Wednesday, August 05, 2020

Quick update: malware, cybercrime, cybersecurity, and a worrying lack of trust in tech firms

Photo of Journal of National Security Law & Policy with Stephen Cobb smiling
As John Oliver—that other bloke from the West Midlands—might say: "Just time for a quick update."

This one's about what I've been writing and talking about recently, as in "during lock down," or "while sheltering in place." In addition to the articles posted here on the blog, I have published items on Medium and LinkedIn. I have also been quoted by Bleeping Computer and Business Insider.

And yes, my first law journal article—part of a research project that began over a year ago—finally appeared in print! As you can see from the photo on the right, I am quite pleased about this (that's my happy face). 

In addition to several copies of the journal, I received a stack of professionally bound copies of my article, nice to hand to friends and colleagues or students or clients attending in-person seminars, IF the world ever gets back to doing that sort of thing. Yes, I could pop them in the post—but the US mail service is struggling at the moment (see this LA Times editorial: Attacking the U.S. Postal Service before an election is something a terrorist would do).

In the meantime the Journal of National Security Law & Policy has graciously made the article available online: Advancing Accurate and Objective Cybercrime Metrics.

Lack of trust in tech firms starts to bite

I have long been concerned that a constant drumbeat of headlines about cybercrime attacks and data privacy breaches could undermine technology adoption and use (not to mention the debilitating effects of those attacks on people and organizations victimized by them). In recent years that drumbeat tended to drown out voices like mine warning that this was a problem. So, as a sort of sanity check I conducted a couple of surveys.

The results? Right now there appears to be a serious trust deficit and I wrote about this on Medium: Not even 10% of us trust tech firms to protect our personal information. My hot take? "This could be a big problem for current efforts to recruit technology to solve a range of problems created by the COVID-19 pandemic." In other words, "Deploying technology to tackle a pandemic—or any of a range of 'tech-to-the-rescue' challenges—can quickly become problematic if people don't trust tech firms to protect their personal information."

I wrote more about the survey results on LinkedIn: What's next if only 9% of us trust tech firms to protect our personal information? (Why write about the same topic in more than one place? I'm trying to determine which platform works best for different topics and perspectives.)

Malware, Cybercrime, and COVID-19

Something else I posted on LinkedIn was a look at the relationship between the coronavirus and criminal activity that employs malicious code: The Covid Effect means we can no longer ignore the Malware Factor. For this topic I did something I've never done before: I created a narrated version and put it on YouTube. This has not been wildly popular, but I'm going to try it again with some other articles, mainly so there is a spoken version of the work.

Open society, open-source, open to attack

Obviously I'm someone who sees a lot of troubling things in the world—and who has been that way since long before the current pandemic—but I'm not blind to hopeful signs. One category of such signs is editors willing to commission writing about difficult topics, and journalists who rise to the challenge. An example is this article by Ax Sharma in Bleeping Computer: Public safety systems can be abused by nation state actors.

According to Stephen Cobb, an independent security researcher based in the UK, the growing use of remotely-controlled and autonomous vehicles for public safety and surveillance opens up a worrying new set of attack vectors and opportunities for criminal abuse.

"A few years ago, I coined the term jackware for a category of malware-based attacks that include hijacking of self-driving cars, but this can also apply to autonomous or remotely-controlled vehicles—in the air or on land—that are deployed for public safety purposes."

"Just as a police car or ambulance can be turned into a weapon, so can a surveillance drone or security robot. Use of autonomous or remotely-controlled vehicles for public safety is a troubling new attack vector because this technology is not in my opinion sufficiently shielded from abuse," said Cobb.

Commenting on the state of affairs we have seen in the past two decades, Cobb additionally expressed how cybersecurity efforts are frequently not prioritized for attack vectors like these until grave consequences occur.

"Detailed historical analysis of previous technology deployments strongly suggests that appropriate levels of protection will not be put in place until malicious abuse occurs at scale."

No Surprise: China Blamed for 'Big Data' Hack of Equifax

Just before lockdown I spoke to Mathew Schwartz for an article in Bank InfoSecurity, but I only just realized that I had supplied the "pull quote" near the top of the article:
"Absent major progress toward international norms in cyberspace, crimes like this will continue to be committed." 
Given that this is something I firmly believe, and also something that I believe to be very important, it was exciting to see it given some exposure.

Is COVID-19 Driving a Surge in Unsafe Remote Connectivity?

In March, I was quoted in another Mathew Schwartz article, this time on the lockdown-driven increase in remote access to systems. Here's part of what I said: 

"Past experience predicts that a significant percentage of that [recently enabled] access will be weakly protected at best, and we know that criminals have a wide range of tools at their disposal to take advantage of such access, whether for extortion, ransomware, data theft or sabotage...Sadly, the sense of being 'all in this together' in the fight against coronavirus is not felt by all criminals, and some will have no ethical qualms about abusing RDP for profit regardless of the impact on victims."

The Amazon Dot Com of Cybercrime

Also in March, journalist Jeff Elder from Business Insider called me about the arrest of "Russian Cyber Hacker Kirill Victorovich Firsov." Allegedly, Firsov ran an illegal online marketplace called Deer.io that was "selling usernames and passwords from around the web." I characterized Deer.io as "an Amazon dot com of cybercrime." 

The article began like this: "When the FBI arrested the alleged leader of an illegal online marketplace last week, they may have made a small dent in what one expert calls 'the Amazon.com of cybercrime.'" Here's the part that cites me directly: "'This is the Amazon.com of cybercrime, with easy-to-use, easy-to-access availability and participation – as a buyer or vendor,' says independent threat researcher Stephen Cobb, who previously tracked illegal marketplace activity for ESET, a cybersecurity company."

I wrote up the backstory to this term and the phenomenon it describes on this blog, including a look back at that time I took Marketplace host Kai Ryssdal on a guided tour of the dark web "to demonstrate why cybercrime is easier than ever before."