Thursday, May 12, 2016

Jackware: coming soon to a car or truck near you?

As 2016 rolls on, look for headlines declaring it to be "The Year of Ransomware!" But what kind of year will 2017 be? Will it be "The Year of DDos" or some other form of "cyber-badness" (kudos to my ESET colleague Cameron Camp for coining that term). Right now I'm worried that, as the years roll on we could see "The Year of Jackware" making headlines.

What is jackware?

Jackware is malicious software that seeks to take control of a device, the primary purpose of which is not data processing or communications, for example: your car. Think of jackware as a specialized form of ransomware. With ransomware, the malicious code encrypts your documents and demands a ransom to unlock them. The goal of jackware would be to lock up a car or other piece of equipment until you pay up. Fortunately, and I stress this: jackware is currently, pretty much, as far as I know, theoretical, not yet "in the wild".

Update: Jackware in the news...

Unfortunately, based on past form, I don't have much faith in the world's ability to stop jackware being developed and deployed. So far the world has failed abysmally when it comes to cybercrime deterrence. There has been a collective international failure to head off the establishment of a thriving criminal infrastructure in cyberspace that now threatens every innovation in digital technology you can think of, from telemedicine to drones to big data to self-driving cars.

Consider where we are right now, mid-May, 2015. Ransomware is running rampant. Hundreds of thousands of people have already paid money to criminals to get back the use of their own files or devices. And all the signs are that ransomware will continue to grow in scale and scope. Early ransomware variants failed to encrypt shadow copies and connected backup drives, so some victims could recover fairly easily. Now we're seeing ransomware that encrypts or deletes shadow copies and hunts down connected backup drives to encrypt them as well.

At first, criminals deploying ransomware relied on victims clicking links in emails, opening attachments, or visiting booby-trapped websites. Now we're also seeing bad guys using hacking techniques like SQL injection to get into a targeted organization's network, then strategically deploy the ransomware, all the way to servers (many of which aren't running anti-malware).

The growing impact of ransomware would also seem to be reflected in people's reading habits. Back in 2013, one of my colleagues at ESET, Lysa Myers wrote an article about dealing with the ransomware scourge. For the first few weeks it got 600-700 views a week. Then things went quiet. Now it is clocking 4,000-5,000 hits a week and the war stories from victims keep rolling in.

But how do we get from ransomware to jackware? Well, it certainly seems like a logical progression. When I told Canadian automotive journalist David Booth about ransomware on laptops and servers, I could see him mentally write the headline: Ransomware is the future of car theft. I knew David would see where this could be headed. He's written about car hacking before, going deeper into the subject than most of the automotive press.

The more I think about this technology myself, the more I think that the point at which automotive malware becomes serious jackware, and seriously dangerous, will be the conjunction of self-driving cars and vehicle-to-vehicle networks. Want a nightmare scenario? You're in a self-driving car. There's a drive-by infection, silent but effective. Suddenly the doors are locked with you inside. You're being driven to a destination not of your choosing. A voice comes on the in-car audio and calmly informs you of how many Bitcoins it's going to take to get you out of this mess.

Why give the bad guys ideas?

Let's be clear, I didn't coin the term jackware to cause alarm. There are many ways in which automobile companies could prevent this nightmare scenario. And I certainly didn't write this article to give the bad guys ideas for new crimes. The reality is that they are quite capable of thinking up something like this for themselves.

Can I be sure there's not some criminal out there who's going to read this and go tell his felonious friends? No, but if that happens it's quite probable that his friends will sneer at him because they know someone who's already done a feasibility study of something like jackware-like (yes, the cybercrime underworld does operate a lot like a fully evolved corporate organism). We are not seeing jackware yet because the time's not right. After all, there's no need to switch from plain old ransomware as long as people keep paying up.

Right now, automotive jackware is still under "future projects" on the cybercrime whiteboards and prison napkins. Technically it's still a stretch today, and tomorrow's cars could be even better protected, particularly if FCA has learned from the Jeep hack and VW has learned from the emissions test cheating scandal and GM's bug bounty program gets a chance to work.

Unfortunately, there's this haunting refrain I can't quite get out of my head, something about "when will they ever learn..."

Sunday, May 08, 2016

White paper on US data privacy law and legislation

Recently I put together a 15 page white paper titled Data privacy and data protection: US law and legislation. Among the 80 or so references at the end of the paper you will find links to a lot of the federal privacy laws, and some of the articles I cited.

Back in 2002 when I published a book on
data privacy, I asked the cat to "look shy"
and
she struck this pose (honest!)
I figured this would be a handy resource for folks looking to learn more about how data privacy works in the US. Of course, some would say data privacy doesn't work in the US, and the white paper is written with that opinion in mind. Frankly, the whole subject is pretty complex and in writing this paper I found out I had been wrong, or at least, not quite right, about quite a few things.

Knowing how data privacy protection has evolved in the US so far should help inform its further progression. Clearly, data protection will continue to evolve in the EU and US with the arrival of the General Data Protection Regulation (GDPR), also known as the European Data Protection Regulation (the GDPR is not discussed in the white paper – the subject probably merits one of its own – I have been clipping news on GDPR here and tweeting it here)

For more on the white paper, which was made possible by ESET, visit the We Live Security website, and be sure to sign up for regular news on all manner of data privacy and cybersecurity topics by email.

If a white paper is too much and you're just getting started in your data privacy reading, here are some good places to start: