Terrorism researchers, AI developers, government scientists, threat-intelligence specialists, investors and startups gathered at the second annual WIRED conference to discuss the changing face of online security. These are the people who are keeping you safe online. Their discussions included Daesh's media strategy, the rise of new forms of online attacks, how to protect infrastructure, the threat of pandemics and the dangers of hiring a nanny based on her Salvation Army uniform.
Daesh may be losing the ground war but the virtual caliphate's online branding and propaganda is still winning converts, Charlie Winter, senior research fellow at the International Centre for the Study of Radicalisation, told the room.
Winter spends hours monitoring jihadist chat on encrypted messaging app Telegram – the new home of the virtual caliphate. Its complex propaganda machine involves "hundreds and hundreds of media products, videos, magazines and bulletins, in lots of different languages coming out every single day", he explained. "Daesh supporters are addicted to its propaganda and the group tries to propagate that interdependence."
Winter suggested partially closing the network to make it more difficult. That could mean making parts of the internet inhospitable, but "not so much that they start using things impossible to monitor", he added.
The Kremlin is also wrestling with the challenges of digital platforms, Russian investigative journalist Andrei Soldatov told the conference. Russia initially denied invading Ukraine, until Russian soldiers started posting pictures of the invasion online. Now Vladimir Putin is regaining control, using methods of intimidation from the Soviet era with a modern outsourcing approach to hacking groups such as Fancy Bear.
Echoing Winter's views, anonymity researcher Sarah Jamie Lewis told the conference that monitoring illicit traffic is getting harder. Lewis uses OnionScan to map the dark web by scanning links and encryption keys. She explained that in 2016, large hosting sites such as Freedom Hosting II were taken down by the hacking group Anonymous. "We are starting to see peer-to-peer technology taking over the dark web – which is far harder to track," she said. "If there's no central hub, then there's nowhere to start. The dark web is changing underneath us and it's certainly not going to stop any time soon."
In the cut-throat world of online florists, rival firms have resorted to crashing competitors' websites on key dates such as Valentine's Day, Cloudflare CTO John Graham-Cumming told a morning crowd.
With governments blocking protest sites using court orders or just shutting off the internet, it's becoming easy to close down the web, he explained - "so we need to help people hurt by these kind of attacks".
In a bid to keep the internet open, Cloudflare, which supplies online security to companies large and small, has launched Project Galileo, which mitigates DDoS attacks. Cloudflare has also developed the error code 451 for official government takedowns. "If we're forced to block a site, we use code 451 to explain why," he said. "We help people decide whether their government is doing the right thing."
The moment you think you're most secure is the moment you're most vulnerable, Beyza Unal, research fellow with the International Security Department at Chatham House, said.
This is potentially catastrophic for critical infrastructure. Among others, Unal has studied an attack on the UK energy grid in July 2017 by government-backed hackers."We don't see terrorists in critical infrastructure yet," she said. "It's mainly the US, Russia, North Korea and China." But critical-infrastructure firms haven't grasped the scope of the risks.
Her recommendations included raising awareness at board level by persuading firms to set up a team to find vulnerabilities.
If critical-infrastructure attacks damage the health service, Alaa Murabit warned, then the world is unprepared to deal with a pandemic. Murabit, executive director of health-security group Phase Minus 1, said that traditional responses, such as deploying troops, made things worse in high-risk areas. She called for support at ground level: "We can't have old, imperialist structures telling developing nations what to do," she added.
There is a new kind of online attack known as pseudo-ransomware - and it has even outraged some hacker groups, Raj Samani, chief scientist at McAfee, warned the conference.
Samani classified WannaCry – the May 2017 virus that crippled the NHS – and NotPetya, which struck in June, as pseudo-ransomware attacks since neither collected vast amounts of ransom. "If you want to make money, surely the first thing to fix is your payment mechanism," he argued. "WannaCry made $150,000 (£114,000) from ransomware. Cryptowall, on the other hand, made $325 million infecting the same number of computers."
McAfee believes WannaCry and NotPetya were designed to disrupt, which irritates the real ransomware criminals who are still after money. When asked about their motives, one operator said they'd been paid by an unnamed Fortune 500 company to disrupt the competition, Samani explained. Such tactics often cost less than a cup of coffee, he added.
The internet of things presents a new threat - ransomware could lock down connected cars. "My 11-year-old daughter could buy stolen credit cards, medical data, even hire a hitman," he warned. "Unless we do something about it, that's our future…"
When Rachel Botsman's parents advertised for a nanny, they were taken in by a woman called Doris's Salvation Army uniform, thick glasses and Scottish accent, the author and lecturer told the room. Ten months later they discovered that she was a major London drug dealer and had used the Botsman family car in an armed robbery.
"My parents faced something called the trust gap," Botsman explained. "They thought they had enough information, but there was a lot they didn't know. The illusion of information can be more dangerous than ignorance." Our need for online trust, in particular, has increased dramatically, she argued, with the spread of platforms such as Tinder and Airbnb. "We've outsourced our capacity to trust to algorithms," she warned. Botsman said that the Sun is setting on platforms that claim to only connect people to meet supply with demand.
"Platforms have to take responsibility for what happens," she insisted. "They should be proactive to reduce the risk of bad things happening and reactive in taking responsibility when things go wrong." She criticised Uber's tactics after TfL removed its licence in September. "Don't point the finger, don't blame anyone - gut the organisation and fix it," she said. "It's an opportunity to redesign."
Babysitting apps are getting this right, she added. Urban Sitter runs background checks via vetting platform Checkr, which are so thorough that 75 per cent of applicants are rejected. "If my parents could have used Checkr, they'd have found Doris was a crook," she said. "Trust is a human process, but when tech gets it right, the information makes us smarter than ever."
This article was originally published by WIRED UK
