Connect with us

Technology

Age of the cyber-attack: US struggles to curb rise of digital destabilization | Cybercrime

Voice Of EU

Published

on

It’s been 40 years since Lisa Donnan has queued for gas. But last month the cybersecurity expert found herself joining the long lines of cars across the east coast of the US looking for fuel after the latest in a series of cyber-attacks had shut down the pipeline that provides fuel to 45% of the region.

“The last time I did that was in the Iran crisis,” she said. “My dad had to wait with me.”

The hack of the Colonial Pipeline was just one of a series of cyber-attacks that have hit the US and elsewhere recently. Hackers have taken down JBS, the world’s largest meat processor, disrupting the global meat market, closed schools in Iowa and hit hospitals in Ireland in what experts say is a dangerous escalation of a crime wave that has swelled from the small-scale blackmail operations of a few years ago to major assaults that threaten the livelihoods – and potentially lives – of millions.

Many of the recent attacks have been sourced to operations in Russia and US officials say that Russia’s responsibility for ransomware attacks carried out from its territory would be a central issue when Joe Biden meets Vladimir Putin in Geneva next Wednesday.

“One of the things that President Biden will make clear to President Putin, when he sees him, is that states cannot be in the business of harboring those who are engaged in these kinds of attacks,” the secretary of state, Tony Blinken, told Congress this week.

Eric Green, the senior director for Russia and central Asia in the national security council, said that one of the expected outcomes from the Geneva summit was a routine dialogue between senior US and Russian officials aimed at bringing greater stability and predictability to the relationship. One of the issues in the dialogue would be ransomware attacks.

“When we talk about strategic stability cyber will also certainly be on the agenda,” Green said in a recent discussion organised by the Centre for a New American Security. “The recent ransomware attacks remind us that the cyber domain is prone to misperceptions and that there are dangerous escalation risks.”

US officials say America will be pushing for Nato to expand its involvement in cyberdefence at the alliance summit in Brussels. But the unanswered question is how to respond to ransomware attacks by criminal groups for whom their host countries deny responsibility.

“Putin will deny interfering in US politics or conducting cyber-attacks, asserting that Washington has no proof, while rejecting the legitimacy of US concerns about what happens within Russia,” said Steven Pifer, former deputy assistant secretary of state for European and Eurasian affairs and now a senior fellow at the Brookings Institution.

Joe Biden will raise the issue of ransomware attacks, some allegedly perpetrated by Russia-based hackers, at a summit with Vladimir Putin in Geneva this week.
Joe Biden will raise the issue of ransomware attacks, some allegedly perpetrated by Russia-based hackers, at a summit with Vladimir Putin in Geneva this week. Photograph: Sergei Ilyin/Tass

“Biden should not waste time arguing. He should aim instead to ensure that Putin has a clear understanding of what conduct is out of bounds.”

The pressure for Biden to act is rising. There has been a 62% increase in ransomware globally since 2019, and 158% spike in North America, according to the 2021 SonicWall Cyber Threat Report. Alongside that rise, the nature of the crimes and their targets are also changing.

“We are seeing more attacks, more sophisticated attacks, bigger attacks and the scary thing is we are seeing them more on supply chains,” said Donnan. “It used to be about financial exfiltration, stealing money, and reputational damage. It’s now in a life-threatening environment. That is a dramatic change.”

Now a partner at the cybersecurity private equity investor Option3Ventures, Donnan says she doesn’t expect to see any let-up in attacks. Nation states including Russia, China and North Korea are getting more ambitious in their attacks and the criminal enterprises that operate under their wings are getting more brazen.

“The landscape is ripe and ready for attack from a perfect storm of hackers, nation states and the average cybercriminal,” she said.

Part of the recent surge is down to the pandemic, which has helped the hackers by accelerating the digitization of business and giving them more access points as people and businesses have moved to work remotely.

On top of that there has been an explosion in software development, much of which was not built with security in mind from the beginning, said Donnan. “We still have a culture of get to market, be first. We are designing code without security in mind,” she said.

Lastly there are few consequences to cybercrime. Cryptocurrencies are the preferred payment for ransoms and are as hard to track as the origins of the hack. With the authorities unlikely to crack the case anytime soon – if ever – for many targets not paying is a difficult choice. Joseph Blount, Colonial’s chief executive, told Congress last week that he decided to pay the $4.4m bitcoin ransom to get the pipeline back online after he saw “pandemonium going on at the markets”.

Politicians hit out at Blount for the company’s failure to stop the hack. But the government itself has also failed to stop numerous hacks and not paying the ransom can be more expensive than paying up and potentially leave companies open to further assaults. JBS paid $11m in bitcoin to its hackers, even though it had mostly fixed its problems, hoping the payment would prevent further issues arising from the attack.

Joseph Blount, president and CEO of Colonial Pipeline, explains to the Senate homeland security and government affairs committee why his company paid a $4.4m ransom.
Joseph Blount, president and CEO of Colonial Pipeline, explains to the Senate homeland security and government affairs committee why his company paid a $4.4m ransom. Photograph: REX/Shutterstock

In 2019 Baltimore was hit with a cyber-attack that seized control of parts of its government. The hackers demanded $760,000 in bitcoin but the mayor, Bernard “Jack” Young, refused to pay. The cost of rebuilding its systems has now reached $18.2m.

Publicly the FBI advises victims not to pay a ransom in order to discourage perpetrators from targeting more victims. But privately they will tell targets that they understand if they feel the need to pay.

In the Colonial case the FBI managed to seize the majority of the bitcoin payment – a hopeful sign that may discourage some attackers, according to experts – but the fact remains that most of these crimes go unpunished.

“It’s very difficult to prosecute, it takes a long time, it takes cooperation geopolitically because most of these attacks come from offshore,” said Donnan. “The government only has so many resources. It doesn’t take a lot of tools or brain capacity to do these things,” she said. “You can buy a tool kit on the dark web.”

One irony of the current wave of hacks is that the US is under attack by tools developed by its own National Security Agency (NSA). In 2016 an online group called the Shadow Brokers claimed to have infiltrated the Equation Group, the NSA’s own private hacking group, and obtained malware used by the US to target its enemies.

The Shadow Brokers claimed responsibility for the release of NSA software that facilitated May 2017’s WannaCry ransomware attack, which triggered more than 45,000 attacks in 99 countries and crippled parts of Britain’s National Health Service. Researchers believe that attack originated in North Korea.

In June 2017 the same cyber-attack tool developed by the NSA, called EternalBlue, was used to launch a series of attacks on Ukraine, affecting the government, banks and transportation systems and taking the radiation monitoring system at Chernobyl offline. That attack then spread around the world, hitting companies that had offices in Ukraine including FedEx, the advertising agency WPP, pharmaceutical company Merck and consumer goods maker Reckitt Benckiser.

The US, UK and other researchers blamed Russia for that attack, arguing it was not designed to make money but to damage Ukraine’s economy.

The escalation in cases comes even as spending on security is rising dramatically. The US is the number one country for cybercrime and also spends the most on cybersecurity.

In 2015 the US Office of Personnel Management (OPM) announced it was hacked in 2015, one of the largest data thefts in history. Since then the US has spent $115bn on cybersecurity and the White House is asking Congress to commit roughly $10bn to civilian government cybersecurity next year – a jump of nearly 14%. Industry spent $41bn on cybersecurity in 2019 and is expected to have spent $53bn in 2020.

JBS, the world’s largest meat processing company, recently paid ransomware hackers $11m.
JBS, the world’s largest meat processing company, recently paid ransomware hackers $11m. Photograph: Jeff Kowalsky/AFP/Getty Images

Even after all that money has been spent, said Donnan “we are still exposed because there is no consequence.”

But there are rewards.

Three years ago Paul Ferrillo, a partner at New York law firm Seyfarth Shaw who specialises in cybersecurity, says he was settling ransomware hacks for five bitcoin (about $6,000 per bitcoin then and currently around $36,000 each). “Now you are lucky if it’s 75 bitcoin or 100. I heard of one demand recently for $140m,” he said.

