‘It was written in Mandarin’: Cybersecurity specialist analyses malware sources
With entry to the Cambridge Independent Science and Technology Awards 2020 now open, we’re highlighting the work of some of the nominees. Here, we talk to PureID, whose password-free online authentication system significantly boosts security against cyberattack.
Activity in cyberspace has reached new peaks this year, with the pandemic shunting whole industries online, giving new and existing hostile actors the perfect opportunity to cause mayhem.
So who is orchestrating these increased attacks? Is it corporations, individuals or national actors? As cyberattacks increase, the malware can be identified, says Sumit ‘Sid’ Siddharth, a director of Sawston-based cybersecurity specialist PureID and founder of cyber-incubator disruptrs.io.
“The Australian prime minister has openly said ‘we are seeing ongoing sophisticated state-sponsored cyber hacks’,” says Sid, referring to Scott Morrison’s comments last month that a “sophisticated state-based cyber-actor” was behind Australia’s spate of cyberattacks, “so I think obviously we’re living in the digital age... there’s an angle to steal coronavirus vaccines from medical institutions and that requires just one of the key staff to be compromised to get in.”
“The malware tries to guess the password or find a leak,” says Sid’s colleague, PureID’s founder Ajit Hatti. “China and Australia are having these problems and there are political reasons for why they are being discussed.”
“We can’t point the finger at anyone but China has been called out, and Russia, but who’s pointing the finger?” queries Sid.
“Attribution is difficult because it can be made up,” notes Ajit, “but we’ve found that credential-stealing apps are sending credentials to China.”
How can you be sure?
“We analysed the software and it was written in Mandarin,” says Ajit.
“As a background to this,” adds Sid, “Google recently banned 25 apps from its Play Store as they were malicious, and we analysed the apps and found some of these apps were asking users to grant excess permissions, so for example if you’re using the app and your Facebook is open it takes the keystrokes so it has access to your Facebook profile. These 25 apps are taking data from other apps.”
PureID is one of two specialists taken on board by new Sawston-based incubator, disruptrs (the other is RedHunt Labs, which focuses on data leaks). Disruptrs is run by Sid, a serial infosec entrepreneur and an angel investor.
PureID’s proposition focuses on passwordless authentication, as Sid and Ajit - a regular speaker at leading IT security, cryptography and blockchain conferences - explained during a Zoom interview. So how did the project get going?
“Me and Ajit both went to the Black Hat USA conference in California as speakers,” says Sid of the initial link-up. “Ajit had the product and the patent for nearly a year. Disruptrs has given him the seed funding and the next step is to raise awareness, because people don’t necessarily understand the need for passwordless authentication. It’s also a bit of an educational process.”
The educational process is essential because the ID/password convention is ubiquitous - but it is so anachronistic it has become a liability.
“What we’re doing is game-changing in terms of applications,” says Sid, who was head of penetration for 7safe in the UK and is a speaker and author on IT security. “Typically security involves a user name and a password, but over the years that has proved to be not secure enough so two-factor authentication has been added, which is another level of security above a name and password – but even with two-factor authentication it’s not all that secure, so what we are saying is that you don’t have to have a password to begin with.
“It’s association-based identity – your association is checked when you request access.”
PureID has two linked software products available – PureAUTH and the VR5 app. PureAUTH is the cloud-based application, and access is granted via the VR5 app on your phone (Apple or Android).
PureAUTH generates a QR code which is presented to your phone and your phone authenticates who you are.
“If you are a user you have the VR5 app and your organisation enrols that app for you, so this app knows you are connected,” says Sid. “You open the app and scan the QR code, which changes every 20 seconds. That lets you in, so this takes away from the pain of a password and even if you are hacked you are still not compromised.
“Passwords are a big, big problem today. There’s a need for this technology. Disruptrs has given PureID seed funding, and it came out of stealth last month and is now in talks with fintech and education customers including universities providing education services online.”
The fact that people use one password for access to several different platforms has meant that sophisticated hackers can sweep through your whole internet history and gain access to all the platforms you use with that one password. This is called ‘password spraying’.
Most users use the same password across multiple sites (corporate sites, social media, e-shopping etc), so if an attacker can compromise any single site and gain access to its users’ accounts, they can then spray that credential across your entire internet history and find out where else it is valid - and thus gain access to information from those sites too.
“As long as the world has passwords the world will have phishing,” says Ajit. “Our solution is frictionless so it ticks that box as well. And no matter how much pressure is put on the system [by hackers/malware], even if any part of the system is breached none of our services can be compromised.
“While there are a few passwordless products out there that do similar things, PureID is different as we do not save any user information on our servers. We use digital signatures and dynamic tokens to verify users which do not involve any PII – personally identifiable information.”
Digital signatures will clearly help against the malware, which is increasing both in quantity and in sophistication. The attacks are now well co-ordinated by sophisticated actors, as was reported in the Cambridge Independent earlier this month in an article headlined ‘Darktrace’s cybercrime warning over compromised devices as offices reopen’. Sid suggests that people are going back to their workplaces with laptops compromised from home use. But surely, I ask, most corporations use a VPN (virtual private network)?
“Using a VPN is not a solution to everything,” says Sid, “and it can create problems, so if I send you a malicious link and you open it I can reach your office network.”
“There’s a chance you’ve not updated the latest patch and your laptop has become vulnerable,” adds Ajit. “A lot depends on how the laptop has been configured and updated. And internet usage has gone up this year, so we’re using the office network for eight hours then we’re at home and using the same laptop.”
Cybersecurity needs to step up to meet the proliferation of online hacks, attacks, breaches and theft - and PureID’s solution is optimised because the cybersecurity service it sells doesn’t save any user information on its servers.
Just 5 per cent of businesses used digital signatures in 2018, says a report by research and advisory company Gartner, which predicts that, by 2022, 60 per cent of large and global enterprises and 90 per cent of midsize enterprises will implement passwordless methods in more than 50 per cent of use cases.