How Target’s air conditioning let in a cyberattack


Big businesses know they could be cybercrime targets, so they invest in cyber defenses like software, people and training. Now, cybercriminals have turned to their smaller suppliers as a way of getting to them. hacker:HUNTER Behind the Screens Episode 2 looks at supply chain attacks.

Supply chain attack targets retailer Target

The bigger the business, the more suppliers. And more internet-connected devices everywhere means cybercriminals have more ways in.

In this episode, Eliza-May Austin, CEO and co-founder of cybersecurity start-up th4ts3cur1ty.company (That Security Company,) explains how cybercriminals stole 40 million people’s card details from US retail giant Target with an attack that began in their air conditioning system.

You read that right. It started with an employee at Target’s air conditioning supplier clicking a link in a phishing email, injecting malware into their system. Target had remote access to monitor their air conditioning units, and that remote access was through the same network where cybercriminals could access personal data. They got inside point-of-sale devices and pulled customer card details from the machine’s memory. The attack cost Target some 61 million US dollars.

What is a supply chain attack?

These kinds of attacks aren’t new, but they’re becoming more common and harder to detect. Apple and computer hardware makers ASUS are among those who’ve been targeted.

Energetic Bear was a significant attack on critical energy infrastructure. Cybercriminals began the attack with spear phishing – targeting specific people with customized emails and making a hit list of potentially vulnerable suppliers.

In 2017, Kaspersky researchers discovered a ‘backdoor’ (dubbed ShadowPad) in server management software hundreds of large businesses use. When activated, the backdoor let attackers download malicious modules and steal data. The researchers notified the suppliers, NetSarang, who pulled down the compromised software and replaced it with an earlier clean version.

Sometimes, there is no clean version. Noushin Shabab, Senior Security Researcher at Kaspersky, explains how supply chain attacks can start as software is being developed. “Cyberattackers compromise software by getting inside software used by developers – the development environment. That way malicious code can end up on many businesses’ networks.”

How to protect against supply chain attacks

Eliza-May Austin works with suppliers to larger corporations to make sure the whole supply chain is ‘hardened,’ or better protected from attack.

Her advice is straightforward. “We can prevent about 80 percent of attacks with basic cyber-hygiene. Make sure your software and hardware is up to date. Limit your ‘attack surface’ – if something needn’t be online, don’t put it online. Audit passwords, making sure they’re complex. Have two-factor authentication. Employees can be the weakest link in a company, but if they have good cybersecurity training, they can be the strongest.”

For more videos talking to those dedicated to stopping cybercrime, subscribe to the Tomorrow Unlocked YouTube Channel or follow us on Instagram.

One web developer with an exceptional ability


Visualizing code

Romanian web developer Cosmin Ciolacu has the amazing ability to see code in his head and know if it will work. A wheelchair user who isn’t able to use his arms and hands to type, Cosmin composes scripts in his mind then mentally error-checks them before dictating word by word, character by character to an assistant.

Using assistive technologies, he reviews code on screen for any transcribing errors. And he’s been making some impressive tech of his own.

Tech for greater good

Cosmin’s first project was designing and developing a user-friendly e-learning platform. Inspired by YouTube and Netflix, teachers can use it to upload educational videos and interact with students. Cosmin wants to make sure the tech is easy to use so that it can help more people.

The potential of future tech excites Cosmin, especially Elon Musk’s Neuralink, which lets users control devices with their minds through an implanted ‘neural lace.’See more videos about Young Bright Minds on our YouTube channel or Instagram.

Would you have a brain implant that lets you control devices?

These police officers are lighting up the dark web


The Dark Web: home of fraud, fake COVID-19 vaccines and illicit marketplaces selling everything from personal data to narcotics and child sexual abuse images. 

In the first in our new series, Hacker: Hunter Behind the Screens, we head into the web’s criminal underbelly with the UK’s Yorkshire and Humber Regional Cybercrime Unit (RCCU).

Understanding the Dark Web

The Dark Web is a network of computers where web traffic is anonymized. Many use it to access marketplaces and other sites to facilitate and commit crime.

David Malkin, former Senior Investigating Officer at the RCCU, compares the Dark Web with taking a train. “On the Clear Web, you have a ticket from A to B. In between, someone can check your ticket and see where you’re coming from and where you’re going. On the Dark Web, tickets don’t give your origin or destination, and your route may be different each time.” 

