Your next car will be hacked. Will autonomous vehicles be worth it?

Self-driving cars could cut road deaths by 80%, but without better security they put us at risk of car hacking and even ransoms, experts at SXSW say

Youre about to drive to work. You turn on the ignition and a message on the dash lights up. Weve hacked your car! Pay 10 bitcoin to get it back.

Hacking into software and then demanding a ransom to release it whats known as ransomware is not new. Finnish security expert Mikko Hypponen fully expects it to become a reality as self-driving or autonomous cars start to become more commonplace.

Already, one hacker claims to have taken control of some systems on board a passenger plane he was on, getting as far as issuing a climb command that he accessed through the entertainment system. Another pair of hackers caused a Jeep to crash in July 2015 by accessing some of the cars software through another poorly protected entertainment system. At the Defcon hacking conference, as far back as 2011, hackers were asking if they could write a virus that would be transmitted car to car.

Hypponen, chief research officer at the Finnish security firm F-Secure, told an audience at SXSW that in the 25 years he had worked in Cybersecurity, he had seen a big shift in the type of people who do the hacking, as well their motivations. When I entered this field, the hackers had no real motive they were doing it because they could.

He says there are now generally five types of hackers:

Good white hat hackers, who break security so that a weakness can be found, fixed and ultimately improved

Activist hackers, like Anonymous, who are politically but not perennially motivated

Nation-states and foreign intelligence agencies, a growing issue over the past ten years

Supporters of extremism of which Isis is the only really credible threat thus far

Criminals, who Hypponen says now make as much as 95% of all malware, using hacking to make millions of dollars

It is the criminals motivated by money that present the biggest threat and are likely to increasingly target self-driving cars; the multiple components in cars and lack of rigour by carmakers has made this a pressing issue. Legacy manufacturers who build cars have a long history of safety but not of security, and thats why they are starting learn the hard way. Now they take it seriously and last year was a wake-up call, he said of the Jeep hack.

Robert Hartwig, president of the Insurance Information Institute (III), says the US market for cyber insurance is growing massively, from $2bn in 2015 to a predicted $7.5bn in 2020. This is America, and if you have a breach of personal data, you are absolutely positively going to be sued. The legal fees and settlement costs will be more than the cost of the attack.

The III estimates that by 2030, 25% of all cars sold will be autonomous, marking a slightly slower pace than Google et al might have you believe. Hartwig also said that there will be an estimated 80% fewer traffic accidents because of the increased safety of autonomous cars. Data will be critical to this, allowing policies to be based on precise driving habits, safety and how many miles people actually drive not just what they say they do.

Jonathan Matus, CEO of the company behind the Zendrive app, explained how it uses the built-in motion and positioning sensors in smartphones to monitor driving, including rapid acceleration, sharp turns, stop signal compliance and phone use, which is a major factor in the number of global road deaths each year. Despite car ownership peaking, the number of deaths is actually increasing, he said.

New cars already have complex electrical diagnostic systems that include various monitoring systems so dont tell a cop you havent been speeding, because your car wont back you up, said Hartwig.

He pointed out that the road might actually be the last place to be overhauled for autonomous vehicles; Norway is already exploring an autonomous ferry, while planes are already so automated, even for takeoff and landing, that the skills of pilots are atrophying, Hartwig said.

Human-controlled cars will eventually be forbidden to drive on the road, Hypponen said, except for on race tracks. Matus said the same was certainly true of horses, suggesting yet another future threat to electronically controlled cars that could be harder to detect. If you wanted to slow US GDP, all you would have to do is increase the commute time in every urban environment by 15 minutes. Just tweak a few cars, or get one to put on the brake even if these things happen a few times, it will affect the confidence of consumers.

Even though he sees bad things happen all the time, Hypponen remains positive about self-driving cars, he said. The internet has brought us more good than bad. Overall, technology improves our lives and business, even with the risks. And Ill be able to watch cat videos on YouTube while Im driving.

Read more:

‘Accidental hero’ halts ransomware attack and warns: this is not over

Expert who stopped spread of attack by activating softwares kill switch says criminals will change the code and start again

The accidental hero who halted the global spread of an unprecedented ransomware attack by registering a garbled domain name hidden in the malware has warned the attack could be rebooted.

The ransomware used in Fridays attack wreaked havoc on organisations including FedEx and Telefnica, as well as the UKs National Health Service (NHS), where operations were cancelled, X-rays, test results and patient records became unavailable and phones did not work.

