Held for ransom by the digital ‘mob’

Experts say ransomware is the future of consumer cybercrime. But you don’t have to be a helpless victim, if you are willing to invest in security


Howard, speaking on the Georgetown panel, said at least one auto manufacturer has a Linux box in the dashboard that not only provides access to music services like Pandora and social media like Facebook, but also controls the brakes and the airbags. “I can’t imagine what a DoS attack will do, when both your Pandora and your brakes stop working,” he said.

James Arlen, director, risk and advisory services at Leviathan Security Group, said he thinks it could start with home automation systems. “The one to watch for is a vulnerability in a thermostat – it has direct safety and financial costs associated with it,” he said. “Cycling the temperature up and down is a great scenario, used with great effect as part of the Heinlein novel ‘The Moon is a Harsh Mistress,’ published in 1966.”

Of course, not everybody has to have a home automation system that puts control of everything from thermostats to door and window locks and major appliances onto the Internet.

But it may be difficult for consumers to buy a new car that is not connected.

“The black-box functionality in a modern automobile is very difficult to get rid of without resorting to, ‘hack the car and hope it stays hacked,’” Arlen said.

Howard, in an interview, said disabling the connected features of cars will be, “too complicated for the average Joe.

“As an industry, we have not been able to convince general consumers to change their password from ‘password’ to something meaningful,” he said. “What are the odds that we will convince them that the dangers of running Internet services on a moving automobile might be more important than the convenience of listening to Pandora on their sound system? Not high I think.”


The future doesn’t necessarily have to be that bleak. But experts say there will have to be greater security consciousness from manufacturers, better awareness from consumers, and a willingness from both to invest in it.

Howard said he sees, “a huge opportunity for some entrepreneur who can build the infrastructure for the IoT to run on. This will probably fall to the big guys like AT&T and Verizon. They could provide safe and secure connection services to all those IoT manufacturers.”

Arlen said it is possible to create a more secure online world, but it will take money. “There are plenty of firms able to help ensure security from the silicon up through to the service,” he said. “It just requires that they decide to invest up front. Currently, this is not a pressure being applied by angel or seed investors.”

Consumers can also take measures to avoid being the so-called “low-hanging fruit,” they said.

“You don’t have to succumb to the thieves of the world,” Shaker said. “If consumers protect themselves with an endpoint security solution, don’t play with the settings and keep it running right, your percent chance of being compromised goes way down. Most of it (consumer malware) is automated, not targeted.”

Arlen has similar advice, but notes that it will come at a price. “Don’t settle for ‘cheap equals good,’” he said. “When consumers demand things like ‘five nines,’ (99.999% availability) dual WAN redundant firewall/router, UPS (uninterruptible power supply), commercial scale/grade WiFi, and the like, we get to the point where good security can happen.

“This is going to turn into a $2,000 capital investment and $200 a month in services, but compared to the WiFi box you got at Wal-Mart for $14.95 that will never be patched, or the thing the Telco gave you that 'does everything in one box' and is never patched, it's the difference between not being held hostage and where you'd better get really good at using Bitcoin from your neighbor's computer.”

Howard said he doesn’t think either manufacturers or consumers are at that point, however. “Something significant has to happen to the space – some event where a large portion of the population is affected – before this will change,” he said. “For example, if people start dying because hackers compromise moving automobiles, that might cause the industry to do something.”

Or, maybe it will just take the masses being hit with ransom demands, even if they are relatively small.

“Ransomware is going to touch you hard,” Howard said, speaking on the panel. “The consumer is going to feel it. We’re going to see a lot more complaints about that, once EMV reduces card-present fraud, which gets covered by the banks. Wait until they start poking you for $20 a month to start your car.”

Copyright © 2015 IDG Communications, Inc.