This encryption – and the risk-free environment created by the cloak of anonymity – has led the Dark Web to become a space for criminality: Kaspersky research shows that fake Covid vaccination certificates are for sale for just $20 on the Dark Web, while Statista research suggests 59% of listings on Dark Web marketplaces are for illicit drugs and drug-related chemicals.

But alongside illegal drugs, counterfeit goods and weapons, the sale of personal data is big business on the Dark Web. Fraudsters can buy names, dates of birth, credit card information and more at alarmingly low prices ($40 for online banking logins according to Forbes.com.) 

The FBI reports losses from online fraud topped 4 billion US dollars in 2020, and these losses destroy lives. 

Chris Spinks, Detective Sergeant in the RCCU’s Web Operations Team, says, “We’ve heard of people who’ve lost tens of thousands of pounds through fraud committing suicide, all because their private information was sold.”

Kaspersky reports the dark web can also be used for good. Dissidents, whistleblowers and investigative journalists use it to communicate anonymously online, and others use it to avoid online data collection.

How to protect yourself from the Dark Web

Kaspersky explains how the Dark Web poses two key threats to everyday internet users – having your identity stolen or your device becoming infected with malware.

Any kind of personal data can be sold on the Dark Web, so be sure to keep your passwords, physical addresses, bank account details and social security numbers safe and protected from potential leaks. If you’re concerned about a personal data breach, use a Dark Web monitoring service like Have I Been Pwned to tell you if your data is up for sale.

The Dark Web is full of information that’s been stolen via malware – tools like keyloggers (that keep a record of everything you type on your keyboard without you realising) and spyware (code that steals your private information, like passwords) can infect your devices without warning. Consider installing anti-virus software like Kaspersky Security Cloud to stay safe online. For more videos about the people fighting cybercrime and how they do it, subscribe to Tomorrow Unlocked on YouTube or follow us on Instagram.

Should the dark web be illegal?

Stopping cyberattacks on humanitarian organizations

Cybercriminals stop at nothing


You’d think cybercriminals would hesitate before attacking organizations that care for the world’s poorest and most vulnerable – non-government organizations (NGOs,) humanitarian groups and healthcare institutions. But nothing could be further from the truth.

Cybercriminals know NGOs distribute billions in aid each year, and hold sensitive client and donor information. This makes them an attractive target.

With many people around the world relying on these vital organizations for food, work and education, a cyberattack can cost lives. CyberPeace Institute is out to protect those lives with creative ways to help NGOs protect themselves.

Mutual benefit from cyber help

Klara Jordan, Chief Public Policy Officer at CyberPeace Institute, says, “The not-for-profit sector, NGOs and healthcare institutions are under-resourced and under-equipped to deal with cyberthreats. The biggest risk is that an NGO will have to close.”

Stéphane Duguin, Chief Executive Officer, says cybercriminals often attack NGOs. “One in two NGOs have had a cyberattack, but four in five don’t have a cybersecurity plan.”

Data breaches are a particular risk because of the sensitive data NGOs and healthcare institutions hold. “NGOs need trust to operate. Without it, they can lose access to resources. If they can’t protect themselves from a cyberattack, they lose donors’ and funders’ trust,” says Jordan.

Founded in 2019, CyberPeace Institute has a unique way to help NGOs reduce their cyber risk. “Our program, CyberPeace Builders, means NGOs can get help from the private sector,” says Duguin. “Corporations want to exercise corporate social responsibility in cyberspace. We make sure their goodwill finds the right fit with NGOs in need.”

Asking world leaders to act

CyberPeace Institute is also concerned governments aren’t doing enough to fight cybercrime. Cybercrime gangs act with impunity from countries that shield them from prosecution and leaders don’t always have the political will to hold them accountable.

In May 2020, the Institute published a call to governments worldwide, demanding immediate action to stop cyberattacks on healthcare. They asked world leaders to work together to protect the critical sector.

Jordan believes secure technology can bring enormous benefits to all. “CyberPeace means the infrastructure we rely on is safe, secure and trustworthy. Then, we can benefit from these technologies without being endangered by using them. We can only unlock technology’s potential if it’s safe, secure and stable.”

Are world leaders doing enough to fight cybercrime?

7 of the best tech movies for Halloween

It’s spooky season again so grab the pumpkin juice and a bowl of spider’s eggs and check out our favourite thrilling, action-packed and scary movies with a tech twist…

Face/Off

This all-action John Woo thriller stars Nicholas Cage as an FBI agent undergoes pioneering high tech facial transplant surgery so that he can take on the identity of the criminal mastermind who murdered his only son. When the villain – played by John Travolta – wakes up prematurely, all hell breaks loose.

Terminator 2: Judgment Day

Arguably THE archetypal cyborg movie. Arnold Schwarzenegger travels back in time to protect future resistance leader John Connor, pursued by a more advanced and powerful cyborg programmed to destroy them both. With time travel, human-cyborg relations and a glimpse into the future with the T-1000’s polymorphic technology this movie has tantalising tech running through its liquid metal core.
If Terminator 2 puts you in the mood for more thought provoking cyborg-related films, check out Imagine Beyond: Build me Somebody to Love on YouTube.

The Fly (1986)

The movie that spawned the iconic phrase “Be afraid. Be very afraid.” This cult classic tells the story of Seth Brundle, a scientist who gets transformed into a man / fly hybrid after one of his experiments goes horribly wrong. With the classic tech theme of matter transportation at the heart of this movie, The Fly is a sci-fi horror film that is chilling as well as gory – perfect for Halloween.

eXistenZ

Jennifer Jason Leigh plays a world-renowned developer of VR games played on consoles connected directly into the players’ spinal cord. When a demo of her new game eXistenZ is sabotaged by a counter-VR group, she’s cast into a harrowing journey through what may or may not be the game.This movie is eerie and mysterious, taking viewers on a head-scratching journey through the dark side of gaming.

Kairo / Pulse

After one of their group takes his own life, strange things begin happening to a group of young Tokyo residents. Is their friend trying to contact them from ‘the other side’ via the internet, or is something even more sinister occurring? Japanese cinema aficionados may already be fans of this movie but for the rest of us, Halloween is the perfect time to check out this cult classic.

For a look at the darker side of digital, check out hacker:HUNTER, a Tomorrow Unlocked original series that recaps the most notorious cybercrime cases of recent years.

Unfriended: Dark Web

When you find a laptop in the lost property of your local cafe do you take it, or leave it alone? Matias decides to take it and soon wishes he didn’t as he and his friends get sucked into a  deadly game of cat and mouse with the previous owner who will stop at nothing to get it back. Taking us on a journey into the dark web, this movie is perfect for Halloween with its mix of suspense, gore and terrifying view of humanity and technology.

Hard Candy

Some harrowing themes are exposed in Hard Candy as a vigilante 14-year-old lures an online sexual predator into a web of psychological and physical torture. With some brutal scenes and a tough moral question at its core, this is a film that’s sure to provoke debate.

To learn more about the fight against online child sexual exploitation, watch our Defenders of Digital profile of Susie Hargreaves, CEO, Internet Watch Foundation.

Before the clock strikes midnight…

These are just a selection of our personal favorites. But which Halloween horror films make your watch list? Let us know on our Instagram or Facebook before the sun rises.

Setting a new standard in email privacy

You may encrypt your internet traffic, but the provider you use to send emails can still read them, and so can cybercriminals and national security. It threatens freedom and democracy around the world. Bart Butler leads a team who developed ProtonMail as a private email service.

Who do you trust with that level of power?

In 2013, former US National Security Agency contractor Edward Snowdon turned whistleblower. He revealed a secret plan to develop mass global surveillance involving multiple countries and tech companies.

It was this event that triggered Bart Butler and others to crowdfund 500,000 US dollars to build the world’s first easy to use, fully encrypted email service provider. In the latest in Tomorrow Unlocked series Defenders of Digital, Bart talks about why ProtonMail is different and why his work matters.

Leveling up email privacy

Chief Technology Officer at Switzerland-based Proton Technologies, Bart Butler says, “A society in which everyone is being spied on all the time is not a free society. We can’t function if we can’t have private communications with people.”

Email might be the most democratic way of communicating the world has ever seen. Almost everyone who can access the internet also has an email address. And the accounts we use for all other internet services come back to our email address.

But email isn’t as secure as you might think. Bart says, “If you’re using a major email provider, your messages are sent with transfer-level encryption, but most email providers can read your messages. Your emails can be read if they have an interest in reading them, or if they’re compromised. It doesn’t matter who you are – you don’t want someone sifting through your life.”

Proton aims to provide alternatives to online communication tools that level-up our expectations around privacy.

Encryption at every level

In today’s world, corporations and nation states could control all access to communication. “No one can be trusted with that level of power,” says Bart. “At some point, the wrong people will gain control, and then free society is in danger.” 

Proton knew they had to make something as easy to use as regular email, but secure by default, with end-to-end encryption, where only the writer and receiver could read the email. They adapted existing email technology PGP to make it easier to use for everyday people and based their business and services in Switzerland to benefit from the country’s neutrality principles and world-leading privacy law.

The story continues…

Tomorrow Unlocked series Defenders of Digital highlights the people working every day for our digital safety and security. Watch other Defenders of Digital episodes.

Are there times when it’s OK for governments and corporations to read private emails?

iPod’s world-changing tech is 20 today

On October 23, 2001 the world changed forever when Apple launched the iPod. Since then, 35 billion songs have been downloaded onto 400 million iPods. Join us as we take a misty-eyed look back at the evolution of personal music players.

Where it all began: The Sony Walkman

In July 1979 Sony created an entirely new way to listen to music with the introduction of the TPS-L2, better known as the Walkman. Playing cassettes that could hold up to 90 minutes of music, the battery-powered Walkman introduced the concept of ‘music on the go.’ From launch to its retirement in 2010, about 200 million devices were sold and “Walkman” became a by-word for all portable music players. 

Going digital: The Sony Discman

In 1984, energised by the global dominance of the Walkman, Sony launched the first portable CD player: the Discman. Entering the world just two years after the first mass production of CDs, the Discman was arguably ahead of its time but went on to achieve huge global success.

The best thing you (probably) never had: The MiniDisc

In the early 90s some brands encouraged us to switch from cassette and CD to MiniDisc. Unlike CDs, MiniDiscs were skip-free and re-recordable. Despite offering superior quality – and many subsequent years of use in the music industry – MiniDisc failed to take off and production of personal MiniDisc players ended in 2011.

The MP3 pioneer: The MPMan F10

By the end of the 1990s the MP3 digital music format was with us, leading to a flood of portable MP3 players hitting the market. Some had screens, some didn’t, and capacity was often limited to a handful of albums. Launched in 1998, the MPMan by SaeHan Information Systems was available in 32Mb and 64Mb models (yes, that’s MEGABYTES – the 32Mb model could hold 8 to 10 songs) and sold for around $200.

The first dual-purpose device: The Samsung Uproar

Nowadays the idea of having a phone and music player as two separate devices seems crazy. But back in 2000, when Samsung launched the first mobile phone with a built-in MP3 player, the concept was totally fresh. Hailed by Time magazine as one of the top 100 gadgets of all time, the Uproar was able to hold up to an hour of digital music and laid the foundations for iPhone and countless other smartphones.

The game changer (part one): Apple iPodOctober 23, 2001: Steve Jobs stepped onto the stage at an Apple Music event and changed the world. By introducing the iPod, Apple gave anyone (with a spare $399, a price tag that clearly positioned it as a premium product) the ability to put “1,000 songs in your pocket” thanks to a device that was smaller, easier to use and offered much more storage than other MP3 players on the market. 

Two years later, Apple launched iTunes, sealing its dominance of the emerging digital music market. Now only one model exists – the iPod Touch – with many commentators predicting the iPod category will be retired soon.

The game changer (part two): The Apple iPhone

Several years after the iPod launch, with over 100 million sold, Apple introduced a second revolutionary device in 2007 – the iPhone. Combining a phone, email, web browser and music player into a single product, Apple reinvented the phone and changed our portable tech expectations overnight.

Into the intangible era: The rise of streaming

The advent of the smartphone led to the demise of physical media for playing music – although vinyl has enjoyed a welcome revival among music aficionados. Streaming now accounts for 83% of music industry revenue in the US, a huge rise from just 3% when Apple launched the iPhone in 2007, with Spotify the dominant service globally.

Into the future: What’s next?

With a raft of opinions about what the future holds for music tech – from embedded microchips connected to our brain stems that automatically play music matched to our mood, to AI replacing artists entirely, making a solid prediction isn’t for the faint-hearted. 

Whatever the future holds, we’re excited to see (and hear) it!

To explore a range of future tech topics, check out our audio series Fast Forward

Could giant extractor fans stop climate change?


In the battle to keep the climate from warming even more, storing carbon – known as carbon sequestration – will be crucial. Climeworks is capturing carbon from the air and storing it deep underground forever. And they’re doing it in a very cool way.

How do you remove carbon dioxide from the air?