But the spread of the attack was brought to a sudden halt when one UK cybersecurity researcher tweeting as @malwaretechblog, with the help of Darien Huss from security firm Proofpoint, found and inadvertently activated a kill switch in the malicious software.

The researcher, who identified himself only as MalwareTech, is a 22-year-old from south-west England who works for Kryptos logic, an LA-based threat intelligence company.

I was out having lunch with a friend and got back about 3pm and saw an influx of news articles about the NHS and various UK organisations being hit, he told the Guardian. I had a bit of a look into that and then I found a sample of the malware behind it, and saw that it was connecting out to a specific domain, which was not registered. So I picked it up not knowing what it did at the time.

The kill switch was hardcoded into the malware in case the creator wanted to stop it spreading. This involved a very long nonsensical domain name that the malware makes a request to just as if it was looking up any website and if the request comes back and shows that the domain is live, the kill switch takes effect and the malware stops spreading. The domain cost $10.69 and was immediately registering thousands of connections every second.

MalwareTech explained that he bought the domain because his company tracks botnets, and by registering these domains they can get an insight into how the botnet is spreading. The intent was to just monitor the spread and see if we could do anything about it later on. But we actually stopped the spread just by registering the domain, he said. But the following hours were an emotional rollercoaster.

Initially someone had reported the wrong way round that we had caused the infection by registering the domain, so I had a mini freakout until I realised it was actually the other way around and we had stopped it, he said.

MalwareTech said he preferred to stay anonymous because it just doesnt make sense to give out my personal information, obviously were working against bad guys and theyre not going to be happy about this.

He also said he planned to hold onto the URL, and he and colleagues were collecting the IPs and sending them off to law enforcement agencies so they can notify the infected victims, not all of whom are aware that they have been affected.

He warned people to patch their systems, adding: This is not over. The attackers will realise how we stopped it, theyll change the code and then theyll start again. Enable windows update, update and then reboot.

He said he got his first job out of school without any real qualifications, having skipped university to start up a tech blog and write software.

Its always been a hobby to me, Im self-taught. I ended up getting a job out of my first botnet tracker, which the company I now work for saw and contacted me about, asking if I wanted a job. Ive been working there a year and two months now.

But the dark knight of the dark web still lives at home with his parents, which he joked was so stereotypical. His mum, he said, was aware of what had happened and was excited, but his dad hadnt been home yet. Im sure my mother will inform him, he said.

Its not going to be a lifestyle change, its just a five-minutes of fame sort of thing. It is quite crazy, Ive not been able to check into my Twitter feed all day because its just been going too fast to read. Every time I refresh it its another 99 notifications.

Proofpoints Ryan Kalember said the British researcher gets the accidental hero award of the day. They didnt realise how much it probably slowed down the spread of this ransomware.

The time that @malwaretechblog registered the domain was too late to help Europe and Asia, where many organisations were affected. But it gave people in the US more time to develop immunity to the attack by patching their systems before they were infected, said Kalember.

Play Video

Theresa May: ‘This is not targeted at the NHS, its an international attack’ video

The kill switch wont help anyone whose computer is already infected with the ransomware, and its possible that there are other variants of the malware with different kill switches that will continue to spread.

The malware was made available online on 14 April through a dump by a group called Shadow Brokers, which claimed last year to have stolen a cache of cyber weapons from the National Security Agency (NSA).

Ransomware is a type of malware that encrypts a users data, then demands payment in exchange for unlocking the data. This attack used a piece of malicious software called WanaCrypt0r 2.0 or WannaCry, that exploits a vulnerability in Windows. Microsoft released a patch (a software update that fixes the problem) for the flaw in March, but computers that have not installed the security update remain vulnerable.

MalwareTech (@MalwareTechBlog)

I will confess that I was unaware registering the domain would stop the malware until after i registered it, so initially it was accidental.

May 13, 2017

The ransomware demands users pay $300 worth of cryptocurrency Bitcoin to retrieve their files, though it warns that the payment will be raised after a certain amount of time. Translations of the ransom message in 28 languages are included. The malware spreads through email.

This was eminently predictable in lots of ways, said Kalember. As soon as the Shadow Brokers dump came out everyone [in the security industry] realised that a lot of people wouldnt be able to install a patch, especially if they used an operating system like Windows XP [which many NHS computers still use], for which there is no patch.

Security researchers with Kaspersky Lab have recorded more than 45,000 attacks in 74 countries, including the UK, Russia, Ukraine, India, China, Italy, and Egypt. In Spain, major companies including telecommunications firm Telefnica were infected.

