Six Things to Watch for in 2016
Monday, January 4, 2016
Well, if you thought you had it rough
in 2014 because of big, bad Poodles and an irritating case of Heartbleed,
things only got worse this year. Rather than intrusions permeating our IT
systems and stealing our data, attacks got a bit more personal in 2015. Not
only were privacy and civil liberties put at risk by legislators pushing
overbearing rules based on an underwhelming knowledge of computers, but hackers
and security research were squarely in the crosshairs of government and law
enforcement. It was a rough year.
What’s ahead? Who
knows? Who saw Wassenaar coming? Or Going Dark? Or backdoors in enterprise networking gear? Nonetheless,
2016 can be better with some prep work against a best guess of what we might be
in for as the new year turns.
Activism is Job 1
Security
researchers and advocates have certainly grown up in the last two years.
Emerging from the shadows of SOCs and IT labs, researchers, spurred on by the
assault on crypto, privacy and overall integrity of legitimate hacking, have
evolved into a tidy and effective group of activists. Hopefully this trend
continues, because with legislators and law enforcement convinced that things
like CISA and Wassenaar and exceptional access are good ideas, there need to
be more voices from the security wilderness. Many of you have stood up and
shouted about the lunacy of some of these ideas, and in the case of Wassenaar
for example, a spate of rational, well thought-out comments put a temporary halt to the U.S. implementation of the
rules. This was a victory that can be emulated on many fronts in 2016.
Securing Things
Brush off securing the Internet of Things as a fad,
tomorrow’s problem, perhaps. But that’s foolhardy. Against the kicking and
screaming of those who know better, we continue to embed tiny, networked
computers in just about everything without clearly mapping out security and
privacy implications. Just like mobile and client-server architectures before
it, IoT has been rushed to market and security is flailing its arms desperately
trying to catch up. Thankfully, we had our first inflection point in 2015
demonstrating the need to slow down—literally. Charlie Miller and Chris
Valasek’s car-hacking research put a real face on the
problem of IoT security. Their ability to remotely manipulate a moving
automobile’s controls forced a recall of 1.4 million vehicles, and in the bigger
picture, caused an entire industry to stand up and take notice.
The Kids Are Not Alright
Predicting
at the start of 2015 that there would be a major health care
data breach was a cakewalk. Five weeks into the year and we had Anthem, and shortly thereafter CareFirst Blue Cross. Health care data is the new
hacker black, and attackers are taking advantage of organizations still behind
in securing patient data and electronic health care systems.
For next year, shudder to think it, cybercrime is going to continue to
target personal data in a big way, and it’s going to go younger. We’ve
already seen VTech and Hello Kitty breaches impacting the personal data of tens
of thousands of children, giving hackers a long shelf life of identities to be
exploited for fraud. Expect more of it in 2016.
Money On The Move
Now that mobile
payment services like Apple Pay and Google Wallet have turned your
smartphone into an extension of your wallets and bank accounts, expect hackers
to turn out en masse against these systems. The juicy target for hackers may
not be on the transaction side of mobile payments, but in the personal payment
card data that lives on your device. An attacker with access to that data is a
short hop away from being able to spoof your identity and payment data, and
this is a shortcoming that needs to be addressed next year.
Bury The Ghosts of APTs
Advanced persistent
threats, a.k.a. sophisticated nation-state sponsored targeted attacks, a.k.a.
China/Russia/the NSA, aren’t necessarily going away, but they are going to look
different. Researchers at Kaspersky Lab say APT gangs are making strategic and
tactical changes to their activities—likely since so many have been outed in
the past 24 months. Expect to see more attacks with roots in memory-resident or
fileless malware, Kaspersky says. APTs will be harder to detect because there
will be fewer cookie crumbs for investigators to follow. The security company
also said that APT gangs have likely invested enough in building custom malware
and rootkits, and commodity attacks will be repurposed more often.
Samy Time
Is there a more
creative hacker than Samy Kamkar? He’s been around for a long time, but it’s
likely he’d be hard-pressed to remember a year when he had as much fun tackling
new problems. Very few hackers can say their resume includes the use of a
child’s messaging toy to open garage doors on a whim, or game vehicles’ OnStar systems to gain persistent
access to vehicles. Throw in his take on the ProxyGambit attack, and Rolljam, another device
that steals vehicular lock codes, and Kamkar had a busy year. Predicting what’s
next is a crapshoot, but nothing in the