The perils of operating in a brave new digital world

NET RESULTS: Hacked computers? We all know about that problem, and it's scary enough. But how about hacking a pacemaker to make it malfunction? Or a hospital drip? Sound crazy? It's not and anyone with sufficient knowledge could do it today.

That was one of the more frightening scenarios presented at this year’s RSA Data Security Conference in San Francisco last week, and one that is generally not acknowledged by the device-manufacturing sector, leaving billions of devices vulnerable.

The issue first arose during the conference’s regular, and popular, Cryptographers’ Panel. Dan Boneh, professor of computer science at Stanford University, noted that the fact that pacemakers had been shown to be wirelessly programmable and had no security protection built in was the “killer argument” (pun intended, he said) for the continuing need for cryptography to secure communications.

He also noted that accelerometers – which are in many smartphones and other devices these days – have a unique fingerprint, due to tiny individual flaws, which can be used to securely identify and control an individual device.

Stuart McClure, chief executive and president of Cylance, demonstrated how a drip might be accessed by attaching a hospital pressure pump to a water bottle, causing it to explode on stage. Last year, he warned that malicious data packets might be sent wirelessly via antennae to pacemakers during a large event such as a sports match, with terrifying results.

It may sound like a Batman plot, but the Department of Homeland Security sent out a warning about the issue in mid-2012, noting it wasn’t so wacky: the Department of Veterans Affairs had already filed reports on 181 incidents between 2009 and 2011 involving hacked medical devices. In response, the VA isolated more than 50,000 devices from the main VA network so they couldn’t be easily accessed.

While such reports must make securing our growing world of wireless devices a priority, it was clear that the primary security issues remain some pretty basic and well-understood routes on often poorly protected computers.

Up to 98 per cent of attacks begin with “spear phishing”, or targeted attacks that deceive a computer user into visiting a rogue website loaded with malware, downloading a malicious file, often a pdf, clicking open an infected email, or some similar route, said Ed Skoudis, chief executive of Counter Hack.

“Phishing is really big and growing every year. From 2011 to 2012, there was 59 per cent more, which is huge,” RSA cybercrime communications specialist Limor Kessem said in a briefing. “Malware, such as banking trojans and ransomeware [where criminals demand a ransom after using malware to lock a user’s computer] was having a great year in 2012 and again in 2013. It started in Europe and is pushing over into the US.”

These attacks bring in big money to criminals. A small gang in Eastern Europe was seen to be taking in €1 million annually. Other investigations revealed that pirated prepaid cards were earning gangs €20 million and a Facebook ring was taking in €525 million, she said.

Ireland, she noted, is the European centre for gangs to swipe credit card information and clone it onto cards sold outside the country. The problem, she said, is that credit cards were designed for a physical, not digital world, and have inadequate security.

But as lucrative as such activities seem, they pale when seen against the bigger picture of international espionage, where there’s strong evidence that some states are buying data and hacking tools and services from criminals, according to Uri Rivner, vice president of business development and cyberstrategy at BioCatch.

Advanced tools that can compromise websites and penetrate deep into networks cost as little as €375, he said in a session. The detection rates for such “advanced persistent threats” is only 6 per cent, and he noted a report from Mandiant, a cybersecurity company, that said attackers stay an average of 416 days once inside a network. Botnets – networks of a thousand or more compromised personal computers used to stage attacks – are not only being used by nation states but sometimes are offered for hire to nation states by criminal gangs, he said.

It’s almost enough to make you press the off button on everything digital, isn’t it?