Report: IoT is the next frontier for ransomware
The growth of the Internet of Things will offer new ransomware opportunities for cybercriminals, according to a report released Thursday by Symantec
By Maria Korolov Aug 7, 2015
LAS VEGAS -- The growth of the Internet of Things will offer new ransomware opportunities for cybercriminals, according to a report released Thursday by Symantec.
Researchers were able to repackage existing Android ransomware -- Android.Simplocker -- inside a new Android Wear project, and when the phone was infected, so was a paired smartwatch. Once executed, the ransomware made the watch unusable, and also encrypted files stored on the watch’s SD card.
According to a report by Symantec researcher Kevin Savage, cybercriminals switch their focus to a different malware type approximately every two or three years of reaching a peak.
“The patterns… suggest that crypto ransomware growth is already at, or close to, its peak,” he said. “This means it may soon plateau before finally entering a declining phase.”
This could be because of increasing crackdowns by law enforcement or changes in international law or financial regulations, he said.
In addition, ransomware might not be as difficult to protect against as commonly thought, according to Engin Kirda, co-founder and chief architect of security firm Lastline, and a cyber security professor at Northeastern University.
Kirda presented a paper at Black Hat on Thursday that analyzed 1,359 samples of ransomware and determined that 61 percent only affected user desktops and did not touch stored files at all, 35 percent deleted files -- most without actually wiping the data from the disk -- and around 5 percent used encryption.
But the most effective of the crypto-based ransomware, such as Cryptowall and Cryptolocker, use the strong encryption that is built into Windows. This means that defenders can monitor for particular behaviors, like access to the encryption libraries.
Plus, all ransomware has one additional weakness, said Kirda -- ransomware has to show the ransom note to the user, while quickly looking for files in the background for encryption or deletion. “The behavior that the ransomware shows is quite predictable,” he said. “It aims to infect people and extort money as soon as possible.”
While current antivirus software does a bad job at catching it, behavior-based techniques should be more effective, he said.
“We should be able to do a better job of mitigation,” he said.
“This does not mean that it will go away,” said Symantec’s Savage. “Instead it is likely that crypto ransomware may enter a decay phase within two years but the decay phase will be drawn out and never reach zero.”
One possible new avenue of exploration for criminal gangs is the Internet of Things, which includes, in addition to smartwatches, smart TVs, smart clothing, smart fridges, smart locks and Internet-enabled cars.
“All of these devices are effectively connected computers which could potentially be hijacked by cybercriminals and held to ransom,” Savage wrote in his report. “Imagine a scenario your smart house lock refuses to allow entry to your own house or where your car is taken over by ransomware and refuses to start, allow entry, speed up, or slow down until a ransom is paid.”
Some devices, such as network-attached storage devices, have already been hit by criminals, while researchers have shown the ability to gain remote access to a moving Jeep Cherokee and take over lights, steering, transmission, and brakes.
“It’s not happening yet, but it’s something we might see in the future because it’s not something that’s too difficult to do,” said Lastline’s Kirda.
In addition to going after consumers, attackers might also target industrial control systems, hospitals, and other targeted organizations, he said -- but this might pose some logistical problems for attackers. If they warn organizations that an attack is coming, the organization might take steps to protect itself.
“But if they shut stuff down, the damage is already done, so why pay up?” he said.
How secure is your smartwatch?
By Karl Thomas posted 15 Apr 2015
Last week’s Apple Watch launch has put the spotlight back on the ‘smart’ inter-connected watches that are expected to change how we interact with each other and the internet. But how secure are they?
Despite the buzz around the Apple Watch, which launches in the US on April 24, the smartwatch boom has been some time coming. The first models date back to the 20th century but it wasn’t until late 2013 that smartwatches caught the eye of hardware manufacturers and the public alike.
Pebble kick-started the trend before Samsung, Sony, Motorola and others arrived on the scene, promising smartwatches offering a glance-like view of your notifications, an ability to quickly send and view messages, make calls, control music and even monitor your fitness.
These are the wearable computers of the future, and they’re here today, but there are still some security concerns.
Another target for attackers
Wearables, including smartwatches, represent another attack target for the cybercriminals who are currently enjoying the opportunities presented by mobile devices.
Over the last year, there has been almost a two-fold rise in Android malware and iOS attacks and vulnerabilities, while attackers have more recently sought to compromise internet-connected sensors. One proof-of-concept attack late last year showed that white-hat hackers could compromise the Google Nest internet-connected thermostat in 15 seconds.
An attack has also been demonstrated where attackers could compromise a Samsung Gear Live smartwatch paired with a Google Nexus 4, and expose plaintext conversations, after a brute force attack on Bluetooth passcodes.
It is early days, and as such in-the-wild attacks are few and far between, but you can be sure attackers will see smartwatches as another door to stealing data, money and even identities – especially when so many breaches are due to poor patch management, vulnerable third-party apps and company insiders.
Bring Your Own Device
Enterprise IT security teams are still reeling from the Bring Your Own Device (BYOD) trend, where employees are choosing to use their own iPhones, iPads and Android smartphones for work. A number of firms still don’t have adequate policies, controls or even the right technology.
That could continue with smartwatches. Earlier this year, in a survey of more than 1,000 employees from 100 organizations, Accellion found that over half (53 percent) of IT decision makers are yet to consider the possible impact of wearable technology on data security, despite 81 percent acknowledging that an increase in wearable devices will pose a security risk.
What’s more, less than half (41 percent) believe they currently have a BYOD policy in place that can be extended to wearables, while an alarming 77 percent don’t consider wearable technology as part of their broader mobile security strategy.
Security risks might usurp those of privacy, but that could change in future as these devices gain extra controls to take photographs and record audio and video. Samsung’s Galaxy Gear Live can already record audio and video clips, and there are numerous apps on the Android Wear store promising to do the same.
As a result, there could be concerns about data leakage, data loss and industrial espionage – especially if a disgruntled employee happens to be wearing a smartwatch.
The UK has both the Data Protection Act and the CCTV Code of Practice to refer to when considering this, but information security professionals urge companies to enforce sensible guidelines around the use of wearables like smartwatches in the workplace.
But all is not lost
The good news is that, despite the concerns, hardware manufacturers have made a strong start.
The Apple Watch, for example, like all iOS devices, has an opt-in password, which users must enter each time they put the Apple Watch back on their wrist. The sensors in the watch will therefore tell if someone is wearing it. Crucially, the password becomes mandatory if Apple Pay is set up on the Apple Watch, while Pay accounts can be deactivated remotely via iCloud.
In short, this means that, if you did lose your iWatch, someone wouldn’t instantly be able to go shopping on your dime.
The other standard security features are also relatively up to the task. Bluetooth, the low-energy technology used to pair most smartwatches with users’ phones, is not often targeted (although, as proven above, it could be open to brute force attacks), while both Android Wear and WatchOS are based heavily on the Android and iOS mobile operating systems, which have made huge strides on security over the last year, especially on end-to-end encryption and authentication.
Even the third-party apps that go through the app stores have greatly improved, with Apple and Google vetting for malware more so now than ever before.
These are early days for the smartwatch, as illustrated by the excitement and nervousness. On the security front, experts believe that encrypting data passing over Bluetooth, containerizing corporate data – as seen on Samsung’s Knox – and enforcing better policy control will help security going forward. But only time will tell if smartwatch security becomes serious business or a serious afterthought.