By Friday evening, the ransomware had spread to the United States and South America, though Europe and Russia remained the hardest hit, according to security researchers Malware Hunter Team. The Russian interior ministry says about 1,000 computers have been affected.

Read more:

WannaCry ransomware has links to North Korea, cybersecurity experts say

Similarities spotted between details of last weeks massive cyber-attack and code used by a prolific cybergang with links to North Korean government

Two top security firms have found evidence linking the WannaCry ransomware to the prolific North Korean cybergang known as Lazarus Group.

Kaspersky and Symantec both said on Monday that technical details within an early version of the WannaCry code are similar to code used in a 2015 backdoor created by the government-linked North Korean hackers, who were implicated in the 2014 attack on Sony Pictures and an $81m heist on a Bangladeshi bank in 2016. Lazarus Group has also been known to use and target Bitcoin in its hacking operations. The similarities were first spotted by Google security researcher Neal Mehta and echoed by other researchers including Matthieu Suiche from UAE-based Comae Technologies.

Matthieu Suiche (@msuiche)

Similitude between #WannaCry and Contopee from Lazarus Group ! thx @neelmehta – Is DPRK behind #WannaCry ?

May 15, 2017

Shared code doesnt always mean the same hacking group is responsible an entirely different group may have simply re-used Lazarus groups backdoor code from 2015 as a false flag to confuse anyone trying to identify the perpetrator. However the re-used code appears to have been removed from later versions of WannaCry, which according to Kaspersky gives less weight to the false flag theory.

We believe its important that other researchers around the world investigate these similarities and attempt to discover more facts about the origin of WannaCry, said Kaspersky Lab in a blogpost, pointing out that in the early days of the Bangladesh bank attack, there were scant clues linking it to the Lazarus group. However, over time researchers found more clues to build the case against the North Korea-linked cybergang.

Kaspersky is among the research teams to have been studying Lazarus Group for years, and in April it published a detailed under the hood report exposing the groups modus operandi.

This level of sophistication is something that is not generally found in the cybercriminal world. Its something that requires strict organization and control at all stages of operation. Thats why we think that Lazarus is not just another advanced persistent threat actor, said Kaspersky, which also found attacks originating from IP addresses in North Korea.

The WannaCry ransomware attack has now now hit more than 200,000 computers in 150 countries, crippling hospitals, governments and businesses.

The links to North Korea come at a time when security researchers and technology companies are criticizing the US government for stockpiling cyberweapons including the malicious software used in WannaCry.

The WannaCry exploits used in the attack were drawn from a cache of exploits stolen from the NSA by the Shadow Brokers in August 2016. The NSA and other government agencies around the world create and collect vulnerabilities in popular pieces of software (such as Windows) and cyberweapons to use for intelligence gathering and cyberwarfare.

Once these vulnerabilities were leaked by the Shadow Brokers, they became available for cybercriminals to adapt for financial gain by creating ransomware. This ransomware spread rapidly on Friday by exploiting a vulnerability contained in the NSA leak, targeting computers running Microsofts Windows operating system, taking over users files and demanding $300 to restore them.

Employees monitor possible ransomware cyber-attacks at the Korea Internet and Security Agency (Kisa) in Seoul, South Korea, on 15 May. Photograph: YONHAP/EPA

This attack provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem, said Brad Smith, president and chief legal officer of Microsoft, in a blogpost.

Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage. An equivalent scenario with conventional weapons would be the US military having some of its Tomahawk missiles stolen.

The blogposts mentions that vulnerabilities stockpiled by the CIA also ended up in the public domain via Wikileaks.

This is an emerging pattern in 2017, Smith said, adding that the latest attack represents a completely unintended but disconcerting link between nation-state action (the NSA) and organized criminal action (the ransomware creator).

The governments of the world should treat this attack as a wake-up call, said Smith, urging nations to treat cyber weapons in the same way that physical weapons are treated.

We need governments to consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits.

Jeremy Wittkop, chief technology officer of security company Intelisecure, argues that if governments are to stockpile weapons they need to secure them better.

The government has a responsibility like with nuclear weapons to make sure they dont fall into the hands of the wrong people, he said. If you are going to create something that can cause this much damage you have to protect it.

Microsoft has called for a Digital Geneva Convention requiring governments to report vulnerabilities to the creators of the software instead of stockpiling, selling or exploiting them.

