Joe Biden and his administration are scrambling to address the growing threat, pressing Vladimir Putin in a highly anticipated meeting on Wednesday to take action against the rise of ransomware attacks. Biden said he gave Putin a list of 16 areas – mostly in critical infrastructure – that are “off limits” for cyberattacks.
Ransomware has long posed a cybersecurity threat to companies and infrastructure, but experts say the problem has exploded in recent years. Last year was especially egregious, with ransomware victims in the US paying out nearly $350m, according to the global security group the Institute for Security and Technology – a 311% increase over 2019.
The FBI director, Christopher Wray, highlighted this startling figure at a congressional hearing. “Ransomware alone, the total volume of amounts paid in ransomware has tripled over the last year,” Wray said. “We think the cyber threat is increasing almost exponentially.”
Experts attribute the surge to a number of factors, but they say one of the most critical has been the shift to remote working during the pandemic.
“When you are working from home, you are not behind the castle walls anymore,” said John Hammond, a cybersecurity researcher at the security firm Huntress. “You are working with your own devices, away from the safe perimeter of corporate networks.”
Criminals have found an increasingly lucrative path in ransomware attacks, in which a hacker breaks into a company or government’s network and seizes data or systems, demanding payment for their return. Employees on computers outside the safety of office networks face more risks. Company networks generally only allow trusted devices to connect, reducing the risk of outside actors or malware entering. They also often have stronger protections in place than the average consumer wifi network.
“The transition that we’re seeing to working from home has contributed dramatically to the rise in successful ransomware attacks,” said Israel Barak, the chief information security officer at the security firm Cybereason. “There are a lot more open doors to access networks now that employees are working remotely.”
One of the most consequential ransomware hacks in recent months, on the Colonial Pipeline – which shut down systems that supply 45% of the eastern United States’ fuel – has now been attributed to the breach of a virtual private network, commonly used by remote employees to connect to a company system.
VPNs are the most secure way for employees to connect to a corporate network from home, but they can pose their own risks if they are out of date or do not use multi-factor authentication.
A spokesman for Colonial Pipeline said the VPN that was compromised was an older model and not the VPN that employees were actively using to remotely access the Colonial network.
In June 2020, the justice department identified a Russian ransomware group that was deliberately targeting people who work from home during the pandemic to access corporate and government networks.
Corporate and government offices have a number of measures in place meant to keep bad actors out, said Joseph Carson, the chief security scientist at the cloud security firm Thycotic. That includes secure internet routers with unique passwords, firewalls that monitor incoming traffic and keep out threats, and company devices with additional security in place.
“Most of those protections are pretty much useless when the devices have been moved to the public internet,” he said.
Though not a ransomware attack, the hack of Twitter in July 2020 was more directly attributed to remote working. Hackers called several Twitter employees claiming to be IT department employees and offered to help them connect through the company’s virtual private network, which was being used by employees working from home. The 17-year-old hacker behind that heist collected $117,000 in bitcoin from the attack.
Security breaches at large have also been on the rise over the past year. The vast majority of IT teams – 82% – experienced an increase in cyberattacks in 2020, according to a survey from security firm Sophos.
Attacks are rising not only because of remote working but as criminals become more organized and ransomware attacks become easier to execute, said Rahul Telang, a professor of information systems at Carnegie Mellon. The rise of cryptocurrency, which is easier to send online and less traceable than traditional money orders, has facilitated the trend.
“Bitcoin has made it much easier for these people to extract money,” he said. “We have got the combination of information security getting significantly worse with the rise of cryptocurrency.”
Meanwhile, the House homeland security committee has recently advanced multiple bills aimed at enhancing cybersecurity in the wake of the Colonial Pipeline hack.
The Biden administration is also working to improve cybersecurity responses. It issued a letter to corporate executives and business leaders on what the private sector needs to be doing to protect against ransomware threats – including practices like multifactor authentication, encryption, and skilled security teams. Companies were also advised to back up data and test systems regularly.
“The threats are serious and they are increasing,” Anne Neuberger, a cybersecurity adviser at the National Security Council, said in the letter. “We urge you to take these critical steps to protect your organizations and the American public.”
A non-fungible token (NFT) marketplace has introduced policies to ban insider trading, after an executive at the company was discovered to be buying artworks shortly before they were promoted on the site’s front page.
OpenSea, one of the leading sites for trading the digital assets, will now prevent team members buying or selling from featured collections and from using confidential information to trade NFTs. Neither practice was previously banned.
“Yesterday we learned that one of our employees purchased items that they knew were set to display on our front page before they appeared there publicly,” said Devin Finzer, the co-founder and chief executive of the site.
“This is incredibly disappointing. We want to be clear that this behaviour does not represent our values as a team. We are taking this very seriously and are conducting an immediate and thorough third-party review of this incident so that we have a full understanding of the facts and additional steps we need to take.”
NFTs are digital assets whose ownership is recorded and traced using a bitcoin-style blockchain. The NFT market boomed earlier this year as celebrities including Grimes, Andy Murray and Sir Tim Berners-Lee sold collectibles and artworks using the format. But the underlying technology has questionable utility, with some dismissing the field as a purely speculative bubble.
The insider trading came to light thanks to the public nature of the Ethereum blockchain, on which most NFT trades occur. Crypto traders noticed that an anonymous user was regularly buying items from the public marketplace shortly before they were promoted on the site’s front page, a prestigious slot that often brings significant interest from would-be buyers. The anonymous user would then sell the assets on, making vast sums in a matter of hours.
One trade, for instance, saw an artwork called Spectrum of a Ramenification Theory bought for about £600. It was then advertised on the front page and sold on for $4,000 a few hours later.
One Twitter user, ZuwuTV, linked the transactions to the public wallet of Nate Chastain, OpenSea’s head of product, demonstrating, using public records, that the profits from the trades were sent back to a wallet owned by Chastain.
While some, including ZuwuTV, described the process as “insider trading”, the loosely regulated market for NFTs has few restrictions on what participants can do. Some critics argue that even that terminology demonstrates that the sector is more about speculation than creativity.
“The fact that people are responding to this as insider trading shows that this is securities trading (or just gambling), not something designed to support artists,” said Anil Dash, the chief executive of the software company Glitch. “There are no similar public statements when artists get ripped off on the platform.
“If Etsy employees bought featured products from creators on their platform (or Patreon or Kickstarter workers backed new creators etc) that’d be great! Nobody would balk. Because they’d be supporting their goal,” Dash added.
Sir Clive Sinclair died on Thursday at home in London after a long illness, his family said today. He was 81.
The British entrepreneur is perhaps best known for launching the ZX range of 8-bit microcomputers, which helped bring computing, games, and programming into UK homes in the 1980s. This included the ZX80, said to be the UK’s first mass-market home computer for under £100, the ZX81, and the trusty ZX Spectrum. A whole generation grew up in Britain mastering coding on these kinds of systems in their bedrooms.
And before all that, Sir Clive founded Sinclair Radionics, which produced amplifiers, calculators, and watches, and was a forerunner to his Spectrum-making Sinclair Research. The tech pioneer, who eventually sold his computing biz to Amstrad, was knighted during his computing heyday, in 1983.
“He was a rather amazing person,” his daughter, Belinda Sinclair, 57, told The Guardian this evening. “Of course, he was so clever and he was always interested in everything. My daughter and her husband are engineers so he’d be chatting engineering with them.”
Sir Clive is survived by Belinda, his sons, Crispin and Bartholomew, aged 55 and 52 respectively, five grandchildren, and two great-grandchildren.
‘AI tech can have negative, even catastrophic, effects if they are used without sufficient regard to how they affect people’s human rights.’
The UN’s human rights chief Michelle Bachelet called for a moratorium on the sale and use of artificial intelligence technology until safeguards are put in place to prevent potential human rights violations.
Bachelet made the appeal on Wednesday (15 September) to accompany a report released by the UN’s Human Rights Office, which analysed how AI systems affect people’s right to privacy. The violation of their privacy rights had knock-on impacts on other rights such as rights to health, education and freedom of movement, the report found.
“Artificial intelligence can be a force for good, helping societies overcome some of the great challenges of our times. But AI technologies can have negative, even catastrophic, effects if they are used without sufficient regard to how they affect people’s human rights,” Bachelet said.
“Artificial intelligence now reaches into almost every corner of our physical and mental lives and even emotional states,” Bachelet added.
The report was critical of justice systems which had made wrongful arrests because of flawed facial recognition tools. It appealed to countries to ban any AI tools which did not meet international human rights standards. A 2019 study from the UK found that 81pc of suspects flagged by the facial recognition technology used by London’s Metropolitan Police force were innocent.
Bachelet also highlighted the report’s concerns on the future use of data once it has been collected and stored, calling it “one of the most urgent human rights questions we face.”
The UN’s report echoes previous appeals made by European data protection regulators.
The European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) called for a ban on facial recognition in public places in June. They urged EU lawmakers to consider banning the use of such technology in public spaces, after the European Commission released its proposed regulations on the matter.
The EU’s proposed regulations did not recommend an outright ban. The commission instead emphasised the importance of creating “trustworthy AI.”