Home / Blogs

A Cynic's View of 2015 Security Predictions - Part 4

Gunter Ollmann

Lastly, and certainly not the least, part four of my security predictions (see previous parts: one, two & three) takes a deeper dive into mobile threats and what companies and consumer can do to protect themselves.

Mobile Threats

If there is one particular threat category that has been repeatedly singled out for the next great wave of threats, it has to be the mobile platform — in particular, smartphones.

The antivirus companies, armed with a new assortment of smartphone protection apps (and subscription models), are obviously keen for consumers to shore up their defenses against the impending onslaught of mobile malware.

Not much has changed in the 2015 predictions as opposed to the previous five years. Various sources of statistics were cited in which mobile malware volumes are increasing, that the second-tier app markets are heavily infested with malware and back-doored clones of premium apps from the primary markets, and that the sophistication of the malware will continue to increase. The general consensus of prediction was that we're (once again) on the cusp of a pandemic threat.

Ringing in the changes

A handful of predictions focused on the growth of digital payment and virtual currency systems that could become more popular in 2015 and consequently draw additional attention of cyber criminals.

In theory the technologies and capabilities of current mobile malware are sufficient to perpetuate this level of threat, but the reality of the situation is that the underlying mobile operating system security and (more importantly) back-end payment processing fraud detection systems are advancing at sufficient pace to counter much of the threat.

It is easy to fall in the trap of drawing parallels between desktop software threats and mobile threats — especially when it comes to malware. The reality of the situation is that the operating systems and default security structure of the platforms are completely different.

At its most basic level, mobile operating systems are less bulky (having shed all the legacy of 30 years of desktop backward compatibility requirements) and, frankly, a lot of the best security talent on the market has been employed by the major mobile vendors to invent a more secure platform — from chip to code.

Now that isn't to say that mobile devices can't be hacked (they obviously are being hacked at an increasing pace), but it is much more difficult to conduct a mass attack. While the malware will continue to evolve, most of that evolution will need to be in the direction of usurping the other applications in the device — which means a more targeted development path, and consequently more targeted at particular classes of victims. That may change eventually as the mobile operating systems change, but for the next two to three years I don't think that the "pandemic" angle will come to fruition.

For the time being the types of mobile threats we'll be most concerned about will effectively be a "cyber mugging" — unfortunately being in the wrong place at the wrong time.

Internet of Things (IoT)

If it was important for security mystics to provide a prediction or two about the cloud, it may have well been the equivalent of a God-like command from their marketing departments that they mention something about the biggest buzzword of 2014 — the Internet of Things (followed by the sound of a sharp crack of lightening for effect).

Unfortunately the predictions for IoT in 2015 tended to be of the generic but ominous type — a little like the way the rest of the US talks about the impending cataclysmic earthquake that will rattle California to its core and possibly see it sink in to the Pacific Ocean. No one knows when it will happen, but there's near universal expectation that it will happen eventually… and possibly soon.

As device manufacturers strive to think of new ways to slot in system-on-chip boards or stick in remote management TCP/IP stacks, more and more devices are finding themselves connected to the Internet. This wouldn't necessarily be so bad if it wasn't for the abysmal level of out-of-the-box security they've inherited and the fact that the vast majority of vulnerable devices already shipped and installed around the world cannot, or will not ever, be patched even if the vendor does come up with a fix.

The previous decade has seen a steady increase in the number of disclosures and bug hunting presentations covering Internet connected devices (even before "IoT" was coined) at top-rated annual security conferences like Black Hat and Defcon. If the 2014 events were anything to go by, then 2015 will be packed with new and innovative ways in which hackers could turn your home, car, workplace, and commute into a remotely controlled nightmare.

All aboard

Why would you connect a known vulnerable marine satellite receiver on a container ship (that's meant to provide navigation information and function as an emergency beacon in case of disaster) to the Internet and give it an externally routable IP address? Because it had an RJ45 connection and the ship-board Internet router had a spare cable of course.

While there will undoubtedly be a record number of new vulnerability disclosures in the IoT sphere over the next 12 months, the real question is whether there will be widespread exploitation and an ensuing wave of chaos.

If historical trends are anything to go by, then we can expect to see a number of free proof-of-concept tools and automated exploitation vectors be disclosed throughout the year, and maybe a handful of attacks that simultaneously affect the integrity of few tens-of-thousands of devices manufactured by some a cluster of notable brand-name vendors.

Perhaps some of the most interesting things that will happen in the IoT security world in 2015 will revolve around the gush of new products, technologies, and start-ups promising to detect or mitigate the threat.

On one hand, we can expect the established network protection vendors (with product portfolios in Firewalls, IDS, IPS, ADS, DLP, etc.) to add new signatures and detection modules to their products to cover IoT threats.

And on the other, we can expect a bunch of new or recent startups to reinvent the wheel and offer products specifically focused on protecting the IoT — at home or within the enterprise. I'm also sure there'll be an exciting spectrum of new and exciting abbreviations or word-soup for the (reinvented) technology as the vendors try desperately to distance their technological descriptions from 'legacy' detection approaches (even though the core technological approaches have existed for the last decade-and-a-half).

For vendors to be successful in protecting the IoT the primary hurdle will be how they get their technology on to the same local network as the vulnerable devices. This may not be too difficult for the home; although it is debatable whether an average household would in reality purchase and be able to successfully install and manage a pure-play network security device. However, the likely exploitation vectors will require highly focused designs for critical infrastructure deployments — for this is where the majority of currently installed and vulnerable IoT devices are installed.

Crystal ball or hologram projector

Standing atop a virtual Mount Delphi, many an oracle has cast their prediction or opinion as to how Internet security will evolve in 2015. Several have stated that, in one word, 2014 could be summarized as "sophisticated" and that this year that word will be "elusive" — both of which are subjective and have historically been hijacked by marketing teams.

A threat you are unable to detect or prevent must have some degree of sophistication and elusiveness. But we must be prepared to admit that a failure to detect, while an advantage to the attacker, doesn't necessarily mean that the attacker was sophisticated or elusive. If anything, it points out that strategic advantage on the battlefield does not lie with the defender.

Outlook

The prognosis for 2015 is as poor as it was for 2014. The attackers will continue to innovate, vendors will strive to maintain the technological status quo, and defenders will manage their breach disclosures and continue to clean up the mess.

Moving beyond the purely technological aspects of Internet security and the confines of a one-year annual prediction, here are three new things that are likely to keep us all awake for just a little longer every night over the next handful of years — and require a different approach to combat.

Cyber fraud and extortion will become more personal and flourish as a call-center business

We've seen the core components of the threat evolve over the last few years. Originally the criminals focused on premium number fraud, but last year law enforcement uncovered a call center in the Philippines wholly to extort honey trap victims who'd emailed naked pictures to what they thought were girlfriends in a long-distance relationship.

The obvious successes of social engineering and malware, and the affordability of international call-center technology to personalize attacks and maintain a "relationship" over many weeks or months, means that the threat will move from a malware author distributing their wares to a personalized deception at an industrial scale(over multiple public and personal communication channels).

Tools like Shodan will be core to a new breed of IoT cyber-criminal

While online tools such as Shodan have been invaluable for providing insight into the scope of threats likely to be faced by the growing volume of IoT devices that are connected directly to the Internet, they're also the shortest path for attackers to uncover vulnerable systems to target.

The number of public and private databases that perpetually scan the Internet and catalogue vulnerable systems in easy to search databases will continue to grow and they will be the source of intelligence a new breed of cyber-criminal will tap first in order to identify the exploit vectors of their target.

A key consequence of this approach is that the target will get no prior warning of an inbound attack — as attackers will have effectively outsourced their scanning to a third-party provider.

Better tools to mine, scrutinize, and profit from your online identity

It is inevitable that we'll soon see the first public tools designed to automatically mine and cluster all the personal disclosures from social networking sites, dating sites, games boards, discussion boards, blogs, and online dross we leaving lying around, and neatly organize it all in to a single profile entry carefully listing all your personal information in one location — and it will be entirely legal (except for maybe a breach of the Terms and Conditions of various social networking sites.

The first versions of these online tools (almost like a Shodan for humans) will attempt to provide answers for the standard litany of password recovery questions offered by popular websites — such as your date of birth, your first school, your pets name, your favorite sports team or movie, etc.

For most people (especially Generation Y), the answers to these questions have already been exposed over the years through various online posts, updates, and social network disclosures. The information is public, so there'll be very little the "victims" can do about it. Criminals (not just cyber criminals) will be able to query these tools and use the information in assorted frauds.

While not entirely shocking in theory, the first proof-of-concept tools will fundamentally change our perception of our online identity and cause online businesses to quickly review their whole approach to password resetting.

It's not just about technology

In the world of cyber-security it is all too easy to focus upon the technology side of the equation — because that is the easier and most linear path. Unfortunately, as malware authors and expert hackers become subsumed in broader organized crime enterprises, the technology becomes a smaller part of the crime. If anything, if we're to really make headway against the escalating threat we have to focus more upon the human element rather than the tools and artifacts they produce.

As the reindeer rest from their annual round-the-world trip and Santa returns to his day-job (hopefully not speculating on the price of coal in the futures market), we can hope that so too do all the folks who provided a prediction on what Internet security will look like this year.

So there you go. There's my take of security predictions for 2015.

Let's see what 2015 brings…

By Gunter Ollmann, Chief Security Officer at Vectra

Related topics: Cyberattack, Cybercrime, Cybersecurity, Internet of Things, Malware, Mobile Internet

 
   

Don't miss a thing – get the Weekly Wrap delivered to your inbox.

Comments

IoT evolution Peter Fretty  –  Feb 04, 2015 11:32 AM PDT

Great post. Actually great series.  I would suggest of all the areas that we need to pay the most attention, its the growth of the IoT space. True devices have been connected for quite some time, but the addition of new devices, the data growth and the proposed seamlessness connecting outside the enterprise opens up a new range of threats. It's an instance of new opportunities and risks where IT needs to be more adaptive, have greater visibility with an ability to respond to the changing adversarial intent as it unfolds.

Peter Fretty, IDG blogger posting on behalf of Cisco

To post comments, please login or create an account.

Related Blogs

Related News

Explore Topics

Dig Deeper

Afilias Mobile & Web Services

Mobile Internet

Sponsored by Afilias Mobile & Web Services
Verisign

Cybersecurity

Sponsored by Verisign
Afilias

DNS Security

Sponsored by Afilias

Promoted Posts

Now Is the Time for .eco

.eco launches globally at 16:00 UTC on April 25, 2017, when domains will be available on a first-come, first-serve basis. .eco is for businesses, non-profits and people committed to positive change for the planet. See list of registrars offering .eco more»

Industry Updates – Sponsored Posts

Verisign Named to the Online Trust Alliance's 2017 Audit and Honor Roll

Attacks Decrease by 23 Precent in 1st Quarter While Peak Attack Sizes Increase: DDoS Trends Report

Major Media Websites Lose Audience Due to Slow Load Times on Mobile

Leading Internet Associations Strengthen Cooperation

DeviceAtlas Wins 2017 IHS Markit Innovation Award

DeviceAtlas' Deep Device Intelligence Now Addresses Native App Environment

Verisign Releases Q4 2016 DDoS Trends Report: 167% Increase in Average Peak Attack from 2015 to 2016

Neustar to be Acquired by Private Investment Group Led by Golden Gate Capital

Verisign Q3 2016 DDoS Trends Report: User Datagram Protocol (UDP) Flood Attacks Continue to Dominate

2016 U.S. Election: An Internet Forecast

Government Guidance for Email Authentication Has Arrived in USA and UK

ValiMail Raises $12M for Its Email Authentication Service

Don't Gamble With Your DNS

Defending Against Layer 7 DDoS Attacks

Understanding the Risks of the Dark Web

New TLD? Make Sure It's Secure

Verisign Releases Q2 2016 DDoS Trends Report - Layer 7 DDoS Attacks a Growing Trend

How Savvy DDoS Attackers Are Using DNSSEC Against Us

Airpush Chooses DeviceAtlas to Provide Device Awareness to Mobile Ad Network

DeviceAtlas Releases Q2 2016 Mobile Web Intelligence Report, Apple Loses Browsing Market Share