
Tuesday, March 17, 2020

The effects of climate change on cybersecurity


Posted: March 13, 2020 by Pieter Arntz


Outside the coronavirus pandemic and its related healthcare and economic fallout, climate change and cybersecurity are seen by many as the two most urgent problems facing our planet now and in the near future. They are two distinct and separate problems, to be sure. There are some areas, however, where security and climate change overlap, interlock, and influence one another. Let’s have a look.

To understand how climate change and the methods to counteract its rapid ascent will affect cybersecurity, we first have to look at how computing contributes to global warming. Your first instinct about their relationship is probably right: computing involves energy consumption and heat production. As long as we cannot produce enough “clean energy” to satisfy our needs for electricity, the energy consumed by computing—and security within it—will continue to contribute to global warming.
The big energy consumers

There are a few fields in computing and cybersecurity that guzzle up huge amounts of energy and produce heat as a byproduct:
Supercomputers
Blockchain mining
Data centers
The Internet as a whole

Before you dismiss the problem of the supercomputers (because you assume there are only a few of them)—even I was astounded to find out that there are over 500 systems that deliver a petaflop or more on the High Performance Linpack (HPL) benchmark. Most of these supercomputers consume vast amounts of electrical power and produce so much heat that large cooling facilities must be constructed to ensure proper performance. But in recent years, vendors have started to produce supercomputers that are more energy efficient.

In 2019, the mining of Bitcoin alone consumed more energy than the entire nation of Switzerland, which equals about a quarter of one percent of the world’s entire energy consumption. There are many more blockchains and cryptocurrencies, although Bitcoin is by far the largest energy consumer among them. This is mostly due to its proof-of-work design and the high value of Bitcoin, which makes it worth spending that much electricity to mine.

While cybercrime experienced a huge jolt in cryptomining in 2018, the frenzy has mostly died down as Bitcoin value dipped and plateaued. However, cryptomining continues as both a legitimate and illegitimate activity—especially because miners can switch to other cryptocurrencies when Bitcoin drops off.

An even bigger energy consumer is data centers, which already use over 2 percent of the world’s total energy consumption, and that number is expected to rise fast. The prediction is based on the growing number of content delivery networks (CDN), more Internet of Things (IoT) devices, the growth of the cloud, and other colocation services. So, not only do data centers consume massive amounts of energy, their use is expected to grow astronomically.

The Internet can’t be completely separated from the data centers that enable it. But despite the overlap, it’s still worth mentioning that the Internet as a whole accounts for around 10 percent of the world’s total energy consumption, which is more than the world’s total energy production from renewable sources such as wind and solar.

However, it’s fair to note that the Internet has taken over a lot of tasks that would have cost more energy or created a greater carbon footprint if they had been performed in the “old ways.” Consider, for example, the energy saved by working remotely: the energy expended on the Internet and inside one’s home is far less damaging than the carbon dioxide released into the atmosphere by burning fossil fuels on a daily commute to the office.
Global warming’s trickle down effects

Conversely, global warming and its effects on the climate, environment, and economy do have a direct impact on our everyday lives, and that trickles down to cybersecurity. Some of the projected dangers include:
Flooding of certain areas
Prolongation of the wild-fire season
Spread of diseases
Economic costs
Scarcity of fresh water in certain areas

By 2030, climate change is projected to cost the global economy $700 billion annually, according to the Climate Vulnerability Monitor. And the International Organization for Migration estimates that 200 million people could be forced to leave their homes due to environmental changes by 2050.

Climate change and its implications will act as a destabilizing factor on society. When livelihoods are in danger, this will spark insecurity and drive resource competition. This does not only have implications for physical security, but in modern society, this also has an impact on cybersecurity and its associated threats.

From a big picture, worst-case-scenario perspective, climate change could trigger profound international conflicts, which go hand-in-hand with cyberwar. Beyond nation-state activity, individuals that have no other means of providing for their families could turn to cybercrime, which is often seen as a low-risk activity with a potentially high yield.

But on a smaller scale, we’re already seeing the impacts of climate change on cybersecurity, whether via social engineering scare tactics embraced by threat actors or disruptions to Internet-connected home heating and cooling devices meant to track energy consumption.
Global warming scams

NO, we’re not saying that climate change is a hoax or a scam. But we want to issue a warning related to the subject. As with any newsworthy topic, there are and will be scammers trying to make a profit using the feeling of urgency that gets invoked by matters like climate change.

For example, the Intergovernmental Panel on Climate Change (IPCC) issued a warning against several scams abusing their name.


“IPCC has been made aware of various correspondences, being circulated via e-mail, from Internet Web sites, and via regular mail or facsimile, falsely stating that they are issued by, or in association with, IPCC and/or its officials. These scams, which may seek to obtain money and/or in many cases personal details from the recipients of such correspondence, are fraudulent.”

Natural disaster scams are increasing at the same rate as natural disasters themselves, often claiming to collect donations for a particular cause while putting the money in the scammers’ own pockets instead. We’ve seen social engineering tricks ranging from phishing emails and malspam to social media misinformation campaigns on hurricanes, tornadoes, fires, and flooding. Expect this sort of gross capitalization on tragedy and fear to continue as the effects of climate change become more dramatic.
Improving efficiency and preparing for changes

The number of data centers is falling, but their size has grown to meet demand. This is potentially a step in the right direction, since consolidation decreases the power spent on overhead, but it is not as big a step as could be made if operators actually worked on their power efficiency.

Online companies typically run their facilities at maximum capacity around the clock, regardless of the demand. As a result, data centers are wasting 90 percent or more of their power. Smart management could make a substantial difference in energy consumption and costs.

Cryptomining could improve on energy consumption if the most popular currencies were based on proof of stake rather than proof of work. Proof of work rewards whoever spends the most CPU cycles, and with that the most energy.

NEO and Hyperledger are next-generation blockchain technologies with much lower electricity cost. NEO uses what it calls delegated Byzantine Fault Tolerance (dBFT), an optimized proof-of-stake model. Hyperledger Fabric centralizes block creation in a single resource pool and distributes validation across multiple validators among the participants. It’s an enterprise collaboration engine using blockchain smart contracts, in which validation is much cheaper than creation, and creation is centralized on a single, optimized platform.

More effective methods of cooling would help both supercomputers and large data centers. At the moment, we are (ironically) using electricity to power cooling systems to control the heat caused by electricity usage. In fact, cooling gobbles up about 35 percent of the total power in high-performance computing with air-cooled systems. Hot-water liquid cooling might be a key technology in future green supercomputers, as it maximizes cooling efficiency and energy reuse.
Interaction between climate change and cybersecurity

As we have seen, there are opportunities for those in security and computing to slow the progression of climate change. But there are also opportunities for those in cybercrime to take advantage of the destabilization caused by climate change, as some already have through related scams and malware campaigns. As long as we don’t drop security in attempts to counteract global warming, we’ll be able to protect against some of the more advanced threats coming down the pike. But while we still can, let’s rein in our carbon footprint, improve on computing efficiency, and remember our cybersecurity lessons when criminals come calling.

Stay safe, everyone!

Windows 10 Secured-Core PCs Can Block Driver-Abusing Malware


By Sergiu Gatlan March 17, 2020 03:30 PM

Microsoft says that Windows 10 Secured-core PCs can successfully defend their users against malware designed to take advantage of driver security flaws to disable security solutions.

"Multiple malware attacks, including RobbinHood, Uroburos, Derusbi, GrayFish, and Sauron, and campaigns by the threat actor STRONTIUM, have leveraged driver vulnerabilities (for example, CVE-2008-3431, CVE-2013-3956, CVE-2009-0824, CVE-2010-1592, etc.) to gain kernel privileges and, in some cases, effectively disable security agents on compromised machines," Microsoft says.

According to Microsoft, however, endpoints can be defended against such attacks with a Secured-core PC, which ships with built-in protection against firmware attacks, a technique increasingly used by both state-sponsored groups and commodity malware.

Secured-core PCs were introduced in response to the growing number of firmware security issues that attackers can exploit to bypass Secure Boot on a Windows machine, and to the lack of firmware-level visibility in most of today's endpoint security solutions.
Malware abusing vulnerable firmware and drivers

"In addition to vulnerable drivers, there are also drivers that are vulnerable by design (also referred to as 'wormhole drivers'), which can break the security promise of the platform by opening up direct access to kernel-level arbitrary memory read/write, MSRs," Microsoft adds.

"In our research, we identified over 50 vendors that have published many such wormhole drivers. We actively work with these vendors and determine an action plan to remediate these drivers."

One instance of a threat actor abusing firmware vulnerabilities is the Russian-backed APT28 cyber-espionage group (also tracked as Tsar Team, Sednit, Fancy Bear, Strontium, and Sofacy) who used a Unified Extensible Firmware Interface (UEFI) rootkit dubbed LoJax during some of its 2018 operations.

More recently, the operators behind the RobbinHood Ransomware exploited a vulnerable GIGABYTE driver to elevate privileges and install malicious unsigned Windows drivers that allowed them to terminate antivirus and security software processes on compromised systems.
RobbinHood Ransomware attack chain (Microsoft)

"In this attack scenario, the criminals have used the Gigabyte driver as a wedge so they could load a second, unsigned driver into Windows," Sophos researchers explained at the time.

"This second driver then goes to great lengths to kill processes and files belonging to endpoint security products, bypassing tamper protection, to enable the ransomware to attack without interference."

This tactic enabled the attackers to circumvent anti-ransomware defenses by killing the antivirus software before deploying the ransomware executable used to encrypt the victim's documents.

Sophos had not been able to fully analyze the ransomware sample at the time, so the processes and services it targets were still unknown.
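One check a practitioner would want after reading the Sophos description above is whether an unsigned driver has actually made it into the kernel. The following script is an added example for this page, not code from the article, Sophos or Microsoft; the function names are its own. It enumerates running kernel drivers through the Win32_SystemDriver WMI class, resolves each service's image path, and reports every image whose Authenticode or catalog signature does not verify. It is read-only and assumes an elevated PowerShell session on Windows 10.

```powershell
# Added example, not from the article, Sophos or Microsoft. Read-only; run in an
# elevated PowerShell on Windows 10. Lists running kernel drivers whose image on
# disk does not carry a valid Authenticode or catalog signature.

function Resolve-DriverImagePath {
    param([string]$PathName)
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    $p = $PathName.Trim('"')
    # Service entries use NT-style prefixes; map the common ones to Win32 paths.
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', ($env:SystemRoot + '\')
    $p = $p -replace '^system32\\', ($env:SystemRoot + '\System32\')
    if (-not [System.IO.Path]::IsPathRooted($p)) { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-UnsignedRunningDriver {
    $drivers = Get-CimInstance -ClassName Win32_SystemDriver -Filter "State='Running'"
    foreach ($drv in $drivers) {
        $path = Resolve-DriverImagePath $drv.PathName
        if (-not $path -or -not (Test-Path -LiteralPath $path)) {
            # A running driver with no image on disk is itself worth a look.
            [pscustomobject]@{ Name = $drv.Name; Path = $drv.PathName; Status = 'ImageMissing'; Type = $null; Signer = $null }
            continue
        }
        $sig = Get-AuthenticodeSignature -FilePath $path
        if ($sig.Status -eq 'Valid') { continue }
        [pscustomobject]@{
            Name   = $drv.Name
            Path   = $path
            Status = $sig.Status          # NotSigned, HashMismatch, UnknownError, ...
            Type   = $sig.SignatureType   # Authenticode, Catalog or None
            Signer = $sig.SignerCertificate.Subject
        }
    }
}

Get-UnsignedRunningDriver | Format-Table -AutoSize
```

On a machine with HVCI running, an unsigned driver cannot be loaded at all, so any row this prints is a finding. Two caveats: the script inspects the file on disk, not the code that is actually mapped in the kernel, and a legitimately signed but vulnerable driver such as the one used as a "wedge" in the RobbinHood case will verify as Valid. Catching the wedge itself is a job for HVCI and for vendor driver blocking, not for a signature check.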
Secured-core PCs feature built-in protection

Windows 10, Microsoft says, already ships hardware and firmware protection features that can defeat attacks like the ones behind LoJax and RobbinHood ransomware.

Moreover, the Secured-core PCs that Microsoft introduced in October 2019 with OEM partners Lenovo, HP, Dell, Panasonic, Dynabook, and Getac can block firmware-level attacks because these hardware-backed security features ship enabled by default, so users do not have to change the required BIOS and OS settings by hand.

"Because both BIOS settings and OS settings are enabled out of the box with these devices, the burden to enable these features onsite is removed for customers," Microsoft adds, with the following features being turned on all Secured-core PCs:

Security promise                                        Technical features
Protect with hardware root of trust                     TPM 2.0 or higher; TPM support enabled by default; virtualization-based security (VBS) enabled
Defend against firmware attack                          Windows Defender System Guard enabled
Defend against vulnerable and malicious drivers         Hypervisor-protected code integrity (HVCI) enabled
Defend against unverified code execution                Arbitrary code generation and control-flow hijacking protection [CFG, xFG, CET, ACG, CIG, KDP] enabled
Defend against limited physical access, data attacks    Kernel DMA protection enabled
Protect identities and secrets from external threats    Credential Guard enabled


However, users of other devices can also take advantage of similar protection if they configure their hardware and Windows security features correctly.

"Specifically, the following features need to be enabled: Secure boot, HVCI (enables VBS), KDP (automatically turned on when VBS is on), KDMA (Thunderbolt only) and Windows Defender System Guard," Microsoft explains.

"With Secured-core PCs, however, customers get a seamless chip to cloud security pattern that starts from a strong hardware root of trust and works with cloud services and Microsoft Defender ATP to aggregate and normalize the alerts from hardware elements to provide end-to-end endpoint security."
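On a machine that is not a Secured-core PC, the features listed above have to be verified rather than assumed. The script below is an added example for this page, not Microsoft's code; the function name is its own. It reads the Win32_DeviceGuard WMI class for the VBS, HVCI, Credential Guard and System Guard state, asks the firmware about Secure Boot, reads the TPM spec version, and then prints the registry switches Microsoft documents for enabling VBS, HVCI and Credential Guard, so a feature that is configured but not actually running stands out. The service codes in the comments are the ones Microsoft documents for SecurityServicesRunning. Kernel DMA Protection has no cmdlet I know of, so the script leaves that to msinfo32. It is read-only and assumes an elevated PowerShell session on Windows 10.

```powershell
# Added example, not Microsoft's code. Read-only; run elevated on Windows 10.
# Reports which of the features in the table above are running right now, then
# shows the registry switches Microsoft documents for enabling them, so a
# "configured but not running" gap is visible.

function Get-SecuredCorePosture {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    # Win32_DeviceGuard.SecurityServicesRunning codes as documented by Microsoft:
    # 1 = Credential Guard, 2 = HVCI, 3 = System Guard Secure Launch, 4 = SMM firmware measurement
    $running = @($dg.SecurityServicesRunning)

    # Confirm-SecureBootUEFI throws on a legacy BIOS machine; treat that as "off".
    $secureBoot = try { [bool](Confirm-SecureBootUEFI) } catch { $false }

    # Win32_Tpm.SpecVersion looks like "2.0, 0, 1.38"; the first field is the TPM spec.
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $tpm20 = $false
    if ($tpm -and $tpm.SpecVersion) {
        $tpm20 = [version](($tpm.SpecVersion -split ',')[0].Trim()) -ge [version]'2.0'
    }

    [pscustomobject]@{
        SecureBoot              = $secureBoot
        Tpm20                   = $tpm20
        VbsRunning              = ($dg.VirtualizationBasedSecurityStatus -eq 2)  # 0 off, 1 enabled but not running, 2 running
        HvciRunning             = ($running -contains 2)
        CredentialGuardRunning  = ($running -contains 1)
        SystemGuardSecureLaunch = ($running -contains 3)
        SmmFirmwareMeasurement  = ($running -contains 4)
        # Kernel DMA Protection has no cmdlet; read it from msinfo32 > System Summary.
    }
}

Get-SecuredCorePosture | Format-List

# Configured state, for comparison with the running state above. A feature that
# is enabled here but not running usually means a pending reboot, virtualization
# not exposed by the firmware, or a driver that HVCI refuses to load.
$switches = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'; Name = 'EnableVirtualizationBasedSecurity' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity'; Name = 'Enabled' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Name = 'LsaCfgFlags' }   # Credential Guard: 1 = on with UEFI lock, 2 = on without lock
)
foreach ($s in $switches) {
    $v = (Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue).($s.Name)
    '{0}\{1} = {2}' -f $s.Path, $s.Name, $(if ($null -eq $v) { '<not set>' } else { $v })
}
```

The running-state answer is the one that matters for the driver attacks described in this article: HvciRunning must be true for unsigned or blocklisted drivers to be refused, and VbsRunning must be true for HVCI and Credential Guard to exist at all. The registry lines only tell you what was asked for.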

Monday, March 16, 2020

CovidLock: Mobile Coronavirus Tracking App Coughs Up Ransomware

Tarik Saleh, Senior Security Engineer & Malware Researcher


Cybercriminals like to exploit people when they are at their most vulnerable. They use dramatic events that cause people to be emotional or fearful to drive their profits. Any time there are major news cycles happening on a topic that stirs a strong reaction, cybercriminals will not be far behind.

The coronavirus is no different. Shortly after the first cases were confirmed, DomainTools’ researchers observed a minor uptick in domain names leveraging Coronavirus and COVID-19. Those registrations have grown sharply in the past few weeks, and many of them are scams.

The security research team has continuously been monitoring these suspicious domains. The DomainTools security research team discovered a domain (coronavirusapp[.]site) that claims to have a real-time Coronavirus outbreak tracker available via an app download.
[Image: Malicious website (coronavirusapp[.]site)]

The domain prompts users to download an Android App that will give them access to a Coronavirus map tracker that appears to provide tracking and statistical information about COVID-19, including heatmap visuals.
[Image: Malicious COVID-19 tracker app]

In reality, the app is poisoned with ransomware. This Android ransomware application, previously unseen in the wild, has been named “CovidLock” because of the malware’s capabilities and its backstory. CovidLock denies the victim access to their phone by forcing a change in the password used to unlock it. This is also known as a screen-lock attack and has been seen before in Android ransomware.
[Image: COVID-19 tracker app ransom note]

The ransomware requests $100 in bitcoin in 48 hours on the ransom note. It threatens to erase your contacts, pictures and videos, as well as your phone's memory. It even claims that it will leak your social media accounts publicly.

Since Android Nougat (7.0), Android has protected against this type of attack: an app can no longer replace a lock-screen password the user has already set. That protection only helps if you have set one. If you haven't set a password to unlock the screen, you're still vulnerable to the CovidLock ransomware.

The DomainTools security research team has reverse engineered the decryption keys and will be sure to post the key publicly. The team also has the BTC wallet and is monitoring its transactions. Further technical details will be released soon.
How To Increase Your Ransomware Immunity


Be sure to only use trusted information sources from government and research institution’s websites. Don’t click on anything in your email that’s health related. In general, be sure to follow all of the basic phishing recommendations—be aware that people are trying to capitalize on fear here.
Ensure that you download Android applications only from the Google Play store. There is a much higher risk of downloading malware from untrusted 3rd party stores.
Research Conducted By:

Chad Anderson, Senior Security Researcher

Tarik Saleh, Senior Security Engineer & Malware Researcher

Fake coronavirus-tracking app installs the “Covidlock” ransomware

March 16, 2020, 10:52 AM by Absenta Mia

The coronavirus pandemic continues to spread rapidly. So far the virus has infected 153,000 people and has cost the lives of 5,800 people worldwide. While the situation has spread fear, malicious actors are trying to exploit the prevailing climate of insecurity to infect smartphones with the Covidlock ransomware.

According to the security firm DomainTools, a website promises to offer valid information about coronavirus cases through its Android app, but in reality installs the Covidlock ransomware.

The site, known as “coronavirusapp[.]site”, displays certifications from the World Health Organization (WHO) and the Centers for Disease Control and Prevention (CDC). It also claims that its app has more than 6 million reviews and a 4.4-star rating.

The app promises to send the user notifications when it detects a coronavirus case near their area. But once the user installs the app and grants it various permissions on the device, they are attacked by Covidlock, which forces them to change their screen lock.

The victim then receives a message giving them a 48-hour deadline to pay the ransom demanded. The message threatens that if the user does not pay in time, it will erase all data from the device and additionally leak their social media accounts. The amount the hackers demand is $100 in bitcoin.

So far no case of the ransom being paid has become known. Meanwhile, the security firm says it reverse engineered the decryption keys and intends to publish them soon.

Of course this is not the only incident exploiting the prevailing climate of fear. A few days ago a fake coronavirus-tracking map circulated that installed password-stealing malware on computers.

DomainTools notes that a worrying number of domains are being registered around the coronavirus. “These registrations have increased significantly in recent weeks and many of them are scams.”

A similar incident recently occurred in Iran, where an app promised to notify people if they had been infected with the coronavirus. In reality, what it did was collect the location data of Iranian citizens.

Coronavirus COVID-19 Global Cases by the Center for Systems Science and Engineering (CSSE) at Johns Hopkins University (JHU)

Professor Lauren Gardner, a civil and systems engineering professor at Johns Hopkins University, built the dashboard with her graduate student, Ensheng Dong. It is maintained at the Center for Systems Science and Engineering at the Whiting School of Engineering, with technical support from ESRI and the Johns Hopkins University Applied Physics Laboratory. Gardner is co-director of the CSSE.