Held for ransom by the digital 'mob'


Everybody has heard of business owners forced to pay "rent" to mobsters to ensure that their building doesn't "accidentally" burn to the ground or suffer some other deliberate misfortune.

But it could soon be average consumers who have to shell out $20 or more in Bitcoin every month to various digital "mobsters", just to make sure their car will start in the morning or the brakes won't fail on the highway, or so their home will stay locked during the day when they're at work.

That was the dystopian future envisioned by a group of experts earlier last month at a panel discussion titled, "High Tech Crimes of Tomorrow" -- part of a Georgetown Law School conference titled, "Cybercrime 2020: The Future of Online Crime and Investigations."


They have seen the future of consumer cybercrime, and its name is "ransomware."

Not that ransomware is new -- it exists now, but mainly at the enterprise or government level. "We've already seen it in network storage devices," said panelist Dino Dai Zovi, hacker-in-residence at New York University's Polytechnic School of Engineering.

In those cases, hackers generally break into a system, encrypt the data and then demand a ransom in exchange for the key to unlock the data.

Robert Shaker, senior manager, incident response at Symantec (not on the panel), agreed that this is a big problem at the enterprise level. "I can't tell you how many customers have called with this problem," he said. "It's rampant."

But now it is expected to trickle down to the consumer level, where Dai Zovi predicted that the payment demand would be small -- more of a nuisance than a crippling financial hit -- but offer enormous potential profit for criminals, given that billions more smart devices are connecting to the Internet every year.

There are several reasons for the predicted shift in crime tactics, panelists said. First, the U.S. is finally moving toward making its credit card system more secure, with so-called EMV or "Chip-and-PIN" technology. That will make credit card fraud more difficult.

Consumer ransomware is, "a business model that's going to scale, especially as we get control over more traditional cybercrime business models," Dai Zovi said. "They're (cyber criminals) basically entrepreneurs, and they're going to shift when a new market gives them better returns than an existing market, or their existing market goes away."

Another reason is that, as has been clear for some time, just because a device is "smart," does not mean it is secure. And embedded devices in the Internet of Things (IoT) are notoriously insecure.

Another panelist, Rick Howard, CSO of Palo Alto Networks, observed that even companies like Microsoft, which are good at security, have trouble with their software. "Car manufacturers have no idea how to do this," he said.

That was the message a year ago from Craig Heffner, a vulnerability researcher with Tactical Network Solutions. In a discussion of the "connected home" at a conference hosted by the Federal Trade Commission (FTC), he said that, "consumer devices typically don't have any security, at least not by today's standards."

Finally, with the FTC predicting that the number of embedded sensors or devices will hit 50 billion or more by 2020, it is obvious that they could offer an almost unlimited attack surface.

So far, this is not a major problem. But experts say it is coming.

Shaker said the chances of being "held up" for ransom today before you can start your car are "pretty small." But the vulnerability to hacking is already obvious, he said, since, "we're already seeing cars where people can start it with their mobile device."

And as Chris Hadnagy, founder, CEO and chief human hacker at Social-Engineer notes, "Any device that connects to the Internet or uses Bluetooth with weak encryption is susceptible to an attack.

"Imagine a world where a whole network can be compromised from a coffee machine," he said. "You don't have to -- I have seen it first hand. Network-enabled devices means that someone can alter, adjust, spy, listen and use that device in any way they want if they compromise it."

Howard, speaking on the Georgetown panel, said at least one auto manufacturer has a Linux box in the dashboard that not only provides access to music services like Pandora and social media like Facebook, but also controls the brakes and the airbags. "I can't imagine what a DoS attack will do, when both your Pandora and your brakes stop working," he said.

James Arlen, director, risk and advisory services at Leviathan Security Group, said he thinks it could start with home automation systems. "The one to watch for is a vulnerability in a thermostat -- it has direct safety and financial costs associated with it," he said. "Cycling the temperature up and down is a great scenario, used with great effect as part of the Heinlein novel 'The Moon is a Harsh Mistress,' published in 1966."

Of course, not everybody has to have a home automation system that puts control of everything from thermostats to door and window locks and major appliances onto the Internet.

But it may be difficult for consumers to buy a new car that is not connected.

"The black-box functionality in a modern automobile is very difficult to get rid of without resorting to, 'hack the car and hope it stays hacked,'" Arlen said.

Howard, in an interview, said disabling the connected features of cars will be, "too complicated for the average Joe.

"As an industry, we have not been able to convince general consumers to change their password from 'password' to something meaningful," he said. "What are the odds that we will convince them that the dangers of running Internet services on a moving automobile might be more important than the convenience of listening to Pandora on their sound system? Not high I think."


The future doesn't necessarily have to be that bleak. But experts say there will have to be greater security consciousness from manufacturers, better awareness from consumers, and a willingness from both to invest in it.

Howard said he sees, "a huge opportunity for some entrepreneur who can build the infrastructure for the IoT to run on. This will probably fall to the big guys like AT&T and Verizon. They could provide safe and secure connection services to all those IoT manufacturers."

Arlen said it is possible to create a more secure online world, but it will take money. "There are plenty of firms able to help ensure security from the silicon up through to the service," he said. "It just requires that they decide to invest up front. Currently, this is not a pressure being applied by angel or seed investors."

Consumers can also take measures to avoid being the so-called "low-hanging fruit," they said.

"You don't have to succumb to the thieves of the world," Shaker said. "If consumers protect themselves with an endpoint security solution, don't play with the settings and keep it running right, your percent chance of being compromised goes way down. Most of it (consumer malware) is automated, not targeted."

Arlen has similar advice, but notes that it will come at a price. "Don't settle for 'cheap equals good,'" he said. "When consumers demand things like 'five nines,' (99.999% availability) dual WAN redundant firewall/router, UPS (uninterruptible power supply), commercial scale/grade WiFi, and the like, we get to the point where good security can happen.

"This is going to turn into a $2,000 capital investment and $200 a month in services, but compared to the WiFi box you got at Wal-Mart for $14.95 that will never be patched, or the thing the Telco gave you that 'does everything in one box' and is never patched, it's the difference between not being held hostage and where you'd better get really good at using Bitcoin from your neighbor's computer."

Howard said he doesn't think either manufacturers or consumers are at that point, however. "Something significant has to happen to the space -- some event where a large portion of the population is affected -- before this will change," he said. "For example, if people start dying because hackers compromise moving automobiles, that might cause the industry to do something."

Or, maybe it will just take the masses being hit with ransom demands, even if they are relatively small.

"Ransomware is going to touch you hard," Howard said, speaking on the panel. "The consumer is going to feel it. We're going to see a lot more complaints about that, once EMV reduces card-present fraud, which gets covered by the banks. Wait until they start poking you for $20 a month to start your car."
