<p>Hacking – The Conversation (feed updated 2024-01-18T03:32:12Z)</p>
<h1>What is credential stuffing and how can I protect myself? A cybersecurity researcher explains</h1>
<p>Published 2024-01-18T03:32:12Z</p>
<figure><img src="https://images.theconversation.com/files/569990/original/file-20240118-23-wz0bip.jpg?ixlib=rb-1.1.0&rect=0%2C16%2C3748%2C1888&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="attribution"><a class="source" href="https://www.shutterstock.com/image-photo/password-box-internet-browser-on-computer-127894811">kpatyhka/Shutterstock</a></span></figcaption></figure>
<p>Cyber-skulduggery is becoming the bane of modern life. Australia’s prime minister has called it a “<a href="https://www.news.com.au/finance/work/leaders/prime-minister-calls-major-hack-a-scourge-after-guzman-y-gomez-binge-targeted-in-coordinated-cyber-hack/news-story/d4853d70755478a1f72acb1197a7e287">scourge</a>”, and he is correct. In 2022–23, nearly 94,000 cyber crimes were <a href="https://www.cyber.gov.au/about-us/reports-and-statistics/asd-cyber-threat-report-july-2022-june-2023">reported</a> in Australia, up 23% on the previous year.</p>
<p>In the latest high-profile <a href="https://www.cyberdaily.au/security/10038-customers-of-guzman-y-gomez-dan-murphys-and-more-affected-in-credential-stuffing-campaign">attack</a>, around 15,000 customers of alcohol retailer Dan Murphy, Mexican restaurant chain Guzman y Gomez, Event Cinemas, and home shopping network TVSN had their login credentials and credit card details used fraudulently to buy goods and services in what is known as a “<a href="https://owasp.org/www-community/attacks/Credential_stuffing#">credential stuffing</a>” attack.</p>
<p>So what is credential stuffing – and how can you reduce the risk of it happening to you?</p>
<figure class="align-center zoomable">
<a href="https://images.theconversation.com/files/569988/original/file-20240118-15-jqdixp.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="A Dan Murphy's liquor store sign reflects golden sunlight." src="https://images.theconversation.com/files/569988/original/file-20240118-15-jqdixp.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/569988/original/file-20240118-15-jqdixp.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=450&fit=crop&dpr=1 600w, https://images.theconversation.com/files/569988/original/file-20240118-15-jqdixp.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=450&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/569988/original/file-20240118-15-jqdixp.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=450&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/569988/original/file-20240118-15-jqdixp.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=566&fit=crop&dpr=1 754w, https://images.theconversation.com/files/569988/original/file-20240118-15-jqdixp.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=566&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/569988/original/file-20240118-15-jqdixp.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=566&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">Many customers of alcohol retailer Dan Murphy are among those hit by the latest round of credential stuffing cyber attacks.</span>
<span class="attribution"><a class="source" href="https://www.shutterstock.com/image-photo/sydney-australia-on-february-7-2018-1019906509">ArliftAtoz2205/Shutterstock</a></span>
</figcaption>
</figure>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/an-expert-reviews-the-governments-7-year-plan-to-boost-australias-cyber-security-here-are-the-key-takeaways-218117">An expert reviews the government’s 7-year plan to boost Australia’s cyber security. Here are the key takeaways</a>
</strong>
</em>
</p>
<hr>
<h2>Re-using the same login details</h2>
<p>Credential stuffing is a type of cyber attack where hackers use stolen usernames and passwords to gain unauthorised access to other online accounts.</p>
<p>In other words, they steal a set of login details for one site, and try it on another site to see if it works there too.</p>
<p>This is possible because many people use the same username and password combination across multiple websites.</p>
<p>It is common for people to use the <a href="https://us.norton.com/blog/privacy/password-statistics#:%7E:text=More%20than%2080%25%20of%20confirmed,to%20their%20accounts%20or%20devices.">same password</a> for multiple accounts (even though this is very risky).</p>
<p>Some even use the same password for all their accounts. This means if one account is compromised, hackers can potentially access many (or all) their other accounts with the same credentials.</p>
<h2>‘Brute force’ attacks</h2>
<p>Hackers purchase job lots of login credentials (obtained from earlier <a href="https://www.oaic.gov.au/privacy/notifiable-data-breaches/notifiable-data-breaches-publications/notifiable-data-breaches-report-january-to-june-2023#:%7E:text=Large%2Dscale%20data%20breaches,period%20%E2%80%93%20a%2045%25%20decrease.">data breaches</a>) on the “<a href="https://en.wikipedia.org/wiki/Dark_web">dark web</a>”. </p>
<p>They then use automated tools called “bots” to perform credential stuffing attacks. These tools can also be purchased on the dark web. </p>
<p>Bots are programs that perform tasks on the internet much faster and more efficiently than humans can. </p>
<p>In what is colourfully termed a “brute force” attack, hackers use bots to test millions of username and password combinations on different websites until they find a match. It’s easier and quicker than many people realise.</p>
<p>It is happening more often because the barrier to entry for would-be cybercriminals has never been lower. The dark web is readily accessible and the resources needed to launch attacks are available to anyone with cryptocurrency to spend and the will to cross over to the dark side. </p>
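<p>The pattern described above has a defender-side signature: a credential-stuffing bot replays many <em>different</em> username and password pairs, so one client sends logins for an unusually large number of distinct accounts, most of which fail. The following Python script is an added example, not code from the article or its author; it runs over a few constructed login-log lines (the log format, field order and thresholds are assumptions for illustration), flags sources that fit that pattern, and lists the accounts that authenticated successfully from a flagged source, since those are the reused credentials the attacker has just confirmed and they need a password reset or step-up authentication rather than only an IP block.</p>

```python
"""Added example (not from the article): spotting a credential-stuffing
pattern in login logs on the defender's side.

Normal users, and even ordinary brute forcing of a single account, show few
distinct usernames per source IP. A stuffing bot shows many distinct
usernames per source with a high failure ratio.

The log format and the thresholds below are assumptions for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log lines (format assumed): timestamp, client IP,
# username, outcome (OK or FAIL).
SAMPLE_LOG = """\
2024-01-18T03:00:01Z 203.0.113.7 alice@example.com FAIL
2024-01-18T03:00:01Z 203.0.113.7 bob@example.com FAIL
2024-01-18T03:00:02Z 203.0.113.7 carol@example.com OK
2024-01-18T03:00:02Z 203.0.113.7 dave@example.com FAIL
2024-01-18T03:00:03Z 203.0.113.7 erin@example.com FAIL
2024-01-18T03:00:03Z 203.0.113.7 frank@example.com FAIL
2024-01-18T03:00:04Z 203.0.113.7 grace@example.com FAIL
2024-01-18T03:00:04Z 203.0.113.7 heidi@example.com OK
2024-01-18T03:01:10Z 198.51.100.4 alice@example.com FAIL
2024-01-18T03:01:15Z 198.51.100.4 alice@example.com FAIL
2024-01-18T03:01:20Z 198.51.100.4 alice@example.com OK
2024-01-18T03:02:00Z 192.0.2.9 bob@example.com OK
"""


@dataclass
class SourceStats:
    """Per-source-IP counters built from the log."""
    attempts: int = 0
    failures: int = 0
    usernames: set = field(default_factory=set)
    successes: set = field(default_factory=set)  # accounts that logged in


def parse_log(text):
    """Yield (ip, username, ok) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _ts, ip, user, outcome = parts
        yield ip, user, outcome == "OK"


def aggregate(records):
    """Group attempts by source IP."""
    stats = defaultdict(SourceStats)
    for ip, user, ok in records:
        s = stats[ip]
        s.attempts += 1
        s.usernames.add(user)
        if ok:
            s.successes.add(user)
        else:
            s.failures += 1
    return stats


def find_stuffing_sources(stats, min_distinct_users=5, min_fail_ratio=0.6):
    """Return {ip: SourceStats} for sources matching the stuffing pattern:
    many distinct usernames and a high share of failed logins."""
    flagged = {}
    for ip, s in stats.items():
        if len(s.usernames) < min_distinct_users:
            continue
        if s.failures / s.attempts >= min_fail_ratio:
            flagged[ip] = s
    return flagged


def accounts_to_reset(flagged):
    """Accounts that authenticated from a flagged source: the attacker has
    confirmed these credentials are reused, so they need a reset/step-up."""
    hits = set()
    for s in flagged.values():
        hits |= s.successes
    return sorted(hits)


def analyse(text):
    """Convenience wrapper: (flagged IPs, accounts needing reset)."""
    flagged = find_stuffing_sources(aggregate(parse_log(text)))
    return sorted(flagged), accounts_to_reset(flagged)


if __name__ == "__main__":
    ips, accounts = analyse(SAMPLE_LOG)
    print("suspected credential-stuffing sources:", ips)
    print("accounts needing reset:", accounts)
```

<p>On the constructed sample, 203.0.113.7 is flagged (eight distinct accounts, six failures), while 198.51.100.4 is not: it retries one account three times, which is a single-account guessing pattern rather than stuffing. The two accounts that logged in from the flagged source are the ones whose owners reused a breached password, which is exactly why the article's advice of unique passwords and two-factor authentication matters.</p>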
<h2>How can you protect yourself from credential stuffing?</h2>
<p>The best way is to <em>never</em> reuse passwords across multiple sites or apps. Always use a unique and strong password for each online account.</p>
<p>Choose a password or pass phrase that is at least 12 characters long, is complex, and hard to guess. It should include a mix of uppercase and lowercase letters, numbers, and symbols. Don’t use pet names, birthdays or anything else that can be found on social media. </p>
<p>You can use a <a href="https://www.forbes.com/advisor/business/are-password-managers-safe/">password manager</a> to generate unique passwords for all your accounts and store them securely. These use strong encryption and are generally regarded as pretty safe.</p>
<p>Another way to protect yourself from credential stuffing is to enable two-factor authentication (2FA) for your online accounts. </p>
<p>Two-factor authentication is a security feature that requires you to enter a code or use a device in addition to your password when you log in.</p>
<p>This adds an extra layer of protection in case your password is stolen. You can use an <a href="https://au.pcmag.com/security/86845/the-best-authenticator-apps">app</a> or a text message to receive your two-factor authentication code, or a <a href="https://www.nytimes.com/wirecutter/reviews/best-security-keys/">hardware device</a> (such as a little “key” you plug into a computer) that supplies the second factor itself.</p>
<p>Monitor your online accounts regularly to look for any suspicious activity. You can also check if your email or password has been exposed in a data breach by using the website <a href="https://haveibeenpwned.com/">Have I Been Pwned</a>. </p>
<p>You may be surprised by what you see. If you do discover your login details on there, use this as a timely warning to change your passwords as soon as possible.</p>
<figure class="align-center zoomable">
<a href="https://images.theconversation.com/files/569989/original/file-20240118-17-qxptsb.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="" src="https://images.theconversation.com/files/569989/original/file-20240118-17-qxptsb.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/569989/original/file-20240118-17-qxptsb.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=400&fit=crop&dpr=1 600w, https://images.theconversation.com/files/569989/original/file-20240118-17-qxptsb.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=400&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/569989/original/file-20240118-17-qxptsb.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=400&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/569989/original/file-20240118-17-qxptsb.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=503&fit=crop&dpr=1 754w, https://images.theconversation.com/files/569989/original/file-20240118-17-qxptsb.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=503&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/569989/original/file-20240118-17-qxptsb.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=503&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">Have your passwords and login details been exposed in a data breach?</span>
<span class="attribution"><a class="source" href="https://www.shutterstock.com/image-photo/portland-usa-apr-19-2023-closeup-2291663313">Tada Images/Shutterstock</a></span>
</figcaption>
</figure>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/what-is-lockbit-the-cybercrime-gang-hacking-some-of-the-worlds-largest-organisations-217679">What is LockBit, the cybercrime gang hacking some of the world's largest organisations?</a>
</strong>
</em>
</p>
<hr>
<h2>Eternal vigilance</h2>
<p>In today’s world of rising cyber crime, your best defence against credential stuffing and other forms of hacking is vigilance. Be proactive, not complacent about online security.</p>
<p>Use unique passwords and a password manager, enable two-factor authentication, monitor your accounts, and check breach notification sites (like Have I Been Pwned). </p>
<p>Remember, the recent attacks on Dan Murphy, Guzman y Gomez and others show how readily our online lives can be disrupted. Don’t let your credentials become another statistic. As you are reading this, the criminals are thinking up new ways to exploit our vulnerabilities. </p>
<p>By adopting good digital hygiene and effective security measures, we can take back control of our online identities.</p>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/an-ai-driven-influence-operation-is-spreading-pro-china-propaganda-across-youtube-219962">An AI-driven influence operation is spreading pro-China propaganda across YouTube</a>
</strong>
</em>
</p>
<hr>
<p class="fine-print"><em><span>David Tuffley is affiliated with the Australian Computer Society (MACS).</span></em></p>
<p>David Tuffley, Senior Lecturer in Applied Ethics &amp; CyberSecurity, Griffith University. Licensed as Creative Commons – attribution, no derivatives.</p>
<h1>What is LockBit, the cybercrime gang hacking some of the world’s largest organisations?</h1>
<p>Published 2023-11-16T23:59:02Z</p>
<p>While ransomware incidents have been occurring for more than 30 years, only in the last decade has the term “ransomware” appeared regularly in popular media. Ransomware is a type of malicious software that blocks access to computer systems or encrypts files until a ransom is paid.</p>
<p>Cybercriminal gangs have adopted ransomware as a get-rich-quick scheme. Now, in the era of “ransomware as a service”, this has become a prolific and highly profitable tactic. Providing ransomware as a service means groups benefit from affiliate schemes where commission is paid for successful ransom demands.</p>
<p>Although only one of the many gangs operating, LockBit has been increasingly visible, with several high-profile victims recently appearing on the group’s website.</p>
<p>So what is LockBit? Who has fallen victim to them? And how can we protect ourselves from them?</p>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/international-ransomware-gangs-are-evolving-their-techniques-the-next-generation-of-hackers-will-target-weaknesses-in-cryptocurrencies-211233">International ransomware gangs are evolving their techniques. The next generation of hackers will target weaknesses in cryptocurrencies</a>
</strong>
</em>
</p>
<hr>
<h2>What, or who, is LockBit?</h2>
<p>To make things confusing, the term LockBit refers to both the malicious software (malware) and to the group that created it.</p>
<p>LockBit <a href="https://www.kaspersky.com/resource-center/threats/lockbit-ransomware">first gained attention in 2019</a>. It’s a form of malware deliberately designed to be secretly deployed inside organisations, to find valuable data and steal it.</p>
<p>But rather than simply stealing the data, LockBit is a form of ransomware. Once the data has been copied, it is encrypted, rendering it inaccessible to the legitimate users. This data is then held to ransom – pay up, or you’ll never see your data again.</p>
<p>To add further incentive for the victim, if the ransom is not paid, they are threatened with publication of the stolen data (often described as double extortion). This threat is reinforced with a countdown timer on LockBit’s blog on <a href="https://theconversation.com/explainer-what-is-the-dark-web-46070">the dark web</a>.</p>
<p>Little is known about the LockBit group. Based on their website, the group doesn’t have a specific political allegiance. Unlike some other groups, they also don’t limit the number of affiliates:</p>
<blockquote>
<p>We are located in the Netherlands, completely apolitical and only interested in money. We always have an unlimited amount of affiliates, enough space for all professionals. It does not matter what country you live in, what types of language you speak, what age you are, what religion you believe in, anyone on the planet can work with us at any time of the year.</p>
</blockquote>
<p>Notably, LockBit have rules for their affiliates. Examples of forbidden targets (victims) include:</p>
<ul>
<li>critical infrastructure</li>
<li>institutions where damage to the files could lead to death (such as hospitals)</li>
<li>post-Soviet countries such as Armenia, Belarus, Estonia, Georgia, Kazakhstan, Kyrgyzstan, Latvia, Lithuania, Moldova, Russia, Tajikistan, Turkmenistan, Ukraine and Uzbekistan.</li>
</ul>
<p>Other ransomware providers have also claimed they won’t target institutions like hospitals – but this doesn’t guarantee victim immunity. Earlier this year a <a href="https://www.theregister.com/2023/01/04/lockbit_sickkids_ransomware/">Canadian hospital was a victim of LockBit</a>, triggering the group behind LockBit to post an apology, offer free decryption tools and allegedly expel the affiliate who hacked the hospital. </p>
<p>While rules may be in place, there is always potential for rogue users to <a href="https://www.scmagazine.com/analysis/ransomware-groups-dont-abide-by-promises-not-to-target-healthcare">target forbidden organisations</a>.</p>
<p>The final rule in the list above is an interesting exception. According to the group, these countries are off limits because a high proportion of the group’s members were “born and grew up in the Soviet Union”, despite now being “located in the Netherlands”.</p>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/putins-russia-people-increasingly-identify-with-the-soviet-union-heres-what-that-means-181129">Putin's Russia: people increasingly identify with the Soviet Union – here's what that means</a>
</strong>
</em>
</p>
<hr>
<h2>Who’s been hacked by LockBit?</h2>
<p>High-profile victims include the United Kingdom’s Royal Mail and Ministry of Defence, and Japanese cycling component manufacturer Shimano. Data stolen from aerospace company Boeing was leaked just this week after the company refused to pay ransom to LockBit.</p>
<figure class="align-center zoomable">
<a href="https://images.theconversation.com/files/559314/original/file-20231114-19-vcp8j5.png?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="LockBit website screenshot showing download links for stolen data" src="https://images.theconversation.com/files/559314/original/file-20231114-19-vcp8j5.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/559314/original/file-20231114-19-vcp8j5.png?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=562&fit=crop&dpr=1 600w, https://images.theconversation.com/files/559314/original/file-20231114-19-vcp8j5.png?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=562&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/559314/original/file-20231114-19-vcp8j5.png?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=562&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/559314/original/file-20231114-19-vcp8j5.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=706&fit=crop&dpr=1 754w, https://images.theconversation.com/files/559314/original/file-20231114-19-vcp8j5.png?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=706&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/559314/original/file-20231114-19-vcp8j5.png?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=706&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">LockBit’s website on the dark web is used to publish stolen data if the ransom is not paid.</span>
<span class="attribution"><span class="source">Screenshot sourced by authors.</span></span>
</figcaption>
</figure>
<p>While not yet confirmed, the recent ransomware incident experienced by the Industrial and Commercial Bank of China has been <a href="https://www.scmagazine.com/news/lockbit-takes-credit-for-ransomware-attack-on-us-subsidiary-of-chinese-bank">claimed by LockBit</a>.</p>
<p>Since appearing on the cybercrime scene, LockBit has been linked to almost <a href="https://www.cyber.gov.au/about-us/advisories/understanding-ransomware-threat-actors-lockbit">2,000 victims in the United States alone</a>.</p>
<p>From the list of victims seen below, LockBit is clearly being used in a scatter-gun approach, with a wide variety of victims. This is not a series of planned, targeted attacks. Instead, it shows LockBit software is being used by a diverse range of criminals in a service model.</p>
<figure class="align-center zoomable">
<a href="https://images.theconversation.com/files/559313/original/file-20231114-21-syppv0.png?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="LockBit blog screenshot showing victims with countdown timer" src="https://images.theconversation.com/files/559313/original/file-20231114-21-syppv0.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/559313/original/file-20231114-21-syppv0.png?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=294&fit=crop&dpr=1 600w, https://images.theconversation.com/files/559313/original/file-20231114-21-syppv0.png?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=294&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/559313/original/file-20231114-21-syppv0.png?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=294&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/559313/original/file-20231114-21-syppv0.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=369&fit=crop&dpr=1 754w, https://images.theconversation.com/files/559313/original/file-20231114-21-syppv0.png?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=369&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/559313/original/file-20231114-21-syppv0.png?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=369&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">LockBit’s blog on the dark web provides a showroom for public shaming of their victims.</span>
<span class="attribution"><span class="source">Screenshot sourced by authors.</span></span>
</figcaption>
</figure>
<h2>How we can protect ourselves</h2>
<p>In recent years, ransomware as a service (RaaS for short) has become popular.</p>
<p>Just as organisations use software-as-a-service providers – such as licensing for office tools like Microsoft 365, or accounting software for payroll – malicious services are providing tools for cybercriminals.</p>
<p>Ransomware as a service enables an inexperienced criminal to deliver a ransomware campaign to multiple targets quickly and efficiently – often at minimal cost and usually on a profit-sharing basis.</p>
<p>The RaaS platform handles the malware management, data extraction, victim negotiation and payment handling, effectively outsourcing criminal activities.</p>
<p>The process is so well developed, such groups even provide guidelines on how to become an affiliate, and what benefits one will gain. With a 20% commission of the ransom being paid to LockBit, this system can generate significant revenue for the group – including the deposit of 1 Bitcoin (approximately A$58,000) required from new users.</p>
<p>While ransomware is a growing concern around the globe, good cybersecurity practices can help. Updating and patching our systems, good password and account management, network monitoring and reacting to unusual activity can all help to minimise the likelihood of any compromise – or at least limit its extent.</p>
<p>For now, whether or not to pay a ransom is a matter of preference and ethics for each organisation. But if we can make it more difficult to get in, criminal groups will simply shift to easier targets.</p>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/australia-is-considering-a-ban-on-cyber-ransom-payments-but-it-could-backfire-heres-another-idea-194516">Australia is considering a ban on cyber ransom payments, but it could backfire. Here's another idea</a>
</strong>
</em>
</p>
<hr>
<p class="fine-print"><em><span>The authors do not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and have disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
<p><em>Prolific and highly profitable, LockBit provides ransomware as a service. Aspiring cybercriminals sign up to the scheme, and the group takes a cut. Here’s how it works.</em></p>
<p>Jennifer Medbury, Lecturer in Intelligence and Security, Edith Cowan University; Paul Haskell-Dowland, Professor of Cyber Security Practice, Edith Cowan University. Licensed as Creative Commons – attribution, no derivatives.</p>
<h1>Cyber-attacks against the UK Electoral Commission reveal an ongoing threat to democracy</h1>
<p>Published 2023-08-15T15:29:11Z</p>
<figure><img src="https://images.theconversation.com/files/542664/original/file-20230814-29-4dvaiz.jpg?ixlib=rb-1.1.0&rect=54%2C27%2C5898%2C3980&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="attribution"><a class="source" href="https://www.shutterstock.com/image-photo/close-image-woman-hands-typing-on-1916951258">TippaPatt / Shutterstock</a></span></figcaption></figure>
<p>The revelations this month that <a href="https://thehackernews.com/2023/08/uk-electoral-commission-breach-exposes.html">data on 40 million UK voters had been exposed to hackers</a> came as no surprise to many cybersecurity experts, who have long pointed out the vulnerability of democracies to malicious online interference.</p>
<p>In this case, it appears that the data and systems of the UK’s Electoral Commission had been available to hackers for over a year. There was a significant delay in reporting the incident due to concerns that the voting networks were still not free from malicious presence or interference.</p>
<p>Officials have stated that the <a href="https://www.theguardian.com/technology/2023/aug/08/uk-electoral-commission-registers-targeted-by-hostile-hackers">integrity of our elections is not under immediate threat</a>, mainly due to the continued reliance across the UK electoral system on paper ballots. </p>
<p>However, the attack reflects the serious and ongoing threat to democracies posed by cyber-interference from foreign nations and criminal organisations. The details surrounding this latest attack are still emerging, and the source remains undetermined. But to understand and defend our electoral system effectively against such a threat, three main points need to be considered.</p>
<h2>1. Hacking democracy</h2>
<p>The first is the determination and creativity of a variety of states to use cyber-attacks to subvert democracy and create mistrust in electoral systems around the world. With elections due next year in the US and UK, protecting the integrity of democratic countries is a growing concern.</p>
<p>We know that Russia, China and other nations including Iran have interfered in elections before – including, most notoriously, <a href="https://www.bbc.co.uk/news/world-us-canada-44825345">Russian hack and leak operations</a> targeting US elections in 2016, which were directed at the Democratic party.</p>
<p>With tensions in the world increasing due to the war in Ukraine, and deteriorating relations between the west and China, leaders in Beijing and Moscow will see cyber-attacks as relatively easy ways to manipulate western countries. </p>
<figure class="align-center ">
<img alt="Rescuers work in the aftermath of a Russian missile strike in Lviv, July 2023." src="https://images.theconversation.com/files/542660/original/file-20230814-21-vhwprt.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/542660/original/file-20230814-21-vhwprt.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=402&fit=crop&dpr=1 600w, https://images.theconversation.com/files/542660/original/file-20230814-21-vhwprt.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=402&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/542660/original/file-20230814-21-vhwprt.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=402&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/542660/original/file-20230814-21-vhwprt.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=505&fit=crop&dpr=1 754w, https://images.theconversation.com/files/542660/original/file-20230814-21-vhwprt.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=505&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/542660/original/file-20230814-21-vhwprt.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=505&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px">
<figcaption>
<span class="caption">The Ukraine war has increased tensions around the world.</span>
<span class="attribution"><a class="source" href="https://www.shutterstock.com/image-photo/lviv-ukraine-july-6-2023-rescuers-2327629641">Bumble Dee / Shutterstock</a></span>
</figcaption>
</figure>
<p>They also see them as a means of casting further doubts on election integrity, planting narratives in public discourse via social media, and attempting to access data on politicians, parties, finance and political campaigns. These methods could be used to swing votes in favour of candidates who might take foreign policy approaches that are more in line with Russian and Chinese interests.</p>
<p>And they may have a new tranche of voter data to help them do just that. As a number of experts have warned, the possibility for the data from this current UK breach to be <a href="https://www.theguardian.com/politics/2023/aug/09/hacked-uk-electoral-commission-data-target-voter-disinformation-warn-expert">used in disinformation campaigns is a real fear</a>. While paper-based elections are safer than those using electronic voting machines, that should not lead to complacency about the wider threats to electoral processes from these determined hacking groups.</p>
<h2>2. The value of data</h2>
<p>The second concern is the wider misuse of data in ways that affect UK national security. Whether it’s electoral databases, banking and finance, the operation of critical infrastructure, or even the research that is produced by our universities, data is an increasingly valuable and exploitable commodity for malicious groups.</p>
<p>Revenue from the sale of <a href="https://www.makeuseof.com/how-can-data-be-sold-dark-web/">illegally obtained data on the internet</a> is growing in line with the increase in the amount of data being generated globally. Hackers have vast repositories of data to target, and can generate revenue from doing so. </p>
<p>Ransomware attacks are often being used alongside a threat to leak or sell the data obtained. This is now a <a href="https://www.cloudwards.net/ransomware-statistics/">multi-billion dollar business</a>.</p>
<h2>3. Delays in disclosure</h2>
<p>A third concern is that the reporting of cyber-breaches continues to lag behind the attacks themselves. It may seem surprising to observers of the recent UK incident that it took so long to disclose. This delay constitutes a serious concern for the rights of those electors who have had their data accessed.</p>
<p>But this must be balanced against the operational need to ensure that the systems the data was stored on are free from malicious interference, and to make sure that hackers aren’t still inside the system, having obtained access.</p>
<p>We know that attackers can maintain access to a system over long periods while staying undetected. This approach of “<a href="https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a">living off the land</a>”, as the US Cybersecurity and Infrastructure Security Agency (CISA) recently referred to it, is an increasingly common modus operandi for state-supported hackers in particular.</p>
<p>The <a href="https://www.barclaysimpson.com/calculating-the-reputational-cost-of-cybersecurity-breaches/">reputational cost</a> to an organisation after suffering a data breach is often serious and damaging. But when the costs are to the reputation and integrity of electoral processes, a different approach may be required when it comes to public disclosure of the incident.</p>
<h2>Being a responsible cyber-power</h2>
<p>The UK government has framed its national cyber-strategy around the idea of being <a href="https://www.gov.uk/government/publications/responsible-cyber-power-in-practice/responsible-cyber-power-in-practice-html">a responsible and democratic cyber-power</a>. That responsibility clearly extends to protecting electoral processes from malicious interference.</p>
<p>Currently, government capabilities are battling to keep up with the hackers. The UK’s <a href="https://www.gov.uk/government/organisations/national-cyber-force">National Cyber Force</a> (NCF) has a mandate to deter, disrupt and respond to these types of incident, including against both foreign states and criminal organisations. </p>
<figure class="align-center ">
<img alt="Polling station" src="https://images.theconversation.com/files/542658/original/file-20230814-29-ygck98.jpg?ixlib=rb-1.1.0&rect=17%2C8%2C5946%2C3979&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/542658/original/file-20230814-29-ygck98.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=400&fit=crop&dpr=1 600w, https://images.theconversation.com/files/542658/original/file-20230814-29-ygck98.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=400&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/542658/original/file-20230814-29-ygck98.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=400&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/542658/original/file-20230814-29-ygck98.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=503&fit=crop&dpr=1 754w, https://images.theconversation.com/files/542658/original/file-20230814-29-ygck98.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=503&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/542658/original/file-20230814-29-ygck98.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=503&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px">
<figcaption>
<span class="caption"></span>
<span class="attribution"><a class="source" href="https://www.shutterstock.com/image-photo/uk-polling-station-sign-outside-church-2152937041">Peter Fleming / Shutterstock</a></span>
</figcaption>
</figure>
<p>The <a href="https://www.theguardian.com/technology/2023/aug/08/uk-electoral-commission-registers-targeted-by-hostile-hackers">National Crime Agency</a> has also stated that “defending the UK’s democratic processes” and helping to “strengthen the cyber-resilience of our electoral systems” is a priority.</p>
<p>But attributing attacks to specific groups or states is difficult. Holding them legally to account has always been challenging, particularly when they operate with the endorsement of their own governments.</p>
<h2>Insider threat</h2>
<p>There have also been wider concerns in the electoral system around the <a href="https://www.wired-gov.net/wg/news.nsf/articles/Statement+NCSC+offer+of+assistance+to+political+parties+14032017091500?open">cybersecurity of political parties and candidates</a>. These combine with concerns citizens have that their democracies are not operating well. This makes it easier for those who seek to undermine public faith in democracy to claim that elections are not being conducted fairly, and are not free from foreign interference.</p>
<p>Disinformation about the integrity of elections, both from within and outside the UK, will find greater traction in the wake of these types of incident.</p>
<p>Whether the UK can hold cyber-secure elections in the near future will depend on the work the cybersecurity community does now. A renewed effort to give the electoral system the tools to secure its networks, including direct support to political parties, candidates and civil society, is clearly needed.</p>
<p class="fine-print"><em><span>Joe Burton does not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
Securing our voting systems to defend against hacks is vital but challenging.
Joe Burton, Professor of International Security (Security and Protection Science), Lancaster University
Licensed as Creative Commons – attribution, no derivatives.
tag:theconversation.com,2011:article/210459 (published 2023-07-27T02:10:28Z)
The $500 million ATO fraud highlights flaws in the myGov ID system. Here’s how to keep your data safe
<figure><img src="https://images.theconversation.com/files/539683/original/file-20230727-15-wdarm.jpeg?ixlib=rb-1.1.0&rect=46%2C0%2C5184%2C3453&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">
</span> <span class="attribution"><span class="source">Shutterstock</span></span></figcaption></figure>
<p>The Australian Tax Office (ATO) paid out more than half a billion dollars to cyber criminals between July 2021 and February 2023, according to an <a href="https://www.abc.net.au/news/2023-07-26/ato-reveals-cost-of-mygov-tax-identity-crime-fraud/102632572">ABC report</a>. </p>
<p>Most of the payments were for small amounts (less than A$5,000) and were not flagged by the ATO’s own monitoring systems.</p>
<p>The fraudsters exploited a weakness in the identification system used by the myGov online portal to redirect other people’s tax refunds to their own bank accounts.</p>
<p>The good news is there’s plenty the federal government can do to crack down on this kind of fraud – and that you can do to keep your own payments secure. </p>
<h2>How these scams work</h2>
<p>Setting up a myGov account or a myGov ID requires proof of identity in the form of “<a href="https://www.afp.gov.au/sites/default/files/PDF/NPC-100PointChecklist-18042019.pdf">100 points of ID</a>”. It usually means either a passport and a driver’s licence or a driver’s licence, a Medicare card, and a bank statement. </p>
<p>Once a myGov account is created, linking it to your tax records requires two of the following: an ATO assessment, bank account details, a payslip, a Centrelink payment, or a super account.</p>
<p>These documents were precisely the ones targeted in three large data breaches in the past year: at <a href="https://theconversation.com/what-does-the-optus-data-breach-mean-for-you-and-how-can-you-protect-yourself-a-step-by-step-guide-191332">Optus</a>, at <a href="https://theconversation.com/medibank-hackers-are-now-releasing-stolen-data-on-the-dark-web-if-youre-affected-heres-what-you-need-to-know-194340">Medibank</a>, and at <a href="https://asic.gov.au/about-asic/news-centre/news-items/guidance-for-consumers-impacted-by-the-latitude-financial-services-data-breach/">Latitude Financial</a>.</p>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/why-are-there-so-many-data-breaches-a-growing-industry-of-criminals-is-brokering-in-stolen-data-193015">Why are there so many data breaches? A growing industry of criminals is brokering in stolen data</a>
</strong>
</em>
</p>
<hr>
<p>In this scam, the cyber criminal creates a fake myGov account using the stolen documents. If they can also get enough information to link to the ATO or your Tax File Number, they can then change bank account details to have your tax rebate paid to their account. </p>
<p>It is a sadly simple scam.</p>
<h2>How government can improve</h2>
<p>One of the issues here is quite astounding. The ATO already receives payroll data directly from employers: under the “<a href="https://www.ato.gov.au/business/single-touch-payroll/what-is-stp-/">single touch</a>” payroll system, salary, tax withheld and superannuation information is reported to the ATO every time staff are paid.</p>
<p>Most people who have received a tax refund will have provided bank account details where that payment can be made. Indeed, many people use precisely those bank account details to identify themselves to myGov.</p>
<p>At present, those bank details can be changed within myGov without any further check. If the ATO confirmed a change of bank account details with the individual through a separate channel, such as a message to the mobile number already on file, before paying a refund to the new account, this fraud could be prevented. It might be sensible to check with the individual’s employer as well.</p>
<p>Part of the problem is the ATO has not been very transparent about the risks. If these risks were clearly set out, then calls for changes to ATO procedures would have been loud and clear from the cyber security community.</p>
<p>The ATO is usually good at identifying when a cyber security incident may lead to fraud. For example, when the recruitment software company <a href="https://www.abc.net.au/news/2018-06-06/australian-data-may-be-compromised-in-pageup-security-breach/9840048?itm_campaign=newsapp">PageUp was hacked in 2018</a>, the ATO required people who may have been affected to reconfirm their identities. This was done without public commentary and represents sound practice.</p>
<p>Sadly, the millions of records stolen in the Optus, Medibank and Latitude Financial breaches have not led to a similar level of vigilance.</p>
<p>Another action the ATO could take would be to check when a single set of bank account details is associated with more than one myGov account.</p>
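<p>The two controls just described, out-of-band confirmation before a refund goes to newly entered bank details and a check for one bank account linked to several taxpayer accounts, are simple enough to show in code. The following is an added example written for this page, not ATO or myGov code; every identifier, name and record in it is constructed.</p>

```python
"""Added example of two controls the article calls for: hold a refund when the
destination bank account was changed without out-of-band confirmation, and flag
one bank account linked to several taxpayer accounts. Names, identifiers and
records are constructed; nothing here is ATO or myGov code."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Account:
    account_id: str        # hypothetical taxpayer account identifier
    holder: str
    refund_bsb: str        # current refund destination
    refund_account: str


@dataclass
class BankChange:
    account_id: str
    old_bsb: str
    old_account: str
    new_bsb: str
    new_account: str
    confirmed_out_of_band: bool   # did the holder confirm via a second channel?


def shared_destinations(accounts):
    """Map (bsb, account) -> account_ids for destinations used by more than
    one taxpayer account. One mule account collecting many refunds is the
    signature of the scam described above."""
    by_dest = defaultdict(list)
    for a in accounts:
        by_dest[(a.refund_bsb, a.refund_account)].append(a.account_id)
    return {dest: ids for dest, ids in by_dest.items() if len(ids) > 1}


def unconfirmed_changes(changes):
    """Account ids whose refund destination really changed and was never
    confirmed through a channel other than the myGov session itself."""
    return [c.account_id for c in changes
            if (c.old_bsb, c.old_account) != (c.new_bsb, c.new_account)
            and not c.confirmed_out_of_band]


def refund_decision(account, changes, accounts):
    """Return (may_pay, reason) for paying a refund to `account` now."""
    dest = (account.refund_bsb, account.refund_account)
    shared = shared_destinations(accounts)
    if dest in shared:
        others = len(shared[dest]) - 1
        return False, f"refund destination shared with {others} other account(s)"
    if account.account_id in unconfirmed_changes(changes):
        return False, "bank details changed without out-of-band confirmation"
    return True, "ok"


# Constructed records: A1 just changed bank details with no confirmation,
# A2 and A3 point at the same bank account, A4 changed details and confirmed.
SAMPLE_ACCOUNTS = [
    Account("A1", "Alice", "082-999", "55556666"),
    Account("A2", "Bob", "033-100", "22223333"),
    Account("A3", "Carol", "033-100", "22223333"),
    Account("A4", "Dan", "017-000", "11112222"),
]
SAMPLE_CHANGES = [
    BankChange("A1", "062-000", "12345678", "082-999", "55556666", confirmed_out_of_band=False),
    BankChange("A4", "012-345", "99990000", "017-000", "11112222", confirmed_out_of_band=True),
]

if __name__ == "__main__":
    for acct in SAMPLE_ACCOUNTS:
        print(acct.account_id, refund_decision(acct, SAMPLE_CHANGES, SAMPLE_ACCOUNTS))
```

<p>The shared-destination check runs first because it does not depend on the attacker’s timing: a mule account that was linked months ago still shows up the moment a second taxpayer’s refund is pointed at it.</p>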
<p>A national digital identity would also help. However, this system has been in development for years, is not universally popular, and may well be <a href="https://www.themandarin.com.au/226280-gallagher-warns-community-support-for-digital-identity-not-ubiquitous/">delayed</a> until after the federal election due in 2024. </p>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/australias-national-digital-id-is-here-but-the-governments-not-talking-about-it-130200">Australia's National Digital ID is here, but the government's not talking about it</a>
</strong>
</em>
</p>
<hr>
<h2>Protecting yourself</h2>
<p>The most important thing to do is make sure the ATO does not use a bank account number other than yours. As long as the ATO only has your bank account number to transfer your tax rebate, this scam does not work.</p>
<p>It also helps to protect your Tax File Number. There are only four groups that ever need this number. </p>
<p>The first is the ATO itself. The second is your employer. However, remember you do not need to give your TFN to a prospective employer, and your employer only needs your TFN <em>after</em> you have started work. </p>
<p>Your super fund and your bank may ask for your TFN. However, providing your TFN to your super fund or bank is optional – it just makes things easier, as otherwise they will withhold tax which you will need to claim back later.</p>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/we-have-filed-a-case-under-your-name-beware-of-tax-scams-theyll-be-everywhere-this-eofy-162171">'We have filed a case under your name': beware of tax scams — they'll be everywhere this EOFY</a>
</strong>
</em>
</p>
<hr>
<p>Of course, all the usual data safety issues still apply. Don’t share your driver’s licence details without good reason. Take similar care with your passport. Your Medicare card is for health services and does not need to be shared widely. </p>
<p>Don’t open emails from people you do not know. Never click links in messages unless you are sure they are safe. Most importantly, know that neither your bank nor the ATO will email or text you a link and ask you to log in or confirm your details through it.</p>
<p class="fine-print"><em><span>Rob Nicholls receives funding from each of Google, Meta, and the Australian Research Council.</span></em></p>
Scammers have exploited a simple weakness in the myGov online portal to redirect hundreds of millions of dollars in tax refunds.
Rob Nicholls, Associate professor of regulation and governance, UNSW Sydney
Licensed as Creative Commons – attribution, no derivatives.
tag:theconversation.com,2011:article/207944 (published 2023-06-22T16:04:31Z)
Four ways criminals could use AI to target more victims
<figure><img src="https://images.theconversation.com/files/532713/original/file-20230619-25-f0xjc9.jpg?ixlib=rb-1.1.0&rect=16%2C0%2C5341%2C3566&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">Building a profile of someone can make it easier for criminals to gain access to their personal accounts.</span> <span class="attribution"><a class="source" href="https://www.shutterstock.com/image-photo/ai-artificial-intelligence-concept-763283053">Metamorworks / Shutterstock</a></span></figcaption></figure>
<p>Warnings about artificial intelligence (AI) are ubiquitous right now. They have included <a href="https://www.safe.ai/statement-on-ai-risk">fearful messages</a> about AI’s potential to cause the extinction of humans, invoking images of the Terminator movies. The UK Prime Minister Rishi Sunak has even <a href="https://www.gov.uk/government/news/pm-urges-tech-leaders-to-grasp-generational-opportunities-and-challenges-of-ai">set up a summit to discuss AI safety</a>.</p>
<p>However, we have been using AI tools for a long time – from the algorithms used to <a href="https://online.york.ac.uk/ai-search-and-recommendation-algorithms/">recommend relevant products</a> on shopping websites, to cars with technology that <a href="https://en.wikipedia.org/wiki/Traffic-sign_recognition">recognises traffic signs</a> and <a href="https://journals.sagepub.com/doi/full/10.1177/17298814211002974">provides lane positioning</a>. AI is a tool to increase efficiency, process and sort large volumes of data, and offload decision making.</p>
<p>Nevertheless, these tools are open to everyone, including criminals. And we’re already seeing the early stage adoption of AI by criminals. Deepfake technology has been used to <a href="https://www.bbc.co.uk/news/entertainment-arts-65854112">generate revenge pornography</a>, for example. </p>
<p>Technology <a href="https://www.europol.europa.eu/crime-areas-and-statistics/crime-areas/cybercrime">enhances the efficiency of criminal activity</a>. It allows lawbreakers to target a greater number of people and helps them be more plausible. Observing how criminals have adapted to, and adopted, technological advances in the past, can provide some clues as to how they might use AI. </p>
<h2>1. A better phishing hook</h2>
<p>AI tools like <a href="https://openai.com/blog/chatgpt">ChatGPT</a> and <a href="https://bard.google.com">Google’s Bard</a> provide writing support, allowing inexperienced writers to craft effective marketing messages, for example. However, this technology could also help criminals sound more believable when contacting potential victims.</p>
<p>Think about all those spam phishing emails and texts that are badly written and easily detected. Being plausible is key to being able to elicit information from a victim. </p>
<figure class="align-center ">
<img alt="Woman holding a smartphone." src="https://images.theconversation.com/files/532909/original/file-20230620-15-in15vt.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/532909/original/file-20230620-15-in15vt.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=338&fit=crop&dpr=1 600w, https://images.theconversation.com/files/532909/original/file-20230620-15-in15vt.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=338&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/532909/original/file-20230620-15-in15vt.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=338&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/532909/original/file-20230620-15-in15vt.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=424&fit=crop&dpr=1 754w, https://images.theconversation.com/files/532909/original/file-20230620-15-in15vt.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=424&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/532909/original/file-20230620-15-in15vt.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=424&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px">
<figcaption>
<span class="caption">Criminals could create a deepfake version of you who could interact with family members over the phone, text and email.</span>
<span class="attribution"><a class="source" href="https://www.shutterstock.com/image-photo/hands-woman-holding-smartphone-using-online-2062352315">Fizkes / Shutterstock</a></span>
</figcaption>
</figure>
<p>Phishing is a numbers game: an <a href="https://www.securitymagazine.com/articles/90345-more-than-three-billion-fake-emails-are-sent-worldwide-every-day">estimated 3.4 billion spam emails</a> are sent every day, or roughly 1.2 trillion a year. My own calculations show that if criminals were able to improve their messages so that as little as 0.0005% of them (five in every million) now convinced someone to reveal information, it would result in 6.2 million more phishing victims each year.</p>
<h2>2. Automated interactions</h2>
<p>One of the early uses for AI tools was to automate interactions between customers and services over text, chat messages and the phone. This enabled a faster response to customers and optimised business efficiency. Your first contact with an organisation is likely to be with an AI system, before you get to speak to a human.</p>
<p>Criminals can use the same tools to create automated interactions with large numbers of potential victims, <a href="https://www.scmagazine.com/news/emerging-technology/attackers-using-ai-to-enhance-conversational-scams-over-mobile-devices">at a scale not possible</a> if it were just carried out by humans. They can impersonate legitimate services like banks over the phone and on email, in an attempt to elicit information that would allow them to steal your money. </p>
<h2>3. Deepfakes</h2>
<p>AI systems are built from mathematical models that are “trained” on large amounts of real-world data, which makes them better at a given task. Deepfake technology in video and audio is an example of this. A deepfake act called <a href="https://blogs.nvidia.com/blog/2022/09/13/metaphysic-ai-avatars-americas-got-talent/">Metaphysic</a> recently demonstrated the technology’s potential when they unveiled a video of <a href="https://www.youtube.com/watch?v=mJeE9BNEa-o">Simon Cowell singing opera on the television show America’s Got Talent</a>.</p>
<p>Deepfakes of that quality are beyond the reach of most criminals, but AI tools that mimic the way a person responds to texts, writes emails, leaves voice notes or makes phone calls are freely available. So is the data to train them, which can be gathered from videos on social media, for example. </p>
<figure>
<iframe width="440" height="260" src="https://www.youtube.com/embed/mJeE9BNEa-o?wmode=transparent&start=0" frameborder="0" allowfullscreen=""></iframe>
<figcaption><span class="caption">The deepfake act Metaphysic perform on America’s Got Talent.</span></figcaption>
</figure>
<p>Social media has always been a rich seam for criminals mining information on potential targets. There is now the potential for AI to be used to create a deepfake version of you. This deepfake can be exploited to interact with friends and family, convincing them to hand criminals information on you. Gaining a <a href="https://dl.acm.org/doi/abs/10.1145/3372297.3417892">better insight into your life</a> makes it <a href="https://www.itpro.com/security/34616/the-top-password-cracking-techniques-used-by-hackers">easier to guess</a> passwords or pins.</p>
<h2>4. Brute forcing</h2>
<p>Another technique used by criminals, “brute forcing”, could also benefit from AI. This is where many combinations of characters and symbols are tried in turn until one matches your password. </p>
<p>That’s why long, complex passwords are safer: there are far more combinations to try before the right one is found. Brute forcing is resource intensive, but it’s easier if the attacker knows something about the person, because the list of potential passwords can then be ordered by how likely each one is, increasing the efficiency of the process. For instance, they could start with combinations that relate to the names of family members or pets.</p>
<p>Algorithms trained on your data could be used to help build these prioritised lists more accurately and target many people at once – so fewer resources are needed. Specific AI tools could be developed that harvest your online data, then analyse it all to build a profile of you.</p>
<p>If, for example, you frequently posted on social media about Taylor Swift, manually going through your posts for password clues would be hard work. Automated tools do this quickly and efficiently. All of this information would go into making the profile, making it easier to guess passwords and pins.</p>
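<p>To make the difference concrete, here is an added example (written for this page, not from the article) that builds a prioritised candidate list from a constructed profile of the kind an attacker might scrape from social media, then compares how many guesses it takes against a blind, exhaustive search. The profile, the mangling rules and the “leaked” hash are all constructed; the hash is plain SHA-256 only to keep the example short, and a real password store should use a slow, salted hash instead.</p>

```python
"""Added example (not from the article): how knowing the target shrinks a
brute-force search. A prioritised candidate list is built from constructed
profile facts and compared with an unordered exhaustive search. The profile,
the mangling rules and the unsalted SHA-256 'leaked hash' are all constructed
for illustration; real password stores should use a slow, salted hash."""
import hashlib
import itertools
import string


def profile_tokens(profile):
    """Base words from the kinds of facts harvested from social media posts."""
    tokens = set()
    for key in ("names", "pets", "interests"):
        for word in profile.get(key, []):
            tokens.add(word.lower())
            tokens.add(word.capitalize())
    return sorted(tokens)


def mangle(tokens, years, suffixes=("", "!", "1", "123")):
    """Common human patterns: Word, Word+year, Word+symbol, Word+Word."""
    year_strs = [""] + [str(y) for y in years]
    for t in tokens:
        for y in year_strs:
            for s in suffixes:
                yield f"{t}{y}{s}"
    for a, b in itertools.permutations(tokens, 2):
        yield a + b


def targeted_candidates(profile):
    """Prioritised guesses: most personal, most common shapes first."""
    seen = set()
    for cand in mangle(profile_tokens(profile), profile.get("years", [])):
        if cand not in seen:
            seen.add(cand)
            yield cand


def exhaustive_candidates(alphabet=string.ascii_letters + string.digits + "!", max_len=12):
    """The 'try every combination' search the article describes."""
    for n in range(1, max_len + 1):
        for tup in itertools.product(alphabet, repeat=n):
            yield "".join(tup)


def search_space(alphabet_size, max_len):
    """Number of strings of length 1..max_len over the alphabet."""
    return sum(alphabet_size ** n for n in range(1, max_len + 1))


def sha256_hex(s):
    return hashlib.sha256(s.encode()).hexdigest()


def crack(target_hash, candidates, limit):
    """Try candidates in order; return (password, guesses) or (None, limit)."""
    for i, cand in enumerate(candidates, 1):
        if i > limit:
            break
        if sha256_hex(cand) == target_hash:
            return cand, i
    return None, limit


# Constructed target: a fan of a pop star with a cat called Fluffy, born 1989.
PROFILE = {"names": ["Taylor", "Swift"], "pets": ["Fluffy"], "years": [1989, 2019]}
LEAKED_HASH = sha256_hex("Fluffy2019!")   # constructed; not a real leak

if __name__ == "__main__":
    print("targeted:", crack(LEAKED_HASH, targeted_candidates(PROFILE), limit=10_000))
    print("exhaustive:", crack(LEAKED_HASH, exhaustive_candidates(), limit=100_000))
    print("exhaustive space to 11 chars:", search_space(63, 11))
```

<p>With the profile in hand the targeted list recovers the 11-character password in ten guesses, while the exhaustive search would have to work through a space of more than 10<sup>19</sup> strings of that length or shorter. Automating the profile-building step is the part of this pipeline that AI changes; the guessing itself was always cheap once the list was ordered well.</p>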
<h2>Healthy scepticism</h2>
<p>We should not be frightened of AI, as it could bring real benefits to society. But as with any new technology, society needs to adapt to and understand it. Although we take smart phones for granted now, society had to adjust to having them in our lives. They have largely been beneficial, but uncertainties remain, such as a good amount of screen time for children. </p>
<p>As individuals, we should be proactive in our attempts to understand AI, not complacent. We should develop our own approaches to it, maintaining a healthy sense of scepticism. We will need to consider how we verify the validity of what we are reading, hearing or seeing. </p>
<p>These simple acts will help society reap the benefits of AI while ensuring we can protect ourselves from potential harms.</p>
<p class="fine-print"><em><span>Daniel Prince receives funding from UKRI via the PETRAS The National Centre of Excellence for IoT Systems Cyber Security.</span></em></p>
AI could allow cybercriminals to operate with greater efficiency, targeting more people at once.
Daniel Prince, Professor of Cyber Security, Lancaster University
Licensed as Creative Commons – attribution, no derivatives.
tag:theconversation.com,2011:article/207670 (published 2023-06-19T13:44:08Z)
Moveit hack: attack on BBC and BA offers glimpse into the future of cybercrime
<figure><img src="https://images.theconversation.com/files/531739/original/file-20230613-15-41oll0.jpg?ixlib=rb-1.1.0&rect=44%2C0%2C7238%2C4803&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">
</span> <span class="attribution"><span class="source">Shutterstock</span></span></figcaption></figure>
<p>British Airways (BA), the BBC, Ofcom and Boots were among a number of organisations that were reportedly <a href="https://www.bbc.co.uk/news/technology-65814104">victims of a major recent cyber-attack</a>, resulting in the breach of numerous staff details.</p>
<p>The stolen data is said to include staff names, staff ID numbers and national insurance numbers (although, importantly, not banking details). But, other than for those personally affected, the real issue is what this attack reveals about the evolution of cybercrime. </p>
<p>More cybercriminals are realising that if they can compromise a trusted supplier, this will lead to the compromise of that organisation’s customers. The hackers can then steal the data and potentially hold both individuals and companies to ransom. </p>
<p>So far, this has proven a more difficult way to make a lot of money. But it’s arguably only a matter of time.</p>
<p><a href="https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-158a">The recent attack</a> was against a piece of software called <a href="https://en.wikipedia.org/wiki/MOVEit">Moveit</a>, which is used to transfer computer files from one location to another. It involved what’s called a “<a href="https://www.intel.co.uk/content/www/uk/en/business/enterprise-computers/resources/what-is-a-zero-day-exploit.html">zero-day exploit</a>”, a piece of computer code that takes advantage of a previously unknown vulnerability.</p>
<p>This allowed hackers to compromise Zellis, a trusted supplier of services to BA, the BBC, Boots and others. Zellis confirmed a <a href="https://www.zellis.com/resources/press-and-media/statement-on-moveit-transfer-data-breach/">“small number” of customers had been affected</a>, adding that it had disconnected the server using Moveit as soon as it became aware of the incident.</p>
<p>Since Zellis is the main payroll service provider to these organisations, it is easy to trace how this incident started. Responsibility for the attack was claimed by the Russia-linked “cl0p” group, which has since issued an ultimatum to the affected organisations – asking for money unless they want the stolen data to be released on the <a href="https://theconversation.com/what-is-the-dark-web-and-how-does-it-work-63613">dark web</a>. </p>
<h2>Future of cybercrime</h2>
<p>Unlike many previous types of attack, particularly those that have employed <a href="https://theconversation.com/inside-a-ransomware-attack-how-dark-webs-of-cybercriminals-collaborate-to-pull-them-off-163015">ransomware</a>, in this case the criminal group launched a mass attack and waited for individual organisations to fall prey, then sought to exploit each one in turn.</p>
<p>This suggests these cybercriminals have learned from previous <a href="https://www.ncsc.gov.uk/collection/supply-chain-security/supply-chain-attack-examples">supply-chain attacks</a>, and are experimenting with making the strategy commercially viable. In supply-chain attacks, cybercriminals target one organisation by attacking an external provider they use.</p>
<figure class="align-center ">
<img alt="BBC New Broadcasting House in London." src="https://images.theconversation.com/files/531741/original/file-20230613-25-zss8e5.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/531741/original/file-20230613-25-zss8e5.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=463&fit=crop&dpr=1 600w, https://images.theconversation.com/files/531741/original/file-20230613-25-zss8e5.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=463&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/531741/original/file-20230613-25-zss8e5.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=463&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/531741/original/file-20230613-25-zss8e5.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=582&fit=crop&dpr=1 754w, https://images.theconversation.com/files/531741/original/file-20230613-25-zss8e5.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=582&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/531741/original/file-20230613-25-zss8e5.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=582&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px">
<figcaption>
<span class="caption">The BBC was among the organisations successfully hacked.</span>
<span class="attribution"><a class="source" href="https://www.shutterstock.com/image-photo/london-uk-october-10-2022-broadcasting-2217633041">Nigel J. Harris / Shutterstock</a></span>
</figcaption>
</figure>
<p>Groups such as cl0p appear to have watched and learned, especially from the <a href="https://www.npr.org/2021/04/16/985439655/a-worst-nightmare-cyberattack-the-untold-story-of-the-solarwinds-hack">SolarWinds attack of late 2020</a>, where the build process of a near-ubiquitous network-monitoring tool, SolarWinds Orion, was compromised so that a signed but malicious update was delivered to customers through the vendor’s own patching channel. </p>
<p>This software was widely used across the US government and industry: around 18,000 SolarWinds customers downloaded the tainted update, and victims included the Department of Defense, Nasa, TimeWarner and AT&T. Attributed by the US and UK governments to Russia’s foreign intelligence service, the SVR, SolarWinds was seen as being mainly motivated by state espionage. </p>
<p>And in the case of Moveit, the cl0p group appears to have taken the logic of supply-chain attacks – which proved so effective against SolarWinds – and wielded it against corporate targets. </p>
<h2>Evolutionary step</h2>
<p>This was arguably always going to be an evolutionary step for cybercriminals. First, sophisticated state-sponsored hackers verify an innovative method of attacking computers, as in the case of SolarWinds. Later, criminal copycats such as cl0p apply the same strategy, avoiding the pain of inventing new methods.</p>
<p>The ultimatum issued by cl0p is also revealing about the behaviour and motivation of cybercriminals. It is a strange pivot from traditional ransomware campaigns, where the attacker encrypts the victim’s own systems and data and demands payment to restore them. </p>
<p>In the case of Moveit, it is instructive that cl0p has <a href="https://www.lbc.co.uk/news/cyber-crime-gang-clop-issues-ultimatum-to-100-000-victims-of-hacking-threatening/">issued a public ultimatum</a>, telling victim organisations to get in touch unless they want their data to be released into the wild – allowing its exploitation by scammers, fraudsters and other criminals. </p>
<figure class="align-center ">
<img alt="British Airways flight." src="https://images.theconversation.com/files/532199/original/file-20230615-17-5fawnu.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/532199/original/file-20230615-17-5fawnu.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=400&fit=crop&dpr=1 600w, https://images.theconversation.com/files/532199/original/file-20230615-17-5fawnu.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=400&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/532199/original/file-20230615-17-5fawnu.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=400&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/532199/original/file-20230615-17-5fawnu.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=503&fit=crop&dpr=1 754w, https://images.theconversation.com/files/532199/original/file-20230615-17-5fawnu.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=503&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/532199/original/file-20230615-17-5fawnu.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=503&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px">
<figcaption>
<span class="caption">The organisations involved, including BA, were using Zellis for payroll services.</span>
<span class="attribution"><a class="source" href="https://www.shutterstock.com/image-photo/london-uk-august-17-2018-largest-1164809374">Jarek Kilian / Shutterstock</a></span>
</figcaption>
</figure>
<p>Effectively, cl0p is relying on a panic tactic to get organisations to take responsibility for the stolen data and protect their staff’s identities, by volunteering themselves to the criminals for negotiation – presumably on the topic of payment. </p>
<p>This reveals a clear lack of resource – outside the technical “attack teams” – on the part of cl0p to fully exploit its apparent success in compromising Moveit. </p>
<p>This is a potential flaw in the behaviour of such criminal groups. It shows that a move from ransomware-driven campaigns to supply-chain attacks is more difficult to monetise. </p>
<p>The final step in maximising the return from the attack, by making all the victims pay, is clearly harder than with simple ransomware, where the focus is on one target organisation and one route to the pay-out from the crime. </p>
<p>In short, cybercriminal groups have copied the supply-chain attack strategy and are now experimenting with it. But they are struggling to fully exploit and monetise the successes they have with it.</p>
<p>Ransomware has been the campaign of choice for more than half a decade, but we should be concerned that the Moveit attack signals a change of strategy. Supply-chain attacks are effective, and the criminals are now working to refine their methods in order to fully exploit them. As such, it’s very likely that these attacks will only become more widespread.</p>
<p class="fine-print"><em><span>The authors do not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and have disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
Cybercriminals are attempting to monetise the hacking techniques used by state actors.
Danny Steed, Lecturer in Cyber Security, Cranfield University
Robert Black, Lecturer in Information Activities, Cranfield University
Licensed as Creative Commons – attribution, no derivatives.
tag:theconversation.com,2011:article/202300 (published 2023-03-23T12:38:48Z)
Should governments ban TikTok? Can they? A cybersecurity expert explains the risks the app poses and the challenges to blocking it
<figure><img src="https://images.theconversation.com/files/517052/original/file-20230322-1082-cwscyw.jpg?ixlib=rb-1.1.0&rect=0%2C0%2C3060%2C2038&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">Is a wildly popular social media app a threat to U.S. citizens?</span> <span class="attribution"><a class="source" href="https://newsroom.ap.org/detail/TikTok/0b4859f7cdfb496298dc229d0b257aad/photo">AP Photo/Michael Dwyer</a></span></figcaption></figure>
<p>The U.S. House of Representatives voted 352-65 on March 13, 2024, to require TikTok’s parent company, China-based ByteDance, to <a href="https://www.washingtonpost.com/technology/2024/03/13/tiktok-ban-passes-house-vote/">sell the app or face a nationwide ban on TikTok</a>. President Joe Biden said on March 8 that <a href="https://www.wsj.com/politics/policy/biden-backs-effort-to-force-sale-of-tiktok-by-chinese-owners-ba989656">he would sign the legislation</a> if it reached his desk.</p>
<p>The popular video social media app had <a href="https://www.statista.com/statistics/1299807/number-of-monthly-unique-tiktok-users/">149 million users in the U.S.</a> as of January 2024. Many of them contacted Congress to <a href="https://www.washingtonpost.com/technology/2024/03/07/tiktok-ban-congress-calls-us/">protest the possibility of a ban</a>.</p>
<p>The bill’s fate in the Senate is unclear. It’s also unclear whether any resulting legislation would survive a court challenge.</p>
<p>On May 17, 2023, Montana Gov. Greg Gianforte signed <a href="https://www.washingtonpost.com/technology/2023/05/17/tiktok-ban-montana/">legislation banning TikTok</a> in the state, the first total ban by a U.S. state government. The law would <a href="https://leg.mt.gov/bills/2023/billhtml/SB0419.htm">impose fines of US$10,000 per day</a> on any app store that offers TikTok and on the app-maker itself if it operates in the state. Individual users would not be subject to penalties. The law was scheduled to go into effect Jan. 1, 2024, but a <a href="https://www.npr.org/2023/11/30/1205735647/montana-tiktok-ban-blocked-state">federal judge blocked it</a> pending a trial to determine whether the state overstepped its authority and whether the law violates the First Amendment.</p>
<p>The federal government, along with many state and foreign governments and some companies, has already <a href="https://www.washingtonpost.com/world/2020/08/03/its-not-just-united-states-these-governments-see-tiktok-growing-problem/">banned TikTok on work-provided phones</a>. This type of ban can be effective for protecting data related to government work. </p>
<p>But a full national ban of the app is another matter, which raises a number of questions: What data privacy risk does TikTok pose? What could the Chinese government do with data collected by the app? Is its content recommendation algorithm dangerous? Is it legal for a government to impose a total ban on the app? And is it even possible to ban an app?</p>
<figure>
<iframe width="440" height="260" src="https://www.youtube.com/embed/KzHLIqZyFr8?wmode=transparent&start=0" frameborder="0" allowfullscreen=""></iframe>
<figcaption><span class="caption">Governments around the world have been banning TikTok on government-issued phones.</span></figcaption>
</figure>
<h2>Vacuuming up data</h2>
<p>As a <a href="https://scholar.google.com/citations?user=KkGR-BwAAAAJ&hl=en">cybersecurity researcher</a>, I’ve noted that every few years, a newly popular mobile app raises issues of security, privacy and data access.</p>
<p>Apps collect data for several reasons. Sometimes the data is used to improve the app for users. However, most apps collect data that the companies use in part to fund their operations. This revenue typically comes from targeting users with ads based on the data they collect. The questions this use of data raises are: Does the app need all this data? What does it do with the data? And how does it protect the data from others? </p>
<p>So what makes TikTok different from the likes of <a href="https://pokemongolive.com/">Pokémon Go</a>, Facebook or even your phone itself? TikTok’s <a href="https://www.tiktok.com/legal/page/us/privacy-policy/en">privacy policy</a>, which <a href="https://theconversation.com/nobody-reads-privacy-policies-heres-how-to-fix-that-81932">few people read</a>, is a good place to start. Overall, the company is <a href="https://brandonsilverman.substack.com/p/how-transparent-is-tiktok">not particularly transparent</a> about its practices. The document is too long for all the data it collects to be listed here, which should itself be a warning.</p>
<p>Beyond the information you give TikTok when you create an account – name, age, username, password, language, email, phone number, social media account information and profile image – the privacy policy lists several items that are concerning: location data, data from your clipboard, contact information, website tracking, plus all the data you post and messages you send through the app. The company claims that current versions of the app <a href="https://docs.house.gov/meetings/IF/IF00/20230323/115519/HHRG-118-IF00-Wstate-ChewS-20230323.pdf">do not collect GPS information</a> from U.S. users. </p>
<p>If <a href="https://www.nytimes.com/2021/06/14/technology/personal-data-apple-google-facebook.html">most apps collect data</a>, why are governments worried about TikTok? First, they worry about the <a href="https://www.buzzfeednews.com/article/emilybakerwhite/tiktok-tapes-us-user-data-china-bytedance-access">Chinese government accessing data</a> from TikTok’s <a href="https://www.msn.com/en-us/money/other/tiktok-says-it-has-150-million-us-users-amid-renewed-calls-for-a-ban/ar-AA18UfZv">150 million users in the U.S.</a> There is also a concern about the algorithms used by TikTok to show content. </p>
<h2>Data in the Chinese government’s hands</h2>
<p>If the data does end up in the hands of the Chinese government, the question is how could it use the data to its benefit. The government could share it with other companies in China to help them profit, which is no different than U.S. companies sharing marketing data. The Chinese government is known for <a href="https://www.brookings.edu/essay/the-long-game-chinas-grand-strategy-to-displace-american-order/">playing the long game</a>, and data is power, so if it is collecting data, it could take years to learn how it benefits China. </p>
<p>One potential threat is the Chinese government using the data to spy on people, particularly people who have access to valuable information. The Justice Department is investigating TikTok’s parent company, ByteDance, for <a href="https://www.ft.com/content/a617dfba-4946-4977-a1f8-dcfb8997ef51">using the app to monitor U.S. journalists</a>. The Chinese government has an extensive history of <a href="https://www.cnn.com/2021/12/02/politics/china-hackers-espionage-defense-contractors/index.html">hacking U.S. government agencies and corporations</a>, and much of that hacking has been facilitated by <a href="https://www.csoonline.com/article/3648654/social-engineering-definition-examples-and-techniques.html">social engineering</a> – the practice of using data about people to trick them into revealing more information.</p>
<p>The second issue that the U.S. government has raised is algorithm bias or algorithm manipulation. TikTok and most social media apps have algorithms designed to learn a user’s interests and then try to adjust the content so the user will continue to use the app. TikTok has not shared its algorithm, so it’s not clear how the app chooses a user’s content. </p>
<p>The algorithm could be biased in a way that influences a population to believe certain things. There are numerous allegations that TikTok’s algorithm is biased and can <a href="https://counterhate.com/research/deadly-by-design/">reinforce negative thoughts among younger users</a>, and be used to <a href="https://www.washingtonpost.com/opinions/2022/07/22/tiktok-privacy-foreign-software-policy/">affect public opinion</a>. It could be that the algorithm’s manipulative behavior is unintentional, but there is concern that the Chinese government has been using or could use the algorithm to influence people.</p>
<figure>
<iframe width="440" height="260" src="https://www.youtube.com/embed/nfczi2cI6Cs?wmode=transparent&start=0" frameborder="0" allowfullscreen=""></iframe>
<figcaption><span class="caption">TikTok’s algorithm for serving you videos has also become a source of concern.</span></figcaption>
</figure>
<h2>Can a government ban an app?</h2>
<p>The pending Montana law aims to use fines to coerce companies into enforcing its ban. It’s not clear if companies will comply, and it’s unlikely that this would deter users from <a href="https://theconversation.com/banning-tiktok-could-weaken-personal-cybersecurity-203398">finding workarounds</a>. </p>
<p>Meanwhile, if the federal government comes to the conclusion that TikTok should be banned, is it even possible to ban it for all of its 149 million existing U.S. users? Any such ban would likely start with blocking the distribution of the app through Apple’s and Google’s app stores. This might keep many users off the platform, but there are other ways to download and install apps for people who are determined to use them. </p>
<p>A more drastic method would be to force Apple and Google to change their phones to prevent TikTok from running. While I’m not a lawyer, I think this effort would fail due to legal challenges, which <a href="https://www.cbsnews.com/news/tiktok-ban-whats-next-company-purchase/">include First Amendment concerns</a>. The bottom line is that an absolute ban will be tough to enforce.</p>
<p>There are also questions about how effective a ban would be even if it were possible. By some estimates, the Chinese government has already collected personal information on <a href="https://www.npr.org/2021/08/26/1013501080/chinas-microsoft-hack-may-have-had-a-bigger-purpose-than-just-spying">at least 80% of the U.S. population</a> via various means. So a ban might limit the damage going forward to some degree, but the Chinese government has already collected a significant amount of data. The Chinese government – along with anyone else with money – also has access to the <a href="https://theconversation.com/darknet-markets-generate-millions-in-revenue-selling-stolen-personal-data-supply-chain-study-finds-193506">large market for personal data</a>, which fuels <a href="https://www.nytimes.com/2023/03/20/opinion/tiktok-ban-big-tech-china.html">calls for stronger data privacy rules</a>.</p>
<h2>Are you at risk?</h2>
<p>So as an average user, should you worry? Again, it is unclear what data ByteDance is collecting and if it can harm an individual. I believe the most significant risks are to people in power, whether it is political power or within a company. Their data and information could be used to gain access to other data or potentially compromise the organizations they are associated with.</p>
<p>The aspect of TikTok I find most concerning is the algorithm that decides what videos users see and how it can affect vulnerable groups, <a href="https://theconversation.com/facebooks-own-internal-documents-offer-a-blueprint-for-making-social-media-safer-for-teens-169080">particularly young people</a>. Independent of a ban, families should have conversations about TikTok and other social media platforms and how they can be <a href="https://theconversation.com/6-ways-to-protect-your-mental-health-from-social-medias-dangers-117651">detrimental to mental health</a>. These conversations should focus on how to determine if the app is leading you down an unhealthy path.</p>
<p><em>This is an updated version of an article originally published on March 23, 2023, and updated on May 18, 2023.</em></p>
<p class="fine-print"><em><span>Doug Jacobson does not work for, consult, own shares in or receive funding from any company or organization that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
What data privacy risk does TikTok pose, and what could the Chinese government do with data it collects? And is it even possible to ban an app?
Doug Jacobson, Professor of Electrical and Computer Engineering, Iowa State University
Licensed as Creative Commons – attribution, no derivatives.
tag:theconversation.com,2011:article/197393
2023-01-18T13:38:56Z
2023-01-18T13:38:56Z
Dozens of US schools, universities move to ban TikTok
<figure><img src="https://images.theconversation.com/files/504510/original/file-20230113-14-datjvf.jpg?ixlib=rb-1.1.0&rect=0%2C6%2C4608%2C3442&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">The TikTok social media app has raised concerns about cybersecurity and online safety.</span> <span class="attribution"><a class="source" href="https://www.gettyimages.com/detail/news-photo/illustration-tiktok-a-short-video-platform-suqian-jiangsu-news-photo/1245918786">Future Publishing via Getty Images</a></span></figcaption></figure>
<p>A growing number of public schools and colleges in the U.S. are moving to ban TikTok – the popular Chinese-owned social media app that allows users to share short videos.</p>
<p>They are following the lead of the <a href="https://www.nbcnews.com/tech/tech-news/tiktok-ban-biden-government-college-state-federal-security-privacy-rcna63724">federal government</a> and <a href="https://news.yahoo.com/tiktok-bans-government-devices-raise-222316798.html">several states</a>, which are banishing the social media app because <a href="https://www.nbcnews.com/tech/students-question-tiktok-bans-public-universities-rcna62801">authorities believe foreign governments – specifically China – could use the app</a> to spy on Americans.</p>
<p>The app is created by ByteDance, which is based in China and has <a href="https://www.theguardian.com/technology/2022/nov/07/tiktoks-china-bytedance-data-concerns">ties to the Chinese government</a>. </p>
<p><a href="https://www.nbcnews.com/tech/students-question-tiktok-bans-public-universities-rcna62801">The University of Oklahoma, Auburn University in Alabama</a> and <a href="https://www.cnet.com/news/social-media/tiktok-also-banned-by-some-us-universities/">26 public universities and colleges in Georgia</a> have banned the app from campus Wi-Fi networks. <a href="https://www.bestcolleges.com/news/these-colleges-just-banned-tiktok/">Montana’s governor has asked</a> the state’s university system to ban it. </p>
<p>Some K-12 schools have also blocked the app. Public schools in Virginia’s <a href="https://www.fox5dc.com/news/stafford-county-public-schools-blocking-students-access-to-tiktok">Stafford, Prince William and Loudoun counties</a> have banned TikTok on school-issued devices and schools’ Wi-Fi networks. Louisiana’s state superintendent of education recommended that <a href="https://www.wdsu.com/article/louisiana-superintendent-education-tik-tok-ban/42393440">schools in the state remove the app from public devices</a> and <a href="https://www.edweek.org/technology/should-schools-ban-tiktok-louisiana-ed-chief-urges-districts-to-do-it/2023/01#:%7E:text=He%20implored%20districts%20to%20delete,laptops%2C%20a%20department%20spokesman%20added.">block it</a> on school-issued devices. </p>
<p>As a <a href="https://scholar.google.com/citations?user=g-jALEoAAAAJ&hl=en&oi=ao">researcher</a> who specializes in <a href="https://doi.org/10.1080/1097198X.2019.1603527">cybersecurity</a>, I don’t believe these schools are overreacting. TikTok captures user data in a way that is <a href="https://www.theguardian.com/technology/2022/jul/19/tiktok-has-been-accused-of-aggressive-data-harvesting-is-your-information-at-risk">more aggressive than other apps</a>.</p>
<p>The version of TikTok that is raising all these concerns is not available in China itself. In an effort to protect Chinese students from the harmful effects of social media, the Chinese Communist Party has issued a rule that limits the time students can spend on TikTok to <a href="https://www.voanews.com/a/fbi-says-it-has-national-security-concerns-about-tiktok/6836340.html">40 minutes a day</a>. And they can view only <a href="https://www.voanews.com/a/fbi-says-it-has-national-security-concerns-about-tiktok/6836340.html">videos with a patriotic theme or educational content</a> such as science experiments and museum exhibits.</p>
<h2>Aggressive tactics to capture and harvest user data</h2>
<p>All <a href="https://www.wdsu.com/article/louisiana-superintendent-education-tik-tok-ban/42393440">major social media platforms</a> <a href="https://www.pewresearch.org/internet/2019/11/15/americans-and-privacy-concerned-confused-and-feeling-lack-of-control-over-their-personal-information/">raise privacy concerns and include security risks</a> for users.</p>
<p>But TikTok does more than the rest. Its default privacy settings allow the app to collect much more information than the app needs to actually function. </p>
<p>Every hour, the app accesses users’ <a href="https://www.theguardian.com/technology/2022/jul/19/tiktok-has-been-accused-of-aggressive-data-harvesting-is-your-information-at-risk">contact lists and calendars</a>. It also <a href="https://www.theguardian.com/technology/2022/jul/19/tiktok-has-been-accused-of-aggressive-data-harvesting-is-your-information-at-risk">collects the location of devices</a> used to access the service and can scan hard drives attached to any of those devices. </p>
<p>If a user changes privacy settings to avoid that scrutiny, the app <a href="https://www.theguardian.com/technology/2022/jul/19/tiktok-has-been-accused-of-aggressive-data-harvesting-is-your-information-at-risk">persistently asks for that permission to be restored</a>. Other social networking apps, like Facebook, don’t ask users to revise their privacy settings if they lock down their information.</p>
<p>How TikTok handles the data it collects from users also raises concerns. Ireland’s data protection regulator, for instance, is <a href="https://www.politico.eu/article/eu-leaders-fire-warning-shots-at-tiktok-over-privacy/">investigating possible illegal transfers</a> of European citizens’ data to Chinese servers and potential violations of rules protecting children’s privacy.</p>
<h2>Cybersecurity vulnerabilities</h2>
<p>As <a href="https://businessplus.ie/tech/social-media-lost-user-data/">with other social media services</a>, researchers have found <a href="https://research.checkpoint.com/2020/tik-or-tok-is-tiktok-secure-enough/">serious vulnerabilities</a> with TikTok.</p>
<p>In 2020, cybersecurity company Check Point found that it could send users messages that looked as if they came from TikTok but actually contained malicious links. When users clicked on those links, <a href="https://futurism.com/major-security-flaws-tiktok">Check Point’s researchers could seize control of their TikTok accounts</a>, get access to private information, delete existing content and even post new material under that user’s account.</p>
<p>Hackers have also taken advantage of <a href="https://www.theregister.com/2022/11/29/tiktok_invisible_challenge_malware/">viral TikTok trends to distribute malicious software</a> that creates additional cybersecurity problems. For instance, a trend called the “Invisible Challenge” encouraged users to use a TikTok filter called “Invisible Body” to film themselves naked – assuring users their followers would only see a blurry image, not anything revealing. </p>
<p>Cybercriminals created TikTok videos that claimed they had made software that would reveal users’ nude bodies by reversing the body-masking filter. But the software they encouraged users to download actually just stole people’s <a href="https://www.bleepingcomputer.com/news/security/tiktok-invisible-body-challenge-exploited-to-push-malware/">social media, credit card and cryptocurrency credentials</a> from elsewhere on their phones, as well as files from victims’ computers.</p>
<h2>National security concerns</h2>
<p>Many U.S. lawmakers have objected to <a href="https://www.npr.org/2022/12/22/1144745813/why-the-proposed-tiktok-ban-is-more-about-politics-than-privacy-according-to-exp">the app’s location tracking services</a>, saying it could allow the Chinese government to monitor <a href="https://www.newsweek.com/tiktok-security-concerns-explained-republican-led-states-look-ban-it-1765790">the movements and locations of U.S. citizens</a> – including members of the military or government officials.</p>
<p>If the Chinese government wants information about the <a href="https://www.statista.com/statistics/1100836/number-of-us-tiktok-users/">more than 90 million TikTok users</a>, it does not need to hack anything.</p>
<p>That’s because China’s <a href="https://www.cnbc.com/2019/03/05/huawei-would-have-to-give-data-to-china-government-if-asked-experts.html">2017 National Intelligence Law</a> <a href="https://usa.kaspersky.com/resource-center/preemptive-safety/is-tiktok-safe">requires Chinese companies</a> to <a href="https://www.theguardian.com/technology/2022/jul/19/tiktok-has-been-accused-of-aggressive-data-harvesting-is-your-information-at-risk">share any data they collect if the government asks</a>.</p>
<p>Technology industry observers have also raised concerns that ByteDance, the company that makes TikTok, may be <a href="https://www.newsweek.com/tiktok-owned-controlled-china-communist-party-ccp-influence-1752415">partially owned by the Chinese government</a>.</p>
<p>These problems take on even more importance in the context of the Chinese government’s alleged efforts to build a <a href="https://www.infosecurity-magazine.com/news/chinas-mss-linked-to-marriott/">huge “data lake” of information about all Americans</a>. China has been linked to several large-scale cyberattacks targeting federal employees and U.S. consumers. These attacks include the <a href="https://edition.cnn.com/2017/08/24/politics/fbi-arrests-chinese-national-in-opm-data-breach/index.html">2015 hack of the U.S. Office of Personnel Management</a>, 2017 attacks on the <a href="https://www.csoonline.com/article/3444488/equifax-data-breach-faq-what-happened-who-was-affected-what-was-the-impact.html">consumer credit reporting agency Equifax</a> and the 2018 attack on hotel group <a href="https://www.infosecurity-magazine.com/news/chinas-mss-linked-to-marriott/">Marriott International</a>. </p>
<h2>Negative effects outweighing positive ones?</h2>
<p><a href="https://www.edweek.org/technology/tiktok-gas-twitter-how-social-media-is-influencing-education/2022/12">Teachers and school administrators have used TikTok</a> in some interesting, and useful, ways – such as connecting with students, building relationships, teaching about the risks of social media and delivering small, quick lessons.</p>
<p>But it is not clear whether those positive effects counterbalance the potential and actual harm. In addition to general concerns about <a href="https://doi.org/10.1177/0894439316660340">the possible risks of social media addictions</a>, some school officials say increased TikTok use has <a href="https://www.fox5dc.com/news/stafford-county-public-schools-blocking-students-access-to-tiktok">distracted students from paying attention</a> to teachers.</p>
<p>Also, the app’s algorithm for recommending videos to watch next has increased students’ risk of <a href="https://www.cnn.com/2022/12/15/tech/tiktok-teens-study-trnd/index.html">suicide and eating disorders</a>. The “One Chip Challenge,” which asks TikTok users to eat a single chip containing <a href="https://shop.paqui.com/products/one-chip-challenge">two of the world’s spiciest chili peppers</a>, sent <a href="https://medicalxpress.com/news/2022-10-tiktok-trend-kids-home-sick.html">some students to the hospital</a> and made others sick.</p>
<p>TikTok videos have also led students to <a href="https://www.krgv.com/news/students-destroy-steal-school-property-for-viral-tiktok-challenge/">engage in vandalism</a>. In response to one viral challenge, some students <a href="https://www.cbsnews.com/losangeles/news/viral-trend-on-tiktok-encourages-students-to-damage-school-property-steal/">stole bathroom sinks and soap dispensers</a> from schools. </p>
<p>With all that potential for harm and damage, it’s not surprising school officials are considering a ban on TikTok.</p>
<p class="fine-print"><em><span>Nir Kshetri does not work for, consult, own shares in or receive funding from any company or organization that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
School officials are becoming increasingly wary of TikTok amid concerns that the app poses a risk to student safety and privacy and makes the nation vulnerable to spies.
Nir Kshetri, Professor of Management, University of North Carolina – Greensboro
Licensed as Creative Commons – attribution, no derivatives.
tag:theconversation.com,2011:article/191258
2022-09-23T07:27:38Z
2022-09-23T07:27:38Z
How not to tell customers their data is at risk: the Optus approach
<p>Optus fears data on up to 9.8 million of its customers has been accessed in a <a href="https://www.optus.com.au/about/media-centre/media-releases/2022/09/optus-notifies-customers-of-cyberattack">sophisticated cyberattack</a> – including, for some customers, passport and driver’s licence details, as well as phone numbers, dates of birth and email addresses.</p>
<p>It made the announcement through the media, in the middle of Thursday’s national day of mourning public holiday, and during the four-day long weekend in Melbourne in the lead-up to the AFL grand final.</p>
<p>At first, it didn’t text or email its customers. Instead, it issued a <a href="https://www.optus.com.au/about/media-centre/media-releases/2022/09/optus-notifies-customers-of-cyberattack">press release</a> in the belief this was </p>
<blockquote>
<p>the quickest and most effective way to alert as many current and former customers as possible, so they could be vigilant and monitor for any suspicious activity.</p>
</blockquote>
<p>Trust in the media is at an all-time low. Communications authority Edelman reports that globally, only <a href="https://www.edelman.com/sites/g/files/aatuss191/files/2022-01/2022%20Edelman%20Trust%20Barometer%20FINAL_Jan25.pdf">50%</a> of people trust the media, down from 62% a decade ago. Far more people (61%) trust businesses.</p>
<h2>Tweets rather than texts</h2>
<p>It has been <a href="https://studycorgi.com/the-role-of-integrated-marketing-communications-campaign/">conventional wisdom</a> that brands should take an integrated approach to marketing communications. Many channels are better than one, increasingly so as audiences for traditional channels continue to fragment.</p>
<p>An integrated marketing approach need not mean communicating through every available channel, but it should mean strategically selecting channels that are trusted and consumed by the brand’s customers.</p>
<p>One of the best channels Optus has is its own phone network, and it is experienced in using it to contact its customers. </p>
<p>Customers are likely to expect this where Optus has something important to say, and they are likely to trust a direct message from Optus more than one filtered through the media. </p>
<p>They are even likely to spread it via word of mouth through friends who also use Optus, giving the company a continuing role in shaping the message. </p>
<p>Instead, Optus backed up its press release with tweets.</p>
<p>[Embedded tweet 1572949683332583428]</p>
<p>Optus has around 5.8 million active users, around 21% of the Australian population. They are a cross-section of the population, having little in common other than the fact they use Optus for communications. </p>
<p>Some of Optus’ customers, especially those in Gen Z, might not use traditional news media. They wouldn’t have received the message through that channel. </p>
<p>Former customers dating back to 2017 are also likely to be affected by the breach, taking the total affected to around <a href="https://www.smh.com.au/technology/sophisticated-attack-optus-hackers-used-european-addresses-could-be-state-linked-20220923-p5bkfn.html">9.8 million</a>, about one third of the population.</p>
<p>Twitter is used by only about <a href="https://www.genroe.com/blog/social-media-statistics-australia/13492">18%</a> of the population, and the overlap with Optus customers might not be large.</p>
<p>[Embedded tweet 1573136010904363008]</p>
<h2>What can brands learn from Optus?</h2>
<p>As marketing and branding experts, we’ve distilled three lessons, each well known before the data breach.</p>
<ol>
<li><p>When you have news affecting your customers, tell them before anyone else, in a personalised, one-to-one approach.</p></li>
<li><p>Use channels that are trusted and consumed by your customers.</p></li>
<li><p>Encourage word of mouth through your relationships with your brand community and loyal customers.</p></li>
</ol>
<p class="fine-print"><em><span>Nicholas used to work for Edelman. </span></em></p><p class="fine-print"><em><span>Edwina Luck does not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
Optus used press releases and Twitter when it could have contacted its customers by text.
Edwina Luck, Senior Lecturer QUT Business School, Advertising, Marketing and Public Relations, Queensland University of Technology
Nicholas Grech, Sessional Academic and PhD Candidate, Queensland University of Technology
Licensed as Creative Commons – attribution, no derivatives.
tag:theconversation.com,2011:article/188954
2022-08-22T16:00:13Z
2022-08-22T16:00:13Z
‘Liberate the tractors’: the right to repair movement that’s regaining control of our devices
<figure><img src="https://images.theconversation.com/files/480316/original/file-20220822-71718-67fm5m.jpeg?ixlib=rb-1.1.0&rect=206%2C4%2C2788%2C1913&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">A software 'jailbreak' gave US farmers the power to repair their vehicles.</span> <span class="attribution"><a class="source" href="https://www.shutterstock.com/image-photo/john-deere-tractor-disc-cultivator-vaderstad-2042555513">Maksim Safaniuk/Shutterstock</a></span></figcaption></figure>
<p>The software that runs John Deere tractors was successfully “<a href="https://www.kaspersky.com/resource-center/definitions/what-is-jailbreaking">jailbroken</a>” at this year’s <a href="https://defcon.org/">DEF CON</a> hacker convention, enabling farmers to repair or retune their equipment without engaging with the company that sold them their vehicles. </p>
<p>The hacker involved, who calls himself Sick Codes, was responding directly to US farmers’ <a href="https://www.bloomberg.com/news/features/2020-03-05/farmers-fight-john-deere-over-who-gets-to-fix-an-800-000-tractor">long-standing concerns</a> that their “smart” tractors are run on software that only John Deere can access to repair. Smart tractors, including those manufactured by John Deere, are also <a href="https://aea.uk.com/industry-insight/tractor-statistics/">widely used</a> in the UK. </p>
<p>Sick Codes’ jailbreak was undertaken to “<a href="https://www.wired.com/story/john-deere-tractor-jailbreak-defcon-2022/">liberate the tractors</a>”, he said. John Deere responded in a <a href="https://www.wired.com/story/john-deere-tractor-jailbreak-defcon-2022/">statement to Wired magazine</a> that it works closely with cybersecurity partners and also “embraces the broader ethical hacking community” to ensure its security capabilities remain industry-leading. In March 2022, the manufacturer responded to pressure from farmers with the <a href="https://www.deere.com/en/news/all-news/john-deere-expands-access-to-self-repair-resources/">announcement</a> that it would make more of its software repair tools available to customers and mechanics from next year. </p>
<p>The smart tractor is just one of thousands of machines and devices that have come to feature an <a href="https://www.verdict.co.uk/what-is-the-internet-of-things/">additional layer</a> of software on top of their traditional functions. By maintaining control over that software, manufacturers are afforded power over our devices long after the moment we purchase them.</p>
<p>Hacking tractor software is the latest example of the fightback against this power, called the “<a href="https://www.nytimes.com/2020/10/23/climate/right-to-repair.html">right to repair</a>” movement. Motivated by consumer rights and environmental concerns, it’s a movement that’s gathering pace worldwide. But our research shows the power remains firmly in manufacturers’ hands – for now.</p>
<h2>Consumer exploitation</h2>
<p>Owners of smart or “Internet of Things” (IoT) devices – from smartphones to internet-connected <a href="https://www.rollingstone.com/product-recommendations/lifestyle/best-smart-coffee-maker-machine-1027282/">coffee makers</a> – may have experienced similar frustrations to the owners of John Deere tractors. </p>
<p>To encourage customers to purchase their latest device, some tech firms effectively shut down older models by withdrawing the digital support services that keep them up and running. Sonos, the smart speaker company, was <a href="https://www.theregister.com/2020/01/24/sonos_support_legacy_speakers/">forced to backtrack</a> in 2020 after criticism of its plans to <a href="https://edition.cnn.com/cnn-underscored/electronics/sonos-legacy-speakers-guide">phase out</a> its older speakers in this way. In an open letter addressing customers’ outrage, Sonos CEO Patrick Spence admitted that “we did not get this right from the start”.</p>
<p>Additional layers of software also allow manufacturers to control their customers’ access to features built into their products. For instance, BMW now requires new customers to purchase a subscription to use the <a href="https://www.theverge.com/2022/7/12/23204950/bmw-subscriptions-microtransactions-heated-seats-feature">heated seats</a> installed in the vehicles they own.</p>
<p>Many smart devices are purposefully designed to have short lives and to be quickly usurped by newer models, a manufacturing strategy termed <a href="https://durabilitymatters.com/planned-obsolescence/">planned obsolescence</a>. Other practices, such as adjusting a smartphone’s battery performance via its operating system, have led to accusations of deliberate <a href="https://www.techrepublic.com/article/how-to-turn-off-battery-throttling-on-your-iphone/">battery throttling</a> by manufacturers to increase sales.</p>
<figure>
<iframe width="440" height="260" src="https://www.youtube.com/embed/7aYJPonRJd8?wmode=transparent&start=0" frameborder="0" allowfullscreen=""></iframe>
</figure>
<p>Manufacturers argue that their control over internet-connected products is necessary to protect consumers from cybersecurity threats. But that control sometimes seems to exploit their customers. It’s also a key factor in the increase in the number of devices going to landfill as electronic waste, or <a href="https://globalewaste.org/what-is-e-waste/">e-waste</a>, and the extraction of more and more of the <a href="https://www.salon.com/2022/05/11/rare-earth-metal-ewaste-mining/">planet’s precious resources</a>. </p>
<p>In 2019 alone, the world generated 53.6 million tons of e-waste, a figure which is expected to grow to <a href="https://www.itu.int/en/ITU-D/Environment/Documents/Toolbox/GEM_2020_def.pdf">74.7 million tons by 2030</a>. Across Europe, less than <a href="https://ec.europa.eu/eurostat/databrowser/view/T2020_RT130/bookmark/table?lang=en&bookmarkid=a69be825-957e-473c-a81f-f02866dc9141">40% of e-waste</a> is subject to <a href="https://eprints.lancs.ac.uk/id/eprint/131084/1/Stead_Coulton_Lindley_Coulton._2019._The_Little_Book_of_Sustainability_for_the_Internet_of_Things.pdf">sustainable recovery</a> such as material recycling and reusable component harvesting. </p>
<p>By 2030, it is estimated there will be more than <a href="https://www.statista.com/statistics/1194701/iot-connected-devices-use-case/">25 billion</a> active smart devices worldwide. Many of these will be destined for landfill within a few short years if current manufacturing practices persist.</p>
<h2>The right to repair</h2>
<p>To address these issues, campaign groups like <a href="https://repair.eu/">Repair.EU</a>, <a href="https://www.repair.org/">Repair.org</a> and <a href="https://therestartproject.org/">The Restart Project</a> have successfully lobbied governments to introduce “<a href="https://www.which.co.uk/news/2021/06/new-right-to-repair-laws-introduced-what-do-they-actually-mean-for-you/">right to repair</a>” legislation for electronic products. These laws were first announced at the <a href="https://ec.europa.eu/environment/circular-economy/pdf%2520/new_circular_economy_action_plan.pdf">EU level</a> in 2020 and came into effect across the <a href="https://researchbriefings.files.parliament.uk/documents/CBP-9302/CBP-9302.pdf">UK</a> in the summer of 2021. </p>
<p>On the surface, the legislation seemingly tilts the balance of power into the hands of consumers. The law encourages manufacturers to be more sustainable by designing their electronic products to be easier to repair. It also compels them to supply spare parts for ten years after their products’ initial production.</p>
<p>Yet the reality is that manufacturers still retain the controlling stake. The current right to repair only extends to a <a href="https://www.which.co.uk/news/2021/06/new-right-to-repair-laws-introduced-what-do-they-actually-mean-for-you/">limited number of products</a>, such as washing machines, dishwashers and refrigerators. It does not include smart IoT devices, despite the growing volume of IoT e-waste.</p>
<h2>Power to the people?</h2>
<p>Appearing to support the right to repair, Apple initiated a product repair programme in 2022. But the firm loans its repair equipment to customers at a high cost and continues to promote <a href="https://www.youtube.com/watch?v=fz2R7-zTdKk">serialisation</a>, whereby only approved, expensive components can be used for repairs. The repair equipment itself has also been <a href="https://www.theverge.com/2022/5/21/23079058/apple-self-service-iphone-repair-kit-hands-on">criticised</a> for being cumbersome and difficult to use.</p>
<figure>
<iframe width="440" height="260" src="https://www.youtube.com/embed/0NCjoUx-KLI?wmode=transparent&start=0" frameborder="0" allowfullscreen=""></iframe>
</figure>
<p>In a setback for right to repair activists, the UK government decided in June 2022 <a href="https://www.bbc.co.uk/news/technology-61720276">not to follow Europe</a> and sign up to a common standard for the design of USB ports, which aims to reduce the tangle of different wires we all own. That decision will only bolster the lack of <a href="https://www.techtarget.com/searchapparchitecture/definition/interoperability">interoperability</a> we experience between different devices and will hinder our ability to reduce IoT e-waste in the coming years.</p>
<p>Most importantly, our research has revealed that the general population lacks the capacity to repair their devices – in part because the tools to do so have been withheld from them for so long.</p>
<h2>Community repair shops</h2>
<p>To address this critical issue, we started <a href="https://twitter.com/RepairShop2049">The Repair Shop 2049</a> project to investigate how ordinary people could learn to repair their own devices. With this research, we have sought to challenge the status quo of manufacturer control by developing an open, citizen-led IoT repair centre in Blackburn, UK.</p>
<p>Collaborating closely with <a href="https://www.makingrooms.org/">The Making Rooms</a>, Blackburn’s public makerspace and creative hub for digital innovation, our work is seeking to empower ordinary citizens with the knowledge, tools and confidence to repair and reuse IoT devices within their communities.</p>
<figure>
<iframe width="440" height="260" src="https://www.youtube.com/embed/WPMPtilRX5c?wmode=transparent&start=0" frameborder="0" allowfullscreen=""></iframe>
</figure>
<p>Our project involves makers, repairers, council leaders, consumers and manufacturing representatives. Our workshops have so far revealed a number of barriers: chiefly, a lack of public awareness of the right to repair, a shortage of practical expertise, and the friction generated by manufacturers’ presiding grip on device repair. However, there is also a deep enthusiasm for the project’s vision among the Blackburn community.</p>
<p>The upcoming <a href="https://www.lancaster.ac.uk/news/fixing-the-future-the-right-to-repair-and-equal-iot">Fixing the Future</a> project will allow us to continue exploring local IoT repair initiatives alongside The Making Rooms, our research colleagues from Edinburgh, Nottingham, and Napier universities, and our new partners at Which? and <a href="https://www.bbc.co.uk/rd">BBC R&D</a>.</p>
<p>Whether liberating tractors or granting consumers the ability to fix their phones, the right to repair movement aims to hand power back to the owners of devices. But by aligning with <a href="https://www.eea.europa.eu/publications/europe2019s-consumption-in-a-circular/benefits-of-longer-lasting-electronics">circular economy</a> principles, the movement can also help communities reduce e-waste and contribute towards a sustainable, <a href="https://cop25.mma.gob.cl/en/climate-ambition-alliance/">net-zero future</a>.</p>
<p class="fine-print"><em><span>Michael Stead receives funding for The Repair Shop 2049 project from the EPSRC ESRC Impact Accelerator Digital Futures scheme at Lancaster University.</span></em></p>
<p class="fine-print"><em><span>Paul Coulton receives funding from EPSRC for project Experiencing the Future Mundane and Fixing the Future.</span></em></p>
<p>From tractors to smartphones, consumers may own their devices but the manufacturers still often hold the keys.</p>
<p class="fine-print">Michael Stead, Lecturer in Sustainable Design Futures, Lancaster University; Paul Coulton, Senior Lecturer in Design, Lancaster University. Licensed as Creative Commons – attribution, no derivatives.</p>
<h1>Before paying a ransom, hacked companies should consider their ethics and values</h1>
<p class="fine-print">Published 2022-08-17.</p>
<figure><img src="https://images.theconversation.com/files/479427/original/file-20220816-1877-maolbq.jpg?ixlib=rb-1.1.0&rect=0%2C0%2C7360%2C4902&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">Ransomware attacks are increasing in frequency.</span> <span class="attribution"><span class="source">(Shutterstock)</span></span></figcaption></figure>
<p>The recent cyberattacks in August on <a href="https://www.itworldcanada.com/article/canadian-recreational-vehicle-maker-brp-ontario-cannabis-store-dealing-with-cyber-attacks/497252">Bombardier Recreational Products and the Ontario Cannabis Store</a> highlight the continuing scourge of cyber criminals and ransomware. </p>
<p>Ransomware is a piece of malware (malicious software) that gets into an information system and blocks access to the computer or its files until the victim pays to obtain a key, or password. Ransomware is a term that did not enter the popular lexicon until about 10 years ago <a href="https://www.washingtontimes.com/news/2018/jan/31/ransomware-added-to-oxford-english-dictionary-in-l/">(and it was added to the Oxford English Dictionary in 2018)</a>.</p>
<p>It has now evolved, and in 2021, <a href="https://www.hsgac.senate.gov/imo/media/doc/HSGAC%20Majority%20Cryptocurrency%20Ransomware%20Report.pdf">there were 3,729 ransomware complaints registered, with losses of US$49.2 million in designated critical infrastructures alone</a>. The average ransomware payment climbed 82 per cent to hit a record US$570,000 in the first half of 2021.</p>
<p>And it’s only going to get worse. The FBI’s <a href="https://www.ic3.gov/">Internet Crime Complaint Centre</a> reported 2,084 ransomware complaints from January to July 31, 2021 – a 62% year-over-year increase.</p>
<p>For any organization, cyberattacks are not a matter of “if,” but “when”: A cyberattack is inevitable. This forces leaders to ask: Do we pay the ransom or not?</p>
<p>Roughly <a href="https://blog.knowbe4.com/ransomware-predicted-to-cost-20-billion-in-damages-globally-by-2021">half of all organizations opt to pay ransom</a>. But that also means that roughly half do not. What makes this an especially wicked problem is that there is no correct answer or clear structure. So the question becomes: Under what conditions should a ransom be paid? And what factors can help leaders make this decision?</p>
<h2>Blocking access</h2>
<p>There are four core actions that ransomware can execute, embodied in the acronym LEDS: Lock, Encrypt, Delete or Steal. Ransomware can lock, or prevent access to data or an information system, requiring a key to unlock. Similarly, it can allow access, but the data are gibberish as they have been encrypted in place, again requiring a decryption key to make legible. Data can be deleted in place (erased) or sold to the highest bidder. </p>
<figure class="align-center zoomable">
<a href="https://images.theconversation.com/files/479679/original/file-20220817-8075-c9vamm.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="computer screen with the words SYSTEM HACKED displayed" src="https://images.theconversation.com/files/479679/original/file-20220817-8075-c9vamm.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/479679/original/file-20220817-8075-c9vamm.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=413&fit=crop&dpr=1 600w, https://images.theconversation.com/files/479679/original/file-20220817-8075-c9vamm.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=413&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/479679/original/file-20220817-8075-c9vamm.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=413&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/479679/original/file-20220817-8075-c9vamm.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=519&fit=crop&dpr=1 754w, https://images.theconversation.com/files/479679/original/file-20220817-8075-c9vamm.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=519&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/479679/original/file-20220817-8075-c9vamm.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=519&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">Ransomware removes or prevents access to companies’ data.</span>
<span class="attribution"><span class="source">(Shutterstock)</span></span>
</figcaption>
</figure>
<p>What makes today’s ransomware attacks especially harmful and insidious is that they often deploy more than one of these effects.</p>
<p>Once malware is embedded in an organization’s system, <a href="https://www.zdnet.com/article/ransomware-an-executive-guide-to-one-of-the-biggest-menaces-on-the-web/">the criminals contact the victim</a>, usually through an anonymous email, or through the malware itself (pop-up window) demanding immediate payment of a ransom in cryptocurrency, and typically threatening further harm. </p>
<p>Paying the ransom may lead to a decryption key being provided, which, when entered in the pop-up window, immediately unlocks the system and anything that has been encrypted.</p>
<h2>Considerations before payment</h2>
<p>There are two dimensions to be considered when deciding to pay a ransom: the business decision and the ethical one.</p>
<p>Law enforcement authorities, including <a href="https://www.fbi.gov/scams-and-safety/common-scams-and-crimes/ransomware">the FBI</a> and <a href="https://www.rcmp-grc.gc.ca/en/prevent-ransomware">the RCMP</a>, adamantly advise against paying ransom, ever. They do so for two good reasons: first, it rewards and encourages criminal activity. Second, it may further endanger the organization when it becomes known in hacker circles that this is an organization willing to pay. </p>
<p>In other words, it may not make the crime go away and may make you even more of a target.</p>
<p>If the criminals are not a known terrorist organization, then payment of a ransom is not a crime. This might change, as some countries, notably the United States, are proposing enactment of Sanctions Compliance Laws criminalizing all cyber-ransom payments. It might be difficult to attribute the attack, which is why the hackers often identify themselves to their victims. </p>
<h2>An honest crime</h2>
<p>There is a compelling business case to be made for paying a ransom demand. The crime works because, if you will, it is an honest one. That is, <a href="https://www.proofpoint.com/us/resources/threat-reports/state-of-phish">70 per cent of the time</a>, paying a ransom will result in a valid decryption key being provided. </p>
<p>This makes sense. For criminals to profit from this endeavor, they must show good faith and deliver on their promise.</p>
<p>Criminals also know this. Targeted campaigns see attackers spending on average nearly six months inside a company’s network before enacting ransom malware. They do so to ensure that their malware has infected as many systems as possible, including backups; to identify and extract the items of greatest value; to ensure they do not leave traces; and to garner any business intelligence (such as incident response plans or insurance policies). This allows them to determine the maximum amount of ransom to demand.</p>
<figure class="align-center zoomable">
<a href="https://images.theconversation.com/files/479680/original/file-20220817-8144-f4spzz.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="padlocks represented digitally, all are blue with the exception of a red one which is broken open" src="https://images.theconversation.com/files/479680/original/file-20220817-8144-f4spzz.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/479680/original/file-20220817-8144-f4spzz.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=400&fit=crop&dpr=1 600w, https://images.theconversation.com/files/479680/original/file-20220817-8144-f4spzz.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=400&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/479680/original/file-20220817-8144-f4spzz.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=400&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/479680/original/file-20220817-8144-f4spzz.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=503&fit=crop&dpr=1 754w, https://images.theconversation.com/files/479680/original/file-20220817-8144-f4spzz.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=503&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/479680/original/file-20220817-8144-f4spzz.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=503&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">For ransomware to be a lucrative endeavor for criminals, they have to release the data once they have received payment.</span>
<span class="attribution"><span class="source">(Shutterstock)</span></span>
</figcaption>
</figure>
<p>This is the essence of the business case decision. Suppose, for example, that the cost of a ransom event is estimated to be $500,000 (based on the size of the database, time to recover, data validation upon recovery and other expenses). A ransom demand of $250,000 is clearly a better alternative because it is not only cheaper, but faster than the alternative. </p>
<p>Organizations can calculate the cost of various incidents and determine, in principle, their willingness to pay for each possible ransom scenario. This leads to the development of what is referred to as a ransomware payment matrix for the organization.</p>
<h2>Moral dimensions</h2>
<p>However, there is also a moral, or ethical dimension to this decision. Payments to criminals might not be consistent with the organization’s core values, culture or code of ethics. Even if they are, this might not sit well with the company’s employees, clients and other stakeholders. </p>
<p>There are many frameworks and theories dealing with ethics in the workplace, and leaders need to avail themselves of one or more. This will help them make a decision regarding paying a ransom because, while it may make great business sense to pay a ransom, it may not be the right thing to do for the organization. </p>
<p>Instead, the organization may choose to invest funds that would otherwise go to ransom payments into training, cyber-protection and upgrading and patching systems.</p>
<p>Whatever the decision, it is critical to explore all options well before any cyberattacks occur. This includes holding discussions with employees, customers and other stakeholders. It also includes insurers (who are increasingly loath to insure against ransomware events) and law enforcement authorities.</p>
<p>Accepting the inevitability of a cyberattack and thoroughly exploring different scenarios will have the dual effect of not only preparing for the attack, but allowing for a more effective response when it occurs.</p>
<p class="fine-print"><em><span>Michael Parent does not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
<p>Cyberattacks demanding ransoms for the release of information are on the rise. To determine if they should pay, businesses need to think about how they would react in such a scenario.</p>
<p class="fine-print">Michael Parent, Professor, Management Information Systems, Simon Fraser University. Licensed as Creative Commons – attribution, no derivatives.</p>
<h1>Hackathons should be renamed to avoid negative connotations</h1>
<p class="fine-print">Published 2022-07-18.</p>
<figure><img src="https://images.theconversation.com/files/454623/original/file-20220328-17-16qfxa6.jpg?ixlib=rb-1.1.0&rect=0%2C0%2C4368%2C2909&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">In hackathons, people come together to build more extensive and cohesive datasets.</span> <span class="attribution"><span class="source">(Shutterstock)</span></span></figcaption></figure>
<p>Events where groups of people come together to create or improve software using large data sets are usually called hackathons. As health data researchers who want to build and maintain public trust, we recommend the use of alternative terms, such as datathon and code fest.</p>
<p>Hackathon is a portmanteau that combines the words “hack” and “marathon.” The “hack” in hackathon is meant to refer to a clever and improvised way of doing something rather than unauthorized computer or data access. From a computer scientist’s perspective, “hackathon” probably sounds innovative, intensive and maybe a little disruptive, but in a helpful rather than criminal way. </p>
<p>The issue is that members of the public do not interpret “hack” the way that computer scientists do. </p>
<p>Our team, and many others, have performed research studies to understand the public’s interests and concerns when health data are used for research and innovation. In all of these studies, we are not aware of any positive references to “hack” or related terms. But studies from <a href="https://doi.org/10.9778/cmajo.20180099">Canada</a>, <a href="https://www.arc-gm.nihr.ac.uk/media/Resources/ARC/Digital%20Health/Citizen%20Juries/New%2012621_NIHR_Juries_Report_WEB.pdf">the United Kingdom</a> and <a href="https://doi.org/10.1111/hex.13268">Australia</a> have all found that members of the public consistently raise hacking as a major concern for health data.</p>
<h2>Fear of hacking</h2>
<p>It is not hard to figure out where negative associations with the word “hack” come from. There is a regular stream of news headlines, like: “<a href="https://www.nytimes.com/2021/11/12/world/canada/newfoundland-cyberattack.html">As Hackers Take Down Newfoundland’s Health-Care System, Silence Descends</a>”; “<a href="https://www.theglobeandmail.com/business/international-business/us-business/article-t-mobile-says-hackers-accessed-personal-data-of-another-53-million/">T-Mobile Says Hackers Accessed Personal Data of an Additional 5.3 Million Customers</a>”; and “<a href="https://www.wired.com/story/vastaamo-psychotherapy-patients-hack-data-breach/">They Told Their Therapists Everything. Hackers Leaked It All</a>.”</p>
<p>Taking the research studies and news headlines together, there are strong reasons to think that the term hackathon will be perceived as negative to members of the public. Based on the common use and understanding of hacking, the term hackathon could even be perceived as threatening if it is misinterpreted as referring to an event where computer scientists do unauthorized things with data.</p>
<p>Language is important when talking about health data — it helps to create transparency and build trust around managing people’s information and privacy. As such, words must be chosen carefully, and should be guided by the preferences and concerns of the people whose data are being used for research and innovation.</p>
<h2>Alternatives to hackathon</h2>
<p>There are alternatives to the term hackathon, but they are used much less frequently. For example, a Google search conducted in July 2022 returned 58.7 million results for “hackathon” compared to 617,000 results for “datathon” and 54,700 results for “code fest.” There were more than 90 references to “hackathon” for every “datathon” reference that the Google search identified. </p>
<p>In the research literature there is a slightly higher frequency of alternative terms, but hackathon still dominates. For example, a July 2022 Google Scholar search identified 30 times more scholarly “hackathon” publications than there were “datathon” publications.</p>
<p>Widespread use of the term hackathon may be reinforced by software libraries and dictionaries that perpetuate outdated and harmful terminology. For example, in the current version of Microsoft Word, “hackathon” is a recognized word but “datathon” is flagged as a spelling mistake. </p>
<figure class="align-center zoomable">
<a href="https://images.theconversation.com/files/473754/original/file-20220713-16-i1b7wc.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="Justin Trudeau addresses a large group of university students in a tiered lecture hall" src="https://images.theconversation.com/files/473754/original/file-20220713-16-i1b7wc.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/473754/original/file-20220713-16-i1b7wc.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=401&fit=crop&dpr=1 600w, https://images.theconversation.com/files/473754/original/file-20220713-16-i1b7wc.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=401&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/473754/original/file-20220713-16-i1b7wc.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=401&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/473754/original/file-20220713-16-i1b7wc.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=503&fit=crop&dpr=1 754w, https://images.theconversation.com/files/473754/original/file-20220713-16-i1b7wc.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=503&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/473754/original/file-20220713-16-i1b7wc.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=503&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">Prime Minister Justin Trudeau speaks to students attending Hack The North, Canada’s largest hackathon, in Waterloo, Ont., on Sept. 15, 2017.</span>
<span class="attribution"><span class="source">THE CANADIAN PRESS/Hannah Yoon</span></span>
</figcaption>
</figure>
<h2>Trustworthy language</h2>
<p>We are not saying that hackathons are bad, just that the label most commonly used for them is problematic. And it’s not as though we lack alternatives to the term hackathon. Another way of looking at the Google search results is that the term datathon has been used hundreds of thousands of times, including by well-known organizations such as the <a href="https://op.europa.eu/en/web/eudatathon">EU Datathon</a>.</p>
<p>Given public concerns about hacking and data, we recommend that datathon and other alternatives to hackathon be used more often. Words matter, and using language like datathon can help organizations that hold or provide access to data show that they are attentive to the concerns of the people and communities that the data is about.</p>
<p class="fine-print"><em><span>P. Alison Paprica receives funding from the Canadian Institutes for Health Research (CIHR) and other provincial and federal Canadian research funders.</span></em></p>
<p class="fine-print"><em><span>Kimberlyn McGrail receives funding from the Canadian Institutes for Health Research and other funding agencies.</span></em></p>
<p class="fine-print"><em><span>Michael J. Schull receives funding from the Canadian Institutes for Health Research and the Ontario Ministry of Health.</span></em></p>
<p>“Hackathons” can imply breaching security and privacy. To more accurately reflect their creative and constructive intent, they can be referred to instead as “datathons” or “code fests.”</p>
<p class="fine-print">P. Alison Paprica, Professor (adjunct) and Senior Fellow, Institute for Health Policy, Management and Evaluation, Dalla Lana School of Public Health, University of Toronto; Kimberlyn McGrail, Professor of Health Services and Policy Research, University of British Columbia; Michael J. Schull, Professor, Department of Medicine, University of Toronto. Licensed as Creative Commons – attribution, no derivatives.</p>
<h1>There are systems ‘guarding’ your data in cyberspace – but who is guarding the guards?</h1>
<p class="fine-print">Published 2022-05-27.</p>
<figure><img src="https://images.theconversation.com/files/465616/original/file-20220527-12-tn6xzn.jpeg?ixlib=rb-1.1.0&rect=247%2C166%2C3587%2C1988&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="attribution"><span class="source">Shutterstock</span></span></figcaption></figure>
<p>We use internet-connected devices to access our bank accounts, keep our transport systems moving, communicate with our colleagues, listen to music, undertake commercially sensitive tasks – and order pizza. Digital security is integral to our lives, every day.</p>
<p>And as our IT systems become more complex, the potential for vulnerabilities increases. More and more organisations are being breached, leading to financial loss, interrupted supply chains and identity fraud. </p>
<p>The current best practice in secure technology architecture used by major businesses and organisations is a “zero trust” approach. In other words, no person or system is trusted and every interaction is verified through a central entity. </p>
<p>Unfortunately, absolute trust is then placed in the verification system being used. So breaching this system gives an attacker the keys to the kingdom. To address this issue, “decentralisation” is a new paradigm that removes any single point of vulnerability.</p>
<p>Our work investigates and develops the algorithms required to set up an effective decentralised verification system. We hope our efforts will help safeguard digital identities, and bolster the security of the verification processes so many of us rely on.</p>
<h2>Never trust, always verify</h2>
<p>A zero trust system implements verification at every possible step. Every user is verified, and every action they take is verified, too, before implementation.</p>
<p>Moving towards this approach is considered so important that US President Joe Biden made an <a href="https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/">executive order</a> last year requiring all US federal government organisations to adopt a zero trust architecture. Many commercial organisations are following suit. </p>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/zero-trust-security-assume-that-everyone-and-everything-on-the-internet-is-out-to-get-you-and-maybe-already-has-160969">Zero-trust security: Assume that everyone and everything on the internet is out to get you – and maybe already has</a>
</strong>
</em>
</p>
<hr>
<p>However, in a zero trust environment absolute faith is (counterintuitively) placed in the validation and verification system, which in most cases is an Identity and Access Management (IAM) system. This creates a single trusted entity which, if breached, gives unencumbered access to the entire organisation’s systems. </p>
<p>An attacker can use one user’s stolen credentials (such as a username and password) to impersonate that user and do anything they’re authorised to do – whether it’s opening doors, authorising certain payments, or copying sensitive data. </p>
<p>However, if an attacker gains access to the entire IAM system, they can do anything the system is capable of. For instance, they may grant themselves authority over the entire payroll. </p>
<p>In January, identity management company Okta was hacked. Okta is a single-sign-on service that allows a company’s employees to have one password for all the company’s systems (as large companies often use multiple systems, with each requiring different login credentials). </p>
<p>When Okta was hacked, large companies who use their services, including FedEx, were <a href="https://www.reuters.com/technology/authentication-services-firm-okta-says-it-is-investigating-report-breach-2022-03-22/">concerned</a> their accounts could be compromised. The attacker accessed some data, but <a href="https://www.okta.com/blog/2022/04/okta-concludes-its-investigation-into-the-january-2022-compromise/">did not</a> gain control over any accounts. </p>
<p>So long as IAM systems are a central point of authority over organisations, they will continue to be an attractive target for attackers. </p>
<h2>Decentralising trust</h2>
<p>In our latest work, we refined and validated algorithms that can be used to create a decentralised verification system, which would make hacking a lot more difficult. Our industry collaborator, <a href="https://tide.org/">TIDE</a>, has developed a prototype system using the validated algorithms.</p>
<p>Currently, when a user sets up an account on an IAM system, they choose a password which the system should encrypt and store for later use. But even in an encrypted form, stored passwords are attractive targets. And although multi-factor authentication is useful for confirming a user’s identity, it can be circumvented.</p>
<p>If passwords could be verified without having to be stored like this, attackers would no longer have a clear target. This is where decentralisation comes in. </p>
<p>Instead of placing trust in a single central entity, decentralisation places trust in the network as a whole, and this network can exist outside of the IAM system using it. The mathematical structure of the algorithms underpinning the decentralised authority ensures that no single node can act alone. </p>
<figure class="align-center zoomable">
<a href="https://images.theconversation.com/files/465614/original/file-20220527-16-qism61.jpeg?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="" src="https://images.theconversation.com/files/465614/original/file-20220527-16-qism61.jpeg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/465614/original/file-20220527-16-qism61.jpeg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=250&fit=crop&dpr=1 600w, https://images.theconversation.com/files/465614/original/file-20220527-16-qism61.jpeg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=250&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/465614/original/file-20220527-16-qism61.jpeg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=250&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/465614/original/file-20220527-16-qism61.jpeg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=314&fit=crop&dpr=1 754w, https://images.theconversation.com/files/465614/original/file-20220527-16-qism61.jpeg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=314&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/465614/original/file-20220527-16-qism61.jpeg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=314&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">Decentralisation (the same concept which underpins the blockchain) refers to a transference of authority within a system, from a central point of control, to several different entities.</span>
<span class="attribution"><span class="source">Shutterstock</span></span>
</figcaption>
</figure>
<p>Moreover, each node on the network can be operated by an independently operating organisation, such as a bank, telecommunications company or government department. So stealing a single secret would require hacking several independent nodes. </p>
<p>Even in the event of an IAM system breach, the attacker would only gain access to some user data – not the entire system. And to award themselves authority over the entire organisation, they would need to breach a combination of 14 independently operating nodes. This isn’t impossible, but it’s a lot harder.</p>
<p>But beautiful mathematics and verified algorithms still aren’t enough to make a usable system. There’s more work to be done before we can take decentralised authority from a concept, to a functioning network that will keep our accounts safe.</p>
<hr>
<p><em>Correction: this article was updated to reflect that, while the Okta data breach gave hackers access to certain data, follow-up investigations found they did not gain control over clients’ systems.</em></p>
<p class="fine-print"><em><span>Joanne Hall collaborated with TIDE foundation on this project. She received funding from the Australian National University (acting in partnership with the Defence Science Technology Group (DTSG)) to report on and present this project. Dr Hall is also receiving funding from the Australian Women in Security Network.</span></em></p><p class="fine-print"><em><span>Dr. Geetika Verma collaborated with TIDE foundation on this project. She received funding from the Australian National University (acting in partnership with the Defence Science Technology Group (DTSG)) to report on and present this project. In the past, Dr. Geetika Verma has worked on a mathematics research project at University of South Australia funded by an ARC Discovery Grant. </span></em></p><p class="fine-print"><em><span>Matthew P. Skerritt collaborated with TIDE foundation on this project. He received funding from the Australian National University (acting in partnership with the Defence Science Technology Group (DTSG)) to report on and present this project.</span></em></p>Many organisations abide by a “zero trust” rule wherein absolute trust is placed in nothing, apart from a central identity and access management system. But what happens when this system is breached?Joanne Hall, Senior Lecturer in Mathematics and Cybersecurity, RMIT UniversityGeetika Verma, Lecturer in Mathematics, RMIT UniversityMatthew P. Skerritt, Lecturer, RMIT UniversityLicensed as Creative Commons – attribution, no derivatives.tag:theconversation.com,2011:article/1822862022-05-04T20:06:56Z2022-05-04T20:06:56ZWe tracked election ad spending for 4,000 Facebook pages. Here’s what they’re posting about – and why cybersecurity is the bigger concern<figure><img src="https://images.theconversation.com/files/460727/original/file-20220502-17-vmttm6.jpg?ixlib=rb-1.1.0&rect=0%2C27%2C6006%2C3980&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">
</span> <span class="attribution"><span class="source">Shutterstock</span></span></figcaption></figure><p>Have you noticed your Facebook and Instagram feed filling up with political ads lately?</p>
<p>The social media strategies of many parties and candidates aim to bypass mainstream media to speak directly to voters, but they are often not as sophisticated as is assumed. </p>
<p>As part of a <a href="https://election-ad-data.uq.edu.au">team studying the digital campaign</a>, we have been tracking what the parties and candidates are doing with their Facebook and Instagram ad spend during the election campaign.</p>
<p>Using ads collected from the <a href="https://www.facebook.com/ads/library">Facebook Ad Library API</a> (containing sponsored posts declared by the advertiser as political), we are <a href="https://election-ad-data.uq.edu.au/faq">tracking the ad spend for close to 4,000 pages</a>. We gather fresh data every six hours.</p>
<p>At the halfway point in the election campaign, some clear themes are emerging in the ways the parties and candidates are campaigning online.</p>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/the-wentworth-project-allegra-spenders-profile-rises-but-polarises-182275">The Wentworth Project: Allegra Spender's profile rises, but polarises</a>
</strong>
</em>
</p>
<hr>
<h2>A big spend by ‘teals’ and Labor – and political fragmentation</h2>
<p>The first is the really significant spend from the “teal” Independents. Historically, many successful federal Independents (such as Tony Windsor, Rob Oakeshott or Cathy McGowan) have come from regional areas.</p>
<figure class="align-right zoomable">
<a href="https://images.theconversation.com/files/460715/original/file-20220502-21-jvct6u.png?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="" src="https://images.theconversation.com/files/460715/original/file-20220502-21-jvct6u.png?ixlib=rb-1.1.0&q=45&auto=format&w=237&fit=clip" srcset="https://images.theconversation.com/files/460715/original/file-20220502-21-jvct6u.png?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=1188&fit=crop&dpr=1 600w, https://images.theconversation.com/files/460715/original/file-20220502-21-jvct6u.png?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=1188&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/460715/original/file-20220502-21-jvct6u.png?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=1188&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/460715/original/file-20220502-21-jvct6u.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=1493&fit=crop&dpr=1 754w, https://images.theconversation.com/files/460715/original/file-20220502-21-jvct6u.png?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=1493&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/460715/original/file-20220502-21-jvct6u.png?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=1493&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">Thus far, Labor is spending more than the Coalition on Facebook ads.</span>
<span class="attribution"><a class="source" href="https://election-ad-data.uq.edu.au/">UQ Election Ad Data Dashboard</a></span>
</figcaption>
</figure>
<p>But they rarely had the resources to execute a campaign of the scale we’re seeing from inner city “teals” like Monique Ryan (running in the seat of Kooyong against Treasurer Josh Frydenberg). </p>
<p>Some are spending A$4,000-$5,000 a week on Facebook and Instagram ads. That is enormous. Very few candidates from the major parties would normally spend that amount. Frydenberg is doing so to try to retain his seat.</p>
<p>The second theme emerging is that, so far, Labor is spending more than the Coalition. That’s a product of Labor’s post-2019 election review, which was damning of their digital campaign and emphasised a digital first strategy.</p>
<p>Thirdly, we’re seeing a real diversity of spending across a range of parties and candidates – Jacqui Lambie in Tasmania, Rex Patrick in South Australia, the Liberal Democrats and the United Australia Party in Queensland, for example. </p>
<p>That reflects the broader fragmentation of the political landscape in Australia. Federal elections in Australia are increasingly complex and multi-dimensional, and the online campaign is indicative of this trajectory. </p>
<figure class="align-center zoomable">
<a href="https://images.theconversation.com/files/460713/original/file-20220502-98897-7sivyi.png?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="" src="https://images.theconversation.com/files/460713/original/file-20220502-98897-7sivyi.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/460713/original/file-20220502-98897-7sivyi.png?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=373&fit=crop&dpr=1 600w, https://images.theconversation.com/files/460713/original/file-20220502-98897-7sivyi.png?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=373&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/460713/original/file-20220502-98897-7sivyi.png?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=373&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/460713/original/file-20220502-98897-7sivyi.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=468&fit=crop&dpr=1 754w, https://images.theconversation.com/files/460713/original/file-20220502-98897-7sivyi.png?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=468&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/460713/original/file-20220502-98897-7sivyi.png?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=468&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">Spending in the seat of Kooyong and Wentworth has been high.</span>
<span class="attribution"><a class="source" href="https://election-ad-data.uq.edu.au/">UQ Election Ad Data Dashboard</a></span>
</figcaption>
</figure>
<h2>What are candidates and parties posting about?</h2>
<p>In inner city seats where teal independents are running, the number one issue is overwhelmingly climate change. But “environment” or “climate” is not one of the key terms we have found for the major parties across Australia. Instead, jobs, Medicare and health are more prominent.</p>
<figure class="align-center zoomable">
<a href="https://images.theconversation.com/files/460724/original/file-20220502-24-3tdoxn.png?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="" src="https://images.theconversation.com/files/460724/original/file-20220502-24-3tdoxn.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/460724/original/file-20220502-24-3tdoxn.png?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=427&fit=crop&dpr=1 600w, https://images.theconversation.com/files/460724/original/file-20220502-24-3tdoxn.png?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=427&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/460724/original/file-20220502-24-3tdoxn.png?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=427&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/460724/original/file-20220502-24-3tdoxn.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=536&fit=crop&dpr=1 754w, https://images.theconversation.com/files/460724/original/file-20220502-24-3tdoxn.png?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=536&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/460724/original/file-20220502-24-3tdoxn.png?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=536&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">‘Lies’ is one of the top terms showing up in posts.</span>
<span class="attribution"><a class="source" href="https://election-ad-data.uq.edu.au/">UQ Election Ad Data Dashboard</a></span>
</figcaption>
</figure>
<p>For those in outer metropolitan and regional areas, the data suggests the cost of living is the key issue parties have identified as determining their vote.</p>
<figure class="align-right zoomable">
<a href="https://images.theconversation.com/files/460705/original/file-20220502-18-uk7ybc.jpeg?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="" src="https://images.theconversation.com/files/460705/original/file-20220502-18-uk7ybc.jpeg?ixlib=rb-1.1.0&q=45&auto=format&w=237&fit=clip" srcset="https://images.theconversation.com/files/460705/original/file-20220502-18-uk7ybc.jpeg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=750&fit=crop&dpr=1 600w, https://images.theconversation.com/files/460705/original/file-20220502-18-uk7ybc.jpeg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=750&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/460705/original/file-20220502-18-uk7ybc.jpeg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=750&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/460705/original/file-20220502-18-uk7ybc.jpeg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=943&fit=crop&dpr=1 754w, https://images.theconversation.com/files/460705/original/file-20220502-18-uk7ybc.jpeg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=943&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/460705/original/file-20220502-18-uk7ybc.jpeg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=943&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">An ad from the Liberal Party of Australia Facebook page.</span>
<span class="attribution"><a class="source" href="https://www.facebook.com/photo?fbid=550350769782587&set=a.344989720318694">Liberal Party of Australia Facebook page</a></span>
</figcaption>
</figure>
<p>Negative campaigning is showing up, too. One of the top terms appearing in ads from the major parties is “lies”.</p>
<h2>Take talk of ‘microtargeting’ with a grain of salt</h2>
<p>While there is always talk of fine-grained and sophisticated microtargeting strategies, there is good reason to be wary of such claims. </p>
<p>There’s a perception we live in this incredible digital age where each message is tailored to our interests or our personalities. But the reality is quite different. </p>
<figure class="align-left zoomable">
<a href="https://images.theconversation.com/files/460707/original/file-20220502-16-n5siej.jpeg?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="" src="https://images.theconversation.com/files/460707/original/file-20220502-16-n5siej.jpeg?ixlib=rb-1.1.0&q=45&auto=format&w=237&fit=clip" srcset="https://images.theconversation.com/files/460707/original/file-20220502-16-n5siej.jpeg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=750&fit=crop&dpr=1 600w, https://images.theconversation.com/files/460707/original/file-20220502-16-n5siej.jpeg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=750&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/460707/original/file-20220502-16-n5siej.jpeg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=750&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/460707/original/file-20220502-16-n5siej.jpeg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=943&fit=crop&dpr=1 754w, https://images.theconversation.com/files/460707/original/file-20220502-16-n5siej.jpeg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=943&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/460707/original/file-20220502-16-n5siej.jpeg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=943&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">Lying is a common theme in many digital ads.</span>
<span class="attribution"><a class="source" href="https://www.facebook.com/photo.php?fbid=531724981645348&set=pb.100044235528995.-2207520000..&type=3">The Australian Labor Party Facebook page.</a></span>
</figcaption>
</figure>
<p>In fact, a great deal of digital campaigning isn’t that targeted at all. Clive Palmer’s campaign is an extreme example of this, “carpet bombing” the electorate with messages about “freedom”. (A reasonable rebuttal might be: can I be free to not receive these messages?) </p>
<p>The reality is that most political advertising online is little more than what I describe in my <a href="https://link.springer.com/book/10.1007/978-3-030-68234-7">recent book</a> as a form of “<a href="https://en.wikipedia.org/wiki/Narrowcasting">narrowcasting</a>”, where targeting is based on a basic segmentation of voters into demographic or geographic groups. </p>
<p>While many of the techniques we see in Australian election campaigns have been used overseas, particularly in the US and the UK, our electoral system and electoral rules are different; a mixed electoral system and compulsory voting changes the dynamic enormously. </p>
<p>In the US and the UK, the primary focus is to “get out the vote” rather than persuade voters. But <a href="https://link.springer.com/article/10.1007/s11109-022-09781-7">the evidence</a> suggests the effects of digital campaigns on mobilisation are limited. For persuasion, it is <a href="https://journals.sagepub.com/doi/full/10.1177/20531680221076901">even less</a>.</p>
<p>Most parties also lack the resources to engage in highly differentiated and targeted campaign activity.</p>
<p>In research I recently completed with colleagues from six advanced democracies, <a href="https://journals.sagepub.com/doi/full/10.1177/13540688221084039">we showed</a> most campaign activity builds on pre-existing techniques and is far less sophisticated than is often assumed. </p>
<p>Digital campaigning matters, as voters are online. It educates, it informs, it drives the conversation and it can have effects on social cohesion.</p>
<p>But the idea digital campaigning is the canary in the coalmine of electoral manipulation in Australia is hyperbole.</p>
<h2>Data privacy is the broader concern</h2>
<p>Two significant digital campaigning issues we should be concerned about are data privacy and cybersecurity. </p>
<p>Australia is one of the few advanced democracies where political parties are completely <a href="https://theconversation.com/how-did-politicians-and-political-parties-get-my-mobile-number-and-how-is-that-legal-168750">exempt from privacy legislation</a>. </p>
<p>They are able to acquire all sorts of data about you, from the Australian Electoral Commission, from data they collect when they speak to voters and from digital tracking data.</p>
<p>Should we be comfortable with parties collecting this information about us, especially when much of it provides <a href="https://www.cambridge.org/core/books/hacking-the-electorate/C0D269F47449B042767A51EC512DD82E">limited campaigning or educational value</a> to <a href="https://www.jstor.org/stable/23723484">parties</a>?</p>
<p>The privacy concerns are significant but so is the broader risk of domestic or foreign actors seeking to acquire this data to sow discord.</p>
<p>Since 2016, political parties in countries such as <a href="https://www.theguardian.com/australia-news/2019/feb/18/australia-political-parties-hacked-sophisticated-state-actor">Australia</a>, the <a href="https://labour.org.uk/about-your-data/">UK</a>, the <a href="https://www.reuters.com/article/uk-usa-election-cyber-biden-exclusive-idUKKBN2610IG">US</a>, <a href="https://www.wsj.com/articles/german-parties-targeted-in-cyberattack-1474470695">Germany,</a> <a href="https://www.reuters.com/article/us-italy-politics-5star-idUSKBN1CA1TM">Italy </a>and <a href="https://www.thestar.com/politics/federal/2019/04/08/canadian-political-parties-already-targeted-by-foreign-hacking-electronic-spy-agency-says.html?rf">Canada</a> have been the targets of cybersecurity attacks. Many see political parties as the <a href="https://www.politico.eu/article/european-election-security-political-parties-cybersecurity/">weak link in the election security</a> of democracy.</p>
<p>That represents a broader risk for all of us. </p>
<p>It is important for us to track what parties and candidates are doing online during a campaign.</p>
<p>But we also need to identify where the real vulnerabilities are, as the threats online are only likely to increase. </p>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/below-the-line-will-different-cultural-groups-favour-one-side-of-politics-this-federal-election-podcast-182236">Below the Line: Will different cultural groups favour one side of politics this federal election? – podcast</a>
</strong>
</em>
</p>
<hr>
<p class="fine-print"><em><span>Glenn Kefford receives funding from the ARC.</span></em></p>The social media strategies of many parties and candidates aim to bypass mainstream media to speak directly to voters, but they are often not as sophisticated as is assumed.Glenn Kefford, Senior Lecturer (Political Science), The University of QueenslandLicensed as Creative Commons – attribution, no derivatives.tag:theconversation.com,2011:article/1805272022-04-06T13:31:04Z2022-04-06T13:31:04ZHow the Russia-Ukraine conflict has put cryptocurrencies in the spotlight<figure><img src="https://images.theconversation.com/files/456140/original/file-20220404-12-54otej.jpg?ixlib=rb-1.1.0&rect=53%2C0%2C5963%2C3963&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">Members of Congress give Ukrainian President Volodymyr Zelensky a standing ovation during a speech by videoconference on Capitol Hill in Washington, D.C., on March 16, 2022. Ukraine says it is pioneering a new source of financial support: cryptocurrency.
</span> <span class="attribution"><span class="source">(Sarahbeth Maney/The New York Times via AP)</span></span></figcaption></figure><p>Just days before the Russian invasion of Ukraine, thousands of people in Canada joined a truckers’ protest movement called the “<a href="https://www.wsj.com/articles/freedom-convoy-canada-trucker-protest-what-11644441237">freedom convoy</a>” to oppose government health measures.</p>
<p>To support the protest movement, organizers launched a fundraising campaign on the GoFundMe platform. However, the social funding platform seized the approximately $10 million in donations that were raised, <a href="https://www.bbc.com/news/world-us-canada-60267840">alleging that the movement failed to both prohibit the promotion of violence and harassment</a> and <a href="https://fortune.com/2022/02/21/canada-ottawa-freedom-convoy-protest-ends-truckers-arrest-covid-vaccine-mandate/">adhere to sanctions Canadian authorities had imposed</a>.</p>
<p>Organizers responded quickly by <a href="https://www.cbc.ca/news/canada/ottawa/freedom-convoy-cryptocurrency-asset-seizure-1.6389601">turning to the world of cryptocurrency</a> to evade seizures and continue funding their movement. They raised <a href="https://www.cbc.ca/news/canada/ottawa/freedom-convoy-cryptocurrency-asset-seizure-1.6389601">nearly $1 million</a> in a matter of days.</p>
<p>This Canadian story is a perfect example of how cryptocurrency can play a dual role of social support, but can also be used to evade sanctions.</p>
<p>At the same time, in Ukraine the <a href="https://fortune.com/2022/02/28/ukraine-crypto-donations-tweet-bitcoin-ethereum-usdt-russia-invasion/">Kyiv government has shown enthusiasm about using cryptocurrency</a>, which has enabled the country to get significant financial support for its defence extremely quickly.</p>
<p>Our work examining the digital transformation of the accounting profession has led us to delve into the world of cryptocurrency to explore how it operates and how it is regulated. As the armed conflict between Ukraine and Russia rages on, countries’ interest in regulating cryptocurrency has never been so urgent.</p>
<p>The conflict between Ukraine and Russia is not just a war of bombs and bullets. It is also a <a href="https://www.wired.com/story/ukraine-digital-ministry-war/">digital war</a> of which cryptocurrency <a href="https://www.euronews.com/next/2022/03/18/inside-ukraine-s-digital-war-deputy-minister-bornyakov-on-resisting-with-tech-crypto-and-h">is just one of many components</a>.</p>
<p>Ukraine’s Ministry of Digital Transformation is getting lots of press for the ingenious way it is <a href="https://nationalinterest.org/blog/techland-when-great-power-competition-meets-digital-world/ukraine%E2%80%99s-%E2%80%98digital-army%E2%80%99-battling">supporting the country’s resistance to the Russian invasion</a>. This is being done through a sophisticated use of social media to promote Ukrainian interests around the world at hackathons, where hackers are rewarded with US$100,000 for successfully attacking Russian systems.</p>
<h2>Funds available quickly</h2>
<p>After a Ukrainian government official <a href="https://twitter.com/ukraine/status/1497594592438497282">tweeted that the country would now accept international aid via cryptocurrency</a>, <a href="https://nationalinterest.org/blog/techland-when-great-power-competition-meets-digital-world/ukraine%E2%80%99s-%E2%80%98digital-army%E2%80%99-battling">more than US$100 million was reportedly raised</a> this way. Two funds were initially set up: one for humanitarian and the other for military purposes. However, as the violence escalated the funds were merged and directed entirely toward supporting the Ukrainian military, where they were used to purchase <a href="https://www.euronews.com/next/2022/03/18/inside-ukraine-s-digital-war-deputy-minister-bornyakov-on-resisting-with-tech-crypto-and-h">body armour, night vision goggles, helmets, medicine and food for frontline fighters</a>.</p>
<p>The government has stated that although the amount received in cryptocurrency is modest with respect to the total funds granted from international agencies, it was able to receive these funds much more quickly because of the absence of intermediaries.</p>
<p>Bank transfers can, indeed, take several days to arrive in the Ukrainian government’s accounts. The cryptocurrency was deposited <a href="https://www.euronews.com/next/2022/03/18/inside-ukraine-s-digital-war-deputy-minister-bornyakov-on-resisting-with-tech-crypto-and-h">within a few minutes</a>.</p>
<p>This demonstrates the undeniable usefulness of cryptocurrency — the way it presently operates and is regulated — in <a href="https://www.forbes.com/sites/lawrencewintermeyer/2022/03/21/ukraine-demonstrates-that-cryptocurrency-is-a-potent-tool-for-marshaling-grassroots-support/?sh=6c79649662d4">supporting, in particular, the financial and economic systems of countries in distress</a>.</p>
<h2>Using cryptocurrency to evade international sanctions</h2>
<p>However, while digital warfare can benefit some people in human and military terms, particularly by overcoming the slowness of conventional financial systems, it can make it possible for others to circumvent the international sanctions that have been imposed on them. In this regard, it should be noted that according to some sources, cryptocurrency is also serving as a <a href="https://theconversation.com/are-russias-elite-really-using-cryptocurrency-to-evade-sanctions-179559">safe haven for many ordinary Russian citizens who are trying to hang on to their savings</a> inside a banking system that has numerous restrictions and vulnerabilities, as the value of the ruble collapses. </p>
<p>Economic sanctions against Russia are not new. <a href="https://www.consilium.europa.eu/en/infographics/eu-sanctions-against-russia-over-ukraine/">A number have been put in place</a> since the country annexed Crimea in 2014. The current Russian invasion of Ukraine has resulted in <a href="https://www.theguardian.com/world/2022/mar/02/sanctions-boycotts-west-response-russian-invasion-ukraine">new financial and economic sanctions that penalize Russian organizations and individuals, including oligarchs</a>. As a result, the value of the Russian ruble is falling to the point where several <a href="https://www.france24.com/en/live-news/20220301-european-subsidiary-of-russia-s-sberbank-to-enter-bankruptcy">Russian subsidiaries of European banks are reportedly on the verge of bankruptcy</a>.</p>
<p>However, here again, proceeding through the lightly regulated cryptocurrency world could help Russian organizations, governments and oligarchs <a href="https://theconversation.com/are-russias-elite-really-using-cryptocurrency-to-evade-sanctions-179559">evade sanctions and carry on their financial activities</a>. Since the start of the war, <a href="https://www.coindesk.com/markets/2022/02/28/ruble-denominated-bitcoin-volumes-surges-to-9-month-highs/">the conversion of Russian rubles into cryptocurrency has literally exploded</a>.</p>
<h2>Cryptocurrency leaves traces</h2>
<p>But is it really an effective and definitive way to dodge sanctions? Probably not, especially when it comes to the very large sums held by Russian oligarchs and large organizations. It is very unlikely that <a href="https://globalnews.ca/news/8657096/ukraine-russia-cryptocurrency-sanctions-ruble/">these sums could be entirely absorbed</a> by the different types of cryptocurrency in circulation at the moment.</p>
<p>Moreover, the usefulness of cryptocurrency for these types of transactions is temporary. The sums used to obtain cryptocurrency <a href="https://www.uvic.ca/news/topics/2022+expert-qa-cryptocurrency+expert-advisory">actually become traceable — and thus, subject to sanctions — as soon as they land in traditional bank accounts</a>. <a href="https://www.wsj.com/articles/untraceable-bitcoin-is-a-myth-11623860828">Cryptocurrency is also becoming less and less untraceable</a> thanks to <a href="https://www.justice.gov/opa/pr/two-arrested-alleged-conspiracy-launder-45-billion-stolen-cryptocurrency">the increasing expertise of law enforcement</a>.</p>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/are-russias-elite-really-using-cryptocurrency-to-evade-sanctions-179559">Are Russia's elite really using cryptocurrency to evade sanctions?</a>
</strong>
</em>
</p>
<hr>
<h2>The war will accelerate regulation</h2>
<p>From this perspective, the current digital war between Ukraine and Russia will likely serve as a catalyst to accelerate the regulatory takeover of the anarchic cryptocurrency world. It will then be up to each country to find mechanisms that will allow them to regulate virtual currencies — in <a href="https://www.weforum.org/press/2022/01/unifying-cryptocurrency-esg-efforts-key-to-boost-global-adoption/">hopes that the whole process will acquire a certain cohesion, internationally</a>.</p>
<p>In this sense, it appears to be essential for legislators in different countries to consider creating a balanced framework. The goal must be minimizing the possibilities of using the cryptocurrency universe as an illegal means of evasion without removing the efficiency that cryptocurrency offers — particularly the speed it provides for processing transactions. Striking this balance will not be easy.</p>
<p class="fine-print"><em><span>Simon Dermarkar is a member of the Ordre des CPA du Québec. He has received funding from the Canadian Academic Accounting Association (CAAA) and CPA Canada for a project he is conducting on the digital transformation of the accounting profession.</span></em></p>
<p class="fine-print"><em><span>Mouna Hazgui does not work for, consult, own shares in or receive funding from any organisation that would benefit from this article, and has disclosed no affiliations other than her research institution.</span></em></p>
Cryptocurrency allows Ukraine to get quick financial support, and Russia, to bypass international sanctions and protect some of its economic interests.
Simon Dermarkar, Associate professor, HEC Montréal
Mouna Hazgui, Associate professor, Financial Accounting and IFRS, HEC Montréal
Licensed as Creative Commons – attribution, no derivatives.
tag:theconversation.com,2011:article/178034 2022-03-01T03:07:32Z 2022-03-01T03:07:32Z
The hacker group Anonymous has waged a cyber war against Russia. How effective could they actually be?
<figure><img src="https://images.theconversation.com/files/449089/original/file-20220301-25-ckck4y.jpeg?ixlib=rb-1.1.0&rect=1%2C0%2C953%2C625&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">
</span> <span class="attribution"><span class="source">Screenshot/Twitter</span></span></figcaption></figure><p>A <a href="https://theconversation.com/as-russia-wages-cyber-war-against-ukraine-heres-how-australia-and-the-rest-of-the-world-could-suffer-collateral-damage-177909">spate of cyber attacks</a> has affected Ukraine’s digital systems since Russia’s invasion began. It soon became clear Russia’s “boots on the ground” approach would be supplemented by a parallel cyber offensive.</p>
<p>Last week Ukraine <a href="https://www.reuters.com/world/exclusive-ukraine-calls-hacker-underground-defend-against-russia-2022-02-24/">called on its citizens</a> to take to their keyboards and defend the country against Russia’s cyber threat. At the same time, a campaign was underway among the hacktivist collective Anonymous, calling on its global army of cyber warriors to target Russia. </p>
<div data-react-class="Tweet" data-react-props='{"tweetId":"1496965766435926039"}'></div>
<h2>Who is Anonymous?</h2>
<p>Anonymous is a global activist community that has been <a href="https://www.theguardian.com/technology/2012/sep/08/anonymous-behind-masks-cyber-insurgents">operating since at least 2008</a>. It brings a potential for significant cyber disruption in the context of Russia’s invasion of Ukraine.</p>
<p>The group has previously claimed responsibility for acts of hacktivism against a wide range of targets, including against <a href="https://www.theguardian.com/technology/2012/nov/22/anonymous-cyber-attacks-paypal-court">big businesses</a> and governments. Anonymous’s activities are often <a href="https://www.bbc.com/news/technology-52879000">aligned to major events</a>, and the group claims to have an “anti-oppression” agenda.</p>
<p>The collective has no defined structure or leadership. Acts are simply undertaken under the banner “Anonymous”, with some reports of limited <a href="https://books.google.com.au/books?id=ncGVPtoZPHcC">rules of engagement</a> being used to guide actions (although these are likely fluid). </p>
<p>As Anonymous is a movement, with no formal legal status or assets, responsibility for actions shifts to individuals. But there remains a <a href="https://www.digitalshadows.com/blog-and-research/cyber-attacks-the-challenge-of-attribution-and-response/">fundamental issue of attribution</a> in cyber security incidents, wherein it’s difficult to determine a specific source for any attack.</p>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/a-decade-since-the-year-of-the-hacktivist-online-protests-look-set-to-return-163329">A decade since 'the year of the hacktivist', online protests look set to return</a>
</strong>
</em>
</p>
<hr>
<h2>What are they threatening to do?</h2>
<p>On February 16, Anonymous TV posted a video message with a series of recommendations and threats. Leaning on the stereotypical “hacker” image, the masked speaker issues a serious warning to Russia:</p>
<blockquote>
<p>If tensions continue to worsen in Ukraine, then we can take hostage […] industrial control systems. Sole party to be blamed if we escalate on that will be the same one who started it in the very first place with troop buildups, childish threats and waves of unreasonable ultimatums. </p>
</blockquote>
<div data-react-class="Tweet" data-react-props='{"tweetId":"1493718462207832065"}'></div>
<p>Several Russian <a href="https://www.abc.net.au/news/science/2022-02-25/hacker-collective-anonymous-declares-cyber-war-against-russia/100861160">government websites and media outlets</a> have since been targeted, with Anonymous taking credit on its <a href="https://twitter.com/YourAnonTV">Twitter channel</a>. </p>
<p>The attacks have leveraged the same <a href="https://www.radware.com/security/ddos-knowledge-center/ddospedia/ddos-attack/">distributed denial of service</a> techniques used in many previous cyber attacks, including attacks on Ukrainian banking and government websites. In such attacks, the attacker knocks targeted websites offline by flooding them with bot traffic.</p>
<p>Further incidents have included the theft and publication of Russian Department of Defence <a href="https://cybernews.com/news/anonymous-leaks-database-of-the-russian-ministry-of-defence/">data</a>, which may contain sensitive information useful to fighters in Ukraine. Emails from <a href="https://cybernews.com/news/hero-hackers-claim-to-have-breached-belarusian-weapons-firm/">Belarusian weapons manufacturer Tetraedr</a> and data from the <a href="https://twitter.com/YourAnonNews/status/1498242200332906500">Russian Nuclear Institute</a> have also reportedly been accessed. </p>
<p>It’s too early to determine how useful these data may be. Most of the stolen information will be in Russian, <a href="https://securityaffairs.co/wordpress/128527/hacktivism/anonymous-hit-russian-nuclear-institute.html">which means translators</a> will be needed to help examine it.</p>
<div data-react-class="Tweet" data-react-props='{"tweetId":"1497510954921254915"}'></div>
<p>Russian TV channels <a href="https://inews.co.uk/news/world/anonymous-hacker-group-russia-tv-channels-broadcast-ukrainian-songs-1486735">were also attacked</a> and made to play Ukrainian music and display uncensored news of the conflict from news sources outside Russia.</p>
<p>It’s hard to be certain that Anonymous did carry out the cyber attacks for which it has claimed responsibility. The movement is founded on anonymity, and there are no viable means of verification. But the tactics, targets and theatrics on show are consistent with previous attacks claimed by the group.</p>
<p>Also, even if some attacks are not a direct consequence of Anonymous’s actions, one could argue this doesn’t really matter. Anonymous is all about being perceived as having an impact. </p>
<div data-react-class="Tweet" data-react-props='{"tweetId":"1497571513482063874"}'></div>
<h2>Will it make a difference?</h2>
<p>It’s unlikely the cyber attacks claimed by Anonymous will have a significant impact on Russia’s intent or military tactics. That said, these actions could provide key intelligence about specific tactics Russia is using, which would be valuable to the Ukrainians and their allies. </p>
<p>A further benefit is that the impact of the invasion on Ukrainian people is getting more publicity – especially within Russia, where news is significantly censored. This could help counter Russia’s domestic <a href="https://theconversation.com/what-can-the-west-do-to-help-ukraine-it-can-start-by-countering-putins-information-strategy-177912">propaganda machine</a>, and present a more balanced view of events.</p>
<p>Cyber attacks will likely continue to escalate on both sides, involving both state and non-state actors. Russia’s National Computer Incident Response and Coordination Center has raised its <a href="https://interfax.com/newsroom/top-stories/74176/">threat level to “critical”</a>, indicating concerns about Russian infrastructure being <a href="https://tass.com/defense/1410737">targeted through cyber attacks</a>. </p>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/as-russia-wages-cyber-war-against-ukraine-heres-how-australia-and-the-rest-of-the-world-could-suffer-collateral-damage-177909">As Russia wages cyber war against Ukraine, here's how Australia (and the rest of the world) could suffer collateral damage</a>
</strong>
</em>
</p>
<hr>
<h2>Citizen hackers</h2>
<p>Alongside Anonymous, large numbers of Ukrainian cyber professionals have volunteered to assist with Ukraine’s cyber defence. The volunteers are being organised through <a href="https://www.wired.com/story/ukraine-it-army-russia-war-cyberattacks-ddos/">Telegram channels and other encrypted apps</a>. </p>
<p>Their goals include defending Ukraine’s critical infrastructure, helping the government with cyber espionage, taking down Russian disinformation from the web, and targeting Russian infrastructure, banks and government websites.</p>
<p>But despite reports of some 175,000 joining the cyber army’s Telegram channel, its impact so far remains unclear.</p>
<p class="fine-print"><em><span>The authors do not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and have disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
There’s an alleged global network of cyber activists operating under the Anonymous name. Knowing who is responsible for what will become increasingly difficult as more cyber attacks happen.
Jennifer Medbury, Lecturer in Intelligence and Security, Edith Cowan University
Paul Haskell-Dowland, Professor of Cyber Security Practice, Edith Cowan University
Licensed as Creative Commons – attribution, no derivatives.
tag:theconversation.com,2011:article/175675 2022-01-26T15:13:54Z 2022-01-26T15:13:54Z
Wordle has been hacked – but that’s not going to ruin the fun
<figure><img src="https://images.theconversation.com/files/442715/original/file-20220126-13-1yp7czw.jpg?ixlib=rb-1.1.0&rect=0%2C0%2C5991%2C3997&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">
</span> <span class="attribution"><a class="source" href="https://www.shutterstock.com/image-photo/portland-usa-jan-18-2022-daily-2109580778">Tada Images/Shutterstock</a></span></figcaption></figure><p>There’s no question about it. <a href="https://www.powerlanguage.co.uk/wordle/">Wordle</a>, the simple English-language word game created by software engineer <a href="https://www.powerlanguage.co.uk/">Josh Wardle</a>, is a viral hit.</p>
<p>If you’ve tried Wordle, there’s a good chance that, like me, you’re hooked. Since the game quietly hit the internet in October 2021, the number of people playing has <a href="https://www.theguardian.com/games/2022/jan/11/wordle-creator-overwhelmed-by-global-success-of-hit-puzzle">grown exponentially</a>: from some 90 players in November 2021, to 300,000 at the start of January, to more than <a href="https://www.bbc.co.uk/newsround/59992098">3 million today</a>. As you can see in the graph below, the number of people looking up Wordle on Google has increased rapidly over the past month.</p>
<p><strong>Google searches for ‘wordle’</strong></p>
<figure class="align-center zoomable">
<a href="https://images.theconversation.com/files/442720/original/file-20220126-21-1t4dxsh.png?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="A Google trends chart showing the popularity of the search term 'wordle' increasing rapidly since December 26, 2021." src="https://images.theconversation.com/files/442720/original/file-20220126-21-1t4dxsh.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/442720/original/file-20220126-21-1t4dxsh.png?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=211&fit=crop&dpr=1 600w, https://images.theconversation.com/files/442720/original/file-20220126-21-1t4dxsh.png?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=211&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/442720/original/file-20220126-21-1t4dxsh.png?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=211&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/442720/original/file-20220126-21-1t4dxsh.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=265&fit=crop&dpr=1 754w, https://images.theconversation.com/files/442720/original/file-20220126-21-1t4dxsh.png?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=265&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/442720/original/file-20220126-21-1t4dxsh.png?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=265&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption"></span>
<span class="attribution"><a class="source" href="https://trends.google.com/trends/explore?date=today%201-m&q=wordle">Google trends</a></span>
</figcaption>
</figure>
<p>The objective is to guess a five-letter word. Players get six tries, and on each attempt receive feedback indicating which letters are in the correct spot (green), in the word but in the wrong spot (yellow), or not in the word at all (grey). With these coloured prompts, most words can be determined in fewer than six guesses. There’s a new word to guess every day.</p>
<p>A number of <a href="https://screenrant.com/wordle-source-code-hack-every-word-revealed/">computer experts</a> have now managed to <a href="https://www.varsity.co.uk/news/22868">hack Wordle</a> – meaning they’ve been able to access the complete catalogue of upcoming solutions embedded in the game’s code. </p>
<p>This probably doesn’t sound like good news, particularly if you’re a Wordle fanatic and don’t want your fun spoiled. But actually, it shouldn’t really matter.</p>
<p>So, how has Wordle become such a viral hit? What makes it so uniquely addictive? And why is the fact that it’s been hacked unlikely to detract from our enjoyment of the game?</p>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/the-wordle-craze-why-do-we-love-puzzles-and-are-they-good-for-our-brains-175227">The Wordle craze: Why do we love puzzles, and are they good for our brains?</a>
</strong>
</em>
</p>
<hr>
<h2>Wordle is unique</h2>
<p>The games market is crowded and fierce. Most games, of course, seek to make money. Asking players to pay for a digital game outright risks low uptake, so many games are offered for free, with revenue coming from advertising and in-game purchases. Waning player interest results in diminishing revenue so there’s significant focus on techniques to increase time spent playing and keep players coming back.</p>
<p>These techniques typically target the brain’s reward centres, flooding the <a href="https://www.britannica.com/science/amygdala">amygdala</a> and <a href="https://www.britannica.com/science/hippocampus">hippocampus</a> with dopamine, which generates feelings of happiness and a desire to keep playing. By hijacking primal tendencies such as competitiveness, excitement (or stress) and achievement, game and app developers can stimulate a <a href="https://www.liebertpub.com/doi/pdf/10.1089/cyber.2013.0024">craving for more</a>.</p>
<p>Wordle, however, was not created for financial gain (Wardle actually developed the game as a gift for his partner). And presumably, little attention was paid to making it addictive. But the game clearly does have a certain draw.</p>
<p>As a player enters each guess, they learn more information. This provides <a href="https://digitalcommons.andrews.edu/cgi/viewcontent.cgi?article=1651&context=luh-pubs">a sense of</a> gradual achievement, which is heightened if there’s a feeling of having improved or <a href="https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2462316">applied skill</a>. The positive feelings associated with the achievement peak with the accomplishment of deciphering the word correctly.</p>
<p>In terms of excitement (or stress), the game is limited to one word per day, which gives both a time limit for completing the puzzle, and anticipation for the next word. As the game records your streak of words guessed correctly, if a day is missed there is also a <a href="https://www.sciencedirect.com/science/article/abs/pii/S0747563217303886">minor punishment</a>, since you lose the winning streak. </p>
<p>These mechanics, however, don’t explain why the game has so suddenly become a viral sensation. In a large part, this is down to Elizabeth S, an early Wordle player from New Zealand who began to <a href="https://slate.com/culture/2022/01/wordle-game-creator-wardle-twitter-scores-strategy-stats.html">tweet her results</a> as a sequence of coloured square emojis (therefore avoiding spoiling the solutions). </p>
<div data-react-class="Tweet" data-react-props='{"tweetId":"1475543274207145987"}'></div>
<p>This prompted Wardle to create a “share” button once you solve the puzzle, allowing players to show how well they did by tweeting a pattern of coloured tiles. This drives competitive reward-seeking among players – and acts as free advertising.</p>
<h2>The hack</h2>
<p>Software developers like to poke around in others’ work, so it was only a matter of time until someone <a href="https://www.varsity.co.uk/news/22868">spilled the beans</a>: the Wordle word list is included in the source code that displays the game on your device. </p>
<p>If you open the developer console on any modern computer browser (often by pressing F12, or by selecting the relevant option from a drop-down menu) you can inspect the code that tells your computer how to present the website to you. </p>
<p>This is because the entire game runs in your browser, rather than on a remote server: the word list is delivered with the page, and the day’s word is picked from it according to the date. So anyone who knows where to look can find the word for today or a future date. You can even play a future word by changing the date on your device.</p>
<figure class="align-center ">
<img alt="The JavaScript source code from the Wordle game showing the first items on the word list." src="https://images.theconversation.com/files/442551/original/file-20220125-25-1lk2g0p.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/442551/original/file-20220125-25-1lk2g0p.png?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=194&fit=crop&dpr=1 600w, https://images.theconversation.com/files/442551/original/file-20220125-25-1lk2g0p.png?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=194&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/442551/original/file-20220125-25-1lk2g0p.png?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=194&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/442551/original/file-20220125-25-1lk2g0p.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=243&fit=crop&dpr=1 754w, https://images.theconversation.com/files/442551/original/file-20220125-25-1lk2g0p.png?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=243&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/442551/original/file-20220125-25-1lk2g0p.png?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=243&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px">
<figcaption>
<span class="caption">This screenshot shows the first words on the list.</span>
<span class="attribution"><a class="source" href="https://www.powerlanguage.co.uk/wordle/">Wordle</a>, <span class="license">Author provided</span></span>
</figcaption>
</figure>
<p>Some people have taken advantage of this. Some players may play words ahead of their intended release and, of course, some will likely use the word list to cheat. A <a href="https://www.theverge.com/2022/1/24/22899339/wordle-twitter-spoilers-banned-word-puzzle-answers">short-lived Twitter bot</a> was set up to automatically spoil the following day’s word as a reply whenever someone tweeted their score. </p>
<h2>What can we learn from this?</h2>
<p>Those who create software should take note that code running on the user’s machine is under the user’s control: anything delivered to it can be read, and any decision it makes can be altered. Consider online purchases: if payments were processed on the user’s computer, it would be possible to falsify a successful transaction. So close attention should be paid to where code runs, and any check that must not be tampered with belongs on the server. </p>
<p>In hindsight, maybe Wardle would have chosen a different architecture for the game. But perhaps it really doesn’t matter. In my view, cheating on Wordle doesn’t carry much appeal.</p>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/codecracking-community-and-competition-why-the-word-puzzle-wordle-has-become-a-new-online-obsession-174878">Codecracking, community and competition: why the word puzzle Wordle has become a new online obsession</a>
</strong>
</em>
</p>
<hr>
<p>Cheating inherently stimulates the brain’s reward centres less than using skill. Cheaters lose out on achievement and excitement rewards for the “<a href="https://books.google.co.uk/books?id=XbcNAUxUajAC&printsec=frontcover#v=onepage&q&f=false">cultural capital</a>” gained through competitiveness. But the culture around Wordle seems to be more of decency and fun for the sake of having fun.</p>
<p>The game is providing pleasure to a huge number of daily players. The opportunity to share that pleasure and engage in a collective experience is, especially at a time when people are in need of some optimism, a great thing.</p>
<p>So is Wordle broken? Probably not. Long live Wordle, I say. Or at least until word 2,314 – the last in the word list.</p>
<p class="fine-print"><em><span>John Dixon does not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
This deceptively simple online word guessing game has captured the English-speaking world.
John Dixon, Lecturer, Computer Science, University of Hull
Licensed as Creative Commons – attribution, no derivatives.
tag:theconversation.com,2011:article/169804 2021-11-01T12:26:32Z 2021-11-01T12:26:32Z
You know how to identify phishing emails – a cybersecurity researcher explains how to trust your instincts to foil the attacks
<figure><img src="https://images.theconversation.com/files/427635/original/file-20211020-18-dqgrxx.jpg?ixlib=rb-1.1.0&rect=0%2C0%2C5041%2C3343&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">If your gut says something is off about an email message, stop and investigate.</span> <span class="attribution"><a class="source" href="https://www.gettyimages.com/detail/photo/close-up-of-mature-man-with-laptop-scratching-head-royalty-free-image/57226133">Jose Luis Pelaez Inc/DigitalVision via Getty Images</a></span></figcaption></figure>
<p>An employee at <a href="https://www.cbc.ca/news/canada/edmonton/macewan-university-phishing-scam-edmonton-1.4270689">MacEwan University got an email</a> in 2017 from someone claiming to be a construction contractor asking to change the account number where almost $12 million in payments were sent. A week later the actual contractor called asking when the payment would arrive. The email about the account number change was fake. Instead of going to the contractor, the payments were sent to accounts controlled by criminals. </p>
<p>Fake emails that try to get people to do things they wouldn’t normally do, such as send money, <a href="https://www.wsj.com/articles/how-a-u-s-utility-got-hacked-1483120856">run dangerous programs</a> or <a href="https://www.nytimes.com/2016/12/13/us/politics/russia-hack-election-dnc.html">give out passwords</a>, are known as <a href="https://www.consumer.ftc.gov/articles/how-recognize-and-avoid-phishing-scams">phishing</a> emails. Cybersecurity experts often <a href="https://doi.org/10.1177%2F0269758015571471">blame the people</a> who receive such messages for not noticing that the emails are fake. </p>
<p>As a <a href="https://scholar.google.com/citations?user=ef0ApTwAAAAJ&hl=en">cybersecurity researcher</a>, I’ve found that most <a href="https://www.usenix.org/conference/soups2021/presentation/wash">people are good at almost all of the skills</a> that computer security experts use to notice fake emails in their inboxes. Making up the difference comes down to listening to your instincts.</p>
<h2>How the pros do it</h2>
<p>In earlier research, I found that when cybersecurity experts <a href="https://doi.org/10.1145/3415231">received a phishing email message</a>, they, like most people, assumed the email was real. They initially took everything in the email at face value. They tried to figure out what the email was asking them to do, and how it related to things in their life.</p>
<p>As they read, they noticed small things that seemed off, or different from what would typically be in similar email messages. They noticed things like typos in a professional email, or the lack of typos from a busy executive. They noticed things like a bank providing account information in an email message instead of the standard notification that the recipient had a message waiting for them in the bank’s secure messaging system. They also noticed things like someone uncharacteristically emailing them without mentioning it in person first.</p>
<p>But noticing these signs isn’t enough to figure out the email is a fraud. Instead, the experts just became uncomfortable with the email message. It wasn’t until they saw something in the message that reminded them of phishing that they became suspicious. They would see an anomaly like a link that the email was trying to get them to click. In their minds, these are commonly associated with phishing emails.</p>
<p>Combined with the uncomfortable feeling about the email message, this reminder prompted the experts to recognize that phishing might explain the weird things they noticed. They became suspicious of the message and investigated to figure out if it was a fraud.</p>
<h2>Good instincts</h2>
<p>If that’s how experts do it, then what do regular people do? When I interviewed people without computer security experience, I found <a href="https://www.ieee-security.org/TC/SPW2021/ConPro/papers/nthala-conpro21.pdf">a similar process</a>. Most people noticed things that seemed off, became uncomfortable with the email, remembered about phishing and investigated. </p>
<p>My research found that people are good at the first two steps: noticing things in the email that seem weird, and becoming uncomfortable. Almost everyone I talked to noticed multiple problems when they saw a fake email, and told me about feeling uncomfortable with the message. </p>
<figure class="align-center zoomable">
<a href="https://images.theconversation.com/files/429191/original/file-20211028-23-ttwp60.png?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="screenshot of an email message with overlaid annotations" src="https://images.theconversation.com/files/429191/original/file-20211028-23-ttwp60.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/429191/original/file-20211028-23-ttwp60.png?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=499&fit=crop&dpr=1 600w, https://images.theconversation.com/files/429191/original/file-20211028-23-ttwp60.png?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=499&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/429191/original/file-20211028-23-ttwp60.png?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=499&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/429191/original/file-20211028-23-ttwp60.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=627&fit=crop&dpr=1 754w, https://images.theconversation.com/files/429191/original/file-20211028-23-ttwp60.png?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=627&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/429191/original/file-20211028-23-ttwp60.png?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=627&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">Aspects of an email message that seem off should prompt you to consider the possibility of phishing. The trick is remembering that phishing exists.</span>
<span class="attribution"><span class="source">Rick Wash</span>, <a class="license" href="http://creativecommons.org/licenses/by-nd/4.0/">CC BY-ND</a></span>
</figcaption>
</figure>
<p>And if people thought about phishing, they were also good at investigating. Instead of looking at technical details, though, most people either contacted the sender or asked others for help. But they were still able to correctly figure out whether an email message was a phishing attack.</p>
<h2>Phishing stories</h2>
<p>Most phishing training teaches people to look for problems in email. But for most people, the hard part about phishing isn’t noticing the weird things in an email message. People often deal with weird but real emails. Many messages feel a little bit off. Sometimes your boss is having a bad day, or the bank changes its policies. No email message is perfect, and people are often attuned to that. </p>
<p>The challenge for most people was remembering that phishing exists, and recognizing that phishing might explain those weird things. Without that awareness of phishing, the weirdness in phishing messages can be lost in everyday email weirdness.</p>
<p>Most people I interviewed know about phishing in general. But the people who were good at noticing phishing messages reported stories about specific phishing incidents they had heard about. They told me about a time when someone at their organization fell for a phishing email, or about a news story of an incident like the one at MacEwan University. </p>
<p>Familiarity with specific phishing incidents helps people remember phishing generally and recognize that it might explain the weird things they notice in an email. These stories are key to people going from “something’s fishy” to “is this phishing?”</p>
<p class="fine-print"><em><span>Rick Wash receives funding from the National Science Foundation and from Google. He is affiliated with Association for Computing Machinery and the USENIX Association.</span></em></p>
Weirdness is a clue about fraudulent email messages. But it takes more than a sense that something’s wrong to get people to investigate.
Rick Wash, Associate Professor of Information Science and Cybersecurity, Michigan State University
Licensed as Creative Commons – attribution, no derivatives.
tag:theconversation.com,2011:article/165382 2021-08-09T12:26:14Z 2021-08-09T12:26:14Z
What is Pegasus? A cybersecurity expert explains how the spyware invades phones and what it does when it gets in
<figure><img src="https://images.theconversation.com/files/415046/original/file-20210806-90251-104b4rt.jpg?ixlib=rb-1.1.0&rect=8%2C0%2C5455%2C3645&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">A woman holds a phone in front of the office of NSO Group, which makes a tool that can see and hear everything a phone is used for.</span> <span class="attribution"><a class="source" href="https://www.gettyimages.com/detail/news-photo/an-israeli-woman-uses-her-iphone-in-front-of-the-building-news-photo/596871396">Jack Guez/AFP via Getty Images</a></span></figcaption></figure><p>End-to-end encryption is technology that scrambles messages on your phone and unscrambles them only on the recipients’ phones, which means anyone who intercepts the messages in between can’t read them. Dropbox, Facebook, Google, Microsoft, Twitter and Yahoo are among the companies whose apps and services <a href="https://www.eff.org/encrypt-the-web-report">use end-to-end encryption</a>.</p>
<p>This kind of encryption is good for protecting your privacy, but <a href="https://www.washingtonpost.com/politics/2021/03/04/cybersecurity-202-fbi-renews-attack-encryption-ahead-another-possible-attack-capitol/">governments don’t like it</a> because it makes it difficult for them to spy on people, whether tracking criminals and terrorists or, as some governments have been known to do, snooping on dissidents, protesters and journalists. Enter an Israeli technology firm, <a href="https://www.nsogroup.com/">NSO Group</a>.</p>
<p>The company’s flagship product is Pegasus, <a href="https://techterms.com/definition/spyware">spyware</a> that can stealthily enter a smartphone and gain access to everything on it, including its camera and microphone. Pegasus is designed to infiltrate devices running Android, Blackberry, iOS and Symbian <a href="https://techterms.com/definition/operating_system">operating systems</a> and turn them into surveillance devices. The company says it sells Pegasus <a href="https://www.nsogroup.com/about-us/">only to governments</a> and only for the purposes of tracking criminals and terrorists.</p>
<h2>How it works</h2>
<p><a href="https://economictimes.indiatimes.com/tech/trendspotting/what-is-pegasus-spyware-and-how-it-works/articleshow/84607533.cms">Earlier versions of Pegasus</a> were installed on smartphones through <a href="https://nvd.nist.gov/vuln">vulnerabilities</a> in commonly used apps or by <a href="https://www.trendmicro.com/vinfo/us/security/definition/spear-phishing">spear-phishing</a>, which involves tricking a targeted user into clicking a link or opening a document that secretly installs the software. It can also be installed over a wireless <a href="https://www.pcmag.com/encyclopedia/term/transceiver">transceiver</a> located near a target, or manually if an agent can steal the target’s phone.</p>
<figure class="align-right zoomable">
<a href="https://images.theconversation.com/files/415050/original/file-20210806-19-17pnxr8.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="Close-up of an icon on a smartphone screen" src="https://images.theconversation.com/files/415050/original/file-20210806-19-17pnxr8.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=237&fit=clip" srcset="https://images.theconversation.com/files/415050/original/file-20210806-19-17pnxr8.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=400&fit=crop&dpr=1 600w, https://images.theconversation.com/files/415050/original/file-20210806-19-17pnxr8.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=400&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/415050/original/file-20210806-19-17pnxr8.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=400&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/415050/original/file-20210806-19-17pnxr8.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=502&fit=crop&dpr=1 754w, https://images.theconversation.com/files/415050/original/file-20210806-19-17pnxr8.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=502&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/415050/original/file-20210806-19-17pnxr8.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=502&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">Pegasus can infiltrate a smartphone via the widely used messaging app WhatsApp without the phone’s user noticing.</span>
<span class="attribution"><a class="source" href="https://flickr.com/photos/140988606@N08/25076398627/">Christoph Scholz/Flickr</a>, <a class="license" href="http://creativecommons.org/licenses/by-sa/4.0/">CC BY-SA</a></span>
</figcaption>
</figure>
<p>Since 2019, Pegasus users have been able to install the software on smartphones with a <a href="https://economictimes.indiatimes.com/tech/trendspotting/what-is-pegasus-spyware-and-how-it-works/articleshow/84607533.cms">missed call on WhatsApp</a>, and can even delete the record of the missed call, making it impossible for the phone’s owner to know anything is amiss. Another way is by simply sending a message to a user’s phone that produces no notification. </p>
<p>This means the latest version of this spyware does not require the smartphone user to do anything. All that is required for a successful spyware attack and installation is having a particular vulnerable app or operating system installed on the device. This is known as a <a href="https://www.news18.com/news/tech/explained-what-are-zero-click-hacks-and-why-are-they-such-a-menace-3988664.html">zero-click exploit</a>.</p>
<p>Once installed, Pegasus can theoretically <a href="https://www.documentcloud.org/documents/4599753-NSO-Pegasus.html">harvest any data</a> from the device and transmit it back to the attacker. It can steal photos and videos, recordings, location records, communications, web searches, passwords, call logs and social media posts. It also has the capability to activate cameras and microphones for real-time surveillance without the permission or knowledge of the user. </p>
<h2>Who has been using Pegasus and why</h2>
<p>NSO Group says it builds Pegasus solely for governments to use in counterterrorism and law enforcement work. The company markets it as a targeted spying tool to track criminals and terrorists and not for mass surveillance. The company does not disclose its clients.</p>
<p>The <a href="https://www.ynetnews.com/articles/0,7340,L-5444330,00.html">earliest reported use</a> of Pegasus was by the Mexican government in 2011 to track notorious drug baron Joaquín “El Chapo” Guzmán. The tool was also reportedly used to <a href="https://www.washingtonpost.com/investigations/interactive/2021/jamal-khashoggi-wife-fiancee-cellphone-hack/">track people</a> close to murdered Saudi journalist Jamal Khashoggi.</p>
<p>It is unclear who or what types of people are being targeted and why. However, <a href="https://www.bbc.com/news/technology-57881364">much of the recent reporting</a> about Pegasus centers around a list of 50,000 phone numbers. The list has been attributed to NSO Group, but the list’s origins are unclear. A statement from Amnesty International in Israel stated that <a href="https://twitter.com/KimZetter/status/1418212758185648146">the list contains phone numbers</a> that were marked as “of interest” to NSO’s various clients, though it’s not known if any of the phones associated with those numbers have actually been tracked. </p>
<p>A media consortium, <a href="https://forbiddenstories.org/case/the-pegasus-project/">the Pegasus Project</a>, analyzed the phone numbers on the list and identified over 1,000 people in over 50 countries. The findings included people who appear to fall outside of the NSO Group’s restriction to investigations of criminal and terrorist activity. These include politicians, government workers, journalists, human rights activists, business executives and Arab royal family members. </p>
<h2>Other ways your phone can be tracked</h2>
<p>Pegasus is breathtaking in its stealth and its seeming ability to take complete control of someone’s phone, but it’s not the only way people can be spied on through their phones. Some of the ways phones <a href="https://ssd.eff.org/en/playlist/privacy-breakdown-mobile-phones">can aid surveillance and undermine privacy</a> include location tracking, eavesdropping, <a href="https://techterms.com/definition/malware">malware</a> and collecting data from sensors. </p>
<figure class="align-center zoomable">
<a href="https://images.theconversation.com/files/415049/original/file-20210806-90685-1xfv372.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="An electronic device with handles on either side of a front panel containing buttons and lights and a graphic representation of a stingray" src="https://images.theconversation.com/files/415049/original/file-20210806-90685-1xfv372.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/415049/original/file-20210806-90685-1xfv372.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=384&fit=crop&dpr=1 600w, https://images.theconversation.com/files/415049/original/file-20210806-90685-1xfv372.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=384&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/415049/original/file-20210806-90685-1xfv372.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=384&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/415049/original/file-20210806-90685-1xfv372.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=482&fit=crop&dpr=1 754w, https://images.theconversation.com/files/415049/original/file-20210806-90685-1xfv372.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=482&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/415049/original/file-20210806-90685-1xfv372.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=482&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">Law enforcement agencies use cell site simulators like this StingRay to intercept calls from phones in the vicinity of the device.</span>
<span class="attribution"><a class="source" href="https://newsroom.ap.org/detail/WashingtonSuspectedPhoneSpying/4e99d5e5bd054437abaf4ae4981894a0/photo">U.S. Patent and Trademark Office via AP</a></span>
</figcaption>
</figure>
<p>Governments and phone companies can track a phone’s location by tracking cell signals from cell tower transceivers and <a href="https://www.eff.org/pages/cell-site-simulatorsimsi-catchers">cell transceiver simulators</a> like the <a href="https://www.engadget.com/2015-04-08-erie-county-police-stingray-spy.html">StingRay</a> device. Wi-Fi and Bluetooth signals can also be <a href="https://arstechnica.com/tech-policy/2020/08/beware-of-find-my-phone-wi-fi-and-bluetooth-nsa-tells-mobile-users/">used to track phones</a>. In some cases, apps and web browsers can determine a phone’s location. </p>
<p>Eavesdropping on communications is harder to accomplish than tracking, but it is possible in situations in which encryption is weak or lacking. Some types of malware can compromise privacy by accessing data.</p>
<p>The National Security Agency has sought agreements with technology companies under which the companies would give the agency special access into their products via <a href="https://techterms.com/definition/backdoor">backdoors</a>, and has <a href="https://www.reuters.com/article/us-usa-security-congress-insight/spy-agency-ducks-questions-about-back-doors-in-tech-products-idUSKBN27D1CS">reportedly built backdoors on its own</a>. The companies say that backdoors <a href="https://www.zdnet.com/article/coalition-of-tech-giants-hit-by-nsa-spying-slams-encryption-backdoors/">defeat the purpose of end-to-end encryption</a>.</p>
<p>The good news is, depending on who you are, you’re unlikely to be targeted by a government wielding Pegasus. The bad news is, that fact alone does not guarantee your privacy.</p>
<p class="fine-print"><em><span>Bhanukiran Gurijala does not work for, consult, own shares in or receive funding from any company or organization that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
A tool made for tracking criminals and terrorists has potentially been used against politicians, dissidents and journalists. Here’s how the spyware works.
Bhanukiran Gurijala, Assistant Professor of Computer Science & Information Systems, West Virginia University
Licensed as Creative Commons – attribution, no derivatives.
tag:theconversation.com,2011:article/164781 2021-07-20T20:10:35Z 2021-07-20T20:10:35Z
How does the Pegasus spyware work, and is my phone at risk?
<figure><img src="https://images.theconversation.com/files/412089/original/file-20210720-19-1dkrvnr.jpeg?ixlib=rb-1.1.0&rect=75%2C0%2C4528%2C3071&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">
</span> <span class="attribution"><span class="source">Shutterstock</span></span></figcaption></figure><p>A major <a href="https://www.washingtonpost.com/technology/2021/07/18/reactions-pegasus-project-nso/">journalistic investigation</a> has found evidence of malicious software being used by governments around the world, including allegations of spying on prominent individuals. </p>
<p>From a list of more than <a href="https://www.amnesty.org/en/latest/news/2021/07/pegasus-project-apple-iphones-compromised-by-nso-spyware/">50,000 phone numbers</a>, journalists identified more than 1,000 <a href="https://www.smh.com.au/world/middle-east/journalists-activists-and-leaders-targets-of-mass-pegasus-hacks-20210719-p58au7.html">people in 50 countries</a> reportedly under surveillance using the Pegasus spyware. The software was developed by the Israeli company NSO Group and sold to government clients.</p>
<p>Among the reported targets of the spyware are journalists, politicians, government officials, chief executives and human rights activists. </p>
<p>Reports thus far allude to a surveillance effort reminiscent of an <a href="https://books.google.com.au/books?hl=en&lr=&id=8OVYU1dze2wC&oi=fnd&pg=PT3&dq=orwell+1984+big+brother+surveillance&ots=ExHVODf95v&sig=8uF9PHt-bw8JV2ZVZucEcoxEfZM&redir_esc=y#v=onepage&q=orwell%201984%20big%20brother%20surveillance&f=false">Orwellian nightmare</a>, in which the spyware can capture keystrokes, intercept communications, track the device and use the camera and microphone to spy on the user.</p>
<h2>How did they do it?</h2>
<p>The Pegasus spyware can infect the phones of victims through a variety of mechanisms. Some approaches may involve an SMS or iMessage that provides a link to a website. If clicked, this link delivers malicious software that compromises the device. </p>
<p>Others use the more concerning “<a href="https://9to5mac.com/2021/07/19/zero-click-imessage-exploit/">zero-click</a>” attack, where vulnerabilities in the iMessage service on iPhones allow infection simply by receiving a message, with no user interaction required. </p>
<p>The aim is to seize full control of the mobile device’s operating system, either by rooting (on Android devices) or jailbreaking (on Apple iOS devices). </p>
<p>Usually, <a href="https://www.digitaltrends.com/mobile/how-to-root-android/">rooting</a> on an Android device is done by the user to install applications and games from non-supported app stores, or re-enable a functionality that was disabled by the manufacturer.</p>
<p>Similarly, a <a href="https://www.digitaltrends.com/mobile/how-to-jailbreak-your-iphone/">jailbreak</a> can be deployed on Apple devices to allow the installation of apps not available on the Apple App Store, or to unlock the phone for use on alternative cellular networks. Many jailbreak approaches require the phone to be connected to a computer each time it’s turned on (referred to as a “<a href="https://www.diffen.com/difference/Tethered_Jailbreak_vs_Untethered_Jailbreak">tethered jailbreak</a>”).</p>
<p>Rooting and jailbreaking both remove the security controls embedded in Android or iOS operating systems. They are typically a combination of configuration changes and a “hack” of core elements of the operating system to run modified code.</p>
<p>In the case of spyware, once a device is unlocked, the perpetrator can deploy further software to secure remote access to the device’s data and functions. This user is likely to remain completely unaware.</p>
<p>Most media reports on Pegasus relate to the compromise of Apple devices. The spyware infects Android devices too, but <a href="https://www.kaspersky.com.au/blog/pegasus-spyware/14604/">isn’t as effective</a> as it relies on a rooting technique that isn’t 100% reliable. When the initial infection attempt fails, the spyware supposedly prompts the user to grant relevant permissions so it can be deployed effectively.</p>
<h2>But aren’t Apple devices more secure?</h2>
<p>Apple devices are <a href="https://us.norton.com/internetsecurity-mobile-android-vs-ios-which-is-more-secure.html">generally considered more secure</a> than their Android equivalents, but neither type of device is 100% secure.</p>
<p>Apple applies a high level of control to the code of its operating system, as well as apps offered through its app store. This creates a closed system often referred to as “<a href="https://www.bcs.org/content-hub/security-through-obscurity/">security by obscurity</a>”. Apple also exercises complete control over when updates are rolled out, which are then quickly <a href="https://9to5mac.com/2020/09/21/ios-14-adoption-after-5-days/">adopted by users</a>.</p>
<p>Apple devices are frequently updated to the latest iOS version via automatic patch installation. This helps improve security and also increases the value of finding a workable compromise to the latest iOS version, as the new one will be used on a large proportion of devices globally.</p>
<p>On the other hand, Android devices are based on open-source concepts, so hardware manufacturers can <a href="https://www.makeuseof.com/tag/android-differs-hardware-manufacturer/">adapt the operating system</a> to add additional features or optimise performance. We typically see a large number of Android devices running a variety of versions — inevitably resulting in some unpatched and insecure devices (which is advantageous for cybercriminals).</p>
<p>Ultimately, both platforms are vulnerable to compromise. The key factors are convenience and motivation. While developing an iOS malware tool requires greater investment in time, effort and money, having many devices running an identical environment means there is a greater chance of success at a significant scale.</p>
<p>While many Android devices will likely be vulnerable to compromise, the diversity of hardware and software makes it more difficult to deploy a single malicious tool to a wide user base.</p>
<h2>How can I tell if I’m being monitored?</h2>
<p>While the leak of more than 50,000 allegedly monitored phone numbers seems like a lot, it’s unlikely the Pegasus spyware has been used to monitor anyone who isn’t publicly prominent or politically active. </p>
<p>It is in the very nature of spyware to remain covert and undetected on a device. That said, there are mechanisms in place to show whether your device has been compromised.</p>
<p>The (relatively) easy way to determine this is to use the <a href="https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-how-to-catch-nso-groups-pegasus/">Amnesty International Mobile Verification Toolkit (MVT)</a>. This tool can run under either Linux or MacOS and can examine the files and configuration of your mobile device by analysing a backup taken from the phone. </p>
<p>While the analysis won’t confirm or disprove whether a device is compromised, it detects “<a href="https://github.com/AmnestyTech/investigations/tree/master/2021-07-18_nso">indicators of compromise</a>” which can provide evidence of infection.</p>
<p>In particular, the tool can detect the presence of specific <a href="https://github.com/AmnestyTech/investigations/blob/master/2021-07-18_nso/processes.txt">software (processes)</a> running on the device, as well as a range of <a href="https://github.com/AmnestyTech/investigations/tree/master/2021-07-18_nso">domains</a> used as part of the global infrastructure supporting a spyware network.</p>
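As an added illustration of the kind of indicator matching described above (this is not MVT’s code and not part of the article): a small Python matcher that checks a list of running process names and a list of network artifacts taken from a backup against an indicator set. All process names, domains and artifacts below are constructed placeholders, not real Pegasus indicators; the real lists live in the Amnesty repository linked above. The domain check deliberately treats an indicator as matching any of its subdomains but not a look-alike that merely ends with the same letters.

```python
"""Toy indicator-of-compromise (IoC) matcher.

Models the two checks the article mentions: known process names and
known infrastructure domains. Every indicator and artifact here is a
CONSTRUCTED placeholder (the '.invalid' TLD is reserved and never
resolves), not a real Pegasus indicator.
"""
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed indicator set (placeholders, not real IoCs).
IOC_PROCESSES = {"placeholderd", "fakeupdated"}
IOC_DOMAINS = {"example-c2.invalid", "cdn-update.invalid"}

# Constructed artifacts as they might be extracted from a phone backup:
# a process listing plus URLs and hostnames from browser history / DNS cache.
SAMPLE_PROCESSES = ["launchd", "SpringBoard", "placeholderd", "backboardd"]
SAMPLE_NETWORK = [
    "https://www.example.org/",                        # benign
    "https://evil.example-c2.invalid/track?id=1",      # subdomain of an IoC
    "notexample-c2.invalid",                           # look-alike, must NOT match
    "mail.cdn-update.invalid",                         # bare hostname, subdomain
]


@dataclass
class Finding:
    category: str   # "process" or "domain"
    artifact: str   # the raw artifact that matched
    indicator: str  # the indicator it matched


@dataclass
class Report:
    findings: list = field(default_factory=list)

    @property
    def indicator_hits(self) -> int:
        return len(self.findings)


def host_of(artifact: str) -> str:
    """Return the lowercase hostname of a full URL or a bare host entry."""
    if "://" in artifact:
        return (urlparse(artifact).hostname or "").lower()
    return artifact.split("/")[0].lower()


def domain_matches(host: str, indicator: str) -> bool:
    """Exact match, or host is a subdomain of the indicator.

    The '.' boundary is required, so 'notexample-c2.invalid' does not
    match the indicator 'example-c2.invalid'.
    """
    return host == indicator or host.endswith("." + indicator)


def scan(processes, network_artifacts) -> Report:
    """Compare backup artifacts with the indicator sets and collect hits."""
    report = Report()
    # Process names are compared exactly (case-sensitive, as on the device).
    for name in processes:
        if name in IOC_PROCESSES:
            report.findings.append(Finding("process", name, name))
    # Network artifacts are reduced to a hostname before matching.
    for artifact in network_artifacts:
        host = host_of(artifact)
        for indicator in IOC_DOMAINS:
            if domain_matches(host, indicator):
                report.findings.append(Finding("domain", artifact, indicator))
                break  # one indicator hit per artifact is enough
    return report


if __name__ == "__main__":
    result = scan(SAMPLE_PROCESSES, SAMPLE_NETWORK)
    # A hit is evidence worth investigating, not proof of compromise.
    for f in result.findings:
        print(f"{f.category:8} {f.artifact!r} matched indicator {f.indicator!r}")
    print(f"{result.indicator_hits} indicator hit(s)")
```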
<h2>What can I do to be better protected?</h2>
<p>Unfortunately there is no current solution for the zero-click attack. There are, however, simple steps you can take to minimise your potential exposure — not only to Pegasus but to other malicious attacks too.</p>
<p><strong>1)</strong> Only open links from known and trusted contacts and sources when using your device. Pegasus is deployed to Apple devices through an iMessage link. And this is the same technique used by <a href="https://link.springer.com/article/10.1007/s12117-020-09397-5">many cybercriminals</a> for both malware distribution and less technical scams. The same advice applies to links sent via email or other messaging applications.</p>
<p><strong>2)</strong> Make sure your device is updated with any relevant patches and upgrades. While having a standardised version of an operating system creates a stable base for attackers to target, it’s still your <a href="https://us.norton.com/internetsecurity-how-to-the-importance-of-general-software-updates-and-patches.html">best defence</a>. </p>
<p>If you use Android, don’t rely on notifications for new versions of the operating system. Check for the latest version yourself, as your device’s manufacturer <a href="https://www.avg.com/en/signal/why-is-my-android-phone-not-getting-updates">may not be providing updates</a>.</p>
<p><strong>3)</strong> Although it may sound obvious, you should limit physical access to your phone. Do this by enabling pin, finger or face-locking on the device. The <a href="https://www.esafety.gov.au/key-issues/domestic-family-violence/video-library">eSafety Commissioner’s website</a> has a range of videos explaining how to configure your device securely.</p>
<p><strong>4)</strong> Avoid public and free WiFi services (<a href="https://www.techrepublic.com/article/wi-fi-security-fbi-warns-of-risks-of-using-wireless-hotel-networks/">including hotels</a>), especially when accessing sensitive information. The use of a VPN is a good solution when you need to use such networks.</p>
<p><strong>5)</strong> <a href="https://spreadprivacy.com/how-to-encrypt-devices/">Encrypt your device data</a> and enable <a href="https://www.lifewire.com/install-or-enable-remote-wipe-on-your-smartphone-2377851">remote-wipe features</a> where available. If your device is lost or stolen, you will have some reassurance your data can remain safe.</p>
<hr>
<p><em>Correction: this article was changed to reflect reports iPhone users targeted with the Pegasus spyware seem to have been targeted specifically with zero-click attacks.</em></p>
<p class="fine-print"><em><span>The authors do not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and have disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
It’s reported the Pegasus spyware can capture a user’s keystrokes, intercept communications, track their device and tap into their camera and microphone.
Paul Haskell-Dowland, Associate Dean (Computing and Security), Edith Cowan University
Roberto Musotto, Research fellow, Edith Cowan University
Licensed as Creative Commons – attribution, no derivatives.
tag:theconversation.com,2011:article/163261 2021-07-19T14:33:16Z 2021-07-19T14:33:16Z
Improving cybersecurity means understanding how cyberattacks affect both governments and civilians
<figure><img src="https://images.theconversation.com/files/409810/original/file-20210706-13-1qz219h.jpg?ixlib=rb-1.1.0&rect=0%2C0%2C5800%2C3400&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">Cybersecurity is a growing global threat.</span> <span class="attribution"><span class="source">(Shutterstock)</span></span></figcaption></figure><p>For nearly two years, <a href="https://www.un.org/disarmament/open-ended-working-group/">68 United Nations member states</a> — along with private enterprises, non-governmental organizations, technical communities and academics — participated in an open-ended working group on developments in information and telecommunications in international security (Cyber OEWG). The working group deliberated on responsible state behaviour in cyberspace. </p>
<p>In March 2021, the working group produced a <a href="https://front.un-arm.org/wp-content/uploads/2021/03/Final-report-A-AC.290-2021-CRP.2.pdf">final report</a>. The report comes at a critical time in light of the high-profile cyberattacks on <a href="https://theconversation.com/the-solarwinds-hack-was-all-but-inevitable-why-national-cyber-defense-is-a-wicked-problem-and-what-can-be-done-about-it-153084">SolarWinds</a> and <a href="https://theconversation.com/security-flaws-in-microsoft-email-software-raise-questions-over-australias-cybersecurity-approach-156864">Microsoft Exchange Server</a>, as well as ransomware attacks on critical civilian infrastructures and <a href="https://www.wsj.com/articles/cyberattacks-cost-hospitals-millions-during-covid-19-11614346713">essential public services</a>.</p>
<h2>Multi-stakeholder inclusion</h2>
<p>The Cyber OEWG was established in 2018. It was tasked to <a href="https://undocs.org/A/RES/73/27">continue cybersecurity negotiations in a more democratic, inclusive and transparent way</a>. The process is <a href="https://dig.watch/processes/un-gge">open to all interested member states</a>. </p>
<p>The Cyber OEWG publicly consults with non-state organizations over concerns about new threats posed by communications technologies. These include online interference in electoral processes, cyberattacks on supply chains and infrastructure and ransom attacks on medical facilities. </p>
<p>Civil society organizations have raised concerns with Cyber OEWG about <a href="https://front.un-arm.org/wp-content/uploads/2020/10/joint-civil-society-groups-feedback-on-oewg-norms-proposals.pdf">the potential humanitarian consequences of malicious activities related to information and communications technologies (ICT)</a>. They call for the societal impacts of cyber threats to be considered, rather than merely focusing on the economic and political impacts.</p>
<h2>Impacts of malicious cyber activities</h2>
<p>Increasingly, rampant cyberattacks target critical civilian infrastructures, including <a href="https://theconversation.com/australian-hospitals-are-under-constant-cyber-attack-the-consequences-could-be-deadly-150164">health facilities</a>, <a href="https://theconversation.com/colonial-pipeline-forked-over-4-4m-to-end-cyberattack-but-is-paying-a-ransom-ever-the-ethical-thing-to-do-161383">pipelines</a>, <a href="https://edition.cnn.com/2021/02/13/us/florida-hack-remote-access/index.html">water plants</a> and <a href="https://theconversation.com/the-increase-in-ransomware-attacks-during-the-covid-19-pandemic-may-lead-to-a-new-internet-162490">food supply chains</a>. Attacks on <a href="https://www.cbc.ca/news/world/cyberattack-ransomware-kaseya-1.6089578">technology firms</a> have also become commonplace.</p>
<p>These cyber incidents have impacted <a href="https://www.businessinsider.com/microsoft-exchange-hack-us-organizations-krebs-thousands-2021-3">organizations of all sizes</a>, including those with less awareness and capacity to defend themselves, such as <a href="https://www.accessnow.org/who-is-shutting-down-the-internet-in-2021/">civil society organizations</a> and <a href="https://enterprise.verizon.com/resources/reports/2020-data-breach-investigations-report.pdf">small businesses</a>. Civilians may also be affected through ensuing <a href="https://www.bloomberg.com/news/articles/2021-03-07/hackers-breach-thousands-of-microsoft-customers-around-the-world">personal data breaches</a> and <a href="https://www.washingtonpost.com/technology/2021/07/08/ransomware-human-impact/">disrupted public services</a>.</p>
<p>Harm to individuals resulting from a data breach can be <a href="https://www.theguardian.com/world/2015/aug/24/toronto-suicides-ashley-madison-hack">physical</a>, <a href="https://www.cnbc.com/2018/12/06/this-map-shows-where-in-the-us-cyber-crime-costs-people-the-most.html">financial</a>, <a href="https://www.bbc.com/news/technology-54692120">emotional</a> or reputational. Disrupted public services have also resulted in death by <a href="https://www.wired.co.uk/article/ransomware-hospital-death-germany">delaying treatment</a>.</p>
<figure>
<iframe width="440" height="260" src="https://www.youtube.com/embed/nhzAlPotXB8?wmode=transparent&start=0" frameborder="0" allowfullscreen=""></iframe>
<figcaption><span class="caption">In Dec. 2019, millions of Canadians had their personal information breached after an attack on LifeLabs.</span></figcaption>
</figure>
<h2>Centering civilian security</h2>
<p>People experience cyber threats, incidents and harms <a href="https://citizenlab.ca/2020/08/threats-facing-women-activists-in-colombia-and-costa-rica/">differently</a> depending on their gender identity, ethnicity, race and other social and cultural hierarchies. Those who are in vulnerable and marginalized positions may be <a href="https://www.accessnow.org/who-is-shutting-down-the-internet-in-2021/">disproportionately harmed</a> by cyberattacks. </p>
<p>Organizations such as <a href="https://unidir.org/publication/gender-approaches-cybersecurity">the UN Institute for Disarmament Research</a> and <a href="https://www.apc.org/en/pubs/why-gender-matters-international-cyber-security">the Association for Progressive Communications</a> examine these uneven aspects of cybersecurity. Addressing these inequalities requires human-centric and inclusive approaches to cybersecurity.</p>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/with-cyberattacks-growing-more-frequent-and-disruptive-a-unified-approach-is-essential-162219">With cyberattacks growing more frequent and disruptive, a unified approach is essential</a>
</strong>
</em>
</p>
<hr>
<p>A <a href="https://doi.org/10.1017/S0892679418000618">human-centric approach</a> to cybersecurity prioritizes people when assessing cybersecurity threats, incidents, technologies and practices. It recognizes that people’s intersecting identities shape their cybersecurity needs and experience of cyber incidents. Consequently, cybersecurity measures and instruments should be designed to address the structural inequalities that lead to insecurity.</p>
<p>Data on people’s participation in cybersecurity fields and on victims of cyber incidents need to be collected and disaggregated by socio-economic factors. Efforts to increase the participation of underrepresented and minority groups in the cybersecurity workforce should go beyond providing access to education and skills development. Further, cybersecurity skills-building should be tailored to the specific needs and capabilities of targeted population groups, including people with disabilities, the elderly and children.</p>
<figure>
<iframe width="440" height="260" src="https://www.youtube.com/embed/A3DDrrbMGBQ?wmode=transparent&start=0" frameborder="0" allowfullscreen=""></iframe>
<figcaption><span class="caption">The UN warns that civilians must also remain vigilant in dealing with cybersecurity.</span></figcaption>
</figure>
<h2>Building a cyber-resilient society</h2>
<p>The exploitation of vulnerabilities in ICT systems and the weakening of encryption standards can undermine trust and confidence in cyberspace overall. When any one sector or state is more secure, we all reap the benefits. On the other hand, enabling <a href="https://theconversation.com/insecure-by-design-lessons-from-the-meltdown-and-spectre-debacle-90629">insecurity by design</a> and <a href="https://www.washingtonpost.com/national-security/russia-us-un-cyber-norms/2021/06/12/9b608cd4-866b-11eb-bfdf-4d36dab83a6d_story.html">malicious ICT acts</a> degrade the security of the entire cyber ecosystem.</p>
<p>Threats to cybersecurity can emanate from any sector within society, due to human error, natural disaster, technical issues or cyberattacks. The effect can cascade across sectors and levels in unanticipated ways — as demonstrated in the cyberattacks targeted at <a href="https://theconversation.com/security-flaws-in-microsoft-email-software-raise-questions-over-australias-cybersecurity-approach-156864">giant tech firms</a>. </p>
<p>To address the origins and systemic effects of cybersecurity threats, we need to build societal cyber resilience. This would require equal distribution of the resources needed to build cyber capacity and the broad participation of all affected stakeholders — governmental, private sector and civil society — in shaping cybersecurity research, policy and practice. </p>
<p>While <a href="https://www.cfr.org/blog/eliminating-blind-spot-effect-cyber-conflict-civil-society">facing the same persistent cyber threats</a> experienced by states and private entities, civil society organizations have far fewer resources with which to defend themselves. Such cross-sectoral inequalities in cybersecurity resources could be addressed by establishing cyber-incident response teams that cater to the needs of all affected stakeholders, not just firms operating critical infrastructure. </p>
<p>Cybersecurity funding for <a href="https://cltc.berkeley.edu/wp-content/uploads/2018/07/CLTC_Defending_Politically_Vulnerable_Organizations_Online.pdf">financially constrained</a> sectors, such as civil society organizations and small businesses, is also needed. It is crucial to provide cyber skills building programs for employees in these organizations, including awareness of cyber threats, the importance of cyber hygiene habits and how to respond to cyber incidents.</p>
<p>Good practices at the national level include <a href="https://collections.unu.edu/view/UNU:7760">formalizing civil society organizations’ participation</a> in shaping cybersecurity-related legislation and policies. This would include developing measures to deter cyberattacks, designing cyber capacity building programs and sharing information about cyber threats. </p>
<p>States have started to embrace this inclusive approach to cybersecurity. Several Asia-Pacific countries, including Australia, the Philippines and Sri Lanka, <a href="https://collections.unu.edu/view/UNU:7760">have established national cyber incident response teams that accept reporting from civilians</a>. </p>
<p>Recently, Canada, Australia, New Zealand, the United Kingdom and the United States — <a href="https://www.publicsafety.gc.ca/cnt/ntnl-scrt/fv-cntry-mnstrl-en.aspx">an intelligence alliance known as the Five Eyes</a> — <a href="https://www.beehive.govt.nz/sites/default/files/2021-04/Five%20Country%20Ministerial%20Statement%20Regarding%20the%20Threat%20of%20Ransomware.pdf">committed to developing a collective response to the threat of ransomware</a>.</p>
<p>The UN is making incremental progress towards multi-stakeholder inclusion and prioritizing civilian security in cybersecurity negotiations. However, much work still needs to be done to follow up on the Cyber OEWG’s proposed actions. Future cybersecurity discussions must establish an accountability mechanism for states’ cyber operations and resolve how international law applies to cyberspace.</p>
<p class="fine-print"><em><span>Debora Irene Christine is a researcher for the Smart Citizens Cyber Resilience project at the United Nations University Institute in Macau funded by the Science and Technology Development Fund of Macau (FDCT).</span></em></p>
<p class="fine-print"><em>A UN working group on cybersecurity is making incremental progress in highlighting the importance of including and protecting civilians.</em></p>
<p class="fine-print">Debora Irene Christine, Researcher, United Nations University Institute in Macau (UNU-CS), United Nations University. Licensed as Creative Commons – attribution, no derivatives.</p>
<h1>It’s far too easy for abusers to exploit smart toys and trackers</h1>
<p class="fine-print">Published 2021-06-04</p>
<figure><img src="https://images.theconversation.com/files/404523/original/file-20210604-13-u44na8.jpeg?ixlib=rb-1.1.0&rect=0%2C0%2C5439%2C3620&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">
</span> <span class="attribution"><a class="source" href="https://www.shutterstock.com/image-photo/little-boy-using-smartwatch-call-parents-1017040465">JpegPhotographer/Shutterstock</a></span></figcaption></figure><p>The wearable technology market is booming, with <a href="https://news.strategyanalytics.com/press-releases/press-release-details/2021/Strategy-Analytics-Half-Billion-Wearables-Sold-Worldwide-in-2020/default.aspx">half a billion wearables</a> sold globally in 2020. Apps on these devices, or the devices themselves, often claim to monitor our health to spot illnesses, track our workouts to help us reach our fitness goals, or keep an eye on our children’s whereabouts to enhance their safety.</p>
<p>But they’re also divisive. Supporters of wearable technology claim that health trackers should be <a href="https://theconversation.com/why-the-nhs-should-prescribe-wearable-fitness-trackers-60817">prescribed by the NHS</a> and could even deliver an <a href="https://theconversation.com/wearable-fitness-devices-deliver-early-warning-of-possible-covid-19-infection-143388">early warning</a> of a possible COVID-19 infection. GPS tracking devices designed to be worn by children, meanwhile, are seen as a <a href="https://www.abc.net.au/news/2019-04-04/digitally-tracking-kids-more-parents-use-devices/10957906">safety asset</a> for parents. </p>
<p>Yet studies have found fitness trackers to be too <a href="https://theconversation.com/why-fitness-trackers-may-not-give-you-all-the-credit-you-hoped-for-128585">inaccurate</a> and <a href="https://theconversation.com/do-fitness-trackers-make-you-fitter-52404">misleading</a> to be used by <a href="https://eu.usatoday.com/story/tech/2019/08/14/how-doctors-really-feel-data-your-apple-watch-fitbit/1900968001/">medical professionals</a>, and that, because they’ve been rushed to market, wearables of all kinds are an insecure “<a href="https://theconversation.com/why-health-apps-are-like-the-wild-west-with-apple-just-riding-into-town-103512">Wild West</a>” region of technology that requires urgent regulation.</p>
<p>In <a href="https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/978692/The_UK_code_of_practice_for_consumer_IoT_security_-_PETRAS_UCL_research_report.pdf">a recent report</a>, we looked at the security risks associated with wearable devices, as well as “smart toys” that can record children in their homes. We found a concerning lack of security – especially for devices aimed at children – which lack even the most basic cybersecurity precautions, leaving them open to abuse.</p>
<h2>Fitness trackers and personal data</h2>
<p>One key issue with wearables is the data they generate and share. For instance, many fitness trackers rely on data on a person’s location to map their workouts. That’s great if you’re keen to track the distance of your jogs, but it’s not especially sensible if you’re embarking on those jogs <a href="https://www.bbc.co.uk/news/technology-42853072">from a military base</a> in hostile territory.</p>
<p>Beyond that specific example, which caused some embarrassment for the US military in 2018, it’s clear that sharing your location publicly, even in a safe civilian setting, comes with significant risks. </p>
<p>And it’s not just the real-time tracking of your running route that could expose your whereabouts. Because these trackers upload your workouts to an app and share them publicly, it’s possible for predators to use historic running, biking or hiking routes to predict where you might be at a given time. This safety issue isn’t only restricted to workouts. Even something as innocuous as <a href="https://www.wareable.com/wearable-tech/terms-and-conditions-privacy-policy-765">sharing a photo through your Apple watch</a> can give away your geolocation. </p>
<h2>Are trackers safe for children?</h2>
<p>Even more concerning are devices designed to be worn by children, sales of which are expected to reach <a href="https://www.prnewswire.com/in/news-releases/global-kids-smartwatch-market-valued-at-364-3-million-us-in-2018-and-will-reach-873-5-million-us-by-the-end-of-2025-at-a-cagr-of-13-19-between-2019-2025-valuates-reports-814713277.html">$875 million (£620 million)</a> by 2025. These watches are marketed as wearable tech to keep kids safe, tracking their location and alerting parents when the watch’s onboard “SOS” button is pressed – or if the child travels beyond a geofenced area. </p>
<p>Smart watches as safety devices on children’s wrists may sound like a <a href="https://www.cbsnews.com/news/wearable-gps-tracking-for-children-to-ease-parents-minds/">boon for anxious parents</a>, but a <a href="https://fil.forbrukerradet.no/wp-content/uploads/2017/10/watchout-rapport-october-2017.pdf">2017 survey</a> of children’s smart watches found that the all-important “SOS” button either got stuck or didn’t work at all in most cases.</p>
<p>Additionally, flaws in some smart watches’ accompanying apps have raised <a href="https://www.which.co.uk/news/2019/11/which-tests-for-security-flaws-in-kids-smartwatches/">serious safety concerns</a>. <a href="https://consumerfed.org/wp-content/uploads/2017/10/smart-watch-security-assessment.pdf">Security researchers</a> have found they could not only easily access children’s historical route data – like their path to and from school – and monitor their geolocation in real time, but they could also speak directly to the child, through the watch, without the call being reported in the parent’s app.</p>
<h2>Connected toys</h2>
<p>Fears that internet of things devices can give people unauthorised access to children also extend to <a href="https://theconversation.com/4-ways-internet-of-things-toys-endanger-children-94092">the “smart toy” market</a>. Some of these toys contain hidden cameras and microphones which, if hacked, could be used to record the interior of your home, including children’s rooms.</p>
<hr>
<p>
<em>
<strong>
Read more:
<a href="https://theconversation.com/4-ways-internet-of-things-toys-endanger-children-94092">4 ways 'internet of things' toys endanger children</a>
</strong>
</em>
</p>
<hr>
<p>In 2017, German regulators recognised this danger by <a href="https://www.bbc.co.uk/news/world-europe-39002142">banning the sale</a> of the Cayla “smart doll”, labelling it as the kind of “de facto espionage device” that Germany’s <a href="https://www.bundesnetzagentur.de/SharedDocs/Pressemitteilungen/EN/2017/17022017_cayla.html">Telecommunications Act</a> legislates against. In an unusual and unsettling move, the regulator went further by asking parents who’d bought one to <a href="https://www.dw.com/en/german-regulator-tells-parents-to-destroy-spy-doll-cayla/a-37601577">destroy the doll</a> to prevent illicit surveillance.</p>
<p>Even if the manufacturers of smart toys and children’s smart watches can guarantee far better security than that which led to the Cayla ban, there remain other surveillance concerns. In 2019, a <a href="https://www.unicef.org/innovation/reports/memoAIchildrights">UNICEF-led report</a> highlighted how children’s rights – to creativity, freedom of choice and self-determination – are challenged by smart devices. Present in schools, at home, and on the wrist, this kind of round-the-clock surveillance, the report argues, restricts carefree childhood and hurts kids’ development.</p>
<h2>Making trackers safer</h2>
<p>Trackers and toys can be made safer. Before we allow these devices to flood the market, it’s essential <a href="https://discovery.ucl.ac.uk/id/eprint/10117734/">we standardise</a> the minimum security requirements that manufacturers must comply with – no matter where in the world these devices are made. </p>
<p>Key among these standards should be the removal of <a href="https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/971440/Code_of_Practice_for_Consumer_IoT_Security_October_2018_V2.pdf">factory-default passwords</a> on devices – which, like “admin” or “1234”, are easily guessed or discovered by even the most novice hacker. Manufacturers should also publish a <a href="https://www.iotsecurityfoundation.org/expanding-the-view-of-consumer-vulnerability-disclosure-practice/">vulnerability disclosure</a> policy to help users understand risks, and issue regular software updates in response to vulnerabilities unearthed by security researchers.</p>
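<p>As an added illustration (not code from the PETRAS report, the UK Code of Practice or any vendor’s firmware), the Python below puts the shared factory default the paragraph warns against beside a per-device provisioning scheme that forces a change on first login, and adds the fleet check a practitioner would want. The default-password blocklist, the serial numbers and the small login state machine are hypothetical and constructed for this example.</p>

```python
"""Weak shared default vs per-device provisioning for a connected device.

Illustrative example only; the blocklist, serials and Device class are
constructed for this demonstration and are not from any real product.
"""
import secrets
import string
from dataclasses import dataclass

# Constructed blocklist of the kind of factory defaults the article names;
# a real check would load a much larger published list.
COMMON_DEFAULTS = {"admin", "1234", "0000", "123456", "12345678",
                   "password", "root", "user", "guest"}
ALPHABET = string.ascii_letters + string.digits


@dataclass
class Credential:
    username: str
    password: str
    must_change_on_first_login: bool


def weak_factory_default() -> Credential:
    """The anti-pattern: every unit ships with the same guessable credential
    and nothing forces the owner to replace it."""
    return Credential("admin", "1234", must_change_on_first_login=False)


def is_guessable(password: str, min_length: int = 12) -> bool:
    """Reject known defaults, short passwords and single-class passwords."""
    p = password.strip()
    if p.lower() in COMMON_DEFAULTS or len(p) < min_length:
        return True
    has_alpha = any(c.isalpha() for c in p)
    has_digit = any(c.isdigit() for c in p)
    return not (has_alpha and has_digit)


def provision_unique(serial: str, length: int = 16) -> Credential:
    """Per-device credential drawn from a CSPRNG at manufacture and printed on
    the unit's label. The serial only feeds the username; the password is not
    derived from it, so knowing one unit's serial reveals nothing about others."""
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not is_guessable(pw):
            return Credential(f"owner-{serial}", pw, must_change_on_first_login=True)


@dataclass
class Device:
    """Minimal login state machine for a hypothetical connected device."""
    serial: str
    cred: Credential
    password_changed: bool = False

    def authenticate(self, username: str, password: str) -> str:
        # Both comparisons are constant-time and both always run, so a wrong
        # username and a wrong password are indistinguishable by timing.
        user_ok = secrets.compare_digest(username.encode(), self.cred.username.encode())
        pass_ok = secrets.compare_digest(password.encode(), self.cred.password.encode())
        if not (user_ok and pass_ok):
            return "denied"
        if self.cred.must_change_on_first_login and not self.password_changed:
            return "change_required"
        return "ok"

    def set_password(self, new_password: str) -> bool:
        """Accept a replacement only if it passes the guessability check."""
        if is_guessable(new_password):
            return False
        self.cred = Credential(self.cred.username, new_password, False)
        self.password_changed = True
        return True


def audit_fleet(devices) -> list:
    """Return the serials of devices still protected by a guessable credential."""
    return [d.serial for d in devices if is_guessable(d.cred.password)]


if __name__ == "__main__":
    legacy = Device("SN-0001", weak_factory_default())
    modern = Device("SN-0002", provision_unique("SN-0002"))
    print("legacy login with admin/1234:", legacy.authenticate("admin", "1234"))
    print("modern first login:",
          modern.authenticate(modern.cred.username, modern.cred.password))
    print("devices still on guessable credentials:", audit_fleet([legacy, modern]))
```

<p>Running it shows the legacy unit accepting <code>admin</code>/<code>1234</code> outright, while the provisioned unit answers <code>change_required</code> on its first login and refuses a replacement password that is itself on the blocklist; <code>audit_fleet</code> is the kind of check a regulator or integrator could run over an inventory before devices ship.</p>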
<p>Clearly, monitoring people’s health via wearable trackers has the potential to radically improve access to medical care. Likewise, every parent wants their child to be safe, and smart devices, like mobile phones before them, could be a reliable tool for checking in with them. But without safety standards, these devices have the potential to cause more harm than they offset. Regulators must act fast to stop this growing market from leading to significant harms.</p>
<p class="fine-print"><em><span>Saheli Datta Burton receives funding from UK Engineering and Physical Sciences Research Council grant number EP/S035362/1 for the PETRAS National Centre of Excellence for IoT Systems Cybersecurity, a consortium of leading UK universities dedicated to understanding critical issues in the privacy, ethics, trust, reliability, acceptability, and security of the Internet of Things. Funding for PETRAS is provided by the UKRI’s Strategic Priorities Fund as part of the Security of Digital Technologies at the Periphery (SDTaP) programme.</span></em></p>
<p class="fine-print"><em><span>Madeline Carr receives funding from UK Engineering and Physical Sciences Research Council grant number EP/S035362/1 for the PETRAS National Centre of Excellence for IoT Systems Cybersecurity, a consortium of leading UK universities dedicated to understanding critical issues in the privacy, ethics, trust, reliability, acceptability, and security of the Internet of Things. Funding for PETRAS is provided by the UKRI’s Strategic Priorities Fund as part of the Security of Digital Technologies at the Periphery (SDTaP) programme.</span></em></p>
<p class="fine-print"><em>We believe fitness trackers keep us healthy, and connected toys keep children safe – but such devices are easily abused.</em></p>
<p class="fine-print">Saheli Datta Burton, Research Fellow, Department of Science Technology Engineering and Public Policy, UCL; Madeline Carr, Professor of Global Politics and Cybersecurity, UCL. Licensed as Creative Commons – attribution, no derivatives.</p>
<h1>A Chinese hacking competition may have given Beijing new ways to spy on the Uyghurs</h1>
<p class="fine-print">Published 2021-05-21</p>
<figure><img src="https://images.theconversation.com/files/402132/original/file-20210521-23-z2uzc3.jpeg?ixlib=rb-1.1.0&rect=0%2C0%2C5184%2C3888&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">
</span> <span class="attribution"><a class="source" href="https://www.shutterstock.com/image-photo/companies-hacked-by-chinese-hackers-cyber-1261948831">Herr Loeffler/Shutterstock</a></span></figcaption></figure><p>When Apple announced in a 2019 <a href="https://www.apple.com/newsroom/2019/09/a-message-about-ios-security/">blog post</a> that it had patched a security vulnerability in its iOS operating system, the company sought to reassure its customers. The attack that had exploited the vulnerability, Apple said, was “narrowly focused” on websites featuring content related to the Uyghur community.</p>
<p><a href="https://www.technologyreview.com/2021/05/06/1024621/china-apple-spy-uyghur-hacker-tianfu/">It has since emerged</a> that the vulnerability in question was discovered at China’s principal hacking competition, <a href="https://www.theregister.com/2020/11/09/tianfu_cup/">the Tianfu Cup</a>, where a professional hacker won a prize for his work in uncovering it. The normal protocol would be to inform Apple of the vulnerability. But it’s alleged that, instead, the flaw was kept secret, with the Chinese government acquiring it to <a href="https://www.technologyreview.com/2021/05/06/1024621/china-apple-spy-uyghur-hacker-tianfu/">spy on the country’s Muslim minority</a>.</p>
<p>Hacking competitions are an established way for technology companies like Apple to locate and attend to weaknesses in their software’s cybersecurity. But with <a href="https://www.itpro.co.uk/security/zero-day-exploit/358760/microsoft-exchange-zero-day-hack">state-backed hacks</a> on the rise, the suggestion that the Tianfu Cup is feeding Beijing new ways to perform surveillance is concerning – especially seeing as Chinese competitors have dominated international hacking competitions for years.</p>
<h2>Hacking competitions</h2>
<p>When software is hacked, it’s often because attackers have found and exploited a cybersecurity vulnerability that the software vendor didn’t know existed. Finding these vulnerabilities before they’re spotted by <a href="https://www.zdnet.com/article/cybercrime-and-cyberwar-a-spotters-guide-to-the-groups-that-are-out-to-get-you/">cyber-criminals or state-backed hackers</a> can save technology providers a huge amount of money, time and public-relations firefighting.</p>
<p>That’s why hacking competitions exist. Tech companies provide the <a href="https://www.zerodayinitiative.com/blog/2021/1/25/announcing-pwn2own-vancouver-2021">prize money</a> and cybersecurity researchers – or professional hackers – compete to win it by finding the security weaknesses hidden in the world’s most-used software. The likes of Zoom and Microsoft Teams were <a href="https://www.forbes.com/sites/thomasbrewster/2021/04/08/microsoft-teams-and-zoom-hacked-in-1-million-competition/">successfully hacked</a> in April’s Pwn2Own event, for instance, which is regarded as the top hacking competition in North America.</p>
<p>Until 2017, Chinese hackers walked away with a <a href="https://news.cgtn.com/news/3d59544e32417a4d/share_p.html">high proportion of prizes</a> offered at Pwn2Own. But after a Chinese billionaire <a href="https://tech.sina.cn/i/gn/2017-09-12/detail-ifykusey8931658.d.html?vt=4">argued</a> that Chinese hackers should “stay in China” because of the strategic value of their work, Beijing responded by <a href="https://www.cyberscoop.com/pwn2own-chinese-researchers-360-technologies-trend-micro/">banning Chinese citizens</a> from competing in overseas hacking competitions. China’s Tianfu Cup was set up shortly after, in 2018.</p>
<p>In its first year, a hacker competing in the Tianfu Cup produced a prize-winning hack he called “<a href="https://threatpost.com/chaos-iphone-x-jailbreak/141104/">Chaos</a>”. The hack could be used to remotely access even the latest iPhones – the kind of breach that could easily be used for surveillance purposes. <a href="https://googleprojectzero.blogspot.com/2019/08/a-very-deep-dive-into-ios-exploit.html">Google</a> and <a href="https://www.apple.com/newsroom/2019/09/a-message-about-ios-security/">Apple</a> both spotted the hack “in the wild” two months later, after it had been used in a targeted way against Uyghur iPhone users.</p>
<figure>
<iframe width="440" height="260" src="https://www.youtube.com/embed/JznReTetgOI?wmode=transparent&start=0" frameborder="0" allowfullscreen=""></iframe>
<figcaption><span class="caption">A video demonstration of the ‘Chaos’ iPhone hack.</span></figcaption>
</figure>
<p>Though Apple mitigated the hack within two months, this case shows that exclusive national hacking competitions are dangerous – especially when they take place in countries that <a href="https://www.hrw.org/world-report/2020/country-chapters/global">require citizens to cooperate</a> with government demands. </p>
<p>Hacking competitions are designed to expose “zero-day” vulnerabilities – security weaknesses that software vendors haven’t located or foreseen. Prize-winning hackers are supposed to share the techniques they used so that the vendors can devise ways to patch them up. But keeping zero-day exploits private, or passing them on to government institutions, significantly increases the chance they’ll be used in state-backed zero-day attacks.</p>
<h2>Zero-day attacks</h2>
<p>We’ve seen examples of such attacks before. <a href="https://www.csoonline.com/article/3616699/the-microsoft-exchange-server-hack-a-timeline.html">Early in 2021</a>, four zero-day vulnerabilities in Microsoft Exchange Server were used to launch widespread attacks against <a href="https://www.wsj.com/articles/china-linked-hack-hits-tens-of-thousands-of-u-s-microsoft-customers-11615007991?mod=tech_lead_pos1">tens of thousands of organisations</a>. The attack has been <a href="https://www.itpro.co.uk/security/zero-day-exploit/358760/microsoft-exchange-zero-day-hack">linked with Hafnium</a>, a Chinese government-backed hacking group.</p>
<p>A year earlier, <a href="https://www.businessinsider.com/solarwinds-hack-explained-government-agencies-cyber-security-2020-12?op=1">the SolarWinds hack</a> compromised the security of multiple US federal agencies, including the <a href="https://www.bbc.com/news/world-us-canada-55265442">Treasury and Commerce Department</a> and the <a href="https://www.chathamhouse.org/2021/02/solarwinds-hack-valuable-lesson-cybersecurity?gclid=Cj0KCQjwo-aCBhC-ARIsAAkNQivQecAKCMQKg23wXNavyLrz5r6xn9tFy2XUwmYK08r5GT0ReriiKOwaAqtKEALw_wcB">Energy Department</a>, which is in charge of the country’s nuclear stockpile. The hack has been linked to <a href="https://attack.mitre.org/groups/G0016/">APT29</a>, also known as “<a href="https://www.independent.co.uk/news/uk/home-news/cozy-bear-russia-hacking-coronavirus-vaccine-oxford-imperial-college-a9623361.html">Cozy Bear</a>”, which is the hacking arm of Russia’s foreign intelligence service, the <a href="https://www.bbc.com/news/10447308">SVR</a>. The same group was reportedly involved in the <a href="https://www.wired.co.uk/article/russia-hack-coronavirus-vaccine">attempted hacking</a> of organisations holding information about COVID-19 vaccines in July 2020. </p>
<p>In Russia and China at least, <a href="https://www.ibtimes.co.uk/nation-state-hackers-vs-cybercriminal-gangs-separation-tactics-no-longer-exists-1611556">evidence suggests</a> that gangs of cybercriminals are working closely, and sometimes interchangeably, with state-sponsored hacking groups. With the advent of the Tianfu Cup, China appears to have access to a new talent pool of expert hackers, motivated by the competition’s prize money to produce potentially harmful hacks that Beijing may be willing to use both at home and abroad.</p>
<p class="fine-print"><em><span>Elochukwu Ukwandu received funding from Scottish Enterprise.</span></em></p><p class="fine-print"><em><span>Chaminda Hewage does not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
<p class="fine-print"><em>In its inaugural contest, the Tianfu Cup produced an iPhone hack that was allegedly used to spy on China’s Uyghur minority.</em></p>
<p class="fine-print">Chaminda Hewage, Reader in Data Security, Cardiff Metropolitan University; Elochukwu Ukwandu, Lecturer in Computer Security, Department of Computer Science, Cardiff Metropolitan University. Licensed as Creative Commons – attribution, no derivatives.</p>
<h1>The Colonial Pipeline ransomware attack and the SolarWinds hack were all but inevitable – why national cyber defense is a ‘wicked’ problem</h1>
<p class="fine-print">Published 2021-05-10</p>
<figure><img src="https://images.theconversation.com/files/399798/original/file-20210510-5687-6h8vxa.jpg?ixlib=rb-1.1.0&rect=0%2C0%2C2588%2C1722&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">Military units like the 780th Military Intelligence Brigade shown here are just one component of U.S. national cyber defense.</span> <span class="attribution"><a class="source" href="https://www.flickr.com/photos/ftmeade/43693064352/">Fort George G. Meade Public Affairs Office/Flickr</a></span></figcaption></figure><p><strong>Takeaways:</strong></p>
<p>· <strong>There are no easy solutions to shoring up U.S. national cyber defenses.</strong></p>
<p>· <strong>Software supply chains and private sector infrastructure companies are vulnerable to hackers.</strong></p>
<p>· <strong>Many U.S. companies outsource software development because of a talent shortage, and some of that outsourcing goes to companies in Eastern Europe that are vulnerable to Russian operatives.</strong></p>
<p>· <strong>U.S. national cyber defense is split between the Department of Defense and the Department of Homeland Security, which leaves gaps in authority.</strong></p>
<p>The <a href="https://www.reuters.com/business/energy/top-us-fuel-pipeline-operator-pushes-recover-cyberattack-2021-05-09/">ransomware attack</a> on Colonial Pipeline on May 7, 2021, exemplifies the huge challenges the U.S. faces in shoring up its cyber defenses. The private company, which controls a significant component of the U.S. energy infrastructure and supplies nearly half of the East Coast’s liquid fuels, was vulnerable to an all-too-common type of cyber attack. The FBI has attributed the attack to a <a href="https://www.msn.com/en-us/news/us/colonial-pipeline-hack-claimed-by-russian-group-darkside-spurs-emergency-order-from-white-house/ar-BB1gzKHS?ocid=uxbndlbing">Russian cybercrime gang</a>. It would be difficult for the government to mandate better security at private companies, and the government is unable to provide that security for the private sector.</p>
<p>Similarly, the <a href="https://www.cnn.com/2020/12/14/politics/us-agencies-hack-solar-wind-russia/index.html">SolarWinds hack</a>, one of the most devastating cyber attacks in history, which came to light in December 2020, exposed vulnerabilities in global software supply chains that affect government and private sector computer systems. It was a <a href="https://theconversation.com/the-sunburst-hack-was-massive-and-devastating-5-observations-from-a-cybersecurity-expert-152444">major breach of national security</a> that revealed gaps in U.S. cyber defenses.</p>
<p>These gaps include inadequate security by a major software producer, fragmented authority for government support to the private sector, blurred lines between organized crime and international espionage, and a national shortfall in software and cybersecurity skills. None of these gaps is easily bridged, but the scope and impact of the SolarWinds attack show how critical controlling these gaps is to U.S. national security. </p>
<figure class="align-center zoomable">
<a href="https://images.theconversation.com/files/399806/original/file-20210510-5687-1oa54yp.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="A chain-link fence topped with barbed wire in the foreground, large pipes and valves in front of a large white storage tank labeled Colonial Pipeline Co" src="https://images.theconversation.com/files/399806/original/file-20210510-5687-1oa54yp.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/399806/original/file-20210510-5687-1oa54yp.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=399&fit=crop&dpr=1 600w, https://images.theconversation.com/files/399806/original/file-20210510-5687-1oa54yp.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=399&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/399806/original/file-20210510-5687-1oa54yp.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=399&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/399806/original/file-20210510-5687-1oa54yp.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=502&fit=crop&dpr=1 754w, https://images.theconversation.com/files/399806/original/file-20210510-5687-1oa54yp.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=502&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/399806/original/file-20210510-5687-1oa54yp.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=502&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">Cyber defenses for critical infrastructure are considerably more challenging to implement than installing barbed wire fences around fuel storage depots.</span>
<span class="attribution"><a class="source" href="https://www.gettyimages.com/detail/news-photo/fuel-tanks-are-seen-at-colonial-pipeline-baltimore-delivery-news-photo/1232808413?adppopup=true">Jim Watson/AFP via Getty Images</a></span>
</figcaption>
</figure>
<p>The <a href="https://us-cert.cisa.gov/ncas/alerts/aa20-352a">SolarWinds breach</a>, likely carried out by a <a href="https://www.reuters.com/article/us-global-cyber-solarwinds/solarwinds-hackers-linked-to-known-russian-spying-tools-investigators-say-idUSKBN29G0XT?mc_cid=4c17adaecd&mc_eid=464227173b">group affiliated with Russia’s FSB security service</a>, compromised the software development supply chain used by SolarWinds to update 18,000 users of its Orion network management product. SolarWinds sells software that organizations use to manage their computer networks. The hack, which allegedly began in early 2020, was discovered only in December when cybersecurity company <a href="https://www.fireeye.com/">FireEye revealed</a> that it had been hit by the malware. More worrisome, this may have been <a href="https://www.wsj.com/articles/suspected-russian-hack-extends-far-beyond-solarwinds-software-investigators-say-11611921601">part of a broader attack</a> on government and commercial targets in the U.S.</p>
<p>The Biden administration is <a href="https://www.npr.org/2021/04/29/991333036/biden-order-to-require-new-cybersecurity-standards-in-response-to-solarwinds-att">preparing an executive order</a> that is expected to address these software supply chain vulnerabilities. However, these changes, as important as they are, would probably not have prevented the SolarWinds attack. And preventing ransomware attacks like the Colonial Pipeline attack would require U.S. intelligence and law enforcement to infiltrate every organized cyber criminal group in Eastern Europe.</p>
<h2>Supply chains, sloppy security and a talent shortage</h2>
<p>The vulnerability of the software supply chain – the collections of software components and software development services companies use to build software products – is a well-known problem in the security field. In response to a 2017 <a href="https://www.whitehouse.gov/presidential-actions/presidential-executive-order-assessing-strengthening-manufacturing-defense-industrial-base-supply-chain-resiliency-united-states/">executive order</a>, a <a href="https://media.defense.gov/2018/Oct/05/2002048904/-1/-1/1/ASSESSING-AND-STRENGTHENING-THE-MANUFACTURING-AND-DEFENSE-INDUSTRIAL-BASE-AND-SUPPLY-CHAIN-RESILIENCY.PDF">report by a Department of Defense-led interagency task force</a> identified “a surprising level of foreign dependence,” workforce challenges and critical capabilities such as printed circuit board manufacturing that companies are moving offshore in pursuit of competitive pricing. All these factors came into play in the SolarWinds attack.</p>
<p>SolarWinds, driven by its growth strategy and plans to <a href="https://www.channelfutures.com/business-models/solarwinds-msp-business-spinoff-expected-by-mid-2021">spin off its managed service provider business</a> in 2021, <a href="https://www.bloomberg.com/news/articles/2020-12-21/solarwinds-adviser-warned-of-lax-security-years-before-hack">bears much of the responsibility</a> for the damage, according to cybersecurity experts. I believe that the company put itself at risk by <a href="https://www.nytimes.com/2021/01/02/us/politics/russian-hacking-government.html?searchResultPosition=1">outsourcing its software development to Eastern Europe</a>, including a <a href="https://www.nytimes.com/2021/01/06/us/politics/russia-cyber-hack.html">company in Belarus</a>. Russian operatives have been known to use companies in former Soviet satellite countries to insert malware into software supply chains. Russia used this technique in the 2017 <a href="https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/">NotPetya attack</a> that cost global companies more than US$10 billion.</p>
<figure>
<iframe width="440" height="260" src="https://www.youtube.com/embed/ljT4AcCza9Q?wmode=transparent&start=0" frameborder="0" allowfullscreen=""></iframe>
<figcaption><span class="caption">Software supply chain attacks explained.</span></figcaption>
</figure>
<p>SolarWinds also <a href="https://www.businessinsider.com/solarwinds-warned-weak-123-password-could-expose-firm-report-2020-12">failed to practice basic cybersecurity hygiene</a>, according to a cybersecurity researcher. </p>
<p>Vinoth Kumar reported that the <a href="https://www.businessinsider.com/solarwinds-warned-weak-123-password-could-expose-firm-report-2020-12">password</a> for the software company’s development server was allegedly “solarwinds123,” an egregious violation of fundamental standards of cybersecurity. SolarWinds’ sloppy password management is ironic in light of the Password Management Solution of the Year <a href="https://www.solarwindsmsp.com/about-us/press/press-releases/solarwinds-wins-password-management-solution-year-award-2019">award the company received</a> in 2019 for its Passportal product.</p>
<p>In a <a href="https://orangematter.solarwinds.com/2021/01/11/new-findings-from-our-investigation-of-sunburst/">blog post</a>, the company admitted that “the attackers were able to circumvent threat detection techniques employed by both SolarWinds, other private companies, and the federal government.”</p>
<p>The larger question is why SolarWinds, an American company, had to turn to foreign providers for software development. A Department of Defense <a href="https://media.defense.gov/2018/Oct/05/2002048904/-1/-1/1/ASSESSING-AND-STRENGTHENING-THE-MANUFACTURING-AND-DEFENSE-INDUSTRIAL-BASE-AND-SUPPLY-CHAIN-RESILIENCY.PDF">report about supply chains</a> characterizes the lack of software engineers as a crisis, partly because the education pipeline is not providing enough software engineers to meet demand in the commercial and defense sectors. </p>
<p>There’s also a shortage of <a href="https://www.lawfareblog.com/cyber-strategy-and-talent">cybersecurity talent</a> in the U.S. Engineers, software developers and network engineers are among the <a href="https://www.cyberseek.org/heatmap.html">most needed skills across the U.S.</a>, and the lack of software engineers who focus on the security of software in particular is acute. </p>
<h2>Fragmented authority</h2>
<p>Though I’d argue SolarWinds has much to answer for, it should not have had to defend itself against a state-orchestrated cyber attack on its own. The <a href="https://fcw.com/articles/2018/09/20/wh-cyber-policy.aspx">2018 National Cyber Strategy</a> describes how supply chain security should work. The government determines the security of federal contractors like SolarWinds by reviewing their risk management strategies, ensuring that they are informed of threats and vulnerabilities and responding to incidents on their systems.</p>
<p>However, this official strategy split these responsibilities between the Pentagon for defense and intelligence systems and the Department of Homeland Security for civil agencies, continuing a fragmented approach to information security that <a href="https://www.gao.gov/products/T-IMTEC-87-2">began in the Reagan era</a>. Execution of the strategy relies on the DOD’s <a href="https://www.cybercom.mil/">U.S. Cyber Command</a> and DHS’s <a href="https://www.cisa.gov/">Cybersecurity and Infrastructure Security Agency</a>. DOD’s <a href="https://media.defense.gov/2018/Sep/18/2002041658/-1/-1/1/CYBER_STRATEGY_SUMMARY_FINAL.PDF">strategy</a> is to “defend forward”: that is, to disrupt malicious cyber activity at its source, which proved effective in the <a href="https://www.washingtonpost.com/world/national-security/us-cyber-command-operation-disrupted-internet-access-of-russian-troll-factory-on-day-of-2018-midterms/2019/02/26/1827fc9e-36d6-11e9-af5b-b51b7ff322e9_story.html">run-up to the 2018 midterm elections</a>. The Cybersecurity and Infrastructure Security Agency, established in 2018, is responsible for providing information about threats to <a href="https://www.cisa.gov/critical-infrastructure-sectors">critical infrastructure sectors</a>.</p>
<p>Neither agency appears to have sounded a warning or attempted to mitigate the attack on SolarWinds. The government’s response came only after the attack. The Cybersecurity and Infrastructure Security Agency issued <a href="https://us-cert.cisa.gov/ncas/current-activity/2021/01/06/cisa-updates-emergency-directive-21-01-supplemental-guidance-and">alerts and guidance</a>, and a <a href="https://obamawhitehouse.archives.gov/the-press-office/2016/07/26/presidential-policy-directive-united-states-cyber-incident">Cyber Unified Coordination Group</a> was formed to facilitate coordination among federal agencies.</p>
<p>These tactical actions, while useful, were only a partial solution to the larger, strategic problem. The fragmentation of the authorities for national cyber defense evident in the SolarWinds hack is a strategic weakness that complicates cybersecurity for the government and private sector and invites more attacks on the software supply chain.</p>
<h2>A wicked problem</h2>
<p>National cyber defense is an example of a “<a href="https://www.stonybrook.edu/commcms/wicked-problem/about/What-is-a-wicked-problem">wicked problem</a>,” a policy problem that has no clear solution or measure of success. The <a href="https://theconversation.com/government-cybersecurity-commission-calls-for-international-cooperation-resilience-and-retaliation-133610">Cyberspace Solarium Commission</a> identified many inadequacies of U.S. national cyber defenses. In its 2020 report, the commission noted that “There is still not a clear unity of effort or theory of victory driving the federal government’s approach to protecting and securing cyberspace.” </p>
<p>Many of the factors that make developing a centralized national cyber defense challenging lie outside of the government’s direct control. For example, economic forces push technology companies to get their products to market quickly, which can lead them to take shortcuts that undermine security. Legislation along the lines of the <a href="https://www.congress.gov/106/plaws/publ102/PLAW-106publ102.pdf">Gramm-Leach-Bliley Act</a> passed in 1999 could help deal with the need for speed in software development. The law placed security requirements on financial institutions. But software development companies are likely to push back against additional regulation and oversight.</p>
<p>The Biden administration appears to be taking the challenge seriously. The president has appointed a <a href="https://www.politico.com/news/2021/01/06/biden-white-house-cybersecurity-neuberger-455508">national cybersecurity director</a> to coordinate related government efforts. It remains to be seen whether and how the administration will address the problem of fragmented authorities and clarify how the government will protect companies that supply critical digital infrastructure. It’s unreasonable to expect any U.S. company to be able to fend for itself against a foreign nation’s cyberattack. </p>
<h2>Steps forward</h2>
<p>In the meantime, software developers can apply the <a href="https://www.nccoe.nist.gov/sites/default/files/NIST-SSDF-Webinar.pdf">secure software development approach</a> advocated by the National Institute of Standards and Technology. Government and industry can prioritize the development of artificial intelligence that can identify malware in existing systems. All this takes time, however, and hackers move quickly.</p>
<p>Finally, companies need to aggressively assess their vulnerabilities, particularly by engaging in more “<a href="https://resources.infosecinstitute.com/topic/red-teaming-overview-assessment-methodology/">red teaming</a>” activities: that is, having employees, contractors or both play the role of hackers and attack the company. </p>
<p>Recognizing that hackers in the service of foreign adversaries are dedicated, thorough and not constrained by any rules is important for anticipating their next moves and reinforcing and improving U.S. national cyber defenses. Otherwise, Colonial Pipeline is unlikely to be the last victim of a major attack on U.S. infrastructure and SolarWinds is unlikely to be the last victim of a major attack on the U.S. software supply chain.</p>
<p><em>This is an updated version of an <a href="https://theconversation.com/the-solarwinds-hack-was-all-but-inevitable-why-national-cyber-defense-is-a-wicked-problem-and-what-can-be-done-about-it-153084">article</a> originally published on February 9, 2021.</em></p>
<p class="fine-print"><em><span>Terry Thompson does not work for, consult, own shares in or receive funding from any company or organization that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
<p><em>Fragmented authority for national cyber defense and the vulnerabilities of private companies that control software and infrastructure stack the deck against US cybersecurity.</em></p>
<p>Terry Thompson, Adjunct Instructor in Cybersecurity, Johns Hopkins University. Licensed as Creative Commons – attribution, no derivatives.</p>
<p>Four ways to make sure your passwords are safe and easy to remember (published 2021-05-05T10:55:24Z)</p>
<figure><img src="https://images.theconversation.com/files/397072/original/file-20210426-13-1l50s80.jpg?ixlib=rb-1.1.0&rect=181%2C107%2C5277%2C3474&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">Many still make their passwords too simple.</span> <span class="attribution"><a class="source" href="https://www.shutterstock.com/image-photo/strong-weak-easy-password-note-pad-1197236665">Shutterstock/Vitalii Vodolazskyi</a></span></figcaption></figure>
<p>For more than 15 years, there have been various predictions from tech leaders about the death of passwords. Bill Gates predicted it <a href="https://www.cnet.com/news/gates-predicts-death-of-the-password/">back in 2004</a> and Microsoft has <a href="https://www.neowin.net/news/microsoft-2021-is-the-year-passwords-die/">predicted it for 2021</a>. There have been numerous similar proclamations in between, alongside ongoing criticism of passwords as an inadequate means of protection.</p>
<p>Yet passwords remain a common aspect of cybersecurity, something people use every day. What’s more, passwords show little sign of disappearing yet. But many people <a href="https://theconversation.com/from-password-to-1234-why-we-still-fail-the-online-security-test-22357">still use them badly</a> and seem unaware of recommended good practice.</p>
<p>It’s very common for cybersecurity experts and <a href="https://theconversation.com/online-security-wont-improve-until-companies-stop-passing-the-buck-to-the-customer-75274">companies to blame users</a> for using passwords poorly, without recognising that systems permit their poor choices. </p>
<p>Many websites offer no upfront guidance on how to choose the passwords they require us to have, perhaps assuming we know these things already or can find it out elsewhere. But the fact that people persist <a href="https://nordpass.com/most-common-passwords-list/">in using weak passwords</a> suggests this is an optimistic view.</p>
<hr>
<p><em><strong>Read more: <a href="https://theconversation.com/four-steps-to-a-simpler-safer-password-system-27471">Four steps to a simpler, safer password system</a></strong></em></p>
<hr>
<h2>Outdated advice</h2>
<p>In addition to lacking guidance, it’s common to find websites enforcing outdated password requirements. You’re probably familiar with systems insisting on password complexity, by requiring upper case letters, numbers or special characters to make passwords stronger (our response to which often mirrors the video below). </p>
<figure>
<iframe width="440" height="260" src="https://www.youtube.com/embed/aHaBH4LqGsI?wmode=transparent&start=0" frameborder="0" allowfullscreen=""></iframe>
</figure>
<p>However, <a href="https://pages.nist.gov/800-63-3/sp800-63b.html">the current guidance</a> is to allow complexity but not to require it, and to treat password length as the main measure of password strength.</p>
<p>The <a href="https://www.ncsc.gov.uk/">National Cyber Security Centre</a> recommends creating a long password by combining three random words, enabling something longer and more memorable than many standard choices.</p>
<h2>My password attempts</h2>
<p>Also unhelpful is that, rather than giving guidance and requirements at the outset, many sites only reveal rules in response to us trying things that aren’t allowed. I tried creating a password for one such site. Most of my attempts received feedback requiring further action, until I settled on a final choice, which was accepted without complaint. But the password that was accepted, steve!, was short and rather predictable. </p>
<figure class="align-center ">
<img alt="A screenshot of four attempts to create a password." src="https://images.theconversation.com/files/397073/original/file-20210426-17-1b519le.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/397073/original/file-20210426-17-1b519le.png?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=312&fit=crop&dpr=1 600w, https://images.theconversation.com/files/397073/original/file-20210426-17-1b519le.png?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=312&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/397073/original/file-20210426-17-1b519le.png?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=312&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/397073/original/file-20210426-17-1b519le.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=392&fit=crop&dpr=1 754w, https://images.theconversation.com/files/397073/original/file-20210426-17-1b519le.png?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=392&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/397073/original/file-20210426-17-1b519le.png?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=392&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px">
<figcaption>
<span class="caption">Wrestling with rules.</span>
<span class="attribution"><span class="source">Steven Furnell</span>, <span class="license">Author provided</span></span>
</figcaption>
</figure>
<p>When I played around a bit more, various other weak choices were accepted. For example, 1234a!, abcde1 and qwert! all satisfied the rules, as did Furnell1 – which isn’t particularly strong, especially as I had already entered Furnell as my last name elsewhere on the sign-up form.</p>
<p>Meanwhile, the rules often mean we can’t use passwords our devices auto-generate for us, or ones we might create for ourselves by following current guidance.</p>
<figure class="align-center ">
<img alt="Screenshot of an attempt to use a generated password." src="https://images.theconversation.com/files/397075/original/file-20210426-21-1viiqjm.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/397075/original/file-20210426-21-1viiqjm.png?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=257&fit=crop&dpr=1 600w, https://images.theconversation.com/files/397075/original/file-20210426-21-1viiqjm.png?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=257&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/397075/original/file-20210426-21-1viiqjm.png?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=257&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/397075/original/file-20210426-21-1viiqjm.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=324&fit=crop&dpr=1 754w, https://images.theconversation.com/files/397075/original/file-20210426-21-1viiqjm.png?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=324&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/397075/original/file-20210426-21-1viiqjm.png?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=324&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px">
<figcaption>
<span class="caption">Many websites don’t allow generated passwords.</span>
<span class="attribution"><span class="source">Steven Furnell</span></span>
</figcaption>
</figure>
<p>Some sites seem to think they can compensate for a lack of guidance by using techniques such as password meters to rate our choices. However, while these give feedback, they’re not a substitute for providing guidance on what good looks like. </p>
<p>Using another site, I entered a poor password (the word password), and the only feedback I received was that the password is very weak. If a user was genuinely offering this password as an attempt, what they need to be told is why it’s weak. While you can doubtless find some sites giving better and more informative feedback, this example is unfortunately representative of many others.</p>
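One way to give the informative feedback the article calls for, following the NIST SP 800-63B guidance cited above (no composition rules, length as the main measure of strength, screening against common passwords and against context-specific words such as the name entered elsewhere on the form). This is an added example, not code from the article, NIST or the NCSC; the blocklist, the sequence table and the sample attempts are constructed.

```python
"""Password checks in the spirit of NIST SP 800-63B (memorized secrets).

Added example, not the article's or NIST's code. Rather than a bare "very weak"
verdict, each rejection carries a reason the user can act on.
"""
from __future__ import annotations

import re
import unicodedata

MIN_LENGTH = 8    # NIST minimum for user-chosen passwords
MAX_LENGTH = 64   # NIST: at least 64 characters must be accepted

# Constructed stand-in for a breached/common-password list. A real deployment
# would load a large list from a breach corpus rather than a dozen entries.
COMMON_PASSWORDS = {
    "password", "123456", "12345678", "qwerty", "letmein", "iloveyou",
    "admin", "welcome", "monkey", "dragon", "football", "abc123",
}

# Any 4-character run taken from one of these strings (forwards or backwards)
# counts as a predictable sequence, e.g. "1234", "abcd", "qwer".
SEQUENCES = (
    "abcdefghijklmnopqrstuvwxyz",
    "0123456789",
    "qwertyuiop", "asdfghjkl", "zxcvbnm",   # keyboard rows
)


def normalize(password: str) -> str:
    # NFKC so visually identical inputs compare equal; case and spaces are
    # kept, since NIST allows all printing characters including space.
    return unicodedata.normalize("NFKC", password)


def _contains_sequence(lowered: str, run: int = 4) -> str | None:
    """Return the first predictable run found in the password, if any."""
    for seq in SEQUENCES:
        for i in range(len(seq) - run + 1):
            chunk = seq[i:i + run]
            if chunk in lowered or chunk[::-1] in lowered:
                return chunk
    return None


def evaluate_password(password: str, context_words: tuple[str, ...] = ()) -> list[str]:
    """Return the reasons a password is unacceptable; an empty list means OK.

    context_words are values the user already supplied on the form (name,
    username, e-mail local part) that should not appear in the password.
    """
    pw = normalize(password)
    lowered = pw.lower()
    reasons: list[str] = []

    if len(pw) < MIN_LENGTH:
        reasons.append(f"too short: {len(pw)} characters, need at least {MIN_LENGTH}")
    if len(pw) > MAX_LENGTH:
        reasons.append(f"too long: limit is {MAX_LENGTH} characters")

    # Strip leading/trailing punctuation and digits so "password!" and
    # "Password1" still match the blocklist entry "password".
    core = re.sub(r"^[^a-z0-9]+|[^a-z0-9]+$", "", lowered)
    letters_only = re.sub(r"[^a-z]", "", lowered)
    if core in COMMON_PASSWORDS or letters_only in COMMON_PASSWORDS:
        reasons.append("appears in a list of commonly used passwords")

    for word in context_words:
        w = word.lower()
        if len(w) >= 3 and w in lowered:
            reasons.append(f"contains '{word}', which you entered elsewhere on the form")

    seq = _contains_sequence(lowered)
    if seq:
        reasons.append(f"contains the predictable sequence '{seq}'")
    if 0 < len(set(lowered)) < 4:
        reasons.append("uses too few distinct characters")
    return reasons


if __name__ == "__main__":
    # The article's accepted attempts, plus an NCSC-style three-word phrase.
    for attempt in ("steve!", "1234a!", "abcde1", "qwert!", "Furnell1",
                    "password", "lamppost bicycle orchard"):
        print(f"{attempt!r}: {evaluate_password(attempt, ('Steven', 'Furnell')) or 'OK'}")
```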
<h2>Rules to follow</h2>
<p>Of course, having highlighted the lack of effective guidance, it would be remiss to end without actually offering some. <a href="https://www.ncsc.gov.uk/cyberaware/home">The NCSC’s guidance</a> on choosing and using passwords is listed and briefly explained below:</p>
<ol>
<li>Use a strong and separate password for your email – as this is often your route to accessing other accounts.</li>
<li>Create strong passwords using three random words – this will give you stronger and more memorable passwords.</li>
<li>Save your passwords in your browser – this prevents you forgetting or losing them.</li>
<li>Turn on two-factor authentication – this adds an extra element of protection even if your password is compromised.</li>
</ol>
<p>It’s useful to supplement this with additional reminders not to <a href="https://theconversation.com/four-steps-to-a-simpler-safer-password-system-27471">use the same password</a> across multiple accounts for fear that a breach of one leads to breach of all, not to share them with other people because then it’s no longer your password, and not to keep a discoverable record of them. Storing them in a protected location, such as a password manager tool, is fine. </p>
<p>It’s worrying to think that passwords have been around for decades and we’re still getting it wrong. And they’re just one aspect of cybersecurity that we need to be using properly. This doesn’t bode well for cybersecurity more widely.</p>
<p class="fine-print"><em><span>Steven Furnell does not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
<p><em>Passwords have been around for decades and we’re still getting it wrong.</em></p>
<p>Steven Furnell, Professor of Cyber Security, University of Nottingham. Licensed as Creative Commons – attribution, no derivatives.</p>