Opinion

New regulations are required to prevent hackers exploiting the growing number of woefully-insecure IoT devices

In its latest annual assessment of the cyber security landscape, Finland’s Nokia this week warned about the growing threat posed to both businesses and consumers by poorly-secured connected devices such as smart home gadgets. The firm’s 2019 Threat Intelligence Report revealed that Internet of Things (IoT) botnet activity accounted for 78% of all malware detection events in communication service provider networks this year. That was more than double the rate seen in 2016, when IoT botnet activity was first detected in a meaningful way. Hackers are able to create IoT botnets by taking control of multiple connected devices and then using them to harvest personal banking information from consumers, or to launch distributed denial-of-service (DDoS) attacks on companies’ websites.

While this may be a relatively new phenomenon, researchers have been warning for years about the possible dangers presented by the deluge of connected devices that are being rushed to market by firms that consider security a low priority. In light of Nokia’s latest findings, and a forecast over the summer from Sweden’s Ericsson that predicted there will be 3.5 billion IoT connections by 2023, it is clear things need to change if we are to avoid hackers having easy access to a global army of insecure devices they could easily use to steal personal information and launch DDoS attacks.

As it appears many connected device makers are more concerned with getting their products on sale quickly for as low a price as possible rather than investing the resources required to make sure their inventions are secure, the time has surely come for governments around the world to intervene. With the threat posed by insecure IoT devices growing, the industry needs to be properly regulated to ensure the items it sells meet minimum security standards. While regulators and think tanks in both the US and the EU have looked at the possibility of creating new rules to guarantee a minimum level of security in IoT devices, lawmakers across the globe have so far managed to do little more than produce largely unenforceable guidelines for makers of connected products.

In October, the US state of California became the first jurisdiction to pass meaningful laws on IoT security, but this only applies to devices sold locally, so will likely have little real impact on the behaviour of connected product manufacturers. It is however a step in the right direction, and one that lawmakers elsewhere should look to follow as it becomes clearer that IoT product designers will only act on security if forced to do so. A slew of recent examples show that issuing guidance just does not work.

At the end of September, researchers at antivirus firm Avast announced that they had discovered “the most sophisticated botnet they have ever seen”. They revealed that the Torii botnet was targeting insecure IoT devices, and that the malware behind it was way more sophisticated and advanced than that which was responsible for the creation of the Mirai botnet and its derivatives. Once Torii has compromised one device, it is capable of spreading to other connected products on a user’s network, and is also designed to silently mine cryptocurrencies such as Bitcoin. During the same month, researchers at Princeton University cautioned that hackers could use botnets to attack key national infrastructure, including power grids.

Away from the threat of botnets, insecure connected devices also pose a significant risk to both the security and privacy of consumers. In a report published in November, the Mozilla Foundation examined the safety and security of a number of connected devices that are likely to be a hit with shoppers over the holiday season this year. The company warned that a number of the connected devices it tested, particularly drones and smart speakers, could spy on users and their children, or expose their personal information. Highlighting the risk to children, of the 18 products reviewed in the toys and games category, Mozilla found that just five met its “minimum standards”.

This all goes to show that connected device makers are paying little if any attention to the guidance being offered by researchers and governments. Instead, they are continuing to pump out inadequately-secured devices that not only pose a threat to the consumers who buy them, but also to businesses that could be targeted in DDoS attacks, and in some cases even national security. On current evidence, it is clear that these companies simply will not act unless they are compelled to, making it vital that governments across the world move quickly to force their hand. With the number of connected devices expected to rocket over the coming years, particularly with the advent of 5G technology, failure to act now may hand hackers access to millions of devices that could be harnessed to commit all manner of cyber-enabled crimes.

Opinion

How America’s methamphetamine crackdown enriched Mexican drug cartels and made the country’s problem with the drug worse

Up until 2006, the overwhelming majority of methamphetamine consumed in the US was manufactured in domestic labs scattered across the country. Then, at what came to be considered the peak of the country’s meth use epidemic, new legislation was introduced that made it much more difficult for producers of the drug to get hold of the ingredients required to make it. The 2005 Combat Methamphetamine Epidemic Act included much stricter controls on the sale of ephedrine, pseudoephedrine and phenylpropanolamine, and resulted in a sharp fall in the amount of meth produced in the US.

Thanks to the introduction of laws such as these and numerous crackdowns on US methamphetamine manufacturers launched by the Drug Enforcement Administration (DEA), domestic production of the substance was almost eradicated during the latter part of the mid-2000s, save for small-time producers using the highly dangerous so-called “shake-and-bake” method. But rather than ending the country’s problem with the drug, these developments opened a huge opportunity for Mexican trafficking cartels, which have over the intervening years more than plugged the gap left in the market.

While the Combat Methamphetamine Epidemic Act did result in a fall in the number of meth users and hospital admissions related to use of the drug in the immediate aftermath of its introduction, the emergence of Mexican labs turning out huge quantities of what has come to be referred to as “super meth” soon began to reverse any gains. Having fallen to a low of 314,000 in 2008, the number of Americans using methamphetamine in 2018, the most recent year for which data is available, rose to 1.9 million, according to the 2018 National Survey on Drug Use and Health. This was equivalent to a rise from 0.1% of the US population to 0.7%. Experts agree that the drug’s extraordinary comeback is being driven almost exclusively by Mexican cartels’ skilful exploitation of US efforts to end domestic production of methamphetamine.

Unlike what was being produced in domestic labs, the meth coming into the US from Mexico is typically close to 100% pure and can cost as little as $5 a hit. The price of the drug has plummeted over recent years thanks to the sheer volumes the cartels are bringing into America, making it even more attractive to addicts looking to get as long a high as possible for their money. In July of last year, federal drug data seen by NPR revealed that seizures of meth by US law enforcement agencies rose 142% between 2017 and 2018.

In November of last year, acting US Customs & Border Protection Commissioner Mark Morgan warned that super labs in Mexico were flooding America with ever cheaper and purer forms of meth. During a White House press briefing, Morgan said: “The illicit narcotics the transnational criminal organisations are flooding the US with are making their way to every town, city, and state in this country. It isn’t just a border issue. Make no mistake: If your city, town, or state has a meth problem, it came from the southwest border.”

Away from National Survey on Drug Use and Health data, other indicators suggest super meth is beginning to take its toll on users. At the end of January, the US Centres for Disease Control and Prevention revealed that between 2012 and 2018, the rate of drug overdose deaths involving psychostimulants such as methamphetamine increased nearly five-fold. Separately, a study published by Millennium Health in the JAMA Network journal this January revealed that use of methamphetamine is rocketing across the US, with the number of urine samples testing positive for the drug rising from about 1.4% in 2013 to around 8.4% last year. The findings of the study suggested that “methamphetamine-related overdose deaths [especially] may continue to increase”.

As part of its efforts to stem the flow of methamphetamine flooding into the country, the DEA last week launched Operation Crystal Shield, which will see the agency target major methamphetamine trafficking hubs in locations such as Atlanta, Dallas, El Paso, Houston, Los Angeles, New Orleans, Phoenix and the St Louis Division. The DEA said in a statement that these locations accounted for 75% of all methamphetamine seizures made in the US last year.

But with the Mexican cartels coming up with evermore ingenious methods of sneaking their products into the country, including bringing methamphetamine into the US in liquid form, the DEA will have its work cut out. While well intentioned, the mid-2000s crackdown on America’s methamphetamine crisis not only appears to have opened up an extremely lucrative new line of business for Mexican trafficking gangs, but may very well also have made the country’s already disastrous relationship with the drug much worse.

Opinion

Islamist or far right, terrorist prisoners should remain behind bars if there is the slightest suspicion they could still pose a risk

The British government last week very sensibly moved to make sure dangerous terrorist prisoners cannot be released halfway through their sentences to maim and murder innocent members of the public. In emergency legislation tabled in Parliament after two Islamists launched bloody attacks over the past few months having both been let out of jail early, UK government ministers sought to prevent extremists from being set free prior to serving at least two-thirds of their sentence. Even then, cases would need to be referred to the Parole Board for consideration before an inmate could be freed, according to the draft legislation. Under British law as it stands, terrorist suspects are automatically released from jail halfway through their sentences even if authorities believe they could still pose a threat.

The unveiling of the proposed new law prompted some commentators to complain that simply locking up terrorists and throwing away the key is no way to deal with radicalised individuals, as is often the case whenever stricter sentencing for these types of offences is floated as an idea. In reality though, while the suggested new measures may be a start, they go nowhere near far enough.

While the multiple terror attacks the UK endured throughout 2017 were not enough to force any meaningful change, one need only look at the events of the past few months to see how desperately reform of current legislation is needed. In November of last year, an Islamist extremist who had been let out of jail early after being convicted of plotting to launch attacks on several London landmarks stabbed two people to death while attending a conference on rehabilitating offenders in Fishmongers’ Hall near London Bridge.

If it were not for the bravery of members of the public, who tackled Usman Khan before armed police arrived on the scene and shot him dead, it is likely that many more victims would have lost their lives. Khan was handed an indeterminate prison sentence for “public protection” with a minimum jail term of eight years after he was convicted of a range of terrorist offences in 2012, including plotting an attack on the London Stock Exchange. Despite this, he was freed in December 2018, less than a year before he launched his deadly attack.

Just months later, another Islamist extremist stabbed two people in the London suburb of Streatham after being released halfway through a terror-related prison sentence just days earlier. Sudesh Amman was shot dead by a police officer who was part of a team keeping him under surveillance due to worries about the danger he posed. Amman was set free after being jailed for possessing documents containing terrorist information and disseminating terrorist publications. If nothing else, the fact the 20-year-old jihadist was released from custody despite being considered so dangerous that he required police surveillance demonstrated just how wrong-headed current UK law is.

How can it be the case that a potentially violent extremist can be let out of prison when he is considered such a threat that he requires a team of detectives to monitor his movements? While it is of course a good thing that officers were on hand to neutralise Amman after he launched his attack, would it not have been better for all concerned if he had not been freed in the first place?

Over the approaching months, scores of convicted terrorists will be coming up for release in Britain, which is one of the reasons the UK government is so keen to push through its new legislation as soon as possible. But while the new law might buy ministers some breathing space by keeping dangerous extremists off the streets in the short term, all it effectively does is kick the problem into the long grass. Even if some extremists are forced to serve the whole of their tariff behind bars, there will be no guarantee they will not hold the same views that inspired their original crimes once they are eventually released from jail. This will be the case whether the offender is an Islamist or a member of a far-right organisation, although the former group is by some margin a more worrying concern in the UK at present.

As such, the law must act accordingly. A system under which terrorists are handed determinate sentences is no longer fit for purpose, as has been demonstrated repeatedly not only in the UK but also elsewhere. Members of the public deserve to be protected from dangerous extremists, which means none should be allowed to walk the streets until any suspicion that they might pose a risk has been completely discounted. The long and short of the matter is that so long as those harbouring dangerous extremist attitudes are not allowed back on the streets, their chances of acting out their ideological impulses will be much diminished, and you and I will feel safer going about our business without the fear of being stabbed in the neck by a convicted terrorist whose rightful place is behind bars.

Opinion

How virtual credit card skimmers successfully target blue-chip firms that should have the resources to repel their attacks

Despite the banking industry’s best efforts and the launch of a multitude of awareness-raising campaigns by law enforcement agencies across the globe, criminals are still able to use ATM machine and point-of-sale (POS) payment system skimmers to harvest consumers’ credit card details with relative ease. In just the past few weeks, a French-Brazilian man was handed a suspended jail sentence in Australia after being convicted of using an ATM skimmer to fleece victims of tens of thousands of dollars, while police in numerous states across the US have reported increased incidents of credit card skimming devices being found attached to payment consoles at petrol station pumps.

If it were not bad enough that the makers of cash machines and POS devices appear to be completely unable to prevent a scam that now seems relatively low-tech in nature, hackers are increasingly turning to a virtual version of credit card skimming that targets information entered by buyers during the checkout process on ecommerce platforms.

Earlier this week, Interpol revealed that it had supported an operation that resulted in the arrest of three suspects in Indonesia who are alleged to have used digital skimming code to steal the personal credit card information of consumers using multiple ecommerce platforms. The international law enforcement agency said the three suspects went on to use the card details they stole to buy electrical equipment before selling it on at a profit.

In collaboration with online security firm Group-IB, Interpol also identified several servers associated with this type of crime and a number of infected websites in six countries in the ASEAN region. The results of the operation demonstrated the relative ease with which virtual credit card skimmers can be deployed, highlighting the fact that they can be difficult to detect and can be bought and deployed by hackers easily for as little as $250.

This type of cyber crime activity is often referred to as Magecart, an umbrella term coined to describe the act of using so-called JavaScript sniffer malware to target ecommerce websites built on the Magento platform. By maliciously injecting a simple yet effective code into such websites, Magecart hackers are able to steal consumers’ card details and personal information as they go through checkout pages at the end of the purchasing process.

Much in the same way as physical skimmers capture credit card information and PINs at ATM and POS machines, JavaScript sniffers record payment card details and personal information such as names, addresses and phone numbers and then send this on to servers controlled by the hackers behind the scam. As well as using this information to make purchases, cyber criminals can also put credit card details on sale in bulk on the dark web, or use the information they steal to commit identity fraud.

While consumers will more often than not get their money back if their credit card information is compromised by JavaScript sniffer malware, companies targeted in such scams can suffer lasting reputational damage, and can in some cases face fines for failing to protect their customers’ data. Despite the potential consequences, businesses that one would assume would have more than adequate resources to direct towards ensuring the security of their IT systems have fallen victim to Magecart-style attacks, including British Airways and Ticketmaster.

This comes down to the fact that JavaScript sniffer code can be so difficult to detect once it has been injected into a website. At the end of December, Malwarebytes security researcher Jérôme Segura explained in a blog post how JavaScript sniffer code can be hidden in such seemingly innocuous website components as widely-used boilerplate “free shipping” image files. Segura noted that media files are good places for hackers to hide such code on account of the fact that most web crawlers and scanners concentrate on HTML and JavaScript files.
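For site owners, the gap Segura describes can be narrowed by including media files in integrity scans. The following is an added example, not code from the original article or from Malwarebytes: a Python check that flags PNG or JPEG files carrying bytes after their end-of-image marker or containing script-like text. It assumes hidden code would show up in one of those two ways; the token list, function names and sample data are this example's own.

```python
import re
import struct
import zlib

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
PNG_END = b"IEND\xaeB`\x82"   # IEND chunk type followed by its fixed CRC
JPEG_MAGIC = b"\xff\xd8\xff"
JPEG_END = b"\xff\xd9"        # JPEG end-of-image (EOI) marker

# Heuristic token list chosen for this example; tune it for your own site.
SCRIPT_HINTS = re.compile(
    rb"<script|eval\s*\(|atob\s*\(|fromCharCode|XMLHttpRequest|"
    rb"document\.|addEventListener|new\s+Function",
    re.IGNORECASE,
)


def trailing_bytes(blob):
    """Bytes after the end marker; None if format unknown or marker missing."""
    if blob.startswith(PNG_MAGIC):
        end, marker = blob.find(PNG_END), PNG_END
    elif blob.startswith(JPEG_MAGIC):
        end, marker = blob.rfind(JPEG_END), JPEG_END
    else:
        return None
    return None if end == -1 else blob[end + len(marker):]


def scan_media(blob):
    """Return a list of findings for one media file's raw bytes."""
    findings = []
    tail = trailing_bytes(blob)
    if tail is None:
        findings.append("unrecognised or truncated image")
    elif tail.strip(b"\x00\r\n\t "):
        findings.append(f"{len(tail)} bytes after end-of-image marker")
    hints = sorted({m.group(0).decode("ascii", "replace").lower()
                    for m in SCRIPT_HINTS.finditer(blob)})
    if hints:
        findings.append("script-like tokens: " + ", ".join(hints))
    return findings


def _chunk(kind, data):
    """Build one PNG chunk: length, type, data, CRC."""
    body = kind + data
    return struct.pack(">I", len(data)) + body + struct.pack(">I", zlib.crc32(body))


def sample_png():
    """Constructed 1x1 grayscale PNG used as sample input."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    return (PNG_MAGIC + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(b"\x00\x00")) + _chunk(b"IEND", b""))


# Constructed, inert stand-in for text appended to an image file.
SAMPLE_TAIL = b"\n/* constructed sample */ document.title;"

if __name__ == "__main__":
    clean = sample_png()
    print("clean:   ", scan_media(clean))
    print("tampered:", scan_media(clean + SAMPLE_TAIL))
```

Run it over every file in a site's media directories and compare results against a known-good deployment; the JPEG check is a simple marker search rather than a full segment parser.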

While it may seem strange to some observers that the banking industry and global law enforcement agencies have failed to neutralise the threat posed by physical credit card skimmers, the ease with which Magecart hackers can compromise companies’ IT systems makes the threat posed by JavaScript sniffers all the more pernicious. While the success of Interpol’s recent operation demonstrates that it is possible to identify and bring Magecart cyber criminals to justice, the fact that it can take as little as one line of code to compromise ecommerce platforms makes it very difficult to head off these types of attacks before they start producing results.

In March of last year, Group-IB revealed that Magecart malware that took the form of just one line of code had compromised more than 800 websites, including one run in the UK by apparel maker FILA. With finding such code being like searching for a needle in a haystack, it seems likely that Magecart attacks will live as long and happy a life as physical credit card skimming.
