Paul McLellan

RSA: Emerging Threats, Ransomware, and IoT

30 Mar 2020 • 4 minute read

I attended the recent RSA Conference in San Francisco. I wrote a post about some of the opening sessions, and the closing session, in RSA 2020: From Sulu to Penn & Teller.

The Monday of the conference had some special sessions. The one I attended was titled Emerging Threats. Many people spoke but there was a lot of commonality in what they said. There were presentations by cities, lawyers, law enforcement, security companies, and more. I'll cover a couple of the most relevant presentations. The two threats that were most discussed were ransomware and security aspects of the internet of things (IoT).

As Rohit Ghai (president of RSA) would point out in the opening keynote the following day, nearly three-quarters of all threat actors are financially motivated.

Ransomware

I'm going to summarize the presentation by Dick O'Brien and Jon DiMaggio of Symantec (now owned by Broadcom) titled Targeted Ransomware: A Potent Threat Begins to Proliferate. Ransomware is an attack that encrypts a user's or an enterprise's files and then demands payment to decrypt them. Organizations from the British National Health Service to the city of Atlanta, GA to individual schools have been attacked. The image above is something that you do not want to see on your own computer, let alone on all the computers across a large enterprise, city, or service.

They started looking behind the headlines to the graph above. The good news is on the left, the number of ransomware attacks has actually decreased. But the number of targeted ransomware attacks has increased a lot, from a base of almost zero a couple of years ago (this data was collected late last year, 2019). The old way to do ransomware was to blast out an exploit all over the net, encrypting files on any vulnerable machine found. Targeted ransomware is directed at a specific organization.

They think that the reasons for this shift fall into two categories: consumers becoming less attractive targets and enterprises becoming more attractive ones:

  • Consumers
    • Fewer PCs and more mobile devices
    • Critical data backed-up in the cloud
    • Less email, more chat
  • Enterprise
    • Higher payouts
    • Paying can be a business tradeoff decision
    • Cyber insurance might cover losses

One of the key enablers has been Bitcoin. The big weakness in any ransom scheme is the need to collect the money. In the past, large sums of money in cash would be moved by an army of couriers on planes, but that is expensive (the couriers have to be paid) and requires a lot of trust (the couriers might steal the money). Bitcoin makes it easy to move large sums of money almost anonymously. Not entirely. A presentation by the FBI covered breaking a case where they tracked down some bitcoin transactions. It was somewhat of a pyrrhic victory since they put out arrest warrants for the two perpetrators who are Russians in Russia but who are unlikely to show up in the USA to be arrested. Also, having teased the RSA audience with the big picture, they refused to dive into any of the cybersecurity details since the case was still active.

His final call to action was:

IoT Vulnerabilities

David Sancho from Trend Micro gave a talk titled IoT Monetization Schemes from the Cybercrime Underground. He pointed out that the mainstream press writes stories about IoT that make for a fun read but are not really the root of the problem. Think of "My toaster hacked the Pentagon" or "Hackers can hijack Hello Barbie to spy on your children". The more serious problems are using large networks of IoT devices to extort money. Much of the technology is available for sale all over the net, so it doesn't require technical expertise to do this. The above picture shows an ad selling an exploit that can take over wireless printers (waste paper and ink, disable completely, change the password, and so on).

His overall message is that:

Designing IoT Systems

Those of us in the semiconductor, IP, and EDA industries need to do our part to make it easier to build secure IoT devices. Almost by definition, most IoT products are built by small companies without a strong in-house security organization. Inevitably, these devices have a lot of vulnerabilities. This is then compounded by users who also lack a security mindset. If you are reading Breakfast Bytes, then you are presumably at least somewhat technical. Do you know how to change the password on your home router? On any security cameras you may have? A few years ago, the Mirai botnet spread to hundreds of thousands of devices simply by looking for IoT devices (mostly security cameras) where the default password that the product shipped with had never been changed. For more details, see my post Video Cameras: No Service for You.

IoT devices are an especially difficult case because they:

  • Have small microprocessors or microcontrollers without a lot of spare computing power for security, encryption, etc.
  • Are often designed by small companies without strong security knowledge
  • Are often installed by consumers with zero security knowledge
  • Are attached by Bluetooth or WiFi to a router, and hence the internet
  • Have to be cheap to manufacture (and consumers won't pay extra for security)

 