Read more:

Bad Rabbit: Game of Thrones-referencing ransomware hits Europe

NotPetya-style malware infects Kievs metro system, Odessa airport and Russian media, demanding bitcoin for decryption key

A major ransomware attack is hitting computers in Russia and Ukraine, bearing similarities to the NotPetya outbreak that caused billions of pounds of damage in June.

The self-titled Bad Rabbit malware encrypts data on infected machines before demanding a payment of 0.05 bitcoin (250) for the decryption key. The ransom demand is phrased similarly to that of Junes outbreak, and researchers at Russian security firm Kaspersky say that the malware uses methods similar to those used during the NotPetya attack.

Among the affected organisations are Kievs metro system, Russian media organisation Interfax and Odessa airport. Interfax was forced to publish to its Facebook page during the outage, since its servers were taken offline for a number of hours.

Unusually, the malwares code is peppered with pop culture references including the names of two dragons from Game of Thrones and the character Gray Worm used as names for scheduled tasks. A list of passwords that the malware tries while attempting to spread also includes love, sex, god and secret, which were dubbed the four most common passwords by the 1995 movie Hackers. In fact, the four most common passwords are 123456, 123456789, qwerty, and 12345678.

Unusually, the malwares code is peppered with pop culture references including the names of two dragons from Game of Thrones. Photograph: HBO/2017 Home Box Office, Inc. All

Our observations suggest that this been a targeted attack against corporate networks, Kasperskys researchers said, again suggesting a link between this outbreak and Junes. The NotPetya outbreak began through the release of a compromised version of a popular Ukrainian accounting program, spreading automatically throughout corporate networks.

The strongest link between the two attacks is based on the web servers which were used to distribute the initial software. Kaspersky researcher Costin Raiu told Forbes magazine that a network of hacked sites initially linked to NotPetya in July was now being used to host secondary distribution channels for Bad Rabbit.

But the two attacks contain a number of notable differences, as well. Where NotPetya was targeted at Ukraine, Bad Rabbit appears to have primarily hit Russian businesses. It was initially seeded through a fake Adobe Flash update placed on at least three hacked Russian media outlets, and from that initial foothold has spread through Russia and Ukraine, as well as other eastern European countries including Poland and Bulgaria.

The attack is also different from NotPetya in its mode of distribution. The fake Adobe Flash update which initially installs it doesnt use any software exploits to run, instead relying on old-fashioned trickery to convince a user to open it themselves. Also, once installed, the software doesnt use the famous EternalBlue exploit, believed to have been developed by the NSA before being stolen by a hacking group known as The Shadow Brokers, to spread within corporate networks. That decision may have limited the dispersal of the outbreak.

Perhaps the biggest difference between the two is that Bad Rabbit does not appear to be a wiper, as was suspected of NotPetya. That malware was basically impossible to remove, even for users who attempted to actually pay the ransom, leading to suspicions it had been created more to cause damage and destruction than raise revenue for its developers. Bad Rabbit, by contrast, reportedly does decrypt the hard drive upon entry of the correct password.

The UKs National Cyber Security Centre said in a statement, We are aware of a cyber incident affecting a number of countries around the world. The NCSC has not received any reports that the UK has been affected by this latest malware attack. We are monitoring the situation and working with our partners to better understand the threat.

Carl Leonard, a principal analyst at Forcepoint, said: We will continue to see massive attacks with economic, employee and public safety ramifications. And the methods will continue to evolve, including the evasive methods to hide their activity as well as their true intent.

The trick will be to better understand the human points in these attacks. The intent or motivations of the attackers can range broadly including financial gain, revenge, political or hacktivism. Understanding these intentions can help shape our security strategies.

Anton Ivanov (@antonivanovm)

Unlike #ExPetr, #BadRabbit is not a wiper.

October 24, 2017

Initially, few security products were capable of stopping the outbreak: a sample of the malware uploaded to analysis service VirusTotal showed just four products correctly flagging it as malicious as of 4:30pm on Tuesday, including ones made by Kaspersky and Symantec. By then, the outbreak was well and truly underway. As of Wednesday morning, almost two thirds of updated security products correctly identify the malware.

Users without working antivirus protection can also reportedly protect themselves with a vaccine by creating a file on their computer before the malware does.

Amit Serper (@0xAmit)

Vaccination for the Ukraine round 2? Wanna stop #badrabbit?
Create a file called c:\windows\infpub.dat and remove all write permissions for it. This should keep the malware from encrypting. Testing it now…

October 24, 2017

Read more: