As the year comes to a close and winter sets in, we like to look back at the year that was and do our best to prepare for the year ahead. What would the holiday season be without yuletide cheer, excessive commercialization and of course…security predictions? Yes, it’s time to join my colleagues in the security industry, peer into my magical crystal ball and provide a glimpse of what is to come. Grab a nice hot beverage, curl up next to the fire and enjoy!
PII is the new hotness
2015 continued the trend of major retail data breaches resulting in bulk debit and credit card theft, but it also marked a shift that will accelerate in 2016. In the coming year, expect attackers to move away from targeting financial information and instead target personally identifiable information (PII). In 2015, we continued to see credit/debit card theft at the likes of America’s Thrift Stores, The Trump Hotel Collection, Hilton Hotel properties, Service Systems Associates, Hershey Park, Harbortouch and White Lodging, but in 2015 we also learned of major breaches in the healthcare (Anthem and CareFirst BlueCross BlueShield) and government (Office of Personnel Management) sectors that targeted PII. The quest for PII is being driven by two separate groups of attackers. While nation states desire PII for espionage, criminals are also shifting to PII as it is generally more valuable than credit and debit cards, which are getting more challenging to harvest in bulk due to greater awareness of the problem and new technology. Why would a social security number be of greater value than a credit card number, which can be used directly to procure goods and services? PII is highly sought after in the underground as it can be leveraged to commit financial fraud such as applying for credit, submitting false medical/insurance claims or filing fraudulent tax refunds. Whereas credit cards can be easily cancelled, changing one’s name, address and social security number generally isn’t an option, so the stolen data remains valuable for a longer period of time. The shift will be motivated in part by the push to move to Chip and PIN (aka EMV) debit and credit cards, which combat RAM scraping malware with tokenization. Don’t however expect credit and debit card fraud to disappear entirely as EMV technology has seen slow adoption in the US, despite an October 2015 deadline and the technology does nothing to combat card not present (online) theft. In 2016, attackers will increasingly target sectors known to store bulk PII including finance, healthcare and government entities to harvest valuable PII.
Trusted Partner Attacks
Breaking in through the front door isn’t always the best option as it tends to be be well defended. The same is true in cyber attacks. A head on assault is expected, but companies rely on a plethora of technology partners and often communicate with them through trusted digital channels. History suggests that enterprises aren’t doing enough to ensure that trusted partners maintain their security to the same standards that would be demanded if those services were delivered internally. In the past we have seen this with the Target breach which occurred when Fazio Mechanical, an HVAC vendor was compromised. Likewise, the OPM breach began with a compromise at KeyPoint Government Solutions. Compromised partner networks aren’t always used to directly access another network but can also play an indirect role in a broader attack. For example, attackers that ultimately targeted JPMorgan Chase, Scottrade and E-Trade for money laundering also compromised G2 Web Services LLC, which specialized in monitoring and blocking fraudulent banking transactions. Once inside the G2 network, they could ensure that their money laundering schemes went undetected. Enterprises are increasingly outsourcing technology to streamline costs in areas that are not a core focus. For attackers targeting a supplier that often has lesser security controls than the larger entity that it serves, a successful compromise can be a gold mine. Not only does the breach provide a backdoor into the original target, but it also opens doors to other enterprises being serviced by the same vendor. Hackers have learned from successful attacks exploiting such relationships and will accelerate their focus in this area in 2016. Enterprises need to extend security policies and procedures beyond their own systems and personnel. Trusted partners should be expected to adhere to the same security controls and be subjected to audit and penetration tests to ensure that they are adhering to agreed upon standards.
Ransomware 2.0 goes corporate
Ransomware has managed to hit a sweet spot. Users are all too willing to begrudgingly pay an expensive but not excessive ransom in exchange for the return of their precious data. Even the FBI are recommending that it’s easier to pay than fight. The wildly profitable CryptoLocker has attracted many clones since it was largely knocked offline following Operation Tovar. Many of these clones, including more popular variants such as CryptoWall and TorrentLocker largely followed the proven formula but we’re starting to see variations such as ransomware focused on Linux and mobile platforms. The former is especially important as it’s more likely to impact the websites and code repositories of enterprises, who in our experience are also very willing to pay up rather than risk losing critical intellectual property. Expect ransomware to become increasingly corporate focused in 2016 and as it does, enterprises won’t get away with paying consumer rates. The criminals behind the ransomware campaigns are savvy and once they realize that they’ve locked up source code and financial documents that haven’t been properly backed up, you can expect prices to skyrocket…and be paid.