“If this is the new normal, they are winning,” he said. “These criminal actors are well-funded and smart whether they are state-funded or not. We need to be as smart as they are.”

Ferrillo said there was no silver bullet that would solve the crisis and that everyone from the government to the private citizen had to play a part. Companies have to get better at managing their data, storing backups offline and making sure it is harder to get into their systems.

He also wants to see more transparency from industry. Companies have often hidden hacks because they don’t want to look like “doofuses”, he said. “But when industry shares information, we all get smarter. We understand where we should look and how we should do better.”

But tackling this explosion in hacking will take action from everyone, he said, from government to private citizens. “Cybersecurity is a shared responsibility. We are all in this together,” he said.

Source link

Technology

W3C overrules Google, Mozilla’s objections to identifiers • The Register

Voice Of EU

Published

on

The World Wide Web Consortium (W3C) has rejected Google’s and Mozilla’s objections to the Decentralized Identifiers (DID) proposal, clearing the way for the DID specification to be published a W3C Recommendation next month.

The two tech companies worry that the open-ended nature of the spec will promote chaos through a namespace land rush that encourages a proliferation of non-interoperable method specifications. They also have concerns about the ethics of relying on proof-of-work blockchains to handle DIDs.

The DID specification describes a way to deploy a globally unique identifier without a centralized authority (eg, Apple for Sign in with Apple) as a verifying entity.

“They are designed to enable individuals and organizations to generate their own identifiers using systems they trust,” the specification explains. “These new identifiers enable entities to prove control over them by authenticating using cryptographic proofs such as digital signatures.”

The goal for DIDs is to have: no central issuing agency; an identifier that persists independent of any specific organization; the ability to cryptographically prove control of an identifier; and the ability to fetch metadata about the identifier.

These identifiers can refer to people, organizations, documents, or other data.

DIDs conform to the URI schema: did:example:123456789abcdefghi. Here “did” represents the scheme, “example” represents the DID method, and “123456789abcdefghi” represents the DID method-specific identifier.

“DID methods are the mechanism by which a particular type of DID and its associated DID document are created, resolved, updated, and deactivated,” the documentation explains.

This would be expressed in a DID document, which is just a JSON Object that contains other key-value data describing things like how to verify the DID controller (the entity able to change the DID document, typically through control of cryptographic keys) in order to have a trusted, pseudonymous interaction.

What Google and Mozilla object to is that the DID method is left undefined, so there’s no way to evaluate how DIDs will function nor determine how interoperation will be handled.

“DID-core is only useful with the use of ‘DID methods’, which need their own specifications,” Google argued. “… It’s impossible to review the impact of the core DID specification on the web without concurrently reviewing the methods it’s going to be used with.”

A DID method specification represents a novel URI scheme, like the http scheme [RFC7230] but each being different. For example, there’s the trx DID method specification, the web DID method specification, and the meme DID method specification.

These get documented somewhere, such as GitHub, and recorded in a verifiable data registry, which in case you haven’t guessed by now is likely to be a blockchain – a distributed, decentralized public ledger.

However, there is a point of centralization: the W3C DID Working Group, which has been assigned to handle dispute resolution over DID method specs that violate any of the eight registration process policies.

Mozilla argues the specification is fundamentally broken and should not be advanced to a W3C Recommendation.

“The DID architectural approach appears to encourage divergence rather than convergence & interoperability,” wrote Tantek Çelik, web standards lead at Mozilla, in a mailing list post last year. “The presence of 50+ entries in the registry, without any actual interoperability, seems to imply that there are greater incentives to introduce a new method, than to attempt to interoperate with any one of a number of growing existing methods.”

Mozilla significantly undercounted. There are currently 135 entities listed by the W3C’s DID Working Group, up from 105 in June 2021 and 86 in February 2021 as the spec was being developed. If significant interest develops in creating DID methods, the W3C – which this week said it is pursuing public-interest non-profit status – may find itself unprepared to oversee things.

Google and Mozilla also raised other objections during debates about the spec last year. As recounted in a mailing list discussion by Manu Sporny, co-founder and CEO of Digital Bazaar, Google representatives felt the spec needed to address DID methods that violate ethical or privacy norms by, for example, allowing pervasive tracking.

Both companies also objected to the environmental harm of blockchains.

“We (W3C) can no longer take a wait-and-see or neutral position on technologies with egregious energy use,” Çelik said. “We must instead firmly oppose such proof-of-work technologies including to the best of our ability blocking them from being incorporated or enabled (even optionally) by any specifications we develop.”

Despite these concerns, as well as resistance from Apple and Microsoft, the W3C overruled the objections in a published decision, a requirement for advancing the spec’s status. ®

Source link

Continue Reading

Technology

Irish student wins $40,000 at global entrepreneurship competition

Voice Of EU

Published

on

Nick Cotter co-founded Cotter Agritech with his brother Jack. The Limerick-based start-up has been picking up prizes at home and abroad.

University College Cork student Nick Cotter has scooped the top prize at this year’s Global Student Entrepreneur Awards.

Cotter is the CEO and co-founder of Cotter Agritech, a Limerick-based business that specialises in targeted tech and treatment systems for sheep.

The Global Student Entrepreneur Awards are an annual competition for students around the world who own and operate a business while attending college or university.

The 22-year-old law and business student saw off competition from more than 1,000 applicants in 40 countries following a year-long nomination, application and pitch process.

His prize is $40,000 courtesy of the competition’s organisers, Entrepreneurs’ Organization, to invest in his business.

“It’s much more than I ever thought was possible, becoming global champion,” said Cotter, commenting on his win.

“Each stage of the competition is quite intense, and you hope. It’s an incredible achievement and pure joy for me,” he added, thanking his mentors and the judges.

This is not Cotter’s first time to be recognised for the business he started with his brother Jack.

The pair won the Engineers Ireland Student Innovator of The Year Award in 2019 and best agri-engineering start-up at the 2019 Enterprise Ireland Innovation Arena Awards.

More recently, Cotter placed third in this year’s Ideate Ireland business competition, which rewards entrepreneurial skills and new ideas from undergraduate and postgraduate students. He shared his third-place prize of €5,000 with Dr Fiona McGillicuddy and Dr Rachel Byrne of MetHealth.

Earlier in the year, Cotter Agritech participated in the inaugural AgTechUCD Agccelerator Programme, which was dedicated to early-stage agritech and food-tech start-ups. At the end of the 12-week programme, Cotter Agritech was named the winner of the AIB and Yield Lab AgTech Start-up 2022 Award, winning €10,000.

10 things you need to know direct to your inbox every weekday. Sign up for the Daily Brief, Silicon Republic’s digest of essential sci-tech news.

Source link

Continue Reading

Technology

EU moves to rein in ‘wild west’ of crypto assets with new rules | Cryptocurrencies

Voice Of EU

Published

on

The EU has moved to rein in the “wild west” of crypto assets by agreeing a groundbreaking set of rules for the sector, adding to pressure on the UK and US to introduce their own curbs.

Representatives from the European parliament and EU states inked an agreement late on Thursday that contains measures to guard against market abuse and manipulation, as well as requiring that crypto firms provide details of the environmental impact of their assets.

“Today, we put order in the wild west of crypto assets and set clear rules for a harmonised market,” said Stefan Berger, the German MEP who led negotiations on behalf of the parliament.

Referring to the recent slump in cryptocurrency prices – the total value of the market has fallen from $3tn (£2.5tn) last year to less than $900bn – Berger added: “The recent fall in the value of digital currencies shows us how highly risky and speculative they are and that it is fundamental to act.”

The markets in crypto assets (MiCA) law is expected to come into force at about the end of 2023. Globally, crypto assets are largely unregulated, with national operators in the EU required only to show controls for combating money laundering.

