Online sextortion within IoT a cybersecurity and privacy perspective

Abstract
This post aims to show how online sextortion happens within the realm of IoT when the devices, applications and services that part of IoT are compromised by malware and malicious actors. The impact sextortion has on the targeted victims and the motivations for the malicious perpetrators who carry these attacks is explained. The role of cyber security will be discussed in how technology, awareness and education is key when used together in a holistic manner is vital in preventing online sextortion from occurring. Finally, it will examine what is currently happening to prevent online sextortion attacks from happening within IoT and what future methods or solutions could better prevent online sextortion from occurring.
The post is based off a prior research project (The analysis of the Socio-Technical Environment (STE) of Online Sextortion using Case Studies and Published Reports from a Cybersecurity Perspective) and it brings in elements of human factors and user interactions to the IoT domain.


What is Sextortion?

Extortion is an old crime that has taken on a new dimension with developments in technology, that led to four men in 2016 taking their own lives. (Guardian 2016) With the advent of modern communication technology, there is now the potential to affect anyone who is targeted and becomes trapped in an online sextortion racket irrespective of the geographic and social distance between extortioner and extortionee. Online sextortion is on the rise in the UK and many other major countries. The Federal Bureau of Investigation (FBI) (fbi.gov 2017) describe sextortion as "a serious crime that occurs when someone threatens to distribute a person’s private and sensitive material if they don't provide the perpetrator with images of a sexual nature, sexual favours, or money". The perpetrator may also threaten to harm a targeted individual's friends or relatives by using the information they have obtained from that person's electronic devices or online profile unless the target complies with their demands. The FBI state that online predators work to gain the trust of the targeted victim by pretending to be someone they are not. Predators look for their prey by lurking in chat rooms and record users who post or live-stream sexually explicit images and videos of themselves, or they may hack into a target victims’ electronic devices using malware to gain access to their files and control their web camera and microphone without them knowing it.
A EUROPOL report (2017) from the law enforcement perspective of online sexual coercion and extortion form of crimes affecting children. Aimed to raise awareness and to contribute to the public debate. The report determined two broad perpetrator profiles.
Victim Profile:  Any person whose sexual material could be acquired by a perpetrator.

  • Usually female in case of sexually motivated perpetrators.
  • Usually male in case of financially motivated perpetrators. 
  • The characteristics in cases of online sexual coercion and extortion affecting children:
  • The naivety of the victims, either on a relational level or on a technical level.
  • The absence of parental control.
  • Willingness to share self-generated sexual content.
  • A significant amount of time spent online each day.
  • Use of social networks and other ways of online communication, especially through mobile devices.
  • Befriending strangers.
  • Sexualised conversions with strangers.
  • Lack of technical knowledge 
  • Offender Profile Sexual Motivation:
  • Male.
  • Operates alone but trades the acquired content.
  • May act on both international or national level.
  • Activity-driven by knowledge of languages.
  • Targets female victims.
  • May know the victim in person.
  • Goal to obtain sexual material.
  • Offender Profile Financial Motivation:
  • Both genders.
  • Members of an organised criminal enterprise.
  • Operates in teams based in developing countries.
  • May act at both international and national level.
  • Targets male victims in countries linked by language.
  • Does not know the victim in person.
  • Main goal: to obtain money.
The issues surrounding online sextortion doesn’t at first seem to link to the field of IoT if the narrow view of IoT as focusing on small internet connected devices and sensors isn't relevant. (internetofthingsagenda.techtarget.com, 2018) In cybersecurity this doesn’t take account into malicious actors targeting specific people cybersecurity but focuses more on protecting devices and securing data. But if you take the wider view of any internet connected device that can share data online sextortion is an attack which can happen within the area of IoT. (forbes.com, 2014) With IoT as a giant network of connected "things" and people. The relationships are people-people, people-things, and things-things. This means you need to bring into the cybersecurity toolkit the means to protect people from malicious actors regardless of the type of attack and the means it is carried out. 

 Internet Webcams – role of hacking and malware in online sextortion




Online Sextortion through Smartphones and game consoles




How Cybersecurity can and is preventing online sextortion 

 Encouragement of best security practice of Users
  • UK NCSC, Banks, Insurance Companies, Internet Safety Companies. Through education and awareness campaigns of end-users. The UK policy is also moving towards adopting a more active posture in defending the UK from cyber threat through the closer partnership between government, industry and law enforcement. (ncsc.gov.uk, 2016) This involves taking an active approach to blocking IP addresses as the host/node address of a source of malicious content to block phishing attacks, DDOS and malware sites. 
Secure by Default in connected devices
  • UK NCSC policy and co-ordination with Standards (ISO/ETSI) and device manufactories for example (ARM, Intel and AMD)
  • Technology which is Secure by Default has the best security it can without you even knowing it's there, or having to turn it on. Elements: No default passwords; Keep software updated; Securely store credentials and security-sensitive data; Communicate securely; Minimise exposed attack surfaces; Ensure software integrity; Ensure that personal data is protected; Make systems resilient to outages; Monitor system telemetry data; Make it easy for consumers to delete personal data.
Education and Awareness – limited
  • Schools, Charites and adult education.
  • To equip children and adults with the knowledge and ability to protect themselves from being socially engineered by perpetrators. 
  • To teach them what is best security practises and behaviour and to reinforce it to become conscientious cyber citizens.

Law enforcement Support
  • Interpol, Europol, UK NCA and the FBI. Co-ordinating action to tackle worldwide cases and criminal organisations. A case from Northern Ireland (psni.police.uk, 2017) spanned several countries and agencies' including Europol and NCA before the criminal was arrested and sentenced. 

Technology companies role
  • Facebook, Microsoft, Google, Internet Service Providers
  • Running online safety initiatives. (weprotect.org, 2017)
Future solutions to prevent Online Sextortion in IoT

Improved recording and auditing of digital evidence


  • Use by law enforcement and technology companies when dealing with cases of online sextortion. 
  • At the moment there is ongoing work to standardise the use and audit of trail of digital evidence.

Expanded use of IP blocking of known malicious addresses
  • Govt organisations, IPS, DNS providers and Technology companies.
  • Interfere with networks of criminal organisation prevent to the from functioning.

Greater co-operation between Government, NGOs and technology organisation to improve cyber safety and security education and awareness
  • Already moving in that direction but a slower focus on criminal investigations and prosecutions. GDPR related link better protection of people data and make people more aware of how there data is used and protected.
  • Improve peoples use and understanding of online service therefore they are hopefully less likely to be socially engineered.

Encourage better personal/household security behaviour through feedback applications.
  • Limited already but needs wider adoption to be effective children and adults at the moment people interested in cybersecurity will use it vulnerable people less likely. 
  • An example is the application ‘Oyoty’ (Oyoty.com, 2017) which is designed to identify risky behaviour of children on social networks. It detects issues that could potentially impact their reputation and safety. It alerts the child explains the nature of the risk and guides them to fix the issue. 
Bibliography 




Comments

Post a Comment

Popular posts

Balancing functionality, usability and security in design

Image
Introduction When designing new devices or applications there is a requirement nowadays to consider there functionality, usability and security. While there has been a push through secure-by-design guidelines for security to be built-in from the beginning there are still gaps in implementation and part of these gaps are design considerations of functionality and usability. Part of this that doing security well is hard work, but it should never block useful functionality for the user. Ideally, when security interferes with key software capabilities, the security must be tweaked. The answer should never be to abandon the functionality and certainly not to abandon the security. Though achieving this balance is admittedly not straightforward. This blog post will aim to look at this triad and how they can be balanced and not compromise each other. Defining the Triad in design A triangle can be used to help explain the relationship between the concepts of security, functionality and ea
Read more

Personal Interest - Unbuilt fleets of the Royal Navy

Image
Introduction Throughout the 20th Century the Royal Navy designed and examined different types of fleets that were never realised either due to budget constraints, arms treaties or the changing nature of war. These are only a few examples of the different types of unbuilt fleets. Some of these had prototypes built and tasted for the Royal Navy which would serve as technological testbeds. Images and info from secret projects forum, shipbucket, popular mechanics/science and naval-matters. Washington Naval Treaty (WNT) The  Washington Naval Treaty  was a treaty signed during 1922 among the major nations that had won  World War I , which agreed to prevent an  arms race  by limiting naval construction. It was negotiated at the  Washington Naval Conference , held in  Washington, D.C. , from November 1921 to February 1922, and it was signed by the governments of the United Kingdom, the United States, France, Italy, and Japan. It limited the construction of  battleships ,  battlecruisers
Read more

Personal Interest - RAF Unbuilt Projects

Image
  Introduction This blog post looks at the different groups of cancelled RAF projects. It will focus on the 50s, 60s, 90s/00s and a brief look at hypersonic research projects. While these projects were often cut or cancelled for budget or austerity reasons, they were also pushed by the changing nature of warfare firstly from conventional style WW2 warfare to the predicated quick, short scale nuclear war which was expected from 1947 to 1989. Later from the 90s and into the 21st Century a change from state on state conflict to facing insurgencies, counter-terrorism and peacekeeping missions again led to a change in how wars are fought. Though the work and research done on these projects would rarely go to waste with it being used and applied in other projects and works even if sometimes it could take another ten or twenty years before anything operational came of that work. There won't be large amounts of text explaining or exploring the designs there are far better sources for th
Read more