not if, problems will occur.</p>
<p class="fine-print"><em><span>Richard Forno has received research funding related to cybersecurity from the National Science Foundation (NSF) and the Department of Defense (DOD) during his academic career, and sits on the advisory board of BlindHash, a cybersecurity startup focusing on remedying the password problem.</span></em></p>
<p>Ransomware has crippled governments and companies around the world, encrypting data and demanding payment for the decryption key – though that’s no guarantee of recovering the information.</p>
<p>Richard Forno, Senior Lecturer, Cybersecurity & Internet Researcher, University of Maryland, Baltimore County. Licensed as Creative Commons – attribution, no derivatives.</p>
<h1>Hackers are making personalised ransomware to target the most profitable and vulnerable</h1>
<p>Published 2019-03-15.</p>
<figure><img src="https://images.theconversation.com/files/264113/original/file-20190315-28492-smzv0c.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption"></span> <span class="attribution"><a class="source" href="https://www.shutterstock.com/image-photo/worried-businessman-looking-laptop-ramsomware-word-1005704599">Andrey Popov/Shutterstock</a></span></figcaption></figure>
<p>Once a piece of ransomware has got hold of your valuable information, there is very little you can do to get it back other than accede to the attacker’s demands. Ransomware, a type of malware that holds a computer to ransom, has become <a href="https://theconversation.com/nhs-ransomware-cyber-attack-was-preventable-77674">particularly prevalent</a> in the past few years and <a href="https://searchsecurity.techtarget.com/definition/encryption">virtually unbreakable encryption</a> has made it an even more powerful force.</p>
<p>Ransomware is typically delivered by <a href="https://uk.norton.com/internetsecurity-malware-what-is-a-botnet.html">powerful botnets</a> used to send out millions of malicious emails to randomly targeted victims. These aim to extort <a href="https://theconversation.com/how-wannacry-caused-global-panic-but-failed-to-turn-much-of-a-profit-77740">relatively small</a> amounts of money (normally £300-£500, but more in recent times) from as many victims as possible. But according to police officers we have interviewed from UK cybercrime units, ransomware attacks are becoming increasingly targeted at high-value victims. These are usually businesses that can afford to pay very large sums of money, up to <a href="http://www.bbc.co.uk/news/technology-40340820">£1,000,000</a> to get their data back.</p>
<p>In 2017 and 2018 there was a rise in such targeted ransomware attacks on UK <a href="https://www.techrepublic.com/article/why-ransomware-attacks-are-growing-more-targeted/">businesses</a>. Attackers increasingly use software to search for vulnerable computers and servers and then use various techniques to penetrate them. Most commonly, perpetrators use <a href="https://www.cloudways.com/blog/what-is-brute-force-attack">brute force attacks</a> (using software to repeatedly try different passwords to find the right one), often on systems that let you operate <a href="https://www.pcworld.com/article/3126256/ransomware-spreads-through-weak-remote-desktop-credentials.html">computers remotely</a>.</p>
<p>If the attackers gain access, they will try to infect other machines on the network and gather essential information about the company’s business operations, IT infrastructure and further potential <a href="https://www.bleepingcomputer.com/news/security/cryptomix-clop-ransomware-says-its-targeting-networks-not-computers/">vulnerabilities</a>. These vulnerabilities can include when networks are not effectively segregated into different parts, or are not designed in a way that makes them easy to monitor (network visibility), or have <a href="https://www.computerworld.com/article/2503105/weak-passwords-still-the-downfall-of-enterprise-security.html">weak administration passwords</a>.</p>
<p>They then upload the ransomware, which encrypts valuable data and sends a ransom note. Using information such as the firm’s size, turnover and profits, the attackers will then estimate the amount the company can afford and tailor their ransom demand accordingly. Payment is typically requested in <a href="https://theconversation.com/how-are-bitcoin-cryptowallets-and-blockchain-related-some-jargon-busted-88906">cryptocurrency</a> and usually between 35 and 100 bitcoins (value at time of publication <a href="http://preev.com/">£100,000–£288,000</a>).</p>
<figure class="align-center ">
<img alt="" src="https://images.theconversation.com/files/264114/original/file-20190315-28487-b4l7gf.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/264114/original/file-20190315-28487-b4l7gf.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=400&fit=crop&dpr=1 600w, https://images.theconversation.com/files/264114/original/file-20190315-28487-b4l7gf.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=400&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/264114/original/file-20190315-28487-b4l7gf.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=400&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/264114/original/file-20190315-28487-b4l7gf.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=503&fit=crop&dpr=1 754w, https://images.theconversation.com/files/264114/original/file-20190315-28487-b4l7gf.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=503&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/264114/original/file-20190315-28487-b4l7gf.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=503&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px">
<figcaption>
<span class="caption">Personalised attacks often target financial employees.</span>
<span class="attribution"><a class="source" href="https://www.shutterstock.com/image-photo/young-businesswoman-laptop-computer-concept-stock-788636134">2p2play/Shutterstock</a></span>
</figcaption>
</figure>
<p>According to the police officers we spoke to, another popular attack method is “<a href="https://www.kaspersky.co.uk/resource-center/definitions/spear-phishing">spear phishing</a>” or “<a href="https://www.zdnet.com/article/ransomware-warning-the-gang-behind-this-virulent-malware-just-changed-tactics-again/">big game hunting</a>”. This involves researching specific people who handle finances in a company and sending them an email that pretends to be from another employee. The email will fabricate a story that encourages the recipient to open an attachment, normally a Word or Excel document containing <a href="https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/macro-malware">malicious code</a>. </p>
<p>These kinds of targeted attacks are typically carried out by professional groups solely motivated <a href="https://krebsonsecurity.com/2017/03/ransomware-for-dummies-anyone-can-do-it/">by profit</a>, though some attacks seek to disrupt businesses or infrastructure. These criminal groups are highly organised and their activities constantly evolve. They are methodical, meticulous and creative in extorting money.</p>
<p>For example, traditional ransomware attacks ask for a fixed amount as part of an initial intimidating message, sometimes accompanied by a countdown clock. But in more targeted attacks, perpetrators typically drop a “proof of life” file onto the victim’s computer to demonstrate that they control the data. They will also send contact and payment details for release of the data, but also open up a tough negotiation process, which is <a href="https://blog.watchpointdata.com/cryptojoker-ransomware-you-can-negotiate-with">sometimes automated</a>, to extract as much money as possible.</p>
<p>According to the police, the criminals usually prefer to target fully digitised businesses that rely heavily on IT and data. They tend to favour <a href="https://insidesmallbusiness.com.au/planning-management/ransomware-attacks-stopping-smes-in-their-tracks">small and medium-sized companies</a> and avoid large corporations that have more advanced security. Big firms are also more likely to attract media attention, which could lead to increased police interest and significant disruptions to the criminal operations.</p>
<h2>How to protect yourself</h2>
<p>So what can be done to fight back against these attacks? Our work is part of the multi-university research project <a href="https://www.emphasis.ac.uk/">EMPHASIS</a>, which studies the economic, social and psychological impact of ransomware. (As yet unpublished) data collected by EMPHASIS indicates that weak cybersecurity in the affected organisations is the main reason why cybercriminals have been so successful in extorting money from them.</p>
<p>One way to improve this situation would be to better protect remote computer access. This could be done by disabling the system when it’s not in use, and by using stronger passwords and two-step authentication (where a second, specially generated code is needed to log in alongside a password). Alternatively, remote access could be moved behind a <a href="https://www.cisco.com/c/en/us/products/security/vpn-endpoint-security-clients/what-is-vpn.html">virtual private network</a>, which connects machines via the internet as if they were in a private network.</p>
<p>When we interviewed cybercrime researcher Bob McArdle from IT security firm Trend Micro, he advised that email filters and anti-virus software containing dedicated ransomware protection are vital. Companies should also regularly back up their data so it doesn’t matter if someone seizes the original. Backups must be tested and stored in locations that are inaccessible to ransomware.</p>
<p>These kinds of controls are crucial because ransomware attacks tend to leave very little evidence and so are inherently difficult to investigate. As such, targeted ransomware attacks are not going to stop any time soon, and attackers are only likely to get more sophisticated in their methods. Attackers are highly adaptive, so companies will have to respond just as smartly.</p>
<p class="fine-print"><em><span>The EMPHASIS project receives funding from the EPSRC (grant number EP/P011772/1).</span></em></p>
<p class="fine-print"><em><span>David S. Wall receives funding from EPSRC EP/P011772/1 - EMPHASIS (EconoMical, PsycHologicAl and Societal Impact of RanSomware).</span></em></p>
<p>The latest malware is designed especially to make small companies pay through the nose for their data.</p>
<p>Lena Connolly, Research Fellow in Cyber Security, University of Leeds; David S. Wall, Professor of Criminology, University of Leeds. Licensed as Creative Commons – attribution, no derivatives.</p>
<h1>Don’t click that link! How criminals access your digital devices and what happens when they do</h1>
<p>Published 2019-02-11.</p>
<figure><img src="https://images.theconversation.com/files/257854/original/file-20190207-174851-1lwq94r.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">A link is a mechanism for data to be delivered to your device.</span> <span class="attribution"><a class="source" href="https://unsplash.com/photos/4NCV8gS9syU">Unsplash/Marvin Tolentino</a></span></figcaption></figure>
<p>Every day, often multiple times a day, you are invited to click on links sent to you by brands, politicians, friends and strangers. You download apps on your devices. Maybe you use QR codes.</p>
<p>Most of these activities are secure because they come from sources that can be trusted. But sometimes criminals impersonate trustworthy sources to get you to click on a link (or download an app) that contains malware.</p>
<p>At its core, a link is just a mechanism for data to be delivered to your device. Code can be built into a website which redirects you to another site and downloads malware to your device en route to your actual destination. </p>
<p>When you click on unverified links or download suspicious apps you increase the risk of exposure to malware. Here’s what could happen if you do – and how you can minimise your risk. </p>
<h2>What is malware?</h2>
<p>Malware is <a href="https://csrc.nist.gov/glossary/term/malware">defined as</a> malicious code that:</p>
<blockquote>
<p>will have adverse impact on the confidentiality, integrity, or availability of an information system. </p>
</blockquote>
<p>In the past, malware described malicious code that took the form of viruses, worms or Trojan horses. </p>
<p>Viruses embedded themselves in genuine programs and relied on these programs to propagate. Worms were generally stand-alone programs that could install themselves using a network, USB or email program to infect other computers.</p>
<p>Trojan horses took their name from the gift to the Greeks during the Trojan war in Homer’s Odyssey. Much like the wooden horse, a Trojan Horse looks like a normal file until some predetermined action causes the code to execute.</p>
<p>Today’s generation of attacker tools are far more <a href="https://csrc.nist.gov/publications/detail/sp/800-83/rev-1/final">sophisticated, and are often a blend of these techniques</a>. </p>
<p>These so-called “blended attacks” rely heavily on social engineering – the ability to manipulate someone into doing something they wouldn’t normally do – and are often categorised by what they ultimately will do to your systems.</p>
<h2>What does malware do?</h2>
<p>Today’s malware comes in easy-to-use, customised toolkits distributed on the dark web or by well-meaning security researchers attempting to fix problems. </p>
<p>With a click of a button, attackers can use these toolkits to send phishing emails and spam SMS messages to deploy various types of malware. Here are some of them.</p>
<ul>
<li><p>a remote administration tool (RAT) can be used to access a computer’s camera, microphone and install other types of malware</p></li>
<li><p>keyloggers can be used to monitor for passwords, credit card details and email addresses</p></li>
<li><p>ransomware is used to encrypt private files and then demand payment in return for the password</p></li>
<li><p>botnets are used for distributed denial of service (DDoS) attacks and other illegal activities. DDoS attacks can flood a website with so much virtual traffic that it shuts down, much like a shop being filled with so many customers you are unable to move.</p></li>
<li><p>cryptominers will use your computer hardware to mine cryptocurrency, which will slow your computer down</p></li>
<li><p>hijacking or defacement attacks are used to deface a site or embarrass you by <a href="https://www.abc.net.au/news/2017-11-16/christopher-pyne-says-hacker-liked-porn-tweet/9155964">posting pornographic material to your social media</a></p></li>
</ul>
<figure class="align-center ">
<img alt="" src="https://images.theconversation.com/files/257632/original/file-20190207-174861-1fuc7pg.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/257632/original/file-20190207-174861-1fuc7pg.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=329&fit=crop&dpr=1 600w, https://images.theconversation.com/files/257632/original/file-20190207-174861-1fuc7pg.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=329&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/257632/original/file-20190207-174861-1fuc7pg.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=329&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/257632/original/file-20190207-174861-1fuc7pg.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=413&fit=crop&dpr=1 754w, https://images.theconversation.com/files/257632/original/file-20190207-174861-1fuc7pg.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=413&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/257632/original/file-20190207-174861-1fuc7pg.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=413&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px">
<figcaption>
<span class="caption">An example of a defacement attack on The Utah Office of Tourism Industry from 2017.</span>
<span class="attribution"><span class="source">Wordfence</span></span>
</figcaption>
</figure>
<h2>How does malware end up on your device?</h2>
<p>According to <a href="https://www.willistowerswatson.com/en/insights/2017/09/Cyber-risk-its-a-people-problem-too">insurance claim data</a> of businesses based in the UK, over 66% of cyber incidents are caused by employee error. Although the data attributes only 3% of these attacks to social engineering, our experience suggests the majority of these attacks would have started this way. </p>
<p>This includes employees not following dedicated IT and information security policies, not being informed of how much of their digital footprint has been exposed online, or simply being taken advantage of. Merely posting what you are having for dinner on social media can open you up to attack from a well-trained social engineer.</p>
<p>QR codes are equally as risky if users open the link the QR code points to without first validating where it is heading, as indicated by <a href="http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.360.6189&rep=rep1&type=pdf">this 2012 study</a>. </p>
<p>Even <a href="https://www.youtube.com/watch?v=np0mPy-EHII">opening an image in a web browser</a> and running a mouse over it can lead to malware being installed. This is quite a useful delivery tool considering the advertising material you see on popular websites.</p>
<p>Fake apps have also been discovered on both the <a href="https://www.telegraph.co.uk/technology/2019/01/01/fraud-apples-app-store-becoming-target-fake-apps-rip-offs-copyright/">Apple</a> and <a href="https://techcrunch.com/2018/11/20/half-a-million-android-users-tricked-into-downloading-malware-from-google-play/">Google Play</a> stores. Many of these attempt to steal login credentials by mimicking well known banking applications.</p>
<p>Sometimes malware is placed on your device by someone who wants to track you. In 2010, the Lower Merion School District settled two lawsuits brought against them for violating students’ privacy and <a href="https://web.archive.org/web/20100602042403/http://www.lmsd.org/documents/news/100503_ballard_spahr_report.pdf">secretly recording using the web camera of loaned school laptops</a>. </p>
<h2>What can you do to avoid it?</h2>
<p>In the case of the Lower Merion School District, students and teachers suspected they were being monitored because they “saw the green light next to the webcam on their laptops turn on momentarily.” </p>
<p>While this is a great indicator, many hacker tools will ensure webcam lights are turned off to avoid raising suspicion. On-screen cues can give you a false sense of security, especially if you don’t realise that the microphone is <a href="https://theconversation.com/how-silent-signals-from-your-phone-could-be-recording-and-tracking-you-94978">always being accessed</a> for verbal cues or other forms of tracking.</p>
<figure class="align-center zoomable">
<a href="https://images.theconversation.com/files/254593/original/file-20190120-100288-c1ztpf.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="" src="https://images.theconversation.com/files/254593/original/file-20190120-100288-c1ztpf.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/254593/original/file-20190120-100288-c1ztpf.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=300&fit=crop&dpr=1 600w, https://images.theconversation.com/files/254593/original/file-20190120-100288-c1ztpf.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=300&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/254593/original/file-20190120-100288-c1ztpf.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=300&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/254593/original/file-20190120-100288-c1ztpf.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=377&fit=crop&dpr=1 754w, https://images.theconversation.com/files/254593/original/file-20190120-100288-c1ztpf.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=377&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/254593/original/file-20190120-100288-c1ztpf.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=377&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">Facebook CEO Mark Zuckerberg covers the webcam of his computer. It’s commonplace to see information security professionals do the same.</span>
<span class="attribution"><span class="source">iphonedigital/flickr</span></span>
</figcaption>
</figure>
<p>Basic awareness of the risks in cyberspace will go a long way to mitigating them. This is called cyber hygiene.</p>
<p>Using good, up-to-date virus and malware scanning software is crucial. However, the most important tip is to update your device to ensure it has the latest security updates. </p>
<p>Hover over links in an email to see where you are really going. Avoid shortened links, such as bit.ly and QR codes, unless you can check where the link is going by using a URL expander. </p>
<h2>What to do if you already clicked?</h2>
<p>If you suspect you have malware on your system, there are simple steps you can take. </p>
<p>Open your webcam application. If you can’t access the device because it is already in use, this is a telltale sign that you might be infected. Higher than normal battery usage or a machine running hotter than usual are also good indicators that something isn’t quite right. </p>
<p>Make sure you have good anti-virus and anti-malware software installed. Estonian start-ups, such as <a href="https://www.malwarebytes.com">Malwarebytes</a> and <a href="https://www.seguru.io/">Seguru</a>, can be installed on your phone as well as your desktop to provide real-time protection. If you are running a website, make sure you have good security installed. <a href="https://www.wordfence.com">Wordfence</a> works well for WordPress blogs.</p>
<p>More importantly though, make sure you know how much data about you has already been exposed. Google yourself – including a Google image search against your profile picture – to see what is online. </p>
<p>Check all your email addresses on the website <a href="https://haveibeenpwned.com">haveibeenpwned.com</a> to see whether your passwords have been exposed. Then make sure you never use those passwords again on other services. Basically, treat them as compromised. </p>
<p>Cyber security has technical aspects, but remember: any attack that doesn’t affect a person or an organisation is just a technical hitch. Cyber attacks are a human problem. </p>
<p>The more you know about your own digital presence, the better prepared you will be. All of our individual efforts better secure our organisations, our schools, and our family and friends.</p>
<p class="fine-print"><em><span>Richard Matthews is an elected member of Council at The University of Adelaide. He is a member of the South Australian branch of the Labor Party, a Graduate Member of the Institute of Engineers Australia, a Member of the Institute of Electrical and Electronic Engineers and a Member of the Australian and New Zealand Forensic Science Society.</span></em></p><p class="fine-print"><em><span>Kieren Niĉolas Lovell works as the Head of Computer Emergency Response Team at TalTech University, in Estonia. Kieren also runs his own cyber security company, Kieren Niĉolas OU, that advises on Command, Control and Communications aspects of Incident Handling.</span></em></p>
<p>Richard Matthews, Lecturer, Entrepreneurship, Commercialisation and Innovation Centre | PhD Candidate in Image Forensics and Cyber | Councillor, University of Adelaide; Kieren Niĉolas Lovell, Head of TalTech Computer Emergency Response Team, Tallinn University of Technology. Licensed as Creative Commons – attribution, no derivatives.</p>
<h1>Some cybersecurity apps could be worse for privacy than nothing at all</h1>
<p>Published 2018-10-21.</p>
<figure><img src="https://images.theconversation.com/files/241158/original/file-20181018-41135-1yx7mqq.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">Apple has removed several security tools from the Mac app store after they were found to be collecting unnecessary personal data.</span> <span class="attribution"><a class="source" href="http://www.shutterstock.com">Shutterstock</a></span></figcaption></figure>
<p>It’s been a busy few weeks for cybersecurity researchers and reporters. There was the <a href="https://theconversation.com/facebook-hack-reveals-the-perils-of-using-a-single-account-to-log-in-to-other-services-104227">Facebook hack</a>, the <a href="https://www.theverge.com/2018/10/8/17951914/google-plus-data-breach-exposed-user-profile-information-privacy-not-disclosed">Google Plus data breach</a>, and <a href="https://www.bloomberg.com/news/features/2018-10-04/the-big-hack-how-china-used-a-tiny-chip-to-infiltrate-america-s-top-companies">allegations</a> that the Chinese government implanted spying chips in hardware components. </p>
<p>In the midst of all this, some other important news was overlooked. In early September, <a href="https://www.bbc.com/news/technology-45482819">Apple removed several Trend Micro anti-malware</a> tools from the Mac app store after they were found to be collecting unnecessary personal information from users, such as browser history. Trend Micro has now removed this function from the apps.</p>
<p>It’s a good reminder that not all security apps will make your online movements more secure – and, in some cases, they could be worse than doing nothing at all. It’s wise to do your due diligence before you download that ad-blocker or VPN – read on for some tips.</p>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/encrypted-smartphones-secure-your-identity-not-just-your-data-91715">Encrypted smartphones secure your identity, not just your data</a>
</strong>
</em>
</p>
<hr>
<h2>Security apps</h2>
<p>There is a range of tools people use to protect themselves from cyber threats:</p>
<ul>
<li><p><strong>Virtual private networks (VPNs)</strong> allow you to establish a secure connection with a remote server and route all your traffic through it so it can’t be tracked by your internet service provider. VPNs are commonly used to access geo-blocked content, and for additional privacy.</p></li>
<li><p><strong>Ad-blockers</strong> prevent advertisements from appearing on the websites you visit.</p></li>
<li><p><strong>App-lockers</strong> allow you to set passwords for individual apps. For example, they would stop somebody who borrowed your phone to make a call from then opening your Facebook app.</p></li>
<li><p><strong>Tor</strong> hides your identity while you browse the internet, by encrypting and moving your traffic across multiple Tor nodes.</p></li>
</ul>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/as-more-vulnerabilities-are-discovered-is-it-time-to-uninstall-antivirus-software-61374">As more vulnerabilities are discovered, is it time to uninstall antivirus software?</a>
</strong>
</em>
</p>
<hr>
<h2>Know the risks</h2>
<p>There are multiple dangers in using these kinds of security software, especially without the proper background knowledge. The risks include:</p>
<h3>Accessing unnecessary data</h3>
<p>Many security tools request access to your personal information. In many cases, they need to do this to protect your device. For example, <a href="http://www.av-comparatives.org/wp-content/uploads/2016/12/avc_datasending_2014_en.pdf">antivirus software</a> requires information such as browser history, personal files, and unique identifiers to function. But in some cases, tools request more access than they need for functionality. This was the case with the <a href="https://blog.trendmicro.com/answers-to-your-questions-on-our-mac-apps-store/">Trend Micro apps</a>. </p>
<h3>Creating a false sense of security</h3>
<p>It makes sense that if you download a security app, you believe your online data is more secure. But sometimes mobile security tools don’t provide security at the expected levels, or don’t provide the claimed services at all. If you think you can install a state-of-the-art mobile malware detection tool and then take risks online, you are mistaken. </p>
<p>For example, a 2017 <a href="https://taesoo.kim/pubs/2017/jung:avpass-slides.pdf">study</a> showed it was not hard to create malware that can bypass 95% of commercial Android antivirus tools. Another <a href="https://research.csiro.au/ng/wp-content/uploads/sites/106/2016/08/paper-1.pdf">study</a> showed that 18% of mobile VPN apps did not encrypt user traffic at all. And if you are using Tor, there are many mistakes you can make that will compromise your anonymity and privacy – especially if you are not familiar with the Tor setup and <a href="https://www.howtogeek.com/142380/htg-explains-is-tor-really-anonymous-and-secure/">try to modify its configurations</a>. </p>
<p>Lately, there have been reports of fake antivirus software, which <a href="https://www.zdnet.com/article/can-you-trust-your-mobile-antivirus-software-malicious-fake-protection-apps-flood-google-play-store/">open backdoors for spyware, ransomware and adware</a>, occupying the top spots on the app charts. Earlier this year it was reported that 20 million Google Chrome users had <a href="https://thehackernews.com/2018/04/adblocker-chrome-extention.html">downloaded fake ad-blocker extensions</a>.</p>
<h3>Software going rogue</h3>
<p>Numerous free – or paid – security apps created by enthusiastic individual developers or small companies are available in app stores. While these apps can provide handy features, they can be poorly maintained. More importantly, they can be hijacked or bought by attackers, and then used to harvest personal information or propagate malware. This mainly happens in the case of <a href="https://www.forbes.com/sites/leemathews/2017/07/31/hackers-hijacked-a-chrome-extension-and-forced-ads-on-over-30000-users/#13fd147464e0">browser extensions</a>.</p>
<h2>Know what you’re giving away</h2>
<p>The table below shows what sort of personal data are being requested by the top-10 antivirus, app-locker and ad-blocking apps in the Android app store. As you can see, antivirus tools have access to almost all the data stored in the mobile phone. </p>
<iframe src="https://datawrapper.dwcdn.net/HIId8/4/" scrolling="no" frameborder="0" allowtransparency="true" width="100%" height="545"></iframe>
<p>That doesn’t necessarily mean any of these apps are doing anything bad, but it’s worth noting just how much personal information we are entrusting to these apps without knowing much about them.</p>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/explainer-how-malware-gets-inside-your-apps-79485">Explainer: how malware gets inside your apps</a>
</strong>
</em>
</p>
<hr>
<h2>How to be safer</h2>
<p>Follow these pointers to do a better job of keeping your smart devices secure:</p>
<h3>Consider whether you need a security app</h3>
<p>If you stick to the official app stores, install few apps, and browse only a routine set of websites, you probably <a href="https://www.smh.com.au/technology/mobile-antivirus-not-needed-google-20140702-zsthl.html">don’t need extra security software</a>. Instead, simply stick to the security guidelines provided by the manufacturer, be diligent about updating your operating system, and don’t click links from untrusted sources. </p>
<h3>If you do, use antivirus software</h3>
<p>But before you select one, read product descriptions and online reviews. Stick to solutions from well-known vendors. Find out what it does, and most importantly what it doesn’t do. Then read the permissions it requests and see whether they make sense. Once installed, update the software as required. </p>
<h3>Be careful with other security tools</h3>
<p>Only install other security tools, such as ad-blockers, app-lockers and VPN clients, if it is absolutely necessary and you trust the developer. The returns from such software can be minimal when compared with the associated risks.</p>
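<p>The advice above to read the permissions an app requests and judge whether they make sense can be turned into a repeatable check. The following Python script is an added example, not code from the article or from any of the apps it discusses: it parses an Android manifest (the file in which an app declares its permissions), reports which requested permissions belong to Android’s runtime “dangerous” group, and which are not in a constructed profile of what an app of the claimed category plausibly needs. The manifest, the per-category profiles and the package name are all constructed for this example.</p>

```python
"""Review the permissions an Android app requests against its claimed purpose.

Added example (not the article's code). The sample manifest and the
per-category expected-permission profiles are constructed for illustration.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Runtime ("dangerous") permissions grant access to private data or sensitive
# device capabilities. This is a subset of the real Android list.
DANGEROUS = {
    "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.READ_CALL_LOG",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.READ_PHONE_STATE",
}

# Constructed profiles: what each category of security app plausibly needs.
EXPECTED = {
    "ad-blocker": {"android.permission.INTERNET"},
    "app-locker": {
        "android.permission.PACKAGE_USAGE_STATS",
        "android.permission.SYSTEM_ALERT_WINDOW",
    },
    "antivirus": {
        "android.permission.INTERNET",
        "android.permission.READ_EXTERNAL_STORAGE",
        "android.permission.PACKAGE_USAGE_STATS",
    },
}

# Constructed manifest for a hypothetical ad-blocker that asks for far more
# than blocking ads could require.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.adblocker">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <application android:label="Example Ad Blocker"/>
</manifest>"""


def requested_permissions(manifest_xml):
    """Return the sorted permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    name_attr = "{%s}name" % ANDROID_NS
    return sorted(
        el.get(name_attr)
        for el in root.iter("uses-permission")
        if el.get(name_attr)
    )


def review_permissions(manifest_xml, category):
    """Split requested permissions into expected, dangerous and unexpected.

    A permission that is both dangerous and unexpected for the app's category
    is the strongest sign that the app wants more than it needs.
    """
    requested = set(requested_permissions(manifest_xml))
    expected = EXPECTED.get(category, set())
    return {
        "expected": sorted(requested & expected),
        "dangerous": sorted(requested & DANGEROUS),
        "unexpected": sorted(requested - expected),
    }


if __name__ == "__main__":
    report = review_permissions(SAMPLE_MANIFEST, "ad-blocker")
    for kind, perms in report.items():
        print(f"{kind}: {', '.join(perms) or '(none)'}")
```

<p>Run against the constructed manifest, the script reports INTERNET as expected and flags READ_CONTACTS, ACCESS_FINE_LOCATION and READ_SMS as both dangerous and unexpected for an ad-blocker. The same check applied to a real manifest (extracted from an APK with the usual Android SDK tooling) gives a concrete answer to the article’s question of whether the permissions requested make sense for what the app claims to do.</p>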
<p class="fine-print"><em><span>Suranga Seneviratne does not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
Before you download antivirus and ad-blocker apps, do your due diligence on what personal information they want to access. Here are some tips on what to look out for.
Suranga Seneviratne, Lecturer - Security, University of Sydney
Licensed as Creative Commons – attribution, no derivatives.
tag:theconversation.com,2011:article/94088
2018-05-08T10:43:39Z
2018-05-08T10:43:39Z
Cryptojacking spreads across the web
<figure><img src="https://images.theconversation.com/files/217091/original/file-20180501-135837-y8qre9.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">Is someone else making money on your computer?</span> <span class="attribution"><a class="source" href="https://www.shutterstock.com/image-photo/hooded-man-shadow-crypto-currency-bitcoin-1039762126">WICHAI WONGJONGJAIHAN/Shutterstock.com</a></span></figcaption></figure>
<p>Right now, your computer might be using its memory and processor power – and your electricity – to generate money for someone else, without you ever knowing. It’s called “cryptojacking,” and it is an offshoot of the <a href="https://en.wikipedia.org/wiki/List_of_cryptocurrencies">rising popularity of cryptocurrencies</a> like bitcoin.</p>
<p>Instead of minting coins or printing paper money, creating new units of cryptocurrencies, which is called “mining,” involves performing <a href="https://bitcoin.stackexchange.com/questions/8031/what-are-bitcoin-miners-really-solving">complex mathematical calculations</a>. These intentionally difficult calculations securely record transactions among people using the cryptocurrency and provide an objective record of the <a href="https://medium.com/@karthikmargabandu7/order-of-transactions-and-how-blockchain-avoids-double-spend-9daf9f697b8f">“order” in which transactions are conducted</a>.</p>
<p>The user who successfully completes each calculation gets a reward in the form of a tiny amount of that cryptocurrency. That helps offset the main costs of mining, which involve buying <a href="https://www.anythingcrypto.com/guides/best-bitcoin-mining-hardware-2018">advanced computer processors</a> and <a href="https://www.theatlantic.com/technology/archive/2018/03/bitcoin-mining-arbitrages-cheap-electricity-into-money/555416/">paying for electricity to run them</a>. It is not surprising that enterprising cryptocurrency enthusiasts have found a way to increase their profits, mining currency for themselves by using other people’s processing and electrical power.</p>
<p>Our <a href="http://security.cse.msu.edu/">security research group</a> at Michigan State University is presently focused on researching ransomware and cryptojacking – the two <a href="https://www.symantec.com/content/dam/symantec/docs/reports/istr-23-executive-summary-en.pdf">biggest threats to user security in 2018</a>. Our <a href="https://censys.io/">preliminary web crawl</a> identified 212 websites involved in cryptojacking.</p>
<h2>Types of cryptojacking</h2>
<p>There are two forms of cryptojacking; one is like other malware attacks and involves <a href="https://thehackernews.com/2018/03/cryptocurrency-mining-malware.html">tricking a user into downloading a mining application</a> to their computer. It’s far easier, however, just to lure visitors to a webpage that includes a script their web browser software runs or to <a href="https://www.theguardian.com/technology/2018/feb/12/cryptojacking-attack-hits-australian-government-websites">embed a mining script in a common website</a>. Another variant of this latter approach is to <a href="https://www.zdnet.com/article/hackers-now-mining-cryptocurrency-by-invading-ad-networks/">inject cryptomining scripts into ad networks</a> that legitimate websites then unknowingly serve to their visitors.</p>
<figure class="align-center zoomable">
<a href="https://images.theconversation.com/files/213637/original/file-20180406-5578-1w5ge27.png?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="" src="https://images.theconversation.com/files/213637/original/file-20180406-5578-1w5ge27.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/213637/original/file-20180406-5578-1w5ge27.png?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=41&fit=crop&dpr=1 600w, https://images.theconversation.com/files/213637/original/file-20180406-5578-1w5ge27.png?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=41&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/213637/original/file-20180406-5578-1w5ge27.png?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=41&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/213637/original/file-20180406-5578-1w5ge27.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=51&fit=crop&dpr=1 754w, https://images.theconversation.com/files/213637/original/file-20180406-5578-1w5ge27.png?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=51&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/213637/original/file-20180406-5578-1w5ge27.png?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=51&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">Source code of a cryptojacking website, with a box around the text telling the software where to credit any cryptocurrency earnings.</span>
<span class="attribution"><span class="source">Screenshot by Pranshu Bajpai</span>, <a class="license" href="http://creativecommons.org/licenses/by-nd/4.0/">CC BY-ND</a></span>
</figcaption>
</figure>
<p>The mining script can be very small – just a few lines of text that download a small program from a web server, activate it on the user’s own browser and tell the program where to credit any mined cryptocurrency. The user’s computer and electricity do all the work, and the person who wrote the code gets all the proceeds. The computer’s owner may never even realize what’s going on.</p>
<h2>Is all cryptocurrency mining bad?</h2>
<p>There are legitimate purposes for this sort of embedded cryptocurrency mining – if it is disclosed to users rather than happening secretly. <a href="https://www.salon.com">Salon</a>, for example, is asking its visitors to help provide financial support for the site in one of two ways: Either allow the site to display advertising, for which Salon gets paid, or <a href="https://www.salon.com/about/faq-what-happens-when-i-choose-to-suppress-ads-on-salon/">let the site conduct cryptocurrency mining</a> while reading its articles. That’s a case when the site is making very clear to users what it’s doing, including the effect on their computers’ performance, so there is not a problem. More recently, a <a href="https://www.thehopepage.org/">UNICEF charity</a> allows people to donate their computer’s processing power to mine cryptocurrency.</p>
<p>However, many sites do not let users know what is happening, so they are engaging in cryptojacking. Our initial analysis indicates that many sites with cryptojacking software are engaged in <a href="https://www.scmagazine.com/pirated-copies-of-hacking-game-watch-dogs-contain-bitcoin-mining-malware/article/538485/">other dubious practices</a>: Some of them are <a href="https://fortiguard.com/webfilter/categories">classified by internet security firm FortiGuard</a> as “malicious websites,” known to be homes for destructive and malicious software. Other cryptojacking sites were classified as “pornography” sites, many of which appeared to be hosting or indexing potentially illegal pornographic content. </p>
<p><iframe id="3jiea" class="tc-infographic-datawrapper" src="https://datawrapper.dwcdn.net/3jiea/3/" height="400px" width="100%" style="border: none" frameborder="0"></iframe></p>
<p>The problem is so severe that Google recently announced it would <a href="https://www.wired.com/story/google-bans-all-cryptomining-extensions-from-the-chrome-store">ban all extensions that involved cryptocurrency mining</a> from its Chrome browser – regardless of whether the mining was done openly or in secret.</p>
<p>The longer a person stays on a cryptojacked website, the more cryptocurrency their computer will mine. The most successful cryptojacking efforts are on streaming media sites, because they have lots of visitors who stay a long time. While legitimate streaming websites such as YouTube and Netflix are safe for users, some sites that host pirated videos are targeting visitors for cryptojacking.</p>
<p>Other sites extend a user’s apparent visit time by opening a <a href="https://www.bleepingcomputer.com/news/security/cryptojacking-script-continues-to-operate-after-users-close-their-browser/">tiny additional browser window</a> and placing it in a hard-to-spot part of the screen, say, behind the taskbar. So even after a user closes the original window, the site stays connected and continues to mine cryptocurrency.</p>
<h2>What harm does cryptojacking do?</h2>
<p>The amount of electricity a computer uses depends on what it’s doing. Mining is very processor-intensive – and that activity <a href="https://web.archive.org/web/20180419184315/https://greenbiz.com/sites/default/files/document/White_Paper_7_-_Five_Ways_to_Save_Power.pdf">requires more power</a>. So a laptop’s battery will drain faster if it’s mining, like when it’s displaying a 4K video or handling a 3D rendering. </p>
<p>Similarly, a desktop computer will draw more power from the wall, both to power the processor and to run fans to prevent the machine from overheating. And even with proper cooling, the <a href="https://www.geek.com/glossary/electromigration/">increased heat can take its own toll</a> over the long term, damaging hardware and slowing down the computer. </p>
<p>This harms not only individuals whose computers are hijacked for cryptocurrency mining, but also <a href="https://www.bleepingcomputer.com/news/cryptocurrency/students-mining-cryptocurrencies-are-clogging-up-university-networks/">universities, companies and other large organizations</a>. A <a href="https://www.imperva.com/blog/2018/03/rediswannamine-new-redis-nsa-powered-cryptojacking-attack/">large number of cryptojacked machines</a> <a href="https://www.helpnetsecurity.com/2018/04/12/cryptomining-enterprise/">across an institution</a> can consume substantial amounts of electricity and damage large numbers of computers.</p>
<h2>Protecting against cryptojacking</h2>
<p>Users may be able to recognize cryptojacking on their own. Because it involves increasing processor activity, the computer’s temperature can climb – and the computer’s fan may activate or run more quickly in an attempt to cool things down.</p>
<p>People who are concerned their computers may have been <a href="https://www.symantec.com/content/dam/symantec/docs/reports/istr-23-executive-summary-en.pdf">subjected to cryptojacking</a> should run an up-to-date antivirus program. While cryptojacking scripts are not necessarily actual computer viruses, most antivirus software packages also check for other types of malicious software. That usually includes identifying and blocking mining malware and even browser-based mining scripts.</p>
<figure class="align-center zoomable">
<a href="https://images.theconversation.com/files/215681/original/file-20180419-163986-1xoefrh.png?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="" src="https://images.theconversation.com/files/215681/original/file-20180419-163986-1xoefrh.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/215681/original/file-20180419-163986-1xoefrh.png?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=362&fit=crop&dpr=1 600w, https://images.theconversation.com/files/215681/original/file-20180419-163986-1xoefrh.png?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=362&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/215681/original/file-20180419-163986-1xoefrh.png?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=362&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/215681/original/file-20180419-163986-1xoefrh.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=454&fit=crop&dpr=1 754w, https://images.theconversation.com/files/215681/original/file-20180419-163986-1xoefrh.png?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=454&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/215681/original/file-20180419-163986-1xoefrh.png?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=454&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">A virus-checking program identifies cryptojacking malware.</span>
<span class="attribution"><span class="source">Screenshot by Pranshu Bajpai</span>, <a class="license" href="http://creativecommons.org/licenses/by-nd/4.0/">CC BY-ND</a></span>
</figcaption>
</figure>
<p><a href="https://theconversation.com/the-petya-ransomware-attack-shows-how-many-people-still-dont-install-software-updates-77667">Installing software updates</a> may also help users block attacks that try to download cryptojacking software or other malicious programs to their computers. In addition, <a href="https://github.com/xd4rker/MinerBlock">browser add-ons that block mining scripts</a> can reduce the likelihood of being cryptojacked by code embedded in websites. Further, users should either <a href="https://www.bleepingcomputer.com/news/security/15k-botnet-mines-for-cryptocurrencies-on-vulnerable-windows-servers/">turn off or use a strong password to secure</a> <a href="https://www.apple.com/remotedesktop/">remote services</a> such as Microsoft’s <a href="https://support.microsoft.com/en-us/search?query=remote%20desktop%20connection">Remote Desktop Connection</a> or <a href="https://en.wikipedia.org/wiki/Secure_Shell">secure shell (SSH) access</a>.</p>
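<p>The browser add-ons mentioned above work on a simple principle: compare the scripts a page loads against a list of known mining-script hosts, and block the ones that match. The following Python script is an added example, not code from the article or from MinerBlock or any other blocker: it collects the scripts in a page, matches external script URLs against a blocklist of hosts, and applies a weak heuristic to inline scripts (browser miners typically spin up background Web Workers and WebAssembly code, so both appearing together is worth a closer look). The page, the blocklist hostnames and the heuristic tokens are all constructed for this example; a real blocker ships a maintained list.</p>

```python
"""Flag scripts in a web page that point at known mining-script hosts.

Added example (not the article's or MinerBlock's code). The sample page,
blocklist hostnames and inline-script hints are constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed blocklist. Real blockers use curated lists of miner hosts.
MINER_HOSTS = {"miner.example", "cdn.coinpool.example"}

# Tokens typical of browser miners that hash in background threads. Each on
# its own is common in legitimate code, so both must appear to be flagged.
INLINE_HINTS = ("new Worker(", "WebAssembly")


class ScriptCollector(HTMLParser):
    """Collects external script URLs and inline script bodies from a page."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline = []
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        # Script bodies may arrive in several chunks; buffer them.
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            self.inline.append("".join(self._buf))


def host_is_blocked(url, blocklist=MINER_HOSTS):
    """True if the URL's host is a blocklisted host or a subdomain of one."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == b or host.endswith("." + b) for b in blocklist)


def scan_page(html, blocklist=MINER_HOSTS):
    """Return (blocked external script URLs, count of suspicious inline scripts)."""
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    blocked = [u for u in parser.external if host_is_blocked(u, blocklist)]
    suspicious = sum(
        1 for body in parser.inline if all(h in body for h in INLINE_HINTS)
    )
    return blocked, suspicious


# Constructed page: one legitimate script, one miner loader, one inline starter.
SAMPLE_PAGE = """<html><head>
<script src="https://static.example.org/app.js"></script>
<script src="https://miner.example/lib/miner.min.js"></script>
<script>
  var worker = new Worker('/w.js');
  WebAssembly.instantiate(buf).then(function (m) { worker.postMessage(m); });
</script>
</head><body>Streaming page</body></html>"""


if __name__ == "__main__":
    blocked, suspicious = scan_page(SAMPLE_PAGE)
    print("blocked script URLs:", blocked)
    print("suspicious inline scripts:", suspicious)
```

<p>The host match is deliberately suffix-based so that a subdomain of a listed host is caught as well; the inline heuristic is only a prompt for a manual look, since many legitimate pages use Web Workers and WebAssembly. This is the same trade-off a browser add-on makes: the blocklist is precise but only as good as its maintenance, while heuristics catch more at the cost of false positives.</p>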
<p>Cryptocurrency mining can be a legitimate source of revenue – but not when done secretly or by hijacking others’ computers to do the work and having them pay the resulting financial costs.</p>
<p class="fine-print"><em><span>The authors do not work for, consult, own shares in or receive funding from any company or organization that would benefit from this article, and have disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
Enterprising cryptocurrency enthusiasts have found a way to use your computer processor and electricity to make themselves money. What is cryptojacking, and how does it work?
Pranshu Bajpai, Security Researcher, PhD Candidate, Michigan State University
Richard Enbody, Associate Professor, Computer Science & Engineering, Michigan State University
Licensed as Creative Commons – attribution, no derivatives.
tag:theconversation.com,2011:article/90880
2018-01-31T14:46:18Z
2018-01-31T14:46:18Z
Strava storm: why everyone should check their smart gear security settings before going for a jog
<figure><img src="https://images.theconversation.com/files/204224/original/file-20180131-131717-1348a3p.jpeg?ixlib=rb-1.1.0&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">
</span> <span class="attribution"><a class="source" href="https://labs.strava.com/">Strava</a></span></figcaption></figure><p>Fitness tracking app Strava recently kicked off a privacy and security storm after it was <a href="http://www.bbc.co.uk/news/technology-42853072">revealed</a> that its software had potentially exposed the location of secret military bases, courtesy of a data visualisation tool called a “heatmap”. </p>
<p>The <a href="https://labs.strava.com/heatmap/">heatmap</a> was created to depict the activities of Strava users across the globe. But while it’s a great idea in general (and quite a nice heatmap), a closer inspection of the user data generated by the tool highlights some worrying developments. </p>
<p>It’s also a reality check for consumers of wearable gadgets – be they a National Security Agency operative or a retired librarian going for a gentle jog – who are lax with the privacy and security settings on apps that monitor location and other personal data. </p>
<p>Nathan Ruser, a <a href="http://money.cnn.com/2018/01/29/technology/strava-nathan-ruser/index.html">20-year-old student based in Australia</a>, pored over Strava’s heatmap and <a href="https://twitter.com/Nrg8000/status/957318498102865920">tweeted</a> his findings, saying that the “pretty” data visualisation tool – which mapped 13 trillion GPS points from the app’s users – wasn’t “amazing for op-sec [operations security]. US bases are clearly identifiable and mappable.” </p>
<p>By publishing the <a href="https://medium.com/strava-engineering/the-global-heatmap-now-6x-hotter-23fc01d301de">heatmap of Strava users’ activities</a> and their locations, the San Francisco-based company had seemingly leaked the location of secret bases and routes service personnel use for exercise. </p>
<h2>Don’t be dumb about smart tech</h2>
<p>The <a href="https://theconversation.com/explainer-the-internet-of-things-16542">Internet of Things (IoT)</a> represents a new advancement in technology that harnesses data to help streamline our lives. The simplest way to think of the IoT is as a network of devices and objects with embedded electronics – deemed “smart” – that communicate to perform various tasks.</p>
<p>IoT technologies enable voice commands to control appliances such as lights, TVs and even <a href="https://www.yale.co.uk/en/yale/couk/news/2017/articles/alexa-lock-my-lock-yale-partners-with-amazon-alexa-via-samsung-smartthings/">door locks</a>. At work, <a href="https://www.intel.co.uk/content/www/uk/en/internet-of-things/videos/smart-office-building-video.html">smart office buildings</a> offer significant promise for handling controls such as energy saving options and may soon become ubiquitous. And, on the move, wearable technologies such as fitness trackers and smart watches allow people to track and monitor their exercise regimes.</p>
<p>But there are clear security and privacy concerns associated with using these different forms of new technology. And there’s a danger that consumers – egged on by digital companies whose income heavily relies on data sharing – jump too quickly at the convenience of new personal tech without understanding the risks.</p>
<p>In research circles, the risks accompanying IoT technology – including data leakage via consumer wearables – have been known for some time now. One of the earliest comprehensive reports on the topic – from cyber security firm <a href="http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/how-safe-is-your-quantified-self.pdf">Symantec</a> – linked wearables and other tracking devices to risks including identity theft, profiling and stalking users. </p>
<p>If a criminal accesses someone’s real-time online fitness tracker data (be it from Strava, FitBit or a smart watch) they could determine that person’s whereabouts – in and out of work and home. Oversharing on social media has been <a href="https://www.cs.ox.ac.uk/files/8375/xrds2015_nurse_final_author.pdf">a problem for many years</a> as it can lead to crime <a href="https://theconversation.com/social-media-and-crime-the-good-the-bad-and-the-ugly-66397">online</a> and in the <a href="http://www.telegraph.co.uk/technology/news/8789538/Most-burglars-using-Facebook-and-Twitter-to-target-victims-survey-suggests.html">physical world</a>.</p>
<p>It gets worse. Recently, we conducted <a href="http://www.cs.ox.ac.uk/files/9439/2017-ccs-mps-ang-author-final.pdf">research</a> on this topic, to investigate the potential dangers facing users when they share data from fitness trackers and social media.</p>
<p>We found that if a criminal or an organisation were able to combine data fragments gathered from a tracker and a social media profile, then users faced significant privacy risks. </p>
<p>These include financial loss (home burglary based on the knowledge of user location and address) and targeted profiling by marketing companies or even potential employers, who habitually <a href="https://theconversation.com/why-the-rise-of-wearable-tech-to-monitor-employees-is-worrying-70719">screen candidates based on their online profiles</a>.</p>
<h2>Chairman of the bored</h2>
<p>When speaking to users about these risks, we discovered their general awareness was quite low. The study confirmed other <a href="https://www.cs.ox.ac.uk/files/9213/2017-pst-wnc-preprint.pdf">research</a> that we have recently conducted where – to some users – “privacy is the boring bit” of using smart technologies. </p>
<figure class="align-left ">
<img alt="" src="https://images.theconversation.com/files/204229/original/file-20180131-131741-72vj5m.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=237&fit=clip" srcset="https://images.theconversation.com/files/204229/original/file-20180131-131741-72vj5m.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=900&fit=crop&dpr=1 600w, https://images.theconversation.com/files/204229/original/file-20180131-131741-72vj5m.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=900&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/204229/original/file-20180131-131741-72vj5m.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=900&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/204229/original/file-20180131-131741-72vj5m.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=1131&fit=crop&dpr=1 754w, https://images.theconversation.com/files/204229/original/file-20180131-131741-72vj5m.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=1131&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/204229/original/file-20180131-131741-72vj5m.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=1131&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px">
<figcaption>
<span class="caption">The Strava brouhaha is a wake-up call for users of smart apps that track a person’s every move.</span>
<span class="attribution"><a class="source" href="https://www.shutterstock.com/image-photo/bath-uk-august-31-2015-closeup-686602303?src=Hi8cDkU0HzHLj2iSPssTzw-1-2">Shutterstock</a></span>
</figcaption>
</figure>
<p>The Strava incident, while important, is the <a href="https://www.cs.ox.ac.uk/files/7825/SIoT2015-neagc-preprint.pdf">tip of the iceberg</a> when it comes to risks associated with the use of personal IoT technology in the workplace. For instance, an employee with a malware-infected smart device could then connect it to their employer’s network. </p>
<p>While organisations are largely prepared for this type of risk if it originates from a personal laptop, it’s a different issue with wearable devices – which are now being <a href="https://www.kaspersky.com/about/press-releases/2017_amount-of-malware-targeting-smart-devices-more-than-doubled-in-2017">heavily targeted</a> by malware miscreants. </p>
<p>The discrete nature of wearables presents another problem: they are typically paired with a secondary device and are more likely for that reason to avoid security measures, where checks are only conducted if a device is directly connected to the corporate network. Another real problem is that <a href="https://www.cs.ox.ac.uk/files/7825/SIoT2015-neagc-preprint.pdf">malicious employees</a> seeking to harm their organisation may use IoT technology for nefarious means, such as stealing intellectual property, or using hidden devices to inconspicuously record private office conversations.</p>
<p>The Strava episode is a stark reminder that as technology becomes smarter, it poses significant risks to people’s home, work and social lives if not properly considered, discussed and addressed. Privacy and security settings are there for a reason: use them.</p>
<p class="fine-print"><em><span>Jason R. C. Nurse receives funding from The Engineering and Physical Sciences Research Council (EPSRC).</span></em></p>
Revelations about the fitness app have turned up the heat on the privacy and security risks of wearables.
Jason R.C. Nurse, Senior Researcher in Cyber Security, University of Oxford
Licensed as Creative Commons – attribution, no derivatives.
tag:theconversation.com,2011:article/88375
2017-11-30T08:27:22Z
2017-11-30T08:27:22Z
Viruses and malware: are we protecting ourselves adequately?
<figure><img src="https://images.theconversation.com/files/197017/original/file-20171129-12069-glc67z.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">Bad news on the doorstep. How to stay safe?</span> <span class="attribution"><span class="source">Shutterstock.</span></span></figcaption></figure>
<p>Cybersecurity incidents are increasingly gaining public attention. They are frequently mentioned in the media and discussed by specialists, such as Guillaume Poupard, Director General of the <a href="http://www.ssi.gouv.fr/en/">French Information Security Agency</a>. This attests to the fact that these digital incidents have an increasingly significant impact on our daily lives. Questions therefore arise about how we are protecting our digital activities, and whether this protection is adequate. The publicity surrounding security incidents may, at first glance, lead us to believe that we are not doing enough.</p>
<h2>A look at the current situation</h2>
<p>Let us first take a look at the progression of software vulnerabilities since 2001, as illustrated by the National Vulnerability Database (NVD), the reference site of the <a href="https://www.nist.gov/">American National Institute of Standards and Technology</a> (NIST).</p>
<figure class="align-center ">
<img alt="" src="https://images.theconversation.com/files/172117/original/file-20170604-20599-zvkox6.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/172117/original/file-20170604-20599-zvkox6.png?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=227&fit=crop&dpr=1 600w, https://images.theconversation.com/files/172117/original/file-20170604-20599-zvkox6.png?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=227&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/172117/original/file-20170604-20599-zvkox6.png?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=227&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/172117/original/file-20170604-20599-zvkox6.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=286&fit=crop&dpr=1 754w, https://images.theconversation.com/files/172117/original/file-20170604-20599-zvkox6.png?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=286&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/172117/original/file-20170604-20599-zvkox6.png?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=286&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px">
<figcaption>
<span class="caption">Distribution of vulnerabilities to attacks, rated by severity of vulnerability over a period of time.</span>
<span class="attribution"><span class="source">https://nvd.nist.gov/vuln-metrics/visualizations/cvss-severity-distribution-over-time</span>, <a class="license" href="http://creativecommons.org/licenses/by/4.0/">CC BY</a></span>
</figcaption>
</figure>
<p>Upon an analysis of the distribution of vulnerabilities to computer-related attacks, as published by the American National Institute of Standards and Technology (NIST) in visualizations on the National Vulnerability Database, we observe that since 2005, there has not been a significant increase in the number of vulnerabilities published each year. The distribution of risk levels (high, medium, low) has also remained relatively steady. Nevertheless, it is possible that the situation may be different in 2017, since, just halfway through the year, we have already reached publication levels similar to those of 2012.</p>
<p>It should be noted, however, that the growing number of vulnerabilities published in comparison to before 2005 is also partially due to a greater exposure of systems and software to attempts to compromise and external audits. For example, Google has implemented Google Project Zero, which specifically searches for vulnerabilities in programs and makes them public. It is therefore natural that more discoveries are made.</p>
<p>There is also an increasing number of objects, the much-discussed <a href="https://en.wikipedia.org/wiki/Internet_of_things">Internet of things</a>, which use embedded software, and therefore present vulnerabilities. The recent example of the <a href="https://en.wikipedia.org/wiki/Mirai_(malware)">“Mirai” network</a> demonstrates the vulnerability of these environments which account for a growing portion of our digital activities. Therefore, the rise in the number of vulnerabilities published simply represents the increase in our digital activities.</p>
<h2>What about the attacks?</h2>
<p>The publicity surrounding attacks is not directly connected to the number of vulnerabilities, even though the two are related. The notion of vulnerability does not directly express the impact that a given vulnerability may have on our lives. Indeed, the effect of the malicious code <a href="https://theconversation.com/wannacry-report-shows-nhs-chiefs-knew-of-security-danger-but-management-took-no-action-86501">WannaCry</a>, which affected the British health system by disabling certain hospitals and emergency services, can be viewed as a significant escalation in the harmfulness of malicious code. This attack led to either deaths or delayed care on an unprecedented scale.</p>
<p>It is always easy to say, in hindsight, that an event was foreseeable. And yet, it must be acknowledged that the use of “old” tools (Windows XP, SMBv1) in these vital systems is problematic. In the digital world, fifteen years represents three or even four generations of operating systems, unlike in the physical world, where we can have equipment dating from 20 or 30 years ago, if not even longer. Who could imagine a car being obsolete (to the point of no longer being usable) after five years? This major difference in how we evaluate time, which is deeply ingrained in our current way of life, is largely responsible for the success and impact of the attacks we are experiencing today.</p>
<p>It should also be noted that in terms of both scale and impact, digital attacks are not new. In the past, worms such as <a href="https://en.wikipedia.org/wiki/Code_Red_(computer_worm)">CodeRed</a> in 2001 and Slammer in 2003, also infected a number of important machines, making the Internet unusable for some time. The only difference was that at the time of these attacks, critical infrastructures were less dependent on a permanent Internet connection, therefore limiting the impact to the digital world alone.</p>
<p>The most critical attacks, however, are not those from which the attackers benefit the most. In the <a href="https://bgpmon.net/the-canadian-bitcoin-hijack/">Canadian Bitcoin Hijack</a> in 2014, for example, attackers diverted this virtual currency for direct financial gain without disturbing the bitcoin network, while other similar attacks on routing in 2008 made the network largely unavailable without any financial gain.</p>
<p>So, where does all this leave us in terms of the adequacy of our digital protection?</p>
<p>There is no question that outstanding progress has been made in protecting information systems over the past several years. The detection of an increasing number of vulnerabilities, combined with progressively shorter periods between updates, is continually strengthening the reliability of digital services. The automation of the update process for individuals, which concerns operating systems as well as browsers, applications, telephones and tablets, has helped limit exposure to vulnerabilities.</p>
<p>At the same time, in the business world we have witnessed a shift towards a real understanding of the risks involved in digital uses. This, along with the introduction of technical tools and resources for training and certification, could help increase all users’ general awareness of both the risks and opportunities presented by digital technology.</p>
<h2>How can we continue to reduce the risks?</h2>
<p>After working in this field for 25 years, and though we must remain humble in response to the risks we face and will continue to face, I remain optimistic about the possibilities of strengthening our confidence in the digital world. Nevertheless, it appears necessary to support users in their digital activities in order to help them understand how these services work and the associated risks. ANSSI’s publication of measures for a healthy network for personal and business use is an important example of this need for information and training which will help all individuals make conscious, appropriate choices when it comes to digital use.</p>
<p>Another aspect, which is more oriented towards developers and service providers, is increasing the modularity of our systems. This will allow us to control access to our digital systems, make them simple to configure, and easier to update. In this way, we will continue to reduce our exposure to the risk of a computer-related attack while using our digital tools to an ever-greater extent.</p>
<hr>
<p><em>This article was translated from the French by <a href="https://blogrecherche.wp.imt.fr/en/2017/07/19/viruses-malware-protecting-adequately/">IM'Tech</a>.</em></p>
<p class="fine-print"><em><span>Hervé Debar has received funding from ANR, CELTIC, PIA, FP7, H2020, for collaborative research projects in the field of cyber security.</span></em></p>
<p>Like the recent WannaCry, viruses and other hacker software are now part of our digital lives. How big are the threats? How can we protect ourselves?</p>
<p>Hervé Debar, Director of Research and Doctoral Training at Télécom SudParis, Télécom SudParis – Institut Mines-Télécom</p>
<p>Licensed as Creative Commons – attribution, no derivatives.</p>
<p>tag:theconversation.com,2011:article/86295 2017-10-25T22:48:27Z</p>
Ransomware like Bad Rabbit is big business
<p>October is <a href="https://www.getcybersafe.gc.ca/index-en.aspx">Cybersecurity Awareness month</a>, which is being observed in the <a href="https://www.fbi.gov/news/stories/national-cyber-security-awareness-month-2017">United States</a>, <a href="https://cybersecuritymonth.eu/about-ecsm/whats-ecsm">Europe</a>, and elsewhere around the world. Ironically, it began with updates about a large-scale hack, and is ending with a large-scale ransomware outbreak.</p>
<p>Internet firm Yahoo kicked things off on Oct. 3 when it admitted that hackers in 2013 had accessed information about <a href="http://www.cbc.ca/news/technology/yahoo-breach-three-billion-1.4322100">all three billion of its user accounts</a>, not “just” the one billion first reported.</p>
<p>Ransomware “<a href="https://www.theguardian.com/technology/2017/oct/25/bad-rabbit-game-of-thrones-ransomware-europe-notpetya-bitcoin-decryption-key">Bad Rabbit</a>” is providing the finale with attacks that began Oct. 24. So far, the outbreak is mostly affecting business computers in Russia.</p>
<p>Both stories are fitting, in a way. The FBI considers computer break-ins and data ransoming the <a href="https://www.fbi.gov/investigate/cyber">top two cyber threats</a> we face. But while the former is old-fashioned e-crime, ransomware is much trendier. Much like <a href="https://theconversation.com/tailoring-the-customer-experience-boosts-online-sales-84941">online retailing</a>, <a href="https://theconversation.com/online-shopping-retailers-seek-visibility-in-face-of-google-control-80129">online advertising</a>, and <a href="https://theconversation.com/by-concealing-identities-cryptocurrencies-fuel-cybercrime-82282">online currencies</a>, ransomware is soaring.</p>
<h2>Your money or your data</h2>
<p>Traditional criminal hackers obtain their ill-gotten gains by stealing valuable data such as credit card numbers or passwords. They then look for customers, such as other criminals, to buy that data.</p>
<p>In contrast, ransomware hackers instead sell data back to the owners. If ransomware infects your computer, it encrypts your files to render them inaccessible until you pay a ransom. This simplifies cybercrime by replacing theft with extortion.</p>
<p>For example, in summer 2016, ransomware locked down the University of Calgary email system. <a href="http://www.cbc.ca/news/canada/calgary/university-calgary-ransomware-cyberattack-1.3620979">The university paid $20,000</a> to unlock it.</p>
<p>Today, that looks cheap. In July, a <a href="https://www.itworldcanada.com/article/canadian-firm-pays-425000-to-recover-from-ransomware-attack/394844">Canadian company reportedly paid $425,000</a> to regain its data. The month before, South Korean firm <a href="http://www.foxnews.com/tech/2017/06/21/ransomware-attack-costs-south-korean-company-1m-largest-payment-ever.html">Nayana paid $1 million</a>, the highest ransom publicly admitted so far.</p>
<h2>Growing scale and sophistication</h2>
<p>Much like legitimate firms, some ransomware charges lower “prices” but targets larger volumes. Bad Rabbit demands only a few hundred dollars to decrypt each computer. But it is affecting machines across Russia.</p>
<p>Similarly, the <a href="https://theconversation.com/how-wannacry-caused-global-panic-but-failed-to-turn-much-of-a-profit-77740">WannaCry ransomware attack</a> in May affected computers in about 100 countries. It forced many <a href="http://www.cbc.ca/news/canada/ottawa/cgi-cybersecurity-wannacry-ransomware-small-business-at-risk-1.4116429">British hospitals</a> to cancel surgeries.</p>
<p>An <a href="https://www-03.ibm.com/press/us/en/pressrelease/51230.wss">IBM survey</a> found that almost half of businesses suffered ransomware attacks in 2016. Some 70 per cent of those paid a ransom to regain their data.</p>
<p>The survey also indicates small businesses are particularly vulnerable. They often lack the computer expertise to defend themselves. Only 30 per cent provided cybersecurity training to employees, compared to 58 per cent within larger companies.</p>
<p>Ransomware’s sophistication is growing too. Ransomware “worms” like <a href="http://www.securityweek.com/zcryptor-ransomware-spreads-removable-drives">ZCryptor</a> spread themselves across networks, rather than riding on infected emails.</p>
<p>Some ransomware specialists are selling their services to organized crime. This crime-as-a-service business model allows criminals to outsource their technology needs. User-friendly <a href="https://www.pcworld.com/article/3190852/security/at-175-this-ransomware-service-is-a-boon-to-cybercriminals.html">ransomware “kits” can be purchased for $175</a>.</p>
<figure class="align-center ">
<img alt="" src="https://images.theconversation.com/files/191908/original/file-20171025-25533-1q52a0e.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/191908/original/file-20171025-25533-1q52a0e.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=368&fit=crop&dpr=1 600w, https://images.theconversation.com/files/191908/original/file-20171025-25533-1q52a0e.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=368&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/191908/original/file-20171025-25533-1q52a0e.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=368&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/191908/original/file-20171025-25533-1q52a0e.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=462&fit=crop&dpr=1 754w, https://images.theconversation.com/files/191908/original/file-20171025-25533-1q52a0e.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=462&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/191908/original/file-20171025-25533-1q52a0e.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=462&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px">
<figcaption>
<span class="caption">A specialist works at the U.S. National Cybersecurity and Communications Integration Center (NCCIC) in Arlington, Va. in Sept. 2014.</span>
<span class="attribution"><a class="source" href="http://www.cpimages.com/fotoweb/cpimages_details.pop.fwx?position=22&archiveType=ImageFolder&sorting=ModifiedTimeAsc&search=cybersecurity&fileId=7ED4E565C8CEED276553137C3F07278F0211563F5E7047DF3AAB663AE59BB0CF1642B0B80D34257E6710EC2568FB7698B59B4D70A14C35A5085499F7776FCE74F2B7765E8750034730859FC82D50AED936F94C876BDCF9BEC438833511658A5442F841C1FF39A6F82A1B1FF576DC98DFDEBAE60A57D8B1868787E68E4DB65177C56CA13FE83A463BAFB139FF949304109FA1D488C8D1A475">(AP Photo/Manuel Balce Ceneta)</a></span>
</figcaption>
</figure>
<h2>Future possibilities</h2>
<p>What might come next? Imagine state-sponsored hackers using ransomware. Host countries might give — or even sell — permission for local hackers to attack rival countries’ computers.</p>
<p>These cyber-<a href="https://www.britannica.com/topic/privateer">privateers</a> could plunder commerce abroad, without the host country’s direct involvement or accountability. Think of regional rivals like North and South Korea, or major powers like the U.S., Russia and China.</p>
<p>Sound far-fetched? Russian security services have already been accused of <a href="https://www.ft.com/content/21be48ec-0a48-11e7-97d1-5e720a26771b">working with organized crime</a> on cyberattacks. The Russian government denies any involvement. But its president, Vladimir Putin, did suggest independent “<a href="http://www.cnn.com/2017/06/01/politics/russia-putin-hackers-election/index.html">patriotic hackers</a>” may have tampered with the U.S. election process.</p>
<p>How about virtual protection rackets? Instead of one-time payments for decryption, users might be “convinced” to pay ongoing fees for the “service” of avoiding encryption.</p>
<p>Or instead of hiding virtual data, ransomware could shut down physical objects. The <a href="https://www.wired.com/2013/05/internet-of-things-2/">Internet of Things</a> is exposing new targets. Control systems for factories, utilities and our homes are increasingly online.</p>
<p>What if ransomware turned them off? Businesses begrudgingly pay thousands to recover emails. Imagine what they’d pay to restart assembly lines.</p>
<h2>Precautions to take</h2>
<p>To defend themselves, computer users need to do the basics. Run antivirus programs to detect threats. Think before clicking on unexpected email attachments. Keep application software and operating systems updated. (Surely you’re not <a href="https://www.wired.com/2017/05/still-use-windows-xp-prepare-worst/">still running Windows XP</a>?)</p>
<p>Users should also back up files regularly. If ransomware strikes, backups allow ransom-free recovery. But keep them on removable drives to prevent their infection.</p>
<p>Infected users can also try decrypting files with tools from sites like <a href="https://www.nomoreransom.org/en/index.html">NoMoreRansom.org</a>. But these might work only on simple cases.</p>
<h2>Corporate and government action</h2>
<p>Software makers should do more to facilitate safe computing practices. For example, it’s great that Windows now has self-updating antivirus protection. Unfortunately, it’s still awkward to back up data onto removable drives.</p>
<p>Business insurers could also play a role. They might require corporate computers to be updated and backed up to qualify for coverage.</p>
<p>Co-operation among independent agencies is needed to fight ransomware’s breadth. Canada’s <a href="http://www.cbc.ca/news/canada/cse-what-do-we-know-about-canada-s-eavesdropping-agency-1.1400396">Communications Security Establishment</a> set a good example two weeks ago when it made its <a href="http://www.cbc.ca/news/technology/cse-canada-cyber-spy-malware-assemblyline-open-source-1.4361728">Assemblyline malware analysis software</a> publicly available to tech professionals.</p>
<p>In contrast, the U.S. National Security Agency sets a bad example: It <a href="https://theconversation.com/should-spies-use-secret-software-vulnerabilities-77770">had known about a weakness in Windows</a> for years, but didn’t tell Microsoft until early 2017.</p>
<p>Law enforcement likewise needs to cooperate across jurisdictions. September’s <a href="https://www.interpol.int/News-and-media/Events/2017/5th-Europol-INTERPOL-Cybercrime-Conference/5th-Europol-INTERPOL-Cybercrime-Conference">Interpol-Europol Cybercrime Conference</a> was a good step in this direction.</p>
<p>As foreign hackers increasingly “tax” domestic businesses, ransomware becomes a national security issue. Governments may need to negotiate agreements like those covering <a href="http://www.un.org/depts/los/piracy/piracy.htm">seaborne piracy</a>.</p>
<p>Finally, firms might consider keeping key systems disconnected from the internet, as some military computers have always been. Just because anything can be online, it doesn’t mean everything should be.</p>
<p class="fine-print"><em><span>The authors do not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and have disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
<p>Like legitimate e-commerce, ransomware e-crime is increasing in scale, value and sophistication.</p>
<p>Michael J. Armstrong, Associate professor of operations research, Brock University</p>
<p>Teju Herath, Associate Professor of Information Systems, Brock University</p>
<p>Licensed as Creative Commons – attribution, no derivatives.</p>
<p>tag:theconversation.com,2011:article/83195 2017-10-11T23:17:58Z</p>
Can you be hacked by the world around you?
<figure><img src="https://images.theconversation.com/files/189211/original/file-20171006-25775-xkadt6.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">Could scanning a QR code be an invitation to malware?</span> <span class="attribution"><a class="source" href="https://www.shutterstock.com/image-photo/qr-code-payment-online-shopping-cashless-704697319">Zapp2Photo/Shutterstock.com</a></span></figcaption></figure><p>You’ve probably been told it’s dangerous to open unexpected attachment files in your email – just like you shouldn’t open suspicious packages in your mailbox. But have you been warned against scanning unknown QR codes or just taking a picture with your phone? New research suggests that cyberattackers could exploit cameras and sensors in phones and other devices.</p>
<p>As someone who researches <a href="http://dx.doi.org/10.3390/technologies3010019">3-D modeling</a>, including <a href="http://dx.doi.org/10.3390/machines3020055">assessing 3-D printed objects</a> to be sure they meet quality standards, I’m aware of being vulnerable to methods of storing malicious computer code in the physical world. Our group’s work is in the laboratory, and has not yet encountered malware hidden in 3-D printing instructions or encoded in the structure of an item being scanned. But we’re preparing for that possibility. </p>
<p>At the moment, it’s not very likely for us: An attacker would need very specialized knowledge about our system’s functions to succeed in attacking it. But the day is coming when intrusions can happen through normal communications with or sensing performed by a computer or smartphone. Product designers and users alike need to be aware of the risks. </p>
<h2>Transmitting infection</h2>
<p>In order for a device to become infected or compromised, the nefarious party has to figure out some way to get the computer to store or process the malware. The <a href="https://theconversation.com/spearphishing-roiled-the-presidential-campaign-heres-how-to-protect-yourself-68274">human at the keyboard</a> has been a common target. An attacker might send an email telling the user that he or she has won the lottery or is going to be in trouble for not responding to a work supervisor. In other cases, a virus is designed to be unwittingly triggered by routine software activities.</p>
<p>Researchers at the University of Washington tested another possibility recently, <a href="https://www.wired.com/story/malware-dna-hack/">embedding a computer virus in DNA</a>. The good news is that most computers can’t catch an electronic virus from bad software – called malware – embedded in a biological one. The <a href="https://www.usenix.org/conference/usenixsecurity17/technical-sessions/presentation/ney">DNA infection</a> was a test of the concept of attacking a computer equipped to read <a href="https://theconversation.com/storing-data-in-dna-brings-nature-into-the-digital-universe-78226">digital data stored in DNA</a>.</p>
<p>Similarly, when our team scans a 3-D printed object, we are both storing and processing the data from the imagery that we collect. If an attacker analyzed how we do this, they could – perhaps – identify a step in our process that would be vulnerable to a compromised or corrupted piece of data. Then, they would have to design an object for us to scan that would cause us to receive these data.</p>
<figure class="align-center zoomable">
<a href="https://images.theconversation.com/files/189637/original/file-20171010-17684-14iwtt8.png?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="" src="https://images.theconversation.com/files/189637/original/file-20171010-17684-14iwtt8.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/189637/original/file-20171010-17684-14iwtt8.png?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=451&fit=crop&dpr=1 600w, https://images.theconversation.com/files/189637/original/file-20171010-17684-14iwtt8.png?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=451&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/189637/original/file-20171010-17684-14iwtt8.png?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=451&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/189637/original/file-20171010-17684-14iwtt8.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=567&fit=crop&dpr=1 754w, https://images.theconversation.com/files/189637/original/file-20171010-17684-14iwtt8.png?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=567&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/189637/original/file-20171010-17684-14iwtt8.png?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=567&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">A 3-D scanning rig in our lab.</span>
<span class="attribution"><span class="source">Jeremy Straub</span>, <a class="license" href="http://creativecommons.org/licenses/by-nd/4.0/">CC BY-ND</a></span>
</figcaption>
</figure>
<p>Closer to home, when you scan a <a href="https://www.wired.com/story/the-curious-comeback-of-the-dreaded-qr-code/">QR code</a>, your computer or phone processes the data in the code and takes some action – perhaps sending an email or going to a specified URL. An attacker could find a bug in a code-reader app that allows certain precisely formatted text to be executed instead of just scanned and processed. Or there could be <a href="http://www.nbcnews.com/id/45729377/ns/technology_and_science-security/t/how-qr-codes-hide-privacy-security-risks/">something designed to harm your phone</a> waiting at the target website.</p>
<h2>Imprecision as protection</h2>
<p>The good news is that most sensors have less precision than DNA sequencers. For instance, two mobile phone cameras pointed at the same subject will collect somewhat different information, based on lighting, camera position and how closely it’s zoomed in. Even small variations could render encoded malware inoperable, because the sensed data would not always be accurate enough to translate into working software. So it’s unlikely that a person’s phone would be hacked just by taking a photo of something.</p>
<p>But some systems, like QR code readers, include methods for correcting anomalies in sensed data. And when the sensing environment is highly controlled, like with our <a href="http://dx.doi.org/10.3390/machines3020055">recent work to assess 3-D printing</a>, it is easier for an attacker to affect the sensor readings more predictably.</p>
<p>What is perhaps most problematic is the ability for sensing to provide a gateway into systems that are otherwise secure and difficult to attack. For example, to prevent the infection of our 3-D printing quality sensing system by a conventional attack, we <a href="http://dx.doi.org/10.1117/12.2264583">proposed</a> placing it on another computer, one disconnected from the internet and other sources of potential cyberattacks. But the system still must scan the 3-D printed object. A maliciously designed object could be a way to attack this otherwise disconnected system.</p>
<h2>Screening for prevention</h2>
<p>Many software developers don’t yet think about the potential for hackers to manipulate sensed data. But in 2011, Iranian government hackers were able to <a href="https://phys.org/news/2011-12-rq-drone-ambush-facts-iranian.html">capture a U.S. spy drone</a> in just this way. Programmers and computer administrators must ensure that sensed data are screened before processing, and handled securely, to prevent unexpected hijacking. </p>
<p>In addition to developing secure software, another type of system can help: An <a href="http://www.sciencedirect.com/science/article/pii/S1084804512001944">intrusion detection system</a> can look for common attacks, unusual behavior or even when things that are expected to happen don’t. They’re not perfect, of course, at times <a href="http://www.dtic.mil/docs/citations/ADA391565">failing to detect attacks</a> and at others <a href="https://doi.org/10.1145/357830.357849">misidentifying legitimate activities as attacks</a>.</p>
<p>Computer devices that both sense and modify the environment are becoming more common – in manufacturing robots, drones and self-driving cars, among many other examples. As that happens, the potential for attacks to include both physical and electronic elements grows significantly. Attackers may find it very attractive to embed malicious software in the physical world, just waiting for unsuspecting people to scan it with a smartphone or a more specialized device. Hidden in plain sight, the malicious software becomes a sort of “sleeper agent” that can avoid detection until it reaches its target – perhaps deep inside a secure government building, bank or hospital.</p>
<p class="fine-print"><em><span>Jeremy Straub is the Associate Director of the NDSU Institute for Cyber Security Education and Research. Work referenced in this article has previously been funded by the North Dakota Department of Commerce.</span></em></p>
<p>Scanning physical items constructed with nefarious intent can introduce malware into a smartphone or computer.</p>
<p>Jeremy Straub, Assistant Professor of Computer Science, North Dakota State University</p>
<p>Licensed as Creative Commons – attribution, no derivatives.</p>
<p>tag:theconversation.com,2011:article/82136 2017-08-10T00:10:57Z</p>
MalwareTech’s arrest sheds light on the complex culture of the hacking world
<figure><img src="https://images.theconversation.com/files/181470/original/file-20170808-16034-rx08y0.jpg?ixlib=rb-1.1.0&rect=71%2C0%2C3856%2C1862&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">Which hat would you wear?</span> <span class="attribution"><a class="source" href="https://www.shutterstock.com/image-photo/three-stylish-hat-28748968">crystalfoto/Shutterstock.com</a></span></figcaption></figure><p>The <a href="https://www.theverge.com/2017/8/5/16097946/marcus-hutchins-malware-tech-wannacry-arrest-cfaa-prosecution-charges">arrest of a British cybersecurity researcher</a> on charges of disseminating malware and conspiring to commit computer fraud and abuse provides a window into the complexities of hacking culture. </p>
<p>In May, a person going by the nickname “MalwareTech” gained international fame – and <a href="http://www.telegraph.co.uk/technology/2017/08/08/wannacry-hero-marcus-hutchins-freed-us-jail-ahead-court-appearance/">near-universal praise</a> – for <a href="http://www.latimes.com/business/la-fi-tn-kryptos-logic-wannacry-20170629-story.html">figuring out how to slow</a>, and ultimately effectively stop, the <a href="https://www.cnet.com/news/england-hospitals-hit-by-ransomware-attack-in-widespread-hack/">worldwide spread</a> of the <a href="http://www.bbc.com/news/world-europe-39907965">WannaCry malware attack</a>. But in August, the person behind that nickname, Marcus Hutchins, was <a href="https://www.documentcloud.org/documents/3912539-Marcus-Hutchins-Kronos-indictment.html">arrested on federal charges</a> of writing and distributing a <a href="https://www.wired.co.uk/article/what-is-kronos-trojan-malware-marcus-hutchins-hacker">different malware attack</a> first spotted back in 2014. </p>
<p>The judicial system will sort out whether Hutchins, who has denied wrongdoing and <a href="https://www.theregister.co.uk/2017/08/04/marcus_hutchins_wannacry_kronos_court_bail/">pleaded not guilty</a>, will face as much as 40 years in prison. But to me as a sociologist studying the culture and social patterns of cybercrime, Hutchins’ experience is emblematic of the values, beliefs and practices of many hackers.</p>
<h2>The hacker ethic</h2>
<p>The term “hacking” has its <a href="http://www.newyorker.com/tech/elements/a-short-history-of-hack">origins in the 1950s and 1960s at MIT</a>, where it was used as a positive label to describe someone who tinkers with computers. Indeed, the use of the word “<a href="https://en.wikipedia.org/wiki/Life_hack">hack</a>,” signifying a clever or innovative use of something, is derived from this original meaning. Although the term may have originated at MIT, young people interested in computer technology were tinkering across the country. Technology journalist Steven Levy, in his <a href="http://www.stevenlevy.com/index.php/books/hackers">well-regarded history of that period</a>, writes that these early tinkerers were influenced by the countercultural milieu of the 1960s.</p>
<p>They developed a shared subculture, combining a disdain for tradition, a desire for an open society and optimistic views of how technology could transform people’s lives. Levy encapsulated this subculture into a series of beliefs he labeled the “hacker ethic.”</p>
<p>People who subscribe to the hacker ethic commonly have a disregard for traditional status markers, like class, age or educational credentials. In this sense, hacking is open, democratic and based on ability. This particular belief has come under scrutiny as some scholars have argued that <a href="https://theconversation.com/why-girls-are-put-off-studying-computer-science-70691">hacker culture discourages women</a> from joining in. However, many hackers have taken nontraditional career paths, including Hutchins, whose computer skills are <a href="http://www.telegraph.co.uk/news/2017/05/14/revealed-22-year-old-expert-saved-world-ransomware-virus-lives/">self-taught</a>. </p>
<p>Another aspect of hacker subculture is interest in tinkering, changing, modifying and making things work differently or better. This has led to a great deal of innovation, including <a href="https://www.r-project.org/">open-source</a> programs being <a href="https://www.ubuntu.com">maintained by collections of coders</a> and programmers – for free.</p>
<p>It is also this tinkering that allows hackers to find vulnerabilities in computers and software. It was <a href="https://www.malwaretech.com/2017/05/how-to-accidentally-stop-a-global-cyber-attacks.html">through tinkering</a> that Hutchins found a way to slow the WannaCry attack. </p>
<h2>Different-colored hats</h2>
<p>Members of the hacker subculture don’t all agree on what they should do with those ideas. Typically, they’re <a href="https://www.howtogeek.com/157460/hacker-hat-colors-explained-black-hats-white-hats-and-gray-hats/">divided into three categories</a>, with names inspired by the tropes of Western movies.</p>
<p>“Black hat” hackers are the bad guys. They find vulnerabilities in software and networks and exploit them to make money, whether by stealing data or encrypting data and holding the decryption key for ransom. They also create mischief and havoc, defacing websites and taking over Twitter feeds. The person, or people, who did what Hutchins is charged with – writing and distributing the <a href="https://www.wired.co.uk/article/what-is-kronos-trojan-malware-marcus-hutchins-hacker">Kronos malware</a> – sought to hijack victims’ banking information, break into their accounts and steal their money. That’s a clear black hat activity.</p>
<p>“White hat” hackers are the good guys. They often work for technology companies, cybersecurity firms or government agencies, seeking to identify technological flaws and fix them. Some of them also use their skills to catch black hat hackers and shut down their operations, and even identify them so they can face legal repercussions. Hutchins, in his work as a researcher for the <a href="https://www.kryptoslogic.com/">Kryptos Logic cybersecurity firm</a>, was a white hat hacker.</p>
<p>A third group occupies a middle ground, that of the “gray hats.” They are often freelancers looking to identify exploits and vulnerabilities in systems for a varying range of purposes. Sometimes they may submit their findings to corporate or <a href="http://www.securityweek.com/grey-hat-hackers-helped-fbi-hack-iphone-report">government programs</a> intended to identify and fix problems; other times the same person may sell a new finding to a criminal.</p>
<p>What separates these three groups is not their actions – all three groups <a href="https://www.wired.com/2016/04/hacker-lexicon-white-hat-gray-hat-black-hat-hackers/">find weaknesses and tell someone else about them</a> – but their motives. This makes hacking distinct from other types of criminal behavior: There are no “white hat” burglars or “gray hat” money launderers. </p>
<p>The importance of motivation is why <a href="http://www.bbc.com/news/uk-england-40820837">many people</a> <a href="https://www.theguardian.com/technology/2017/aug/03/researcher-who-stopped-wannacry-ransomware-detained-in-us">are skeptical</a> of <a href="https://www.wired.com/story/wannacry-malwaretech-arrest/">the charges</a> against Hutchins, at least at the moment. To hackers, whether someone is doing something wrong depends on what hat or hats he is wearing.</p>
<h2>Is hacking a crime?</h2>
<p>Prosecutions under the <a href="https://www.law.cornell.edu/uscode/text/18/1030">Computer Fraud and Abuse Act</a> are not simple, mainly because the law addresses only actions, not motives. As a result, many things that white hat hackers do, such as <a href="https://theconversation.com/were-suing-the-federal-government-to-be-free-to-do-our-research-74676">public interest research reported in scholarly journals</a>, may be illegal, if prosecutors decide to charge the people involved.</p>
<p>Hutchins’ arrest for his alleged association with the Kronos banking Trojan carries the clear suggestion that he’s a black hat. The charges say that in 2014 an as-yet-unnamed person <a href="https://www.documentcloud.org/documents/3912539-Marcus-Hutchins-Kronos-indictment.html">allegedly posted a YouTube video</a> showing how the attack worked, and then offered it for sale. Hutchins is linked because he and that other person allegedly updated the malware’s code sometime in 2015, after which the other person allegedly sold the malware at least once.</p>
<p>But Hutchins’ white hat job is to find vulnerabilities. Just as he tinkered with the WannaCry code – and found the way to slow it down – he could have been tinkering with the Kronos code. And even if he wrote Kronos – which the government alleges but has not yet proven – that’s not necessarily illegal: <a href="https://www.law.gwu.edu/orin-s-kerr">Orin Kerr</a>, a George Washington University professor who studies the law of computer crimes, <a href="https://www.theguardian.com/technology/2017/aug/03/researcher-who-stopped-wannacry-ransomware-detained-in-us">told the Guardian</a>, “It’s not a crime to create malware. It’s not a crime to sell malware. It’s a crime to sell malware with the intent to further someone else’s crime.”</p>
<p>Kerr’s comments suggest a third explanation – that Hutchins may have been wearing a gray hat, creating malware for a criminal to use. But we’re missing two key elements: proof of Hutchins’ actions and any understanding of what his motives might have been. It’s especially hard to be sure about his motives without knowing the details of any connection between Hutchins and the unnamed individual, nor even that person’s identity.</p>
<p>It is too early to know what will happen to Marcus Hutchins. But there are precedents. In 1988, Robert Morris wrote the <a href="https://doi.org/10.1109/MSECP.2003.1236233">first worm to spread across the Internet</a> while he was a graduate student at Cornell, and earned the dubious distinction of becoming the first person convicted under the Computer Fraud and Abuse Act. He is now a <a href="https://www.csail.mit.edu/user/972">tenured professor at MIT</a>. </p>
<p>Kevin Mitnick served five years in prison for various types of hacking. He now switches between white and gray hats – he is a <a href="https://www.wired.com/2014/09/kevin-mitnick-selling-zero-day-exploits/">security consultant and sells zero-day exploits to the highest bidder</a>. And Mustafa Al-Bassam was once a member of the infamous <a href="https://www.theguardian.com/technology/2013/may/16/lulzsec-hacking-fbi-jail">LulzSec hacking group</a>, which knocked the CIA’s public website offline and broke into Sony Pictures’ systems. After receiving a suspended prison sentence, he completed a <a href="http://www.businessinsider.com/lulzsec-hacker-mustafa-al-bassam-has-joined-a-security-company-2016-3">computer science degree and is now a security adviser</a>. Hackers, unlike other criminals, can doff one hat and don another.</p>
<p class="fine-print"><em><span>Roderick S. Graham does not work for, consult, own shares in or receive funding from any company or organization that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
The situation of Marcus Hutchins – hailed as a hero for stopping one malware attack but charged with being involved with another – highlights the ambiguity of hacker culture.
Roderick S. Graham, Assistant Professor of Sociology, Old Dominion University
Licensed as Creative Commons – attribution, no derivatives.
tag:theconversation.com,2011:article/81433
2017-08-02T01:21:06Z
Inside the fight against malware attacks
<figure><img src="https://images.theconversation.com/files/179694/original/file-20170725-30125-reje0u.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">Taking a much closer look at what's going on inside malware.</span> <span class="attribution"><a class="source" href="https://www.shutterstock.com/image-vector/magnifying-glass-look-through-germ-bacteria-302763653">MuchMania/Shutterstock.com</a></span></figcaption></figure>
<p>When malicious software attacks, computer scientists and security researchers want to know how the attackers got into what was supposed to be a secure system, and what they’re actually doing that’s causing problems for users. It’s a growing problem, affecting <a href="https://www.wired.com/2014/11/countdown-to-zero-day-stuxnet/">government projects</a>, <a href="https://www.wired.com/2014/01/target-malware-identified/">retail</a> <a href="https://corporate.target.com/press/releases/2013/12/target-confirms-unauthorized-access-to-payment-car">stores</a> and <a href="https://www.washingtonpost.com/world/national-security/the-nsa-has-linked-the-wannacry-computer-worm-to-north-korea/2017/06/14/101395a2-508e-11e7-be25-3a519335381c_story.html">individuals around the world</a>. </p>
<p>However, fighting malware is a cyclical arms race: As defenders and analysts improve their methods, attackers step up their game, too. Today, as many as <a href="https://www.lastline.com/labsblog/three-interesting-changes-in-malware-activity-over-the-past-year/">80 percent of malware authors</a> include elements in their attacks that specifically try to <a href="https://www.lastline.com/labsblog/labs-report-at-rsa-evasive-malwares-gone-mainstream/">defeat malware-protection software</a>.</p>
<p>My <a href="https://wiki.uta.edu/display/serc/">research group at the University of Texas at Arlington</a> develops methods and tools <a href="https://www.blackhat.com/presentations/bh-dc-07/Kendall_McMillan/Presentation/bh-dc-07-Kendall_McMillan.pdf">professional malware analysts</a> use to understand these attacks. One of our best-known efforts was led by alumna Shabnam Aboughadareh, who while she was working toward her Ph.D. developed a <a href="https://doi.org/10.1145/2689702.2689703">malware analysis tool</a> that is particularly hard for malware authors to defend against.</p>
<h2>Analyzing malware</h2>
<p>When an attack is discovered or reported, malware analysts work to get a copy of any software that’s being installed on target computers. When they begin examining it, an early topic of inquiry is how the malware managed to break into a computer network or system. That often uncovers <a href="https://krebsonsecurity.com/2017/07/adobe-microsoft-push-critical-security-fixes-11/">security holes</a> in commonly used operating systems or applications – which can then be disclosed to those programs’ authors, who can <a href="https://arstechnica.com/security/2017/05/wcry-is-so-mean-microsoft-issues-patch-for-3-unsupported-windows-versions/">fix the flaws</a>.</p>
<p>In addition, analysts try to figure out <a href="https://www.nytimes.com/2017/07/02/technology/hackers-find-ideal-testing-ground-for-attacks-developing-countries.html">what a piece of malware does</a> once it breaks in – how it travels through a computer and throughout a network, and what actions it takes, such as altering files, copying data, running programs or even installing new software to assist itself in the attack. Those actions can be described in ways that help malware detection tools <a href="https://www.cnet.com/news/microsoft-build-smart-antivirus-using-400-million-computers-artificial-intelligence/">catch future attacks</a> before they can do damage.</p>
<p>In observing a malware attack, we also try to <a href="http://www.cbsnews.com/news/fruitfly-mac-malware-new-details-emerge/">determine which computers and which files have been manipulated</a>, so they can be repaired. We also see what data – such as client lists, product plans or other sensitive business data – might have been <a href="https://krebsonsecurity.com/2017/06/onelogin-breach-exposed-ability-to-decrypt-data/">read and copied by the malware</a>. And we often try to <a href="https://krebsonsecurity.com/2017/07/who-is-the-govrat-author-and-mirai-botmaster-bestbuy/">infer the attackers’ identity</a>, or at least how advanced their skills are, to help prepare defenses against possible follow-up attacks.</p>
<h2>Running malicious code</h2>
<p>Doing any of that requires us to watch the malware in action. It would be nice if we could simply decode the software and dissect its instructions without actually running these malicious programs, which analysts call static analysis. But malware authors know we’ll be looking, so <a href="https://arstechnica.com/information-technology/2017/04/the-mystery-of-the-malware-that-wasnt/">they take steps to make our jobs harder</a>, such as compressing or encrypting their malware programs (“packing”) before setting them loose, so that the real instructions only appear in memory once the program unpacks itself.</p>
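<p>Packing is why static dissection so often stalls, and the first thing an analyst checks is whether a sample’s sections even look like code. The following is an added example, not the article’s or the research group’s code: a byte-entropy scan over constructed sections. It uses SHA-256 in counter mode as a stand-in for a packer’s cipher, and a 7.0 bits-per-byte cut-off that is an assumed rule of thumb rather than anything the article states.</p>

```python
"""Entropy-based triage of packed or encrypted regions in a sample.

Added example, not taken from the article or from any analysis tool.
"""
import hashlib
import math
from collections import Counter

# Assumption: 7.0 bits/byte is a common rule-of-thumb cut-off. Native code and
# text usually score well below it; compressed or encrypted data sits near 8.0.
PACKED_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 to 8.0) of the byte-value distribution."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_packed(data: bytes, threshold: float = PACKED_THRESHOLD) -> bool:
    """Whole-blob verdict: entropy at or above the threshold."""
    return shannon_entropy(data) >= threshold


def high_entropy_regions(data: bytes, window: int = 512,
                         threshold: float = PACKED_THRESHOLD) -> list:
    """Scan data in fixed windows; return merged [start, end) byte ranges whose
    entropy reaches the threshold. Those are the candidate packed payloads."""
    regions = []
    for start in range(0, len(data), window):
        chunk = data[start:start + window]
        if shannon_entropy(chunk) >= threshold:
            end = start + len(chunk)
            if regions and regions[-1][1] == start:
                regions[-1] = (regions[-1][0], end)  # contiguous: extend range
            else:
                regions.append((start, end))
    return regions


def keystream(key: bytes, length: int) -> bytes:
    """SHA-256 in counter mode, a deterministic stand-in for a packer's cipher.
    Constructed for this example only; not any real packer's algorithm."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


# Constructed sections (not from any real sample): 4096 bytes of readable,
# code-like text; the same bytes encrypted with the stand-in cipher; and the
# same bytes under single-byte XOR, a trick some loaders still use.
PLAIN_SECTION = b"mov eax, [ebp+8]; call CreateFileW; test eax, eax; jz fail; ret " * 64
ENCRYPTED_SECTION = bytes(
    p ^ k for p, k in zip(PLAIN_SECTION, keystream(b"example-key", len(PLAIN_SECTION)))
)
XOR_SECTION = bytes(p ^ 0x5A for p in PLAIN_SECTION)
# A "binary image" with the encrypted payload sandwiched between code-like sections.
SAMPLE_IMAGE = PLAIN_SECTION + ENCRYPTED_SECTION + PLAIN_SECTION


if __name__ == "__main__":
    for name, blob in (("plain", PLAIN_SECTION), ("encrypted", ENCRYPTED_SECTION),
                       ("xor", XOR_SECTION)):
        print(f"{name:10s} entropy={shannon_entropy(blob):.2f} packed={looks_packed(blob)}")
    print("high-entropy regions in sample image:", high_entropy_regions(SAMPLE_IMAGE))
```

<p>Two caveats the example is built to show: single-byte XOR only permutes byte values and leaves the entropy unchanged, so an entropy check alone misses trivially obfuscated samples; and legitimate compressed resources or embedded certificates score high as well, so a high-entropy region is a reason to run the sample under a monitor, not a verdict.</p>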
<p>So our best option is to run the malware on our own computers. To prevent our own machines from being taken over or corrupted, though, we have to be careful. Typically we create what’s called a “<a href="http://www.pcworld.com/article/3182816/security/pwn2own-hacking-contest-ends-with-two-virtual-machine-escapes.html">virtual machine</a>” – a program that <a href="https://pubs.vmware.com/vsphere-50/index.jsp?topic=%2Fcom.vmware.vsphere.vm_admin.doc_50%2FGUID-CEFF6D89-8C19-4143-8C26-4B6D6734D2CB.html">simulates a fully functional computer</a> but that does not have direct access to the host computer’s files and hardware. Ideally, that would let us observe all the actions the malware tries to take without actually harming our own computers. In practice the isolation is not absolute (the linked Pwn2Own results are virtual machine escapes), and much malware checks whether it is running inside a virtual machine and behaves differently if it is.</p>
<p>So far, however, there has been no single piece of software that can analyze every attack. Some malware programs operate on a very low technological level, <a href="https://www.wired.com/2014/11/darkhotel-malware/">working directly with very specific areas</a> of a computer’s memory and hard drive storage systems, even changing how the computer works – so users can no longer trust the machines to do what is expected of them. Other malicious software works at higher levels, more like normal software that interacts with the operating system rather than the computer’s hardware directly. The most advanced malware <a href="https://arstechnica.com/security/2015/06/stepson-of-stuxnet-stalked-kaspersky-for-months-tapped-iran-nuke-talks/">attacks on both levels</a>.</p>
<p>Most analysis tools focus on one or the other of those types of attacks – but <a href="https://doi.org/10.1145/2689702.2689703">not both</a>. So they can’t catch everything, and – even for the malware they do detect – can’t show every action the malware takes. (Some analysis techniques involve <a href="https://threatpost.com/macos-fruitfly-backdoor-analysis-renders-new-spying-capabilities/126943/">running the monitoring software inside the virtual machine</a> alongside the malware, but a monitor that lives in the same operating system as the malware is visible to it and can be disabled or fed false data by it.)</p>
<h2>Taking a fuller look</h2>
<p>The program Shabnam Aboughadareh created, called SEMU, is the first malware analysis system that addresses all these problems. It operates fully outside the virtual machine, and watches closely what goes on inside it, to detect and log malware actions. That helps SEMU provide a comprehensive log of malware operations, which in turn reduces the manual effort required for a malware analyst to understand what the malware writer’s program was supposed to do.</p>
<p>That comprehensive log – recording events at the lowest levels of the virtual machine’s operating system – is the key to SEMU’s success, because it allows human analysts to track where and how malware manipulates aspects of the operating system. </p>
<p>When we tested SEMU against other malware analysis tools, we found that SEMU was <a href="https://doi.org/10.1145/2689702.2689703">the only publicly available tool that could detect all the activity</a> – things like reading files, changing memory or file data, or sending information out over a network connection – needed to understand how the malware worked. By merging close examination of computer activity with detailed logging, and running in a safe environment where the malware couldn’t tamper with its monitoring, SEMU shows a direction for future analysis methods.</p>
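<p>What such a comprehensive log is good for is the step after it exists: condensing thousands of low-level events into the behaviour description that detection tools consume (reading files, changing memory, sending data out). The following is an added example and is neither SEMU’s code nor its log format. The event lines are constructed, the line format “&lt;seconds&gt; pid=&lt;pid&gt; &lt;operation&gt; &lt;target&gt;” is assumed for the example, and the four behaviour rules are illustrations rather than any particular tool’s signature set.</p>

```python
"""Turning low-level monitor events into a per-process behaviour profile.

Added example: not SEMU's code, and the log format is a constructed stand-in,
not SEMU's output. The rules are illustrative, not a real signature set.
"""
import re
from dataclasses import dataclass

# Assumed log format for this example: "<seconds> pid=<pid> <op> <target>".
EVENT_RE = re.compile(r"^(?P<ts>\d+\.\d+) pid=(?P<pid>\d+) (?P<op>\w+) (?P<target>.+)$")
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE)
USER_DOC_RE = re.compile(r"^C:\\Users\\[^\\]+\\.*\.(docx?|xlsx?|pdf)$", re.IGNORECASE)
TARGET_PID_RE = re.compile(r"^pid=(\d+)")


@dataclass
class Event:
    ts: float
    pid: int
    op: str
    target: str


def parse_log(text: str) -> list:
    """Parse log lines into Events in time order; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            events.append(Event(float(m["ts"]), int(m["pid"]), m["op"], m["target"]))
    return sorted(events, key=lambda e: e.ts)


def is_internal(host_port: str) -> bool:
    """Crude lab check (IPv4 only): loopback and RFC 1918 ranges count as internal."""
    host = host_port.rsplit(":", 1)[0]
    if host.startswith(("127.", "10.", "192.168.")):
        return True
    if host.startswith("172."):
        second = int(host.split(".")[1])
        return 16 <= second <= 31
    return False


def profile(events: list) -> dict:
    """Map each pid to a sorted list of behaviour tags derived from its events.
    Order matters: a dropped file only counts once the same process runs it, and
    a document read only counts once an outbound connection follows it."""
    tags = {}          # pid -> set of tags
    dropped = {}       # pid -> set of executable paths it wrote
    read_docs = set()  # pids that have read a user document
    for e in events:
        t = tags.setdefault(e.pid, set())
        if e.op == "file_write" and e.target.lower().endswith((".exe", ".dll")):
            dropped.setdefault(e.pid, set()).add(e.target.lower())
        elif e.op == "proc_create" and e.target.lower() in dropped.get(e.pid, ()):
            t.add("drop_and_execute")
        elif e.op == "reg_set" and RUN_KEY_RE.search(e.target):
            t.add("persistence_run_key")
        elif e.op == "file_read" and USER_DOC_RE.match(e.target):
            read_docs.add(e.pid)
        elif e.op == "net_connect" and not is_internal(e.target) and e.pid in read_docs:
            t.add("read_then_network")
        elif e.op == "mem_write":
            m = TARGET_PID_RE.match(e.target)
            if m and int(m.group(1)) != e.pid:
                t.add("code_injection")   # writing into another process's memory
    return {pid: sorted(s) for pid, s in tags.items()}


# Constructed sample log: one suspicious process (1337) and one benign one (900).
SAMPLE_LOG = r"""
0.010 pid=900 file_read C:\Windows\System32\ntdll.dll
0.012 pid=1337 file_read C:\Users\alice\Documents\contracts.xlsx
0.015 pid=1337 file_write C:\Users\alice\AppData\Local\Temp\svchost.exe
0.020 pid=1337 reg_set HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater
0.031 pid=1337 proc_create C:\Users\alice\AppData\Local\Temp\svchost.exe
0.045 pid=1337 mem_write pid=900 0x00401000 len=512
0.070 pid=1337 net_connect 203.0.113.7:443
0.080 pid=900 net_connect 10.0.0.5:445
"""

if __name__ == "__main__":
    for pid, behaviour in profile(parse_log(SAMPLE_LOG)).items():
        print(pid, behaviour or "no flagged behaviour")
```

<p>The sequencing in the rules is the reason an out-of-VM timeline is worth having: the profile trusts that the write really preceded the execution and the document read really preceded the connection, which a monitor the malware has already unhooked from inside the guest cannot promise.</p>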
<p class="fine-print"><em><span>Christoph Csallner is currently a member of the Association for Computing Machinery and an academic editor of PeerJ Computer Science. This material is based upon work supported by the National Science Foundation under Grants No. 1017305 and 1117369. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation.</span></em></p>
How do malware analysts examine software that’s designed to wreak havoc with computers? By using tools that watch software’s inner workings very closely.
Christoph Csallner, Associate Professor of Computer Science and Engineering, University of Texas at Arlington
Licensed as Creative Commons – attribution, no derivatives.