The extortion data breach
The Sony Pictures, Ashley Madison and Hacking Team breaches all share a common theme – the goal of the attacks was to humiliate the respective companies and perhaps inflict financial damage. There did not however appear to be a profit motive in any of the attacks. Sony Pictures, after already having proven to be a vulnerable target after two successful attacks against the Play Station Network, had it’s dirty laundry aired by hackers allegedly backed by the North Korean government as retaliation for producing a satirical movie about their leader. Ashley Madison and Hacking Team are believed to be the victims of hacktivists that disagreed with their corporate philosophies. Despite what has been stated by the media, there is little to suggest that these were sophisticated attacks. Rather, once the attackers were able to gain access to the internal network, they were able to roam freely and collect troves of sensitive data from email and file servers, which was then dumped online. Criminals have no doubt taken notice of the extreme damage that small teams have been able to achieve and know all too well that some would be willing to pay millions to stay out of the headlines. This is one prediction that is likely already taking place but we’ve yet to hear about it as the attackers have held up their part of the bargain to remain quiet in exchange for the hush money.
No AV? No problem.
Foreshadowing the death of antivirus (AV) is hardly a bold prediction. Even AV executives are calling for it. While you won’t see a sudden wholesale move away from AV, as it remains the first line of defense for corporate PCs, we’re now hearing with some regularity, CTOs shifting away from paid AV solutions to ‘good enough’ free AV or solutions baked in at the O/S level, such as Microsoft’s Windows Defender or Apple’s File Quarantine (aka XProtect). As enterprises adapt to the Post-PC era, running an end user device without AV is no longer seen as a risky bet. OS X machines rarely run AV in a corporate environment and on iOS devices it’s not even an option. Enterprises realize that AV is focused on known vulnerabilities and they must free budget dollars to shift to more dynamic security controls capable of identifying and protecting against 0day and targeted attacks. With limited budgets, expect fewer enterprises to open the checkbook for host based AV, instead reallocating the funds to solutions such as network/cloud based sandboxing solutions.
Android finally cleans up it’s act
Android is well on it’s way to becoming the Windows of the mobile malware world. With 99% of mobile infections, Android is the only game in town when it comes to infected tablets and smartphones. Love it or hate it, Apple’s walled garden and refusal to allow downloads from third party app stores has paid security dividends. Sure, Google Play has Bouncer and he’s done a fine job of keeping the miscreants out, but that’s of limited value when users are willing to go to shady Chinese app stores to save a buck on Candy Crush. Google clearly knows that this will hurt them in the long run, especially in the enterprise space and began making changes with Marshmallow, the latest Android flavor when they switched to Granular App Permissions to make it more clear what control an app ultimately gains when installed. This however was a small step and Google will need to get much more aggressive going forward. Not wanting to lose ground in the enterprise, where Apple has now pivoted, they have little choice. While cutting off third party app store access altogether would alienate too much of the user base, expect the next iteration of Android to to start cracking down on third party app stores. Since Jelly Bean 4.2, embedded cloud based anti-virus scanning was added through the Verify Apps feature. While yet another improvement, this is clearly not enough as we regularly identify and blog about apps from alternate Android app stores that are malicious in nature. Google will need to take more drastic steps and a likely change is restricting the permissions available to apps not vetted through the Google Play submission process. Expect side-loaded apps requesting Administrator permissions to become a thing of the past. Some developers will push back, but Google will have little choice if they want to get malware under control. Google will also begin to mandate acceptable timeframes for patches and firmware upgrades, which are now largely under the control of the OEM partners. It does little good when new security features are added, but they’re unavailable to users with non-Nexus devices. These steps won’t eliminate Android malware, especially with Android’s slow O/S upgrade cycle, but they will raise the bar for third party app stores, just as Bouncer did for Google Play.
Terrorists catch the hacking bug
This last prediction is one that saddens me to write, but I feel is inevitable and one that can’t be ignored. Terror organizations are continually searching for new avenues to instill fear and they require significant funding to further their hateful agendas. Skilled hackers can aid on both fronts. Cyber attacks can clearly be used by terrorists to obtain intelligence for future attacks and we’re already seeing early signs of cyber attacks being used to cause physical damage. Last year, hackers caused significant damage to a German steel mill when they disabled systems responsible for controlling a blast furnace. This wasn’t just kids playing around either, as the attacks reportedly required substantial knowledge of industrial control systems in order to succeed. With almost all industries reliant on computerized systems, the potential attack surface is enormous. Hacking is also extremely lucrative. The CrytoLocker ransomware authors for example were able to make millions in just a few short months. Such potential is surely in the sights of terror organizations, especially those such as ISIS, which have shown a new affinity for being tech savvy when it comes to recruiting and propaganda. Sadly, terrorists won’t necessarily need to acquire the necessary skills themselves as there are no shortage of cyber criminals all too willing to rent their skills out to the highest bidder and look the other way.
