Your next car will be hacked. Will autonomous vehicles be worth it?

Self-driving cars could cut road deaths by 80%, but without better security they put us at risk of car hacking and even ransoms, experts at SXSW say

You're about to drive to work. You turn on the ignition and a message on the dash lights up: "We've hacked your car! Pay 10 bitcoin to get it back."

Hacking into software and then demanding a ransom to release it, what's known as ransomware, is not new. Finnish security expert Mikko Hypponen fully expects it to become a reality as self-driving or autonomous cars start to become more commonplace.

Already, one hacker claims to have taken control of some systems on board a passenger plane he was on, getting as far as issuing a climb command that he accessed through the entertainment system. Another pair of hackers caused a Jeep to crash in July 2015 by accessing some of the car's software through another poorly protected entertainment system. At the Defcon hacking conference, as far back as 2011, hackers were asking if they could write a virus that would be transmitted car to car.

Hypponen, chief research officer at the Finnish security firm F-Secure, told an audience at SXSW that in the 25 years he had worked in cybersecurity, he had seen a big shift in the type of people who do the hacking, as well as their motivations. "When I entered this field, the hackers had no real motive; they were doing it because they could."

He says there are now generally five types of hackers:

Good white hat hackers, who break security so that a weakness can be found, fixed and ultimately improved

Activist hackers, like Anonymous, who are politically but not perennially motivated

Nation-states and foreign intelligence agencies, a growing issue over the past ten years

Supporters of extremism, of which Isis is the only really credible threat thus far

Criminals, who Hypponen says now make as much as 95% of all malware, using hacking to make millions of dollars

It is the criminals motivated by money who present the biggest threat and are likely to increasingly target self-driving cars; the multiple components in cars and the lack of rigour by carmakers have made this a pressing issue. "Legacy manufacturers who build cars have a long history of safety but not of security, and that's why they are starting to learn the hard way. Now they take it seriously, and last year was a wake-up call," he said of the Jeep hack.

Robert Hartwig, president of the Insurance Information Institute (III), says the US market for cyber insurance is growing massively, from $2bn in 2015 to a predicted $7.5bn in 2020. "This is America, and if you have a breach of personal data, you are absolutely, positively going to be sued. The legal fees and settlement costs will be more than the cost of the attack."

The III estimates that by 2030, 25% of all cars sold will be autonomous, marking a slightly slower pace than Google et al might have you believe. Hartwig also said that there will be an estimated 80% fewer traffic accidents because of the increased safety of autonomous cars. Data will be critical to this, allowing policies to be based on precise driving habits, safety and how many miles people actually drive, not just what they say they do.

Jonathan Matus, CEO of the company behind the Zendrive app, explained how it uses the built-in motion and positioning sensors in smartphones to monitor driving, including rapid acceleration, sharp turns, stop signal compliance and phone use, which is a major factor in the number of global road deaths each year. Despite car ownership peaking, the number of deaths is actually increasing, he said.

New cars already have complex electrical diagnostic systems that include various monitoring systems, "so don't tell a cop you haven't been speeding, because your car won't back you up," said Hartwig.

He pointed out that the road might actually be the last place to be overhauled for autonomous vehicles; Norway is already exploring an autonomous ferry, while planes are already so automated, even for takeoff and landing, that the skills of pilots are atrophying, Hartwig said.

"Human-controlled cars will eventually be forbidden to drive on the road," Hypponen said, "except for on race tracks." Matus said the same was certainly true of horses, suggesting yet another future threat to electronically controlled cars that could be harder to detect. "If you wanted to slow US GDP, all you would have to do is increase the commute time in every urban environment by 15 minutes. Just tweak a few cars, or get one to put on the brake. Even if these things happen a few times, it will affect the confidence of consumers."

Even though he sees bad things happen all the time, Hypponen remains positive about self-driving cars, he said. "The internet has brought us more good than bad. Overall, technology improves our lives and business, even with the risks. And I'll be able to watch cat videos on YouTube while I'm driving."

Read more: www.theguardian.com

A $50 Million Hack Just Showed That the DAO Was All Too Human

Sometime in the wee hours Friday, a thief made off with $50 million of virtual currency.

The victims are investors in a strange fund called the DAO, or Decentralized Autonomous Organization, who poured more than $150 million of a bitcoin-style currency called Ether into the project.

The people who created the DAO saw it as a decentralized investment fund. Instead of leaving decisions to a few partners, anyone who invested would have a say in which companies to fund. The more you contributed, the more weight your vote carried. And the distributed structure meant no one could run off with the money.

That was the plan, anyway.

The DAO is built on Ethereum, a system designed for building decentralized applications. Its creators hoped to prove you can build a more democratic financial institution, one without centralized control or human fallibility. Instead, the DAO led to a heist that raises philosophical questions about the viability of such systems. Code was supposed to eliminate the need to trust humans. But humans, it turns out, are tough to take out of the equation.

A Never-Ending ATM

DAO developers and Ethereum enthusiasts are trying to figure out how they might reverse the theft. The good news is that time is on their side. The thief transferred the stolen funds into a clone of the DAO that likely includes code that, as in the original system, delays payouts for a few weeks.

Stephan Tual, the COO of Slock.it, the company that built the DAO, says the thief probably never expected to be able to spend the ether. Each unit of ether is unique and traceable. If the hacker tries to sell any of the stolen ether in a cryptocurrency market, the system will flag it.

“It’s like stealing the Mona Lisa,” he says. “Great, congratulations, but what do you do with it? You can’t sell it, it’s too big to be sold.”

The DAO is a piece of software known as a "smart contract", essentially an agreement that enforces itself via code rather than courts. But like all software, smart contracts do exactly what their makers program them to do, and sometimes those programs have unintended consequences.

It’s not clear yet exactly how the hack worked, says Andrew Miller, a PhD student at the University of Maryland who studies smart contracts and helped audit Ethereum’s code last year. But he says the attacker probably exploited a programming mistake that’s exceedingly common in smart contracts.

Let’s say you have $50 in the bank and you want to withdraw that from an ATM. You insert your card, punch in your PIN number and then request that $50. Before the machine spits out the cash it will check your balance. Once it spits out the cash, it will debit $50 from that balance. Then the machine asks you if you’d like to process another transaction. You tap “yes” and try to take $50 again. But the ATM sees that your balance is now $0 and refuses. It asks you again if you want to process another transaction, so this time you say “no.” Your session ends.

Now imagine that the ATM didn't record your new balance until you ended the session. You could keep requesting $50 again and again until you finally told the machine you didn't want to process any more transactions, or the machine ran out of money.

The DAO hacker was probably able to run a transaction that automatically repeated itself over and over again before the system checked the balance, Miller says. That would allow anyone to pull far more money out of the fund than they put in.

The programming language that Ethereum developers use to write smart contracts, Solidity, makes it really easy to make this sort of mistake, says Emin Gün Sirer, a Cornell University computer scientist who co-authored a paper earlier this year pointing out a number of potential pitfalls in the DAO's design. Others have previously spotted places in the DAO code that would have made such a theft possible. Sirer says the DAO developers have tried to be vigilant about preventing such flaws, but because it's such an easy mistake to make, it's not surprising that instances of the bug escaped notice.
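The ATM scenario above can be played out in a small simulation. The following Python is an added example written for this page, not code from the DAO, Slock.it or Ethereum: a toy "fund" ledger pays a recipient either before or after it updates the balance, and a recipient whose receive hook asks for another withdrawal while the first is still unwinding. The class and function names (Fund, ReenteringCaller, run_scenario) and the amounts are constructed for the illustration; nothing here touches a real blockchain.

```python
"""Simulation of the re-entrancy mistake described in the ATM analogy.

Constructed example: a toy fund ledger and a recipient that calls back into
withdraw() while a withdrawal is still in progress. Names and amounts are
invented for illustration; no real contract code is involved.
"""

from typing import Callable, Dict


class Fund:
    """Toy contract holding deposits for several accounts.

    debit_before_send=False reproduces the bug: the payout happens first and
    the ledger is only updated after control returns (the ATM that records
    your balance only when the session ends). debit_before_send=True is the
    fixed ordering: update state first, then hand control to the recipient.
    """

    def __init__(self, debit_before_send: bool) -> None:
        self.balances: Dict[str, int] = {}
        self.pool = 0  # total funds actually held by the contract
        self.debit_before_send = debit_before_send

    def deposit(self, who: str, amount: int) -> None:
        self.balances[who] = self.balances.get(who, 0) + amount
        self.pool += amount

    def withdraw(self, who: str, amount: int,
                 on_receive: Callable[[int], None]) -> None:
        # Check: the ledger must say the caller owns at least `amount`
        # and the contract must actually hold that much.
        if self.balances.get(who, 0) < amount or self.pool < amount:
            raise ValueError("withdrawal refused")
        if self.debit_before_send:
            self.balances[who] -= amount      # effect first
            self._send(amount, on_receive)    # interaction last
        else:
            self._send(amount, on_receive)    # BUG: recipient runs while the ledger is stale
            self.balances[who] -= amount

    def _send(self, amount: int, on_receive: Callable[[int], None]) -> None:
        self.pool -= amount
        on_receive(amount)  # hands control to the recipient's own code


class ReenteringCaller:
    """Recipient whose receive hook requests another withdrawal while the
    first one is still unwinding, for as long as the ledger permits it."""

    def __init__(self, fund: Fund, name: str, stake: int, max_depth: int = 50) -> None:
        self.fund, self.name, self.stake = fund, name, stake
        self.received = 0
        self.depth = 0
        self.max_depth = max_depth  # guard against runaway recursion in the toy

    def on_receive(self, amount: int) -> None:
        self.received += amount
        ledger_ok = self.fund.balances.get(self.name, 0) >= self.stake
        if ledger_ok and self.fund.pool >= self.stake and self.depth < self.max_depth:
            self.depth += 1
            self.fund.withdraw(self.name, self.stake, self.on_receive)

    def start(self) -> None:
        self.fund.withdraw(self.name, self.stake, self.on_receive)


def run_scenario(debit_before_send: bool) -> Dict[str, int]:
    """Nine honest depositors put in 100 each; one re-entering caller stakes 100.

    Returns what the caller got, what is left in the pool, and the caller's
    ledger balance afterwards (negative means the ledger was corrupted)."""
    fund = Fund(debit_before_send)
    for i in range(9):
        fund.deposit(f"honest{i}", 100)
    caller = ReenteringCaller(fund, "caller", stake=100)
    fund.deposit(caller.name, caller.stake)
    caller.start()
    return {
        "caller_received": caller.received,
        "pool_remaining": fund.pool,
        "caller_ledger_balance": fund.balances[caller.name],
    }


if __name__ == "__main__":
    print("vulnerable ordering:", run_scenario(debit_before_send=False))
    print("fixed ordering:     ", run_scenario(debit_before_send=True))
```

With the buggy ordering the caller's ledger entry still reads 100 on every nested call, so the whole 1,000-unit pool is paid out against a 100-unit stake and the ledger ends at -900; with the fixed ordering the balance is already 0 when the recipient runs, the nested request fails the check, and exactly 100 leaves the pool. The fix is purely a matter of statement order, which is why the article calls it such an easy mistake to make.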

All Too Human

As bad as the bug was, Sirer still thinks that both the DAO and Ethereum are worthwhile experiments. The DAO helped raise awareness of the idea of smart contracts, which Sirer thinks will eventually become extremely important to how the world conducts transactions. The project has also called attention to some of the biggest technical challenges.

“This is a rite of passage for the project,” he says.

The Ethereum team is now debating how, and whether, to refund the stolen funds. Ethereum works much like Bitcoin does: the system records each transaction in a global ledger that resides on every Ethereum user's computer. The Ethereum team could release a new version of the software that tweaks this ledger to essentially reverse all of the DAO heist transactions. If enough people installed this version, it would be like the hack never happened. That's exactly what many people in the community, including Ethereum creator Vitalik Buterin and the Slock.it team, would like to see happen.

“Fourteen percent of all ether is in the DAO,” Tual says. “No one wants to see this fail.”

But others think that reversing the transactions could have a damaging effect on people's perceptions of ether and cryptocurrencies in general.

Alex Van de Sande, a user experience designer who has contributed to several Ethereum-related projects, and who put money into the DAO, says he believes other ways exist to retrieve the missing funds. Because the thief transferred the pilfered ether into a clone of the DAO, de Sande points out, it may well have the exact same security vulnerability as the original. Developers could just steal the ether back.

The idea behind Ethereum, much like Bitcoin, was to create a computer system that facilitated transactions using the immutable rules of mathematics. The code would eliminate the need to trust anyone. If people can simply reverse transactions they didn't mean to make, it proves that people, not mathematics, are really in charge of the system, de Sande says. If the code did something people didn't mean it to do, then people will have to live with the consequences.

The fact that a fork is being discussed at all proves that despite the Ethereum team’s best efforts, machines will always be subject to the messy politics of the human world. But that also might end up saving the project. The heist has divided people and exposed the inevitability of human weakness. But it’s also bringing people together to fix things. Humanity is making that possible, not mathematics.

Hackers hit esports site Battlefy and release 89,000 users’ data

A hacker last week breached the systems of Battlefy, a Vancouver esports management startup, and leaked nearly 90,000 users' personal information.

Following the breach at Battlefy, which in 2014 received $1.3 million in seed funding from tech venture capitalists including former Riot Games chairman Jarl Mohn, the hacker released 89,270 emails, account names, and hashed passwords in a text file.

The owner of the @ciadotgov Twitter account claimed responsibility for the hack and asked for Bitcoin donations for his work. The account was allegedly behind the hack of AllWomensTalk.com earlier this year.

Battlefy, which says its user base grew 750 percent in the last year, apologized to users in an email on Sunday, several days after the breach took place and the data was posted publicly online. At press time, the data remained online.

“The perpetrator gained unauthorized access to a test environment hosting an old version of our database,” Battlefy CEO Jason Xu told the Daily Dot. “Once discovered, we immediately closed the vulnerability and launched a full investigation into the breach. There was no unauthorized access to our production servers.”

The nearly 90,000 affected users represent a “small portion” of the overall user base, according to Xu.

"We protect our users' passwords by encrypting them with a ten round bcrypt hashing scheme, which is a non-reversible algorithm," he said.

On its website, Battlefy boasts that it is trusted by gaming industry leaders such as Riot (League of Legends), Blizzard (StarCraft), and Turtle Rock Studios (Counter-Strike).

Battlefy recommends that users who share passwords across multiple accounts change those login credentials immediately.

The company is currently conducting an investigation into both the breach and its security systems.


The FBI just warned Americans about a serious new online extortion scam

The Federal Bureau of Investigation issued an alert late Wednesday night warning about attempts to extort victims of recent data breaches.

When hackers steal data from private companies or government agencies, they often advertise it for sale on various Dark Net websites. Criminals then purchase the information and threaten affected users, forcing them to essentially pay a new form of hush money if they don’t want their leaked, sensitive information broadcast to the world.

“The recipients are told that personal information, such as their name, phone number, address, credit card information, and other personal details, will be released to the recipient’s social media contacts, family, and friends if a ransom is not paid,” the FBI said in its alert.

There have been many recent reports of data breaches, some of them relating to years-old attacks but all of them emphasizing how many people’s sensitive personal information has been compromised.

The FBI said that its Internet Crime Complaint Center had received many reports about the extortion emails, with the requested payments ranging from 2 to 5 bitcoins, or $250 to $1,200 at current exchange rates. Criminals typically ask for payment in bitcoins, the bureau said, because the cryptocurrency “provides a high degree of anonymity to the transactions.”

The FBI provided examples of extortion emails ranging from relatively tame missives, like a hacker glibly noting that they could contact the victim's friends, to more ominous suggestions about how failing to pay up would wreak havoc on the victim's personal life.

"If you think this amount is too high, consider how expensive a divorce lawyer is," one extortionist wrote to their victim. "If you are already divorced then I suggest you think about how this information may impact any ongoing court proceedings. If you are no longer in a committed relationship then think about how this information may affect your social standing amongst family and friends."

Unsurprisingly, federal agents believe that multiple individuals are involved in these extortion campaigns because the emails do not follow a consistent format.

In its alert, the FBI reiterated its longstanding warnings against opening suspicious attachments and storing “sensitive or embarrassing photos” online or on a mobile device. It also warned victims not to pay the extortion fee, as doing so would facilitate continued criminal activity.

‘$300m in cryptocurrency’ accidentally lost forever due to bug

User mistakenly takes control of hundreds of wallets containing cryptocurrency Ether, destroying them in a panic while trying to give them back

More than $300m of cryptocurrency has been lost after a series of bugs in a popular digital wallet service led one curious developer to accidentally take control of and then lock up the funds, according to reports.

Unlike most cryptocurrency hacks, however, the money wasn't deliberately taken: it was effectively destroyed by accident. The lost money was in the form of Ether, the tradable currency that fuels the Ethereum distributed app platform, and was kept in digital multi-signature wallets built by a developer called Parity. These wallets require more than one user to enter their key before funds can be transferred.

On Tuesday Parity revealed that, while fixing a bug that let hackers steal $32m out of a few multi-signature wallets, it had inadvertently left a second flaw in its systems that allowed one user to become the sole owner of every single multi-signature wallet.

Q&A

What is cryptocurrency?

A cryptocurrency is a form of digital asset, created through a canny combination of encryption and peer-to-peer networking.

Bitcoin, the first and biggest cryptocurrency, is part of a decentralised payment network. If you own a bitcoin, you control a secret digital key which you can use to prove to anyone on the network that a certain amount of bitcoin is yours.

If you spend that bitcoin, you tell the entire network that you’ve transferred ownership of it, and use the same key to prove that you’re telling the truth. Over time, the history of all those transactions becomes a lasting record of who owns what: that record is called the blockchain.

After bitcoin's creation in 2009, a number of other cryptocurrencies sought to replicate its success by taking its free, public code and tweaking it for different purposes.

Some, such as Filecoin, have a very defined goal. It aims to produce a sort of decentralised file storage system: as well as simply telling the network that you have some Filecoins, you can tell the network to store some encrypted data and pay Filecoins to whoever stores it on their computer.

Others are more nebulous. Ethereum, using the Ether token, is now the second biggest cryptocurrency after bitcoin and essentially a cryptocurrency for making cryptocurrencies. Users can write “smart contracts”, which are effectively programs that can be run on the computer of any user of the network if they’re paid enough Ether.

Of course, to many, the purpose is secondary. The only really important thing is that the value of an Ether token increased 2,500% over 2017, meaning some are hoping to jump on the bandwagon and get rich. Bubble or boom? That’s the $28bn question.

The user, devops199, triggered the flaw apparently by accident. When they realised what they had done, they attempted to undo the damage by deleting the code which had transferred ownership of the funds. Rather than returning the money, however, that simply locked all the funds in those multisignature wallets permanently, with no way to access them.

"This means that currently no funds can be moved out of the multi-sig wallets," Parity says in a security advisory.

Effectively, a user accidentally stole hundreds of wallets simultaneously, and then set them on fire in a panic while trying to give them back.

"We are analysing the situation and will release an update with further details shortly," Parity told users.

Hard fork

Some are pushing for a hard fork of Ethereum, which would undo the damage by effectively asking 51% of the currency's users to agree to pretend that it had never happened in the first place. That would require a change to the code that controls Ethereum, and then that change to be adopted by the majority of the user base. The risk is that some of the community refuses to accept the change, resulting in a split into two parallel groups.

Such an act isn't unheard of: another hack, two years ago, of an Ethereum app called the DAO resulted in $150m being stolen. The hard fork was successful then, but the money stolen represented a much larger portion of the entire Ethereum market than the $300m lost to Parity.

The lost $300m follows the discovery of a bug in July that led to the theft of $32m in ether from just three multisignature wallets. A marathon coding and hacking effort was required to secure another $208m against theft. Patching that bug led to the flaw in Parity's system that devops199 triggered by accident.

Parity says that it is unable to confirm the actual amount lost, but that the $300m figure is "purely speculative". The company also disputes that the currency is lost, arguing that "frozen" is more accurate. But if it is frozen, it appears that no-one has the ability to unfreeze the funds.

"The Parity vulnerability was the result of an incorrectly coded smart contract used by the Parity wallet to store tokens on the Ethereum network," said Dominic Williams, founder of blockchain firm DFINITY. "The vulnerability made it possible for anyone to freeze the tokens held by that smart contract, making them immovable. At this time, the only method we are aware of to unfreeze tokens held by the vulnerable smart contract would be to create a new hard fork Ethereum client that deploys a fix. This would require every full node on the Ethereum network to upgrade by the date of the hard fork to stay in sync, including all miners, wallets, exchanges, etc."

Ethereum has rapidly become the second most important cryptocurrency, after Bitcoin, with its price increasing more than 2,500% over the past year. One token of Ether is now worth a little over $285, up from $8 in January.

Read more: https://www.theguardian.com/technology/2017/nov/08/cryptocurrency-300m-dollars-stolen-bug-ether

Bad Rabbit: Game of Thrones-referencing ransomware hits Europe

NotPetya-style malware infects Kiev's metro system, Odessa airport and Russian media, demanding bitcoin for decryption key

A major ransomware attack is hitting computers in Russia and Ukraine, bearing similarities to the NotPetya outbreak that caused billions of pounds of damage in June.

The self-titled Bad Rabbit malware encrypts data on infected machines before demanding a payment of 0.05 bitcoin (£250) for the decryption key. The ransom demand is phrased similarly to that of June's outbreak, and researchers at Russian security firm Kaspersky say that the malware uses methods similar to those used during the NotPetya attack.

Among the affected organisations are Kiev's metro system, Russian media organisation Interfax and Odessa airport. Interfax was forced to publish to its Facebook page during the outage, since its servers were taken offline for a number of hours.

Unusually, the malware's code is peppered with pop culture references, including the names of two dragons from Game of Thrones and the character Gray Worm used as names for scheduled tasks. A list of passwords that the malware tries while attempting to spread also includes "love", "sex", "god" and "secret", which were dubbed the four most common passwords by the 1995 movie Hackers. In fact, the four most common passwords are "123456", "123456789", "qwerty" and "12345678".

"Our observations suggest that this has been a targeted attack against corporate networks," Kaspersky's researchers said, again suggesting a link between this outbreak and June's. The NotPetya outbreak began through the release of a compromised version of a popular Ukrainian accounting program, spreading automatically throughout corporate networks.

The strongest link between the two attacks is based on the web servers which were used to distribute the initial software. Kaspersky researcher Costin Raiu told Forbes magazine that a network of hacked sites initially linked to NotPetya in July was now being used to host secondary distribution channels for Bad Rabbit.

But the two attacks contain a number of notable differences, as well. Where NotPetya was targeted at Ukraine, Bad Rabbit appears to have primarily hit Russian businesses. It was initially seeded through a fake Adobe Flash update placed on at least three hacked Russian media outlets, and from that initial foothold has spread through Russia and Ukraine, as well as other eastern European countries including Poland and Bulgaria.

The attack is also different from NotPetya in its mode of distribution. The fake Adobe Flash update which initially installs it doesn't use any software exploits to run, instead relying on old-fashioned trickery to convince a user to open it themselves. Also, once installed, the software doesn't use the famous EternalBlue exploit, believed to have been developed by the NSA before being stolen by a hacking group known as The Shadow Brokers, to spread within corporate networks. That decision may have limited the dispersal of the outbreak.

Perhaps the biggest difference between the two is that Bad Rabbit does not appear to be a wiper, as was suspected of NotPetya. That malware was basically impossible to remove, even for users who attempted to actually pay the ransom, leading to suspicions it had been created more to cause damage and destruction than raise revenue for its developers. Bad Rabbit, by contrast, reportedly does decrypt the hard drive upon entry of the correct password.

The UK's National Cyber Security Centre said in a statement: "We are aware of a cyber incident affecting a number of countries around the world. The NCSC has not received any reports that the UK has been affected by this latest malware attack. We are monitoring the situation and working with our partners to better understand the threat."

Carl Leonard, a principal analyst at Forcepoint, said: "We will continue to see massive attacks with economic, employee and public safety ramifications. And the methods will continue to evolve, including the evasive methods to hide their activity as well as their true intent.

"The trick will be to better understand the human points in these attacks. The intent or motivations of the attackers can range broadly, including financial gain, revenge, political or hacktivism. Understanding these intentions can help shape our security strategies."

Anton Ivanov (@antonivanovm)

Unlike #ExPetr, #BadRabbit is not a wiper. pic.twitter.com/JeBnD8q9DV

October 24, 2017

Initially, few security products were capable of stopping the outbreak: a sample of the malware uploaded to analysis service VirusTotal showed just four products correctly flagging it as malicious as of 4:30pm on Tuesday, including ones made by Kaspersky and Symantec. By then, the outbreak was well and truly underway. As of Wednesday morning, almost two thirds of updated security products correctly identify the malware.

Users without working antivirus protection can also reportedly protect themselves with a "vaccine" by creating a file on their computer before the malware does.

Amit Serper (@0xAmit)

Vaccination for the Ukraine round 2? Wanna stop #badrabbit?
Create a file called c:\windows\infpub.dat and remove all write permissions for it. This should keep the malware from encrypting. Testing it now… pic.twitter.com/3MSSH8WKPb

October 24, 2017

Read more: https://www.theguardian.com/technology/2017/oct/25/bad-rabbit-game-of-thrones-ransomware-europe-notpetya-bitcoin-decryption-key