Cryptocurrency is the term for a group of digital assets that share the same underlying structure as bitcoin: a publicly available “blockchain” that records ownership without having any central authority in control.

The sector’s supporters have said it represents a good investment because, for instance, it carries low fees and, unlike conventional currencies, is not tied to governments. Nevertheless, its detractors say a lack of regulatory oversight or implicit government support, because of crypto and bitcoin’s independent origins, make it susceptible to scams and wild fluctuations in price.

MiCA will be the first comprehensive regime for crypto assets in the world and will contain strong measures to guard against market abuse and manipulation, Ernest Urtasun, a Green party MEP, said.

The new law gives issuers of crypto assets and providers of related services a “passport” to serve clients across the EU from a single base, while meeting capital and consumer protection rules. Non-fungible tokens (NFTs), a $40bn market last year, are not covered by MiCA.

The EU negotiations on Thursday also focused on issues such as supervision and energy consumption of crypto assets. “We have agreed that crypto asset providers should in future disclose the energy consumption and environmental impact of assets,” Berger said.

The UK and US, two significant crypto centres, have yet to approve similar rules, although regulators in both countries have warned of the need for stronger safeguards in the sector.

The MiCA law is expected to set a benchmark for other regulatory regimes for crypto globally, although one expert said the all-encompassing nature of the EU regime might not be replicated.

Harry Eddis, the global co-head of fintech at Linklaters, a London-based law firm, said the EU had “nailed its crypto colours to the mast” with the law.

“Other jurisdictions have shown little appetite to date in following their lead in implementing such an all-encompassing regulation, although we can surely expect to see other financial services centres upping their game in regulating the crypto community, albeit in a more piecemeal fashion.”

Q&A

What is a stablecoin?

Show

A stablecoin, like the name suggests, is a type of cryptocurrency that is supposed to have a stable value, such as US$1 per token. How they achieve that varies: the largest, such as tether and USD Coin, are effectively banks. They hold large reserves in cash, liquid assets, and other investments, and simply use those reserves to maintain a stable price.

Others, known as “algorithmic stablecoins”, attempt to do the same thing but without any reserves. They have been criticised as effectively being backed by Ponzi schemes, since they require continuous inflows of cash to ensure they don’t collapse.

Stablecoins are an important part of the cryptocurrency ecosystem. They provide a safer place for investors to store capital without going through the hassle of cashing out entirely, and allow assets to be denominated in conventional currency, rather than other extremely volatile tokens.

Thank you for your feedback.

In the UK, the financial watchdog is weighing proposals on marketing crypto products to consumers that could lead to significant restrictions on crypto exchanges operating in the country.

In May, the Treasury declared it wants a regime in place for dealing the collapse of a stablecoin, a cryptocurrency that is backed by traditional assets such as short-term debt and therefore could pose a risk to the wider financial system.

Crypto assets came under pressure after the collapse of the TerraUSD stablecoin project in May, with the major US cryptocurrency lending company Celsius Network freezing withdrawals and transfers. However, the sector has also proven susceptible to wider economic factors.

These include stock market declines linked to rising inflation and ensuing increases in interest by central banks. Raising rates – a path taken by the US, UK and Swiss central banks last month – can make risky assets less attractive.

Sign up to the daily Business Today email or follow Guardian Business on Twitter at @BusinessDesk

For instance, certain tech stocks, whose price can be based on expectations of strong future earnings over many decades, can be less appealing than the fixed returns on offer immediately from investments such as bonds, which become more attractive in a higher lending rate environment.

The regulatory breakthrough came as India’s central bank said cryptocurrencies were based on “make believe”. The bank’s latest financial stability report said cryptocurrencies were no more than “sophisticated speculation”.

The bank’s governor, Shaktikanta Das, wrote: “Cryptocurrencies are a clear danger. Anything that derives value based on make believe, without any underlying [value], is just speculation under a sophisticated name.”

Source link

Continue Reading

Trending

Subscribe To Our Newsletter

Join our mailing list to receive the latest news and updates 
directly on your inbox.

You have Successfully Subscribed!