How ubiquitous keyboard software puts hundreds of millions of Chinese users at risk

For millions of Chinese people, the first software they download on a new laptop or smartphone is always the same: a keyboard app. Yet few of them are aware that it may make everything they type vulnerable to spying eyes.

Since dozens of Chinese characters can share the same latinized phonetic spelling, the ordinary QWERTY keyboard alone is incredibly inefficient. A smart, localized keyboard app can save a lot of time and frustration by predicting the characters and words a user wants to type. Today, over 800 million Chinese people use third-party keyboard apps on their PCs, laptops, and mobile phones. 

But a recent report by the Citizen Lab, a University of Toronto–affiliated research group focused on technology and security, revealed that Sogou, one of the most popular Chinese keyboard apps, had a massive security loophole.

“This is an app that handles very sensitive information—specifically, every single thing that you type,” says Jeffrey Knockel, a senior research associate at the Citizen Lab and coauthor of the report. “So we wanted to look into that in greater detail and see if this app is properly encrypting this very sensitive data that it’s sending over the network—or, as we found, is it improperly doing it in a way that eavesdroppers could decipher?” 

Indeed, what he and his colleagues found was that Sogou’s encryption system could be exploited to intercept and decrypt exactly what people were typing, as they were typing it. 

Sogou, which was acquired by the tech giant Tencent in 2021, quickly fixed this loophole after the Citizen Lab researchers disclosed it to the company. 

“User privacy is fundamental to our business,” a Sogou spokesperson told MIT Technology Review. “We have addressed the issues identified by the Citizen Lab and will continue to work so that user data remains safe and secure. We transparently disclose our data processing activities in our privacy policy and do not otherwise share user data.”

But there’s no guarantee that this was the only vulnerability in the app, and the researchers did not examine other popular keyboard apps in the Chinese market—meaning the ubiquitous software will continue to be a security risk for hundreds of millions of people. And, alarmingly, the potential for such flaws makes otherwise encrypted communications by Chinese users—in apps like Signal, for example—vulnerable to systems of state surveillance, because a keyboard sees every message before the messaging app ever encrypts it.

An indispensable part of Chinese devices

Officially called input method editors (IMEs), keyboard apps are necessary for typing in languages that have more characters than a common Latin-alphabet keyboard allows, like those with Japanese, Korean, or Indic characters.

For Chinese users, having an IME is almost a necessity. 

“There’s a lot more ambiguity to resolve when typing Chinese characters using a Latin alphabet,” says Mona Wang, an Open Technology Fund fellow at the Citizen Lab and another coauthor of the report. Because the same phonetic spelling can be matched to dozens or even hundreds of Chinese characters, and these characters also can be paired in different ways to become different words, a keyboard app that has been fine-tuned to the Chinese language can perform much better than the default keyboard.

Starting in the PC era, Chinese software developers proposed all kinds of IME products to expedite typing, some even ditching phonetic spelling and allowing users to draw or choose the components of a Chinese character. As a result, downloading third-party keyboard software became standard practice for everyone in China.

Released in 2006, Sogou Input Method quickly became the most popular keyboard app in the country. It was more capable than any competitor in predicting which character or word the user actually wanted to type, and it did that by scraping text from the internet and maintaining an extensive library of Chinese words. The cloud-based library was updated frequently to include newly coined words, trending expressions, or names of people in the news. In 2007, when Google launched its Chinese keyboard, it even copied Sogou’s word library (and later had to apologize).

In 2014, when the iPhone finally enabled third-party IMEs for the first time, Chinese users rushed to download Sogou’s keyboard app, leaving 3,000 reviews in just one day. At one point, over 90% of Chinese PC users were using Sogou.

Over the years, its market dominance has waned; as of last year, Baidu Input Method was the top keyboard app in China, with 607 million users and 46.4% of the market share. But Sogou still had 561 million users, according to iiMedia, an analytics firm.

Exposing the loophole

A keyboard app can access a wide variety of user information. For example, once Sogou is downloaded and added to the iPhone keyboard options, the app will ask for “full access.” If it’s granted, anything the user types can be sent to Sogou’s cloud-based server. 

Connecting to the cloud is what makes most IMEs successful, allowing them to improve text prediction and enable other miscellaneous features, like the ability to search for GIFs and memes. But this also adds risk since content can, at least in theory, be intercepted during transmission. 

It becomes the apps’ responsibility to properly encrypt the data and prevent that from happening. Sogou’s privacy policy says it has “adopted industry-standard security technology measures … to maximize the prevention of leak, destruction, misuse, unauthorized access, unauthorized disclosure, or alteration” of users’ personal information.

“People generally had suspicions [about the security of keyboard apps] because they’re advertising [their] cloud service,” says Wang. “Almost certainly they’re sending some amount of keystrokes over the internet.” 

Nevertheless, users have continued to grant the apps full access. 

When the Citizen Lab researchers started looking at the Sogou Input Method on Windows, Android, and iOS platforms, they found that it used EncryptWall, an encryption system it developed itself, instead of Transport Layer Security (TLS), the standard international cryptographic protocol that has been in use since 1999. (Sogou is also used on other platforms like MacOS and Linux, but the researchers haven’t looked into them.)

One critical difference between the two encryption systems, the Citizen Lab found, is that Sogou’s EncryptWall is still vulnerable to a padding oracle attack on CBC-mode encryption, an exploit first published in 2002 that lets an eavesdropper turn encrypted data back into plain text, one byte at a time, without ever learning the key. TLS was updated to protect against this in 2003. But when they used that exploit method on Sogou, the researchers managed to decrypt the exact keystrokes they’d typed. 

[Figure: Example of recovered data; line 19 contains the user-typed text and line 2 contains the package name of the app in which the text is being typed. Credit: The Citizen Lab]

The existence of this loophole meant that users were vulnerable to anyone positioned on the network path between the device and Sogou’s servers. The typed content could be intercepted as it passed through VPN software, home Wi-Fi routers, and telecom providers. 
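To make the attack concrete, here is an added, self-contained demonstration of a CBC padding oracle attack. It is not Sogou’s EncryptWall or any Citizen Lab code: it uses a toy SHA-256-based Feistel block cipher in place of a real cipher, a strict PKCS#7 padding check, and a simulated “server” (the oracle) that only reveals whether a submitted ciphertext padded correctly. The sample message is constructed for the example. The attacker never sees the key, only the ciphertext and the oracle’s yes/no answers, which is exactly the position of an eavesdropper on the network path.

```python
import hashlib
import os

BLOCK = 16

# Constructed sample standing in for a cloud-prediction request (not real traffic).
MESSAGE = b"pinyin=woxiangqu&app=com.example.chat"


def _round_fn(key: bytes, rnd: int, half: bytes) -> bytes:
    # Keyed round function of the toy Feistel cipher (SHA-256 based).
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    # Toy 8-round Feistel cipher on 16-byte blocks; stands in for AES.
    left, right = block[:8], block[8:]
    for rnd in range(8):
        left, right = right, bytes(a ^ b for a, b in zip(left, _round_fn(key, rnd, right)))
    return left + right


def block_decrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:]
    for rnd in reversed(range(8)):
        left, right = bytes(a ^ b for a, b in zip(right, _round_fn(key, rnd, left))), left
    return left + right


def pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def unpad(data: bytes) -> bytes:
    # Strict PKCS#7 check; the ValueError is the signal the oracle leaks.
    n = data[-1] if data else 0
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    out, prev = b"", iv
    for i in range(0, len(plaintext), BLOCK):
        prev = block_encrypt(key, bytes(a ^ b for a, b in zip(plaintext[i:i + BLOCK], prev)))
        out += prev
    return out


def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    out, prev = b"", iv
    for i in range(0, len(ciphertext), BLOCK):
        cur = ciphertext[i:i + BLOCK]
        out += bytes(a ^ b for a, b in zip(block_decrypt(key, cur), prev))
        prev = cur
    return out


def make_oracle(key: bytes):
    # Models a server that reveals (by an error, a timing difference, or a
    # distinct response) whether a submitted ciphertext had valid padding.
    def oracle(iv: bytes, ciphertext: bytes) -> bool:
        try:
            unpad(cbc_decrypt(key, iv, ciphertext))
            return True
        except ValueError:
            return False
    return oracle


def padding_oracle_attack(oracle, iv: bytes, ciphertext: bytes) -> bytes:
    # Recovers the plaintext without the key, last byte of each block first,
    # using at most 256 oracle queries per byte.
    blocks = [iv] + [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    recovered = b""
    for prev, cur in zip(blocks, blocks[1:]):
        inter = bytearray(BLOCK)          # will hold block_decrypt(key, cur)
        for pos in range(BLOCK - 1, -1, -1):
            padval = BLOCK - pos
            forged = bytearray(BLOCK)
            for j in range(pos + 1, BLOCK):
                forged[j] = inter[j] ^ padval   # already-known bytes: force the padding value
            for guess in range(256):
                forged[pos] = guess
                if not oracle(bytes(forged), cur):
                    continue
                if pos == BLOCK - 1:
                    # 0x02 0x02 (or longer) would also validate; perturb the byte
                    # before the last one to confirm the padding really is 0x01.
                    check = bytearray(forged)
                    check[pos - 1] ^= 0x01
                    if not oracle(bytes(check), cur):
                        continue
                inter[pos] = guess ^ padval
                break
            else:
                raise RuntimeError("oracle never accepted a guess: not a padding oracle?")
        recovered += bytes(a ^ b for a, b in zip(inter, prev))
    return unpad(recovered)


def demo() -> bytes:
    # The eavesdropper gets iv + ciphertext and oracle access, never the key.
    key, iv = os.urandom(16), os.urandom(16)
    return padding_oracle_attack(make_oracle(key), iv, cbc_encrypt(key, iv, pad(MESSAGE)))


if __name__ == "__main__":
    print(demo().decode())
```

The defence is not a stronger cipher but authenticating the ciphertext before decrypting it (an AEAD mode such as AES-GCM, or encrypt-then-MAC), so that a tampered ciphertext is rejected before any padding is ever examined; that is what modern TLS does and what a home-grown scheme typically omits.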

Not every word is transmitted to the cloud, the researchers found. “If you type in nihao [‘hello’ in Chinese] or something like that, [the app] can answer that without having to use the cloud database,” says Knockel. “But if it’s more complicated and, frankly, more interesting things that you’re typing in, it has to reach out to that cloud database.” 

Along with the content being typed, Knockel and his Citizen Lab colleagues also obtained other information like technical identifiers of the user’s device, the app that the typing occurred in, and even a list of apps installed on the device.

A lot of malicious actors would be interested in exploiting a loophole like this and eavesdropping on keystrokes, the researchers note—from cybercriminals after private information (like street addresses and bank account numbers) to government hackers. 

(In a written response to the Citizen Lab, Sogou said the transmission of typed text is required to access more accurate and extensive vocabularies on the cloud and enable a built-in search engine, and the uses are stated in the privacy agreement.)

This particular loophole was closed when Tencent updated the Sogou software across platforms in late July. The Citizen Lab researchers found that the latest version effectively fixed the problem by adopting the TLS encryption protocol. 

How secure messaging becomes insecure

Around the world, people who are at high risk of being surveilled by state authorities have turned to apps that offer end-to-end encryption. But end-to-end encryption protects a message only once the app has it; a keyboard app sees the text while it is being typed, before any encryption happens. If the keyboard is leaking keystrokes, then otherwise encrypted communication apps like Signal or WhatsApp are also unsafe. What’s more, once a keyboard app is compromised, even an otherwise offline app, like the built-in notebook app, can be a security risk too. 

(Signal and WhatsApp did not respond to MIT Technology Review’s requests for comment. A spokesperson from Baidu said, “Baidu Input Method consistently adheres to established security practice standards. As of now, there are no vulnerabilities related to [the encryption exploit Sogou was vulnerable to] within Baidu Input Method’s products.”)

As early as 2019, Naomi Wu, a Shenzhen-based tech blogger known as SexyCyborg online, had sounded the alarm about the risk of using Chinese keyboard apps alongside Signal.

“The Signal ‘fix’ is ‘Incognito Mode’ aka for the app to say ‘Pretty please don’t read everything I type’ to the virtual keyboard and count on Google/random app makers to listen to the flag, and not be under court order to do otherwise,” she wrote in a 2019 Twitter thread. Since keyboard apps have no obligation to honor Signal’s request, “basically all hardware here is self-compromised 5 minutes out of the box,” she added. 

Wu suspects that the use of Signal was the reason some Chinese student activists talking to foreign media were detained by the police in 2018.

In January 2021, Signal itself tried to clarify that its Incognito Keyboard feature (an Android-only option; the operating system passes the request to the keyboard as a hint, not an enforced restriction) was not a foolproof privacy solution: “Keyboards and IME’s can ignore Android’s Incognito Keyboard flag. This Android system flag is a best effort, not a guarantee. It’s important to use a keyboard or IME that you trust. Signal cannot detect or prevent malware on your device,” the company added to its article on keyboard security.

The recent Citizen Lab findings lend further support to Wu’s theory. 

The security risk is particularly acute for users in China, since they are more likely to use keyboard apps and are under strict surveillance by their government. (Wu herself has disappeared from social media since the end of June, following a visit from police that was reportedly related to her online discussions of Signal and keyboard apps.) 

Still, other governments seem to have been paying attention to vulnerabilities with encrypted data transmission as well. A 2012 document leaked by Edward Snowden, for instance, shows that the Five Eyes intelligence alliance—comprising Canada, the US, Britain, Australia, and New Zealand—had been discreetly exploiting a similar loophole in UC Browser, a popular Chinese program, to intercept certain transmissions. 

Beyond being targeted by state actors, there are other ways keystroke information acquired via keyboard apps can be sold, leaked, or hacked. In 2021, it was reported that advertisers were able to access personal information through Sogou, as well as Baidu’s keyboard and similar apps, and use it to push customized ads. And in 2013, a loophole was found that made multimedia files that users uploaded and shared through Sogou searchable on Bing. 

These security problems are not unique to Chinese apps. In 2016, users of SwiftKey, an IME that was acquired by Microsoft that year, found that the app was auto-filling other people’s email addresses and personal information, as a result of a bug with its cloud sync system. The following year, a virtual keyboard app accidentally leaked 31 million users’ personal data.

Even though the specific loophole identified by the Citizen Lab was fixed quickly, given all these breaches, it feels somewhat inevitable that another security flaw in a keyboard app will be revealed soon. 

As Knockel notes, using Sogou and similar apps always poses security risks, particularly in China, since all Chinese apps are legally required to surrender data if asked by the government. 

“If that’s something that’s concerning to you,” he says, “you might also just reconsider using Sogou, period.”

What’s next in cybersecurity

This story is a part of MIT Technology Review’s What’s Next series, where we look across industries, trends, and technologies to let you know what to expect in the coming year.

In the world of cybersecurity, there is always one certainty: more hacks. That is the unavoidable constant in an industry that will spend an estimated $150 billion worldwide this year without being able, yet again, to actually stop hackers. 

This past year has seen Russian government hacks aimed at Ukraine; more ransomware against hospitals and schools—and against whole governments too; a seemingly endless series of costly crypto hacks; and high-profile hacks of companies like Microsoft, Nvidia, and Grand Theft Auto maker Rockstar Games, the last hack allegedly carried out by teenagers.

All these types of hacks will continue next year and in the near future, according to cybersecurity experts who spoke to MIT Tech Review. Here’s what we expect to see more of in the coming year: 

Russia continues its online operations against Ukraine

Ukraine was the big story of the year in cybersecurity as in other news. The industry turned its attention to the embattled country, which suffered several attacks by Russian government groups. One of the first ones hit Viasat, a US satellite communications company that was being used by civilians and troops in Ukraine. The hack caused “a really huge loss in communications in the very beginning of war,” according to Victor Zhora, the head of Ukraine’s defensive cybersecurity agency. 

There have also been as many as six attacks against Ukrainian targets involving wiper malware, malicious computer code designed to destroy data. 

These attacks all supported military operations rather than standing alone as acts of war, which could still mean that “cyberwarfare is a very misleading term and the cyberwar, as such, will not really happen,” says Stefano Zanero, an associate professor at the computer engineering department of Politecnico di Milano. 

According to Lesley Carhart, a researcher at industrial cybersecurity company Dragos and a US Air Force veteran, these attacks show that “[cyber] is just a piece of warfare,” which can still play an important role and will continue to do so. 

“I used to say that nearly everything that people just described as cyber war is actually cyber espionage,” says Eva Galperin, the director of cybersecurity at the Electronic Frontier Foundation. “And I would say that over the last several years, that is increasingly not the case.”

Initial expectations were that Russian hacks might lead directly to physical damage. But that has not panned out. 

One of the reasons cyber hasn’t played a bigger role in the war, according to Carhart, is because “in the whole conflict, we saw Russia being underprepared for things and not having a good game plan. So it’s not really surprising that we see that as well in the cyber domain.”

Moreover, Ukraine, under the leadership of Zhora and his cybersecurity agency, has been working on its cyber defenses for years, and it has received support from the international community since the war started, according to experts. Finally, an interesting twist in the conflict on the internet between Russia and Ukraine was the rise of the decentralized, international cyber coalition known as the IT Army, which scored some significant hacks, showing that war in the future can also be fought by hacktivists. 

Ransomware runs rampant again

This year, other than the usual corporations, hospitals, and schools, government agencies in Costa Rica, Montenegro, and Albania all suffered damaging ransomware attacks too. In Costa Rica, the government declared a national emergency, a first after a ransomware attack. And in Albania, the government expelled Iranian diplomats from the country—a first in the history of cybersecurity—following a destructive cyberattack.

These types of attacks were at an all-time high in 2022, a trend that will likely continue next year, according to Allan Liska, a researcher who focuses on ransomware at cybersecurity firm Recorded Future. 

“[Ransomware is] not just a technical problem like an information stealer or other commodity malware. There are real-world, geopolitical implications,” he says. In the past, for example, WannaCry, ransomware attributed to North Korea, caused severe disruption to the UK’s National Health Service and hit an estimated 230,000 computers worldwide.

Luckily, it’s not all bad news on the ransomware front. According to Liska, there are some early signs that point to “the death of the ransomware-as-a-service model,” in which ransomware gangs lease out hacking tools. The main reason, he said, is that whenever a gang gets too big, “something bad happens to them.”

For example, the ransomware groups REvil and DarkSide/BlackMatter were hit by governments; Conti, a Russian ransomware gang, unraveled internally when a Ukrainian researcher appalled by Conti’s public support of the war leaked internal chats; and the LockBit crew also suffered the leak of its code.  

“We are seeing a lot of the affiliates deciding that maybe I don’t want to be part of a big ransomware group, because they all have targets on their back, which means that I might have a target on my back, and I just want to carry out my cybercrime,” Liska says. 

“Adversaries are starting to realize that they don’t want to be under a specific name that brings the attention of the US government or other international partners,” says Katie Nickels, director of intelligence at Red Canary. 

Also, both Liska and Brett Callow, a security researcher at Emsisoft who specializes in ransomware, stress that law enforcement action, including international cooperation among governments, was more frequent and effective this year, hinting that perhaps governments are starting to make inroads against ransomware. 

Yet the war in Ukraine may make international cooperation more difficult. In January of this year, the Russian government said it was cooperating with the US when it announced the arrests of 14 members of REvil, as well as the seizure of computers, luxury cars, and more than $5 million. But this unprecedented cooperation wouldn’t last. As soon as Russia invaded Ukraine, there could be no more cooperation with Vladimir Putin’s government. 

“When it comes to really cutting off ransomware from the source, I think we took a step back, unfortunately,” said Christine Bejerasco, the chief technology officer at cybersecurity company WithSecure.  

Crypto is still going to crypto, baby

The crypto didn’t just flow from ransomware victims to hackers; in 2022 it also flowed straight out of crypto projects and Web3 companies. This was the year cryptocurrency hacks, which have been occurring since cryptocurrencies were invented, became mainstream, with hackers stealing at least $3 billion in crypto during the year, according to blockchain tracking company Chainalysis. (Elliptic, another crypto tracking company, estimated the theft total at $2.7 billion.)

There were more than 100 large-scale victims in the world of crypto; there are now websites and Twitter accounts specifically dedicated to tracking these hacks, which seemed to happen almost daily. Perhaps the most significant of them all was the hack on the Nomad protocol, where a hacker found a vulnerability and started draining funds. Because the hacker’s transactions were public, others noticed and just copy-pasted the exploit, leading to “the first decentralized robbery” in history. Just a few weeks ago, hackers accessed the server where the crypto exchange Deribit held its wallets, draining $28 million from them.

There was some good news in crypto too. Stephen Tong, a cofounder of blockchain security company Zellic, said that a “big new wave” of cybersecurity pros will keep coming to the crypto industry and create “the infrastructure, tooling, and practices needed to do things in a secure way.”

Tal Be’ery, a cybersecurity veteran who now works as CTO of the crypto wallet app ZenGo, says there are “building blocks” in place to make cybersecurity solutions specific to crypto and blockchains, which “hint that the future would be safer.”

“I think that we will start to see some hints of solutions in 2023,” Be’ery says. “But the advantage will still be with the attackers.”

One cohort of attackers that had an outsized success this year was the group known as Lapsus$. The hackers targeted software supply chain providers such as Okta, a company that provides identity and access management to other companies. That allowed the hackers to infiltrate big-name companies like Microsoft, Nvidia, and Rockstar Games. 

“Attackers look for the path of least resistance, and some infrastructure suppliers are one of these paths,” Zanero says, stressing that supply chain attacks are both the present and the future, because some suppliers—especially cybersecurity companies—have a large footprint across several industries.

“Adversaries continue to be able to make a significant impact,” Nickels says, “without necessarily having to use advanced capabilities.”

Big Tech could help Iranian protesters by using an old tool

After the Iranian government took extreme measures to limit internet use in response to the pro-democracy protests that have filled Iranian streets since mid-September, Western tech companies scrambled to help restore access to Iranian citizens. 

Signal asked its users to help run proxy servers with support from the company. Google offered credits to help Iranians get online using Outline, the company’s own VPN. And in response to a post by US Secretary of State Antony Blinken on Iran’s censorship, Elon Musk quickly tweeted: “Activating Starlink …

But these workarounds aren’t enough. Though the first Starlink satellites have been smuggled into Iran, restoring the internet will likely require several thousand more. Signal tells MIT Technology Review that it has been vexed by “Iranian telecommunications providers preventing some SMS validation codes from being delivered.” And Iran has already detected and shut down Google’s VPN, which is what happens when any single VPN grows too popular (plus, unlike most VPNs, Outline requires the user to run their own server, which costs money).

What’s more, “there’s no reliable mechanism for Iranian users to find these proxies,” Nima Fatemi, head of global cybersecurity nonprofit Kandoo, points out. They’re being promoted on social media networks that are themselves banned in Iran. “While I appreciate their effort,” he adds, “it feels half-baked and half-assed.”

There is something more that Big Tech could do, according to some pro-democracy activists and experts on digital freedom. But it has received little attention—even though it’s something several major service providers offered until just a few years ago.

“One thing people don’t talk about is domain fronting,” says Mahsa Alimardani, an internet researcher at the University of Oxford and Article19, a human rights organization focused on freedom of expression and information. It’s a technique developers used for years to skirt internet restrictions like those that have made it incredibly difficult for Iranians to communicate safely. In essence, domain fronting lets an app hide which site it is really talking to: the part of the connection a censor can read, the TLS handshake that names the server (the SNI field), points at an innocuous domain hosted by a big cloud provider, while the real destination appears only inside the encrypted request (the HTTP Host header), where the provider reads it and forwards the traffic to the app’s servers.

In the days of domain fronting, “cloud platforms were used for circumvention,” Alimardani explains. From 2016 to 2018, secure messaging apps like Telegram and Signal used the cloud hosting infrastructure of Google, Amazon, and Microsoft—which most of the web runs on—to disguise user traffic and successfully thwart bans and surveillance in Russia and across the Middle East.

But Google and Amazon discontinued the practice in 2018, following pushback from the Russian government and citing security concerns about how it could be abused by hackers. Now activists who work at the intersection of human rights and technology say reinstating the technique, with some tweaks, is a tool Big Tech could use to quickly get Iranians back online.

Domain fronting “is a good place to start” if tech giants really want to help, Alimardani says. “They need to be investing in helping with circumvention technology, and having stamped out domain fronting is really not a good look.”

Domain fronting could be a critical tool to help protesters and activists stay in touch with each other for planning and safety purposes, and to allow them to update worried family and friends during a dangerous period. “We recognize the possibility that we might not come back home every time we go out,” says Elmira, an Iranian woman in her 30s who asked to be identified only by her first name for security reasons.

Still, no major companies have publicly said they will consider launching or restoring the anti-censorship tool. Two of the three major service providers that previously allowed domain fronting, Google and Microsoft, could not be reached for comment. The third, Amazon, directed MIT Technology Review to a 2019 blog post in which a product manager described steps the company has taken to minimize the “abusive use of domain fronting practices.”

“A cat-and-mouse game”

By now, Iranian citizens largely expect that their digital communications and searches are being combed through by the powers of the state. “They listen and control almost all communications in order to counter demonstrations,” says Elmira. “It’s like we’re being suffocated.”

This isn’t, broadly speaking, a new phenomenon in the country. But it’s reached a crisis point over the past two months, during a growing swell of anti-government protests sparked by the death of 22-year-old Mahsa Amini on September 16 after Iran’s Guidance Patrol—more commonly known as the morality police—arrested her for wearing her hijab improperly.

“The world realized that the matter of hijab, which I myself believe is a personal choice, could become an incident over which a young girl can lose her life,” Elmira says. 

According to rights groups, over 300 people, including at least 41 children, have been killed since protests began. The crackdown has been especially brutal in largely Kurdish western Iran, where Amini was from and Elmira now lives. Severely restricting internet access has been a way for the regime to further crush dissent. “This is not the first time that the internet services have been disrupted in Iran,” Elmira says. “The reason for this action is the government’s fear, because there is no freedom of speech here.”

The seeds of today’s digital repression trace back to 2006, when Iran announced plans to craft its own intranet—an exclusive, national network designed to keep Iranians off the World Wide Web. 

“This is really hard to do,” says Kian Vesteinsson, a senior analyst for the global democracy nonprofit Freedom House. That’s because it requires replicating global infrastructure with domestic resources while pruning global web access.

The payoff is “digital spaces that are easier to monitor and to control,” Vesteinsson says. Of the seven countries trying to isolate themselves from the global internet, Iran is the furthest along today.

Iran debuted its National Information Network in 2019, when authorities hit a national kill switch on the global web amid protests over gas prices. During a week when the country was electronically cut off from the rest of the world, the regime killed 1,500 people. The Iranian economy, which relies on broader connectivity to do business, lost over a billion US dollars during the bloody week. 

While recently Iran has intermittently cut access to the entire global internet in some regions, it hasn’t instituted another total global web shutdown. Instead, it is largely pursuing censorship strategies designed to crush dissent while sparing the economy. Rolling “digital curfews” are in place from about 4 p.m. into the early morning hours—ensuring that the web becomes incredibly difficult to access during the period when most protests occur.

The government has blocked most popular apps, including Twitter, Instagram, Facebook, and WhatsApp, in favor of local copycat apps where no message or search is private.

“The messaging apps we use, like WhatsApp, have a certain level of protection embedded in their coding,” Elmira says. “We feel more comfortable using them. [The government] cannot have control over them, and as a result, they restrict access.”

The Iranian regime is also aggressively shutting down VPNs, which were a lifeline for many Iranians and the country’s most popular censorship workaround. About 80% of Iranians use tools to bypass censorship and use apps they prefer. “Even my grandpa knows how to install a VPN app,” an Iranian woman who requested anonymity for safety reasons tells me. 

To crush VPN use, Iran’s government has invested heavily in “deep packet inspection,” a technology that peers into the fine print of internet traffic and can recognize and shut down nearly any VPN with time.

That’s created a “cat-and-mouse game,” says Alimardani, the internet researcher. “You need to be offering, like, thousands of VPNs,” she says, so that some will remain available as Iran diligently recognizes and blocks others. Without enough VPNs, activists aren’t left with many secure communication options, making it much harder for Iranians to coordinate protests and communicate with the outside world as death tolls climb.

Domain fronting to beat censors

Domain fronting works by concealing the app or website a user ultimately wants to reach. It’s sort of like putting a correctly addressed postcard in an envelope with a different, innocuous destination—then having someone at the fake-out address hand-deliver it.

The technique is attractive because it’s implemented by service providers rather than individuals, who may or may not be tech savvy. It also makes censorship more painful for governments to pursue. The only way to ban a domain-fronted app is to shut down the entire web hosting provider the app uses—bringing an avalanche of other apps and sites down with it. And since Microsoft, Amazon, and Google provide hosting services for most of the digital world, domain fronting by those companies would force countries to crash much of the internet in order to deny access to an undesired app.
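The asymmetry described above is easy to see in code. The following added example, written for this page and not taken from any of the companies or apps it discusses, builds a minimal TLS ClientHello carrying a Server Name Indication (SNI) extension, parses the SNI back out the way a censor’s middlebox would, parses the Host header the way the cloud provider would after decryption, and flags the mismatch that defines domain fronting. It also models the provider-side check the piece later attributes to Microsoft (blocking requests that exhibit domain-fronting behavior). The domain names are constructed placeholders.

```python
import struct


def build_client_hello(sni: str) -> bytes:
    # Constructed minimal TLS 1.2 ClientHello carrying only an SNI extension
    # (enough to parse; not a handshake a real server would accept).
    host = sni.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host   # name type 0 = host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list  # extension type 0 = server_name
    body = (b"\x03\x03" + bytes(32)                 # client_version, random
            + b"\x00"                               # session_id length 0
            + b"\x00\x02\x13\x01"                   # one cipher suite (TLS_AES_128_GCM_SHA256)
            + b"\x01\x00"                           # compression: null only
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # ClientHello, 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_sni(record: bytes):
    # What a censor sees: the server name in the unencrypted ClientHello.
    if len(record) < 6 or record[0] != 0x16:
        return None
    hs = record[5:]
    if hs[0] != 0x01:
        return None
    p = 4 + 2 + 32                                  # header, version, random
    p += 1 + hs[p]                                  # session id
    p += 2 + struct.unpack("!H", hs[p:p + 2])[0]    # cipher suites
    p += 1 + hs[p]                                  # compression methods
    if p + 2 > len(hs):
        return None                                 # no extensions at all
    end = p + 2 + struct.unpack("!H", hs[p:p + 2])[0]
    p += 2
    while p + 4 <= end:
        etype, elen = struct.unpack("!HH", hs[p:p + 4])
        p += 4
        if etype == 0:
            q = p + 2                               # skip server_name_list length
            while q + 3 <= p + elen:
                ntype, nlen = hs[q], struct.unpack("!H", hs[q + 1:q + 3])[0]
                q += 3
                if ntype == 0:
                    return hs[q:q + nlen].decode("ascii")
                q += nlen
        p += elen
    return None


def parse_host(request: bytes):
    # What the cloud provider sees after TLS termination: the HTTP Host header.
    head = request.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host":
            return value.strip().decode("ascii").split(":")[0].lower()
    return None


def is_domain_fronted(client_hello: bytes, http_request: bytes) -> bool:
    # The provider-side check: SNI and Host name different sites.
    sni, host = parse_sni(client_hello), parse_host(http_request)
    if sni is None or host is None:
        return False
    return sni.lower() != host


if __name__ == "__main__":
    # Constructed placeholder names: an innocuous "front" and the real app host.
    hello = build_client_hello("cdn.example.com")
    request = b"GET /v1/messages HTTP/1.1\r\nHost: messenger.example.org\r\n\r\n"
    print("censor sees:", parse_sni(hello))                     # only the front
    print("provider sees:", parse_sni(hello), parse_host(request))
    print("fronted:", is_domain_fronted(hello, request))
```

The censor’s view stops at `parse_sni`: every connection looks like traffic to the front domain, so the only block available to it is the whole provider. The provider, which holds the TLS key, is the only party that can compare the two names, which is why Hunstad’s suggestion of allowing the mismatch for a short list of apps is a policy decision for the provider rather than a technical obstacle.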

“There’s no way to just pick out Telegram. That’s the power of it,” says Erik Hunstad, a security expert and CTO of the cybersecurity company SixGen.

Nevertheless, in April 2018, Russia blocked Amazon, Google, and a host of other popular services in order to ban the secure-messaging app Telegram, which initially used domain fronting to beat censors. These disruptions made the ban broadly unpopular with average Russians, not just activists who favored the app. 

The Russian government, in turn, exerted pressure on Amazon and Google to end the practice.

In April 2018, the companies terminated support for domain fronting altogether. “Amazon and Google just completely disabled this potentially extremely useful service,” Alimardani says. 

Google made the change quietly, but soon afterwards, it described domain fronting to the Verge as a “quirk” of its software. In its own announcement, Amazon said domain fronting could help malware masquerade as standard traffic. Hackers could also abuse the technique—the Russian hacker group APT29 has used domain fronting, alongside other means, to access classified data.

Signal, which had used domain fronting since 2016 to keep operating in several Middle Eastern countries that were attempting to block the app, said in a statement at the time: “The censors in these countries will have (at least temporarily) achieved their goals.”

“While domain fronting still works with domains on smaller networks, this greatly limits the current utility of the technique,” says Simon Migliano, a digital privacy expert and head of research at Top10VPN, an independent VPN review website.

(Microsoft announced a ban on domain fronting in 2021, but the cloud infrastructure that enables the technique is intact. Earlier this week, Microsoft wrote that, going forward, it will “block any HTTP request that exhibits domain fronting behavior.”)

Migliano echoes Google in describing domain fronting as “essentially a bug,” and he admits it has “very real security risks.” It is “certainly a shame” that companies are revoking it, he says, “but you can understand their position.”

But Hunstad says there are ways to minimize the cybersecurity risks of domain fronting while preserving its use as an anti-censorship tool. Because the provider's own servers see both the front domain and the real destination of every request, he explains, Google, Amazon, or Microsoft could easily permit domain fronting for certain apps, like WhatsApp or Telegram, while otherwise banning the tactic.
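To make the mechanism described above concrete, here is an added example (not code from the article, from Citizen Lab, or from any hosting provider) of what a provider's edge sees on a fronted connection: the server name in the TLS ClientHello, which a censor on the path can also read, versus the Host header inside the decrypted HTTP request, which only the provider sees. The policy function treats a mismatch as fronting and blocks it unless the real destination is on an allowlist, which is the per-app exception Hunstad describes. All hostnames, the allowlist, and the sample requests are constructed for the demo and stand for no real service.

```python
"""Domain fronting as a CDN edge sees it: the TLS ClientHello's SNI names an
innocuous front domain, the HTTP Host header inside the encrypted stream names
the real destination. Added example, not code from the article or from any
provider; all hostnames, the allowlist and the traffic records are constructed."""
import struct

SNI_EXT = 0x0000          # TLS extension type "server_name" (RFC 6066)


def build_client_hello(sni: str) -> bytes:
    """Build a minimal TLS 1.2 ClientHello record carrying only an SNI extension.
    Constructed test vector for the demo; real clients send far more extensions."""
    name = sni.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name          # name_type 0 = host_name
    ext_data = struct.pack("!H", len(entry)) + entry                # server_name_list
    ext = struct.pack("!HH", SNI_EXT, len(ext_data)) + ext_data
    body = (
        b"\x03\x03"                                  # client_version: TLS 1.2
        + b"\x00" * 32                               # random (zeroed for the demo)
        + b"\x00"                                    # session_id: empty
        + struct.pack("!H", 2) + b"\x13\x01"         # one cipher suite
        + b"\x01\x00"                                # one compression method: null
        + struct.pack("!H", len(ext)) + ext          # extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_sni(record: bytes):
    """Return the host_name from a ClientHello's server_name extension, or None.
    This is the only destination name a passive censor can read on the wire."""
    if len(record) < 5 or record[0] != 0x16:
        return None
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if len(hs) < 4 or hs[0] != 0x01:
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                     # skip client_version and random
    try:
        pos += 1 + body[pos]                                    # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]    # cipher_suites
        pos += 1 + body[pos]                                    # compression_methods
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
    except (IndexError, struct.error):                          # truncated hello
        return None
    while pos + 4 <= min(end, len(body)):
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        if etype == SNI_EXT:
            data = body[pos:pos + elen]
            i = 2                                    # skip server_name_list length
            while i + 3 <= len(data):
                ntype, nlen = data[i], struct.unpack("!H", data[i + 1:i + 3])[0]
                if ntype == 0:
                    return data[i + 3:i + 3 + nlen].decode("ascii", "replace").lower()
                i += 3 + nlen
            return None
        pos += elen
    return None


def parse_host(request: bytes):
    """Return the Host header of a plaintext HTTP/1.1 request, or None.
    At the edge this is read after TLS termination, so the censor never sees it."""
    head = request.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            return value.strip().decode("ascii", "replace").split(":")[0].lower()
    return None


def classify(sni, host, fronting_allowlist):
    """Edge policy. Matching names are ordinary traffic; a mismatch is fronting,
    blocked unless the real destination is an allowlisted origin (the per-app
    exception Hunstad describes). The allowlist itself is an assumption."""
    if sni is None or host is None:
        return "incomplete"
    if sni == host:
        return "direct"
    if host in fronting_allowlist:
        return "fronted-allowed"
    return "fronted-blocked"


def inspect_connection(record: bytes, request: bytes, fronting_allowlist) -> str:
    return classify(parse_sni(record), parse_host(request), fronting_allowlist)


if __name__ == "__main__":
    allow = {"messenger.example.org"}                  # constructed allowlist
    front = build_client_hello("static.example-cloud.com")
    for req in (b"GET / HTTP/1.1\r\nHost: static.example-cloud.com\r\n\r\n",
                b"GET /v1/msg HTTP/1.1\r\nHost: messenger.example.org\r\n\r\n",
                b"GET /beacon HTTP/1.1\r\nHost: c2.example.net\r\n\r\n"):
        print(parse_host(req), "->", inspect_connection(front, req, allow))
```

The three sample requests share one ClientHello, so the censor sees only `static.example-cloud.com` on every connection; the edge alone can tell the messenger origin from the beacon destination, which is why a per-app allowlist is enforceable by the provider but not by the censor.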

Rather than technical limitations, Hunstad says, it’s a “prisoner’s dilemma situation [for] the big providers” that is keeping them from re-enabling domain fronting—they’re stuck between pressure from authoritarian governments and an outcry from activists. He speculates that financial imperatives are part of the calculus as well. 

“If I’m hosting my website with Google, and they decide to enable this for Signal and Telegram, or maybe across the board, and multiple countries decide to remove access to all of Google because of that—then I have potentially less reach,” Hunstad says. “I’ll just go to the provider that’s not doing it, and Google is going to have a business impact.” 

The likelihood that Amazon or Google will reinstate domain fronting depends on “how cynical you are about their profit motives versus their good intentions for the world,” Hunstad adds. 

What’s next

While Fatemi, from Kandoo, argues that restoring domain fronting would be helpful for Iranian protesters, he emphasizes that it wouldn’t be a silver bullet. 

“In the short term, if they can relax domain fronting so that people, for example, can use Signal, or people can connect to VPN connections, that would be phenomenal,” he says. He adds that to move solutions along more quickly, companies like Google could collaborate with nonprofits that specialize in deploying tech in vulnerable situations. 

But Big Tech companies also need to commit a bigger slice of their resources and talent to developing technologies that can beat internet censorship, he says: “[Domain fronting is] a Band-Aid on a much larger problem. If we want to go at a much larger problem, we have to dedicate engineers.” 

Until the world finds an enduring solution to authoritarian attempts to splinter the global web, tech companies that want to help people will be left scrambling for reactive tactics. 

“There needs to be a whole toolkit of different kinds of VPNs and circumvention tools right now, because what they are doing is highly sophisticated,” Alimardani says. “Google is one of the richest and most powerful companies in the world. And offering one VPN is really not enough.”

So for now, seven weeks into Iran’s protests, internet and VPN access remain throttled, restrictions show no sign of slowing, and domain fronting remains dead. And it’s the citizens on the front lines who have to carry the biggest burden.

“The conditions are dire here,” Elmira tells me. The lack of connectivity has made massacres difficult to verify and has complicated efforts to sustain protests and other activism. 

“To counter the demonstrations, they cut off our access to the internet and social media,” she says. 

But Elmira is resolute. “I, myself, and many of my friends now go out with no fear,” she says. “We know that they might shoot us. But it is worth taking this risk and to go out and try our best instead of staying home and continuing taking this.”

Cyber resilience melds data security and protection

Ransomware attacks—malware intrusions that block an organization’s access to its own data until a ransom is paid—are taking on alarming new aspects. As people’s work habits, daily routines, geographic locations, and trust in institutions have changed against a backdrop of global political shifts and the covid-19 pandemic, ransomware attacks have taken advantage of the opportunity to grow more sophisticated and pervasive.

Though the basic tools of ransomware remain the same, attackers are using global uncertainty as cover to evolve techniques that make extortion attempts more effective. In a “double extortion” attack, for example, bad actors both block the organization’s access to data and threaten to release or sell that data.

“Triple extortion” or “quadruple extortion” attacks, which additionally incorporate distributed denial of service (DDoS) attacks or threats to third parties, are now also part of the modern risk landscape, according to Alexander Applegate of cybersecurity firm ZeroFox.

Meanwhile, attempted attacks have also grown so prevalent as to be virtually guaranteed. According to a 2022 Sophos survey, 66% of companies experienced a ransomware attack in the last year, nearly double the 2020 figure. A 2022 report by Enterprise Strategy Group (ESG) put the figure at 79% of organizations affected in the last year.

ESG practice director and senior analyst Christophe Bertrand adds a troubling caveat: “I question the 21% who say they did not experience an attack, because I think the ransomware virus is probably dormant in their systems.”

Ransomware attacks have grown more virulent

Ransomware threats have become more damaging in several dimensions: attacks are on the rise, cybercriminals are demanding more ransom, successful intrusions are being leveraged to compromise multiple data streams, and attacks are spreading beyond IT systems into critical infrastructure essential to business functioning.

A 2022 Sophos report identified a new trend: a franchise business model (“ransomware-as-a-service”) in which gangs sell ransomware kits to other cybercriminals, who launch the attacks and then return a portion of the proceeds back to the gang. “When ransomware started, it was a small business picking on users who weren’t sophisticated and who would probably pay a couple of hundred dollars to get their data back,” says Hu Yoshida, chief technology officer at Hitachi Vantara. “But now the game has changed dramatically.”

The utility industry has become an enticing target, as disrupting power, water, or other critical infrastructure can be detrimental to the public. The 2021 ransomware attack against Colonial Pipeline, for example, spurred fuel shortages in the southeastern United States and along the East Coast. And though Colonial Pipeline paid the $4.4 million ransom, the decryption tool provided by the attackers was so slow that the company ended up relying on its own business continuity systems to gradually get back up and running.

Governments and public services also have become ransomware targets. A U.S. Senate committee report noted more than 2,300 known ransomware attacks on local governments, schools, and healthcare providers in the U.S. in 2021. In April and May 2022, a series of ransomware attacks crippled dozens of Costa Rican government agencies, including the Ministry of Finance and the social security system, spurring the president to declare a national emergency.


This content was produced by Insights, the custom content arm of MIT Technology Review. It was not written by MIT Technology Review’s editorial staff.

Moving money in a digital world

The rising adoption of digital financial services—mobile banking, online purchasing, and peer-to-peer payments—means that these days, money most often passes not through human hands but from computer to computer. No cash, no plastic cards, no paper bills or checks or envelopes or stamps. Digital is no longer just another way to move money. Every organization that moves money must meet users via computers, smartphones, and other devices, and offer rapid, secure payment services.

The covid-19 pandemic gave a boost to digital money movement, from online purchases to contactless payments and smartphone wallets, as consumers worldwide sought to shop without touching anything or going anywhere.

“The common denominator across almost all post-pandemic behavioral shifts is the growing importance of digital payments,” says Paul Fabara, executive vice president and chief risk officer at Visa, whose worldwide networks handled an estimated $13 trillion worth of transactions last year.

“Covid forced a market that was already growing to greatly accelerate,” says Fabara. As of 2021, 76% of adults globally have an account with a financial institution or mobile money provider, up from 68% in 2017 and 51% in 2011, according to the World Bank’s Global Findex Database. That number includes 71% of adults in developing countries. In high-income economies, nearly 95% of adults either made or received digital payments in 2021. In India, 80 million adults made their first digital payment during the pandemic; in China, 100 million.

Fraudsters famously go where the money is, and their online activities are expanding right along with the growth in digital transactions. Annual losses from cybercrime in the U.S. nearly doubled between 2019 and 2021, from $3.5 billion to $6.9 billion, according to the FBI’s Internet Crime Report for 2021. Fortifying cyberspace against theft and fraud has always been urgent, and the post-pandemic boom in transactions intensified matters.

Driving digital transactions

Business-to-business customers are beginning to insist on the same seamless real-time transactions they expect as consumers, says Aaron Press, research director of worldwide payment strategies at IDC, who tracks the development and adoption of real-time payments. “If you think about the way you shop online for personal things or pay your friends using a mobile-to-mobile app, those expectations are finding their way into the business environment,” he says.

End-to-end digital transactions are here to stay. An MIT Technology Review Insights survey of global business leaders found high interest in digital payment technologies across all types and sizes of businesses. Although 36% of respondents are just getting started with digital payments, 43% expect to expand their offerings over the next 18 months, and many are venturing into cross-border transactions (37%) and cryptocurrency (18%).

What’s driving businesses to all-digital payments? The largest share of survey replies, 70%, indicate businesses prioritize improving customer experience by offering multiple payment options and saving customers time. Respondents want the benefits of operational improvements (48%) and reductions in processing costs (37%). Many want expanded options for securing payments (36%) and personalized offers to customers (35%).

“Digital payments are more efficient and dramatically reduce errors,” says Press. “You’re much less likely to fill out something the wrong way, because there are checks and balances within the system.”


This content was produced by Insights, the custom content arm of MIT Technology Review. It was not written by MIT Technology Review’s editorial staff.