Giant extractor fans. That’s right: Climeworks extractors suck in air, use a filter to trap carbon dioxide (CO2) and then store it. It’s called direct air capture. Founded by two engineers who decided they must do something about global warming’s impact on glaciers, in September 2021 Climeworks launched the world’s largest direct air capture plant in Iceland, trapping captured CO2 underground as stone.

The plant will store 4,000 tonnes of CO2 each year, equivalent to the emissions of 870 cars. Although its impact is modest, and it’s costly to run, the technology is at an early stage. The New York Times explores Climeworks’ challenges of reaching its ambitious target of removing 1% of the world’s annual CO₂ emissions. 

Climeworks work with companies that produce CO2 and sell CO2 removal subscriptions online to anyone. They’ve joined with renewable energy suppliers to make sure the energy running the process isn’t adding more CO2 to the environment.

In our short documentary, Climeworks co-founder and Chief Technology Officer, Carlos Haertel, explains what drives their tech-led climate initiative.

Why we must trap carbon

Why capture carbon at all? If we eat plant-based foods and use renewable energies, won’t that be enough?

Scientists say probably not. Climeworks’ website says, “The Intergovernmental Panel on Climate Change (IPCC)’s climate forecasts make clear we must remove carbon dioxide from the air to keep global warming below 1.5°C.” 

Direct air capture, like planting trees, goes further than reducing emissions, removing CO2 produced in the past. So, projects like Climeworks are a much-needed addition to everything else we do to fight climate change.

How the carbon capture tech works

The extractor fans are powered with renewable or waste energy. They’re modular, so can be stacked to make machines of any size.

Fans draw in air and capture CO2 on a selective filter. Once the filter is full, the collector closes and uses temperatures of 80 to 100°C to release the CO2 in a highly concentrated form, ready for storage.

There are many ways to permanently store CO2, but Climeworks prefers to focus on natural carbon sinks, like underground mineralization. They also work with companies using this pure carbon dioxide to produce renewable, carbon-neutral fuels and materials.

Alongside well-understood environmental wins like planting trees, carbon capture technologies will be an important part of ensuring the climate stays friendly to life on earth. We might’ve imagined a future of forests, but who would’ve thought it might also involve giant extractor fans? Innovation always has a few surprises up its sleeve.

For more videos about technologies that will change the future, see Tomorrow Unlocked on YouTube.

The Best International Cyber Short Films – Finalists


The Tomorrow Unlocked Film Festival (TUFF) provides up-and-coming filmmakers the opportunity to showcase their creativity and tell engaging stories about how technology influences our lives now, and in the future.

From so many entries from around the world, the film industry jury awarded this year’s winners:

Terra CeneWINNER

Terra Cene is a remembrance of things past and an observation of the interconnected nature of our time on Earth.

Directed by: Nono Ayuso

Country: UK

Are you still there? – RUNNER UP

Are we really connected? A young man passes out on a Skype call during lockdown but can anybody find and save him before it’s too late? Are we really connected? Is the internet a tool for unity or separation?

Directed by: Monica Zamora

Country: Spain

The Artificial Revolution – RUNNER UP

An artist investigates the recent advancements in creative artificial intelligence to see if we’re approaching the end of art.

Directed by: Elyas Masrour

Country: US

Hedy

A tech-savvy homeless girl creates a robot as a surrogate for her departed younger brother. Not everyone is happy with their partnership.

Directed by: Andy B Clarke

Country: Ireland

The InTEXTigator

Toronto Police help grieving widow Liz Brown solve her husband’s death. On the case: its newest recruit, Sherlock the AI.

Directed by: John Babu

Country: Canada

Cheat sheet for the princess

Cyber-actress Alena needs to impress in this movie role audition.

Directed by: Mikhail Salin

Country: Russia

#Perfake

She wants to be an actor. Tired of waiting, she amplifies her presence online. But the influencer life isn’t as easy as it looks.

Directed by: Ho Ting Yau

Country: Hong Kong

As long as I breathe

After the extinction of life on Earth, a man comes from space, looking for something amidst his delusions.

Directed by: Thiago Beckenkamp

Country: Brazil

Conversations with a monkey

Juan Siegman is an uninspired film director. He’s writing a science fiction script for his new film with the help of Ian, an anthropomorphic robot. 

Directed by: Grojo

Country: Spain

Spyglass

Paula is a young influencer who has organized a crazy new challenge. It consists of people trying to find out where she lives and calling the police before she drinks a glass of hydrochloric acid.

Directed by: Javi Prada 

Country: Spain