Password reuse attacks decline
And now for some good news. Password reuse attacks will begin to decline. Attackers are quite happy to compromise virtually any site even if it’s not the endgame as they can generally recover information and resources that will aid in other attacks. It’s always of great benefit for an attacker when they’re able to uncover a database of unencrypted usernames and passwords, because human nature suggests that those same credentials are used at many, many other sites. Most people use a handful of passwords at best, therefore attackers will write scripts to attempt automated logins at popular social networking, banking, etc. sites to see if the credentials can be reused. This presents a real challenge for end users as they have no control over how their credentials are stored or secured once they’re turned over and in the event of a compromise, changing passwords to every site where those same credentials were used is generally an impossibility. Think of your favorite password that you’ve used over the years. How many sites have you used it on? You lost count, didn’t you. Fortunately, this is starting to change thanks in large part to the smartphone. Smartphones can be many things but they make for a handy secure, always with you, data repository. As such, people are starting to adopt password managers such as 1Password, LastPass, etc., as they have user friendly smartphone apps that present a convenient option for always having sensitive data such as passwords within easy reach. Advancements in biometrics are also helping the cause with consumer grade fingerprint scanners now becoming a standard feature on modern smartphones. This not only makes accessing that password repository quicker and more user friendly, but also finally makes it an option to do away with passwords altogether. While not as user friendly, most major Internet layers are also adding two-factor authentication as a standard option. Finally, the average user has realistic authentication options that don’t involve sticky notes.
Say goodbye to browser plugins
The love affair with browser plugins has been on the decline and we’re finally at a point where the average user can do away with them once and for all. Flash had a particularly tough year after Firefox disabled the plugin by default after the Hacking Team breach revealed the existence of new Flash 0days. Facebook’s Security Chief also piled on asking “Adobe to announce an end-of-life date for Flash”. This after Steve Jobs famously refused to include Flash on iOS, claiming that it had been the “number one reason Macs crash” and had “one of the worst security records”. The bashing certainly isn’t unfounded with browser plugins remaining the number one way that Exploit Kit authors target PCs, primarily targeting Java, Flash and PDF vulnerabilities. At least for websites, Flash is on life support, Java died a couple of years ago and PDF plugins are no longer required as bowser vendors have baked in native support. Competitors like SilverLight never fully caught on and web apps that would historically have used custom plugins for playing video or screen sharing, have now migrated to HTML5. Not supporting plugins was one things that mobile browsers got right from the get go. In 2016, expect all major browsers to get serious about finally killing off plugin support by default.
The encryption showdown
Encrypted communications have long been the bane of law enforcement and those in the intelligence communities. As privacy concerns mount, thanks in part to the Snowden revelations, leveraging strong encryption for messaging and data storage is no longer the realm of geek speak. It is an expected feature and is quickly becoming a differentiating feature. iOS now encrypts data by default and Android while lagging behind, is fighting to get there. Popular chat applications like WhatsApp tout encryption as a key feature and Apple’s iMessage app, which features end-to-end encryption and no central key store, is often referenced by law enforcement when arguing for a ‘back door’. 2016 will be the year this battle comes to a head. While politicians used to dance gingerly around the topic given the privacy abuses exposed by the Snowden revelations, recent terrorist attacks have brought this issue front and center. Multiple pieces of legislation are sure to be introduced that will propose weakened encryption protocols or procedures to grant law enforcement access to decrypted communications as needed. As we’ve learned however, you can’t be ‘mostly secure’ any more than you can be ‘kind of pregnant’. Weakening encryption to benefit law enforcement will also reduce security for everyone and if the US government mandates a ‘backdoor’, you can be rest assured that China, Russia, [pick a country] will be demanding the same for their citizens. This is one battle that will have serious repercussions for years to come. Here’s to hoping that Apple, Google, Microsoft, Yahoo! and the like manage to prevail.
Should be another action packed year on the cyber security front. See you next year!