From bitcoin to biometrics: new tech brings same old security risks

Irish Independent - Business Week - TECHNOLOGY - Richard Gold

As Stephen King wrote in ‘The Colorado Kid’: “Sooner or later, everything old is new again.” This saying is a reliable guide when exploring what the future holds for new technologies. Despite their early promise, these technologies have significant problems which often stem from ignoring the lessons of the past.

BITCOIN

Despite the hype around cryptocurrencies in general and Bitcoin in particular, Bitcoin suffers from several notable drawbacks, including a trend towards centralisation, excessive electricity usage, price volatility and susceptibility to theft.

Bitcoin, when brought down to its simplest form, is a set of cryptographic keys on a computer. These private keys are stored in files known as wallets, and whoever holds a key can spend the coins it controls; there is no bank to reverse the transaction. It is the ease with which these wallet files can be copied or stolen which makes them such an attractive target for black-hat hackers.

The website ‘Blockchain Graveyard’ details at least 62 Bitcoin-related institutions which have closed down as a result of being hacked. These are just the incidents that have become public knowledge. Many more individuals have had their wallets stolen by a variety of means and been left with nothing and no means of redress.

The methods with which this future technology can be attacked are the well-known stalwarts of other attackers: phishing, unpatched software and malicious insiders. These techniques are well-known precisely because they work and have delivered results for hackers for many years. New technology platforms ignore them at their peril.

Whilst these hacking techniques are considered basic, mitigating them is not. No organisation can claim 100pc security, and social engineering attacks such as phishing can often sneak through the net.

Although these hacking techniques have been successfully used for many years, we are seeing changes in the types of groups that use them. The Lazarus Group, attributed by the US government to North Korea, targeted Bitcoin exchanges with backdoored trading software and individuals with malicious Microsoft Office documents.

BIOMETRICS

The use of biometrics to strengthen authentication systems has become more widespread with the advent of fingerprint and facial recognition on smartphones.

Identity theft, which may be more accurately called “inadequate authentication”, is a growing concern as more online services and accounts can be taken over with only a bare minimum of information about the victim. Biometrics are frequently touted as the solution to this identity theft epidemic; however, we should be concerned about the security of these biometric systems themselves. These concerns are not hypothetical either.

The Office of Personnel Management (OPM) in the United States was hacked and at least 5.6 million fingerprints were leaked as a result, according to the ‘Washington Post’, as well as many other types of sensitive data.

Whilst this stolen biometric data may only have limited utility now, the biggest trouble is yet to come.

A leaked password can be changed; a leaked fingerprint cannot. As our fingerprints do not change significantly throughout our lives, anyone whose prints were stolen remains exposed to whatever technology for exploiting them emerges in the future.

INTERNET of THINGS (IoT)

Estimates vary wildly on the number of physical sensors with Internet connections, typically referred to as IoT, but conservative estimates put the figure around the 20 billion mark in 2020. While the ideas behind IoT may appear to be modern, the technology is anything but. IoT devices fall prey to the kind of hacking techniques which have been known for decades: default credentials, unpatched software and unauthenticated updates.

Using the same set of credentials (username and password) for every single shipped device is a practice long frowned upon by security professionals, but it is still common for many IoT devices. The Mirai botnet successfully infected many IoT devices simply by trying a short list of factory-default usernames and passwords against Internet-connected devices. Once infected, the devices were used to generate a DDoS (Distributed Denial of Service) attack of over 1Tbps, one of the largest observed attacks to date.
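The Mirai technique described above leaves an obvious trace on the victim side: one source address cycling through several well-known factory defaults in quick succession. The following Python script is an added example, not code from the article or from Digital Shadows; it runs that detection over a handful of constructed log lines in a hypothetical telnet daemon format (the real format will differ per device) and uses a small illustrative subset of default credential pairs rather than any complete list.

```python
"""Flag sources that cycle through factory-default credentials (Mirai-style)
in device authentication logs. Added example; log format and credential
list are assumptions for illustration, not taken from any real device."""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime, timedelta

# Illustrative subset of vendor-default username/password pairs of the kind
# IoT credential scanners try; a real deployment would load a fuller list.
DEFAULT_CREDENTIALS = {
    ("root", "xc3511"), ("root", "vizxv"), ("root", "admin"),
    ("admin", "admin"), ("root", "888888"), ("root", "default"),
    ("admin", "password"), ("root", "root"), ("user", "user"),
    ("support", "support"), ("admin", "1234"),
}

# Hypothetical log line shape:
#   <ISO timestamp> telnetd: auth <ok|fail> user=<u> pass=<p> from <ip>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) telnetd: auth (?P<result>ok|fail) "
    r"user=(?P<user>\S*) pass=(?P<pw>\S*) from (?P<ip>\S+)$"
)

# Constructed sample log: one scanner (203.0.113.10) tries three defaults and
# gets in on the third; a legitimate user mistypes once; a lone default attempt.
SAMPLE_LOG = """\
2018-10-01T09:00:01 telnetd: auth fail user=root pass=xc3511 from 203.0.113.10
2018-10-01T09:00:02 telnetd: auth fail user=root pass=vizxv from 203.0.113.10
2018-10-01T09:00:03 telnetd: auth ok user=admin pass=admin from 203.0.113.10
2018-10-01T09:00:10 telnetd: auth fail user=alice pass=hunter2 from 198.51.100.7
2018-10-01T09:01:00 telnetd: auth ok user=alice pass=Correct-Horse-Battery from 198.51.100.7
2018-10-01T09:05:00 telnetd: auth fail user=root pass=admin from 192.0.2.44
""".splitlines()


def parse_line(line: str) -> dict | None:
    """Parse one log line into a record, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "result": m["result"],
        "user": m["user"],
        "pw": m["pw"],
        "ip": m["ip"],
    }


def find_default_credential_scans(lines, window=timedelta(minutes=5), threshold=3):
    """Return {ip: report} for sources that tried at least `threshold` distinct
    default pairs inside any `window`-long span; the report records whether one
    of those default pairs actually succeeded (i.e. the device was taken over)."""
    by_ip: dict[str, list[dict]] = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            by_ip[rec["ip"]].append(rec)

    reports = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        # Slide a window starting at each attempt; stop at the first window
        # that crosses the threshold so each source is reported once.
        for i, start in enumerate(recs):
            seen, success = set(), None
            for r in recs[i:]:
                if r["ts"] - start["ts"] > window:
                    break
                pair = (r["user"].lower(), r["pw"].lower())
                if pair in DEFAULT_CREDENTIALS:
                    seen.add(pair)
                    if r["result"] == "ok":
                        success = pair
            if len(seen) >= threshold:
                reports[ip] = {"distinct_defaults": len(seen), "compromised_with": success}
                break
    return reports


if __name__ == "__main__":
    for ip, report in find_default_credential_scans(SAMPLE_LOG).items():
        status = "COMPROMISED" if report["compromised_with"] else "scanned"
        print(f"{ip}: {status}, {report['distinct_defaults']} default pairs tried")
```

The threshold and window are tunable: a single default-credential attempt is noise on any Internet-facing port, but three distinct factory pairs from one address within minutes is a scanner, and a success against a default pair means the device must be treated as owned, not merely probed.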

IoT devices are not typically updated as frequently as desktops and laptops, or even smartphones. As a result, vulnerabilities take a long time to be patched, which gives attackers more chances to exploit them successfully. At least 500,000 IoT devices, typically home routers, have been compromised by the VPNFilter malware, which has features for both espionage and destruction. These kinds of devices are often forgotten about by organisations and individuals because they are unobtrusive and run in the background without interruption. Any device with an Internet connection requires attention and is a potential security concern.

CONCLUSIONS

Although new technologies proliferate at an alarming rate, we should keep in mind that the core technologies often do not change as quickly as we might think. The security issues and vulnerabilities have remained the same, and attackers know how to take advantage of them. While the types of attackers have grown, the methods to protect against them are well-known: raising awareness of phishing and other social engineering attacks, patching vulnerable software, and firewalling services off from the Internet unless strictly necessary.

Dr Richard Gold is head of security engineering at Digital Shadows. He is a speaker at Dublin Information Sec 2018, Ireland’s cybersecurity conference, which takes place on Monday, October 15 at the RDS. Information Sec is an INM event. For tickets and more information see independent.ie/infosec18. For today only, a 25pc discount applies to tickets.

Bitcoin-related hacks and stolen ‘wallets’ have put dozens of firms out of business
