From bitcoin to biometrics: new tech brings same old security risks
AS Stephen King wrote in ‘The Colorado Kid’: “Sooner or later, everything old is new again.” This saying will be a reliable guide while exploring what the future holds when it comes to new technologies. Despite their early promise, these have significant problems which often come from a lack of consideration of the past.
Despite the hype around crypto currencies in general and Bitcoin in particular, Bitcoin suffers from several notable drawbacks, including a trend towards centralisation, excessive electricity usage, price volatility and susceptibility to theft.
Bitcoin, when brought down to its simplest form, is a set of cryptographic keys on a computer. These keys are stored as files known as wallets. It is the ease with which these wallets can be stolen which makes them such an attractive target for Black Hat hackers.
The website ‘Blockchain Graveyard’ details at least 62 Bitcoin-related institutions which have closed down as a result of being hacked. These are just the incidents that have become public knowledge. Many more individuals have had their wallets stolen by a variety of means and been left with nothing and no means of redress.
The methods with which this future technology can be attacked are the well-known stalwarts of other attackers: phishing, unpatched software and malicious insiders. These techniques are well-known precisely because they work and have delivered results for hackers for many years. New technology platforms ignore them at their peril.
Whilst these hacking techniques are considered basic, mitigating against them is not. No organisation can claim 100pc security and social engineering attacks such as phishing can often sneak through the net.
Although these hacking techniques have been successfully used for many years, we are seeing changes in the types of groups that use them. The Lazarus Group, attributed by the US government to North Korea, targeted Bitcoin exchanges with backdoored trading software and individuals with malicious Microsoft Office documents.
The usage of biometrics to strengthen authentication systems has become more widespread with the advent of fingerprint and facial recognition for smartphones.
Identity theft, which may be more accurately called “inadequate authentication”, is a growing concern as more online services and accounts can be taken over with only a bare minimum of information about the victim. Biometrics are frequently touted as the solution to this identity theft epidemic; however, we should be concerned about the security of these biometric systems themselves. These concerns are not hypothetical either.
The Office of Personnel Management (OPM) in the United States was hacked and at least 5.6 million fingerprints were leaked as a result, according to the ‘Washington Post’, as well as many other types of sensitive data.
Whilst this stolen biometric data may only have limited utility now, the biggest trouble is yet to come.
As our fingerprints do not change significantly throughout our life, we are vulnerable to whatever technology changes are to come in the future.
Estimates range wildly on the numbers of physical sensors with Internet connections, typically referred to
IoT, but conservative estimates range around the 20 billion mark in 2020. While the ideas behind IoT may appear to be modern, the technology is anything but. IoT devices fall prey to the kind of hacking techniques which have been known for decades: default credentials, unpatched software and unauthenticated updates.
Using the same set of credentials (username and password) for every single shipped device is a practice long frowned-upon by security professionals, but this is still common practice for many IoT devices. The Mirai botnet successfully infected many IoT devices simply by having a list of default usernames and passwords which it tried against Internet-connected devices. Once infected, the attackers were able to generate a DDoS (Distributed Denial of Service) attack of over 1Tb/s, one of the largest observed attacks to date.
IoT devices are not typically updated as frequently as desktop and laptops or even smartphones. As a result, vulnerabilities take a long time to be patched which gives attackers more chances to successfully exploit them. At least 500,000 IoT devices, typically home routers, have been compromised by the VPNFilter malware which has features for both espionage and destruction. These kinds of devices are often forgotten about by organisations and individuals as they are unobtrusive and run in the background without interruption. Any device with an Internet connection requires attention and is a potential security concern.
Although new technologies proliferate at an alarming rate, we should keep in mind that the core technologies often do not change as quickly as we might think. Security issues and vulnerabilities have remained the same and attackers know how to take advantage of them. While the types of attackers have grown, the methods to protect against them are well-known: raising awareness of phishing and other social engineering attacks, patching vulnerable software and firewalling services off from the Internet unless strictly necessary.
Dr Richard Gold is head of security engineering at Digital Shadows. He is a speaker at Dublin Information Sec 2018, Ireland’s cybersecurity conference which takes place on Monday,
October 15 at the RDS. Information
Sec is an INM event. For tickets and more information see independent. ie/infosec18. For today only, a 25pc discount applies to tickets
Bitcoin-related hacks and stolen ‘wallets’ have put dozens of firms out of business