2014 has seen some interesting developments in computer security and the lack thereof: the growth of encryption based ransomware, the exposure of several highly sophisticated state sponsored cyber espionage malware packages, the takedown of the Silk Road drug sales website (twice), a series of massive credit card breaches from major retail chains in the US, and a massive invasion of personal privacy in the form of leaked celebrity nudes have all made headlines. Here are Cloudmark’s thoughts on how these threats are likely to mutate in 2015, along with a few new headlines we expect to see.
Ransomware will spread to other platforms: the enterprise, the cloud, and mobile devices
Ramping up in the fall of 2013, ransomware is now one of the most successful forms of cybercrime. Though Cryptolocker has been largely disabled, Cryptowall and other forms of PC ransomware are spreading by multiple vectors. However, PCs are not the only places where data of value is stored. We’ve already seen ransom attempts on mobile devices using compromised credentials, and we expect these to grow in sophistication. The theft of celebrities’ nude photos shows how vulnerable data stored in the cloud can be. What if that cloud data had been encrypted rather than stolen, and the encrypted version had automatically synchronized over every original copy? Finally, in the past year we’ve seen the ease with which attackers can penetrate corporate defenses to steal credit card and customer data. Again, what if, instead of stealing that customer database, the attackers had disabled the backup system and encrypted the database? Large companies probably have backup systems robust enough to recover from this, but many small and medium-sized businesses may not. Backups that are reachable from the compromised network with the same credentials are themselves at risk; it is the offline or versioned copies that an attacker cannot overwrite that make recovery possible.
Encryption will be the default in more consumer products, but this will come under both technical and political attack
Data encryption will become a built-in feature rather than a conscious choice by users. Users are unlikely to choose to encrypt, but they will want software with more security. However, not all companies are looking out for their customers. Recently, several major carriers in the U.S. and abroad have been caught actively subverting encrypted email channels by downgrading them to plaintext. They did this by blocking STARTTLS, the mechanism by which mail servers upgrade a plaintext SMTP connection to TLS. Because STARTTLS is opportunistic, a client that never sees the extension advertised simply carries on in plaintext, and the downgrade goes unnoticed unless the sending side is configured to require TLS. Given that the same “fall back to the insecure mode” pattern exists in other technologies, it’s very likely that in 2015 we’ll see ISPs interfere with DNSSEC in the same way. DNS, the system that turns the hostname in a URL into the address your browser connects to, offers DNSSEC as an additional security feature: signed responses that a validating resolver can check. An ISP resolver that strips those signatures, or simply never validates, leaves the users behind it exposed in an analogous manner, since most end-user devices trust whatever their ISP’s resolver returns. It’s also very likely that, in the 2015 rush to meet customer demand for security, it will be done wrong in spectacular ways, eventually leading to users being compromised.
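The downgrade described above works only because the sending client treats STARTTLS as optional. The following is an added example, not Cloudmark code and not taken from any of the carriers’ systems: it parses a constructed EHLO reply, shows the same reply as a middlebox that overwrites the STARTTLS keyword would return it, and contrasts an opportunistic client policy (which silently falls back) with a fail-closed one (which refuses to deliver). The server replies, host names and the mangled keyword are all constructed for the example; no network connection is made.

```python
"""Opportunistic vs. mandatory STARTTLS.

Added example for this post (not Cloudmark code). The EHLO replies below are
constructed; EHLO_MANGLED imitates a middlebox that overwrites the STARTTLS
keyword so the client never sees the extension. No network I/O happens.
"""

# Constructed EHLO reply from a server that offers STARTTLS.
EHLO_CLEAN = (
    "250-mail.example.net Hello client.example.org\r\n"
    "250-SIZE 52428800\r\n"
    "250-STARTTLS\r\n"
    "250-8BITMIME\r\n"
    "250 HELP\r\n"
)

# Same reply after a middlebox has blanked out the STARTTLS keyword
# (assumed mangling pattern for this example).
EHLO_MANGLED = EHLO_CLEAN.replace("250-STARTTLS", "250-XXXXXXXX")


def parse_ehlo(reply: str) -> set:
    """Return the set of ESMTP extension keywords advertised in an EHLO reply.

    RFC 5321 multi-line format: every line starts '250-' except the last,
    which starts '250 '. The first line is the server greeting, not an
    extension, so it is skipped.
    """
    lines = reply.rstrip("\r\n").split("\r\n")
    if not lines or not all(line[:3] == "250" for line in lines):
        raise ValueError("not a successful EHLO reply")
    if lines[-1][3:4] != " " or any(line[3:4] != "-" for line in lines[:-1]):
        raise ValueError("malformed multi-line EHLO reply")
    # The keyword is the first token after the 4-byte prefix; any
    # parameters (e.g. the SIZE limit) follow it and are ignored here.
    return {line[4:].split(" ", 1)[0].upper() for line in lines[1:]}


def delivery_decision(reply: str, require_tls: bool) -> str:
    """Decide what the client does after reading the EHLO reply.

    Opportunistic mode (require_tls=False) is the common MTA default: use
    TLS if advertised, otherwise continue in plaintext. That fallback is
    exactly what a STARTTLS-stripping middlebox relies on. Mandatory mode
    fails closed and refuses to send the message over a plaintext channel.
    Returns one of "starttls", "plaintext", "refuse".
    """
    if "STARTTLS" in parse_ehlo(reply):
        return "starttls"
    if require_tls:
        return "refuse"
    return "plaintext"


if __name__ == "__main__":
    for name, reply in (("clean", EHLO_CLEAN), ("mangled", EHLO_MANGLED)):
        print(name, sorted(parse_ehlo(reply)))
        print("  opportunistic ->", delivery_decision(reply, require_tls=False))
        print("  mandatory     ->", delivery_decision(reply, require_tls=True))
```

The interesting row is the mangled reply under the opportunistic policy: the parser is working correctly, the keyword really is absent, and the client proceeds in plaintext without any error. Only a policy that treats a missing STARTTLS as a failure, per destination or globally, turns the downgrade into a visible delivery problem instead of a silent loss of confidentiality.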
Unfortunately, the move to fingerprints as a method for unlocking secured devices wasn’t without pitfalls. A Virginia court ruled recently that the Fifth Amendment (which would ordinarily protect someone from divulging incriminating evidence) does not apply to your fingerprint, since it is something you have rather than something you know. Thus law enforcement and judges can compel you to unlock an otherwise secure device with a fingerprint or similar biometric, where they could not compel you to reveal a passcode. This, on its face, is a logical step. The problem arises when we consider that more and more individuals are storing their entire day-to-day lives digitally. With FBI Director James Comey weighing in on the debate about phone encryption, claiming it has “swung too far” against the government’s ability to investigate, it’s likely that we’ll continue to see the legal boundaries of privacy and security ironed out in the face of national, and even local, security needs. It is likely that the security establishment will make common cause with the intellectual property industry in sponsoring another round of Internet legislation with features from the failed SOPA and CISPA bills.
More nation states will start building elite cyber espionage teams
In the past year we have seen evidence of widespread cyber espionage for military, political, and commercial purposes. The big players in the game are currently the US, the UK, China, Russia and Israel. Regin, Flame, Stuxnet, Sandworm, BlackEnergy, and Hikit are all examples of highly sophisticated malware attributed to these countries. Targets included businesses, activists, and industrial control systems as well as the more traditional military and intelligence targets of state-sponsored espionage. It is clear that nation-state cyber espionage teams are working to further the commercial aims of businesses in their country as well as pursuing political goals. However, the barriers to entry in this game are minimal, as is the downside if you get caught. You don’t even have the embarrassment of seeing your spies put on trial in a foreign country as in the bad old days of the Cold War; your spies never leave their desks in Beijing or Cheltenham. All you need is a fast Internet connection and a dozen or so great software engineers. While great software engineers are not that common, they are a lot easier to come by than nuclear scientists, so a nation wishing to increase its threat profile will find it far better to put together a cyber espionage team than a nuclear weapons program. We expect to see the would-be nuclear powers Iran and North Korea exploring cyber espionage soon, along with a number of other powers both friendly and unfriendly.
Government takedowns of drug marketplaces will continue, but the Internet drug trade will persist as long as the Tor network exists
As the effort that went into the takedowns of Silk Road and Silk Road 2 shows, this is obviously a high priority for law enforcement, and we can expect it to continue. Underground drug marketplaces are also vulnerable to hacking and bitcoin theft, and to the owner simply shutting up shop and keeping all the bitcoins held in escrow. However, there is a lot of money to be made in this business, and as each one gets taken down another will spring up. The eventual survivor(s) will be operated out of countries such as Russia where they are beyond the reach of US law enforcement. So long as the Tor network provides anonymous, secure communications and Bitcoin allows for pseudonymous payments (every transaction is public on the blockchain, but the addresses are not tied to a real-world identity unless something else links them), these marketplaces will continue to operate.
The Tor network will suffer a major DDoS attack
The Tor network was created to allow dissidents in oppressive countries to access the Internet anonymously. While it is still used for this purpose, it is also used for a range of criminal purposes: drug dealing, sharing child abuse material, and botnet command and control. We live in interesting times, and the Tor network is attracting the attention of important people. Sooner or later someone is going to decide that the world would be a better place without Tor and give the order to take it down. There are only a limited number of Tor exit relays, where the network connects to the rest of the Internet, and these, like the handful of directory authorities that every Tor client depends on, are publicly listed. Launching a coordinated DDoS attack on them would be well within the capabilities of any major botmaster or nation state.
Credit cards with embedded chips will finally roll out in the US, and will be attacked via compromised point of sale networks
EMV credit cards, which have an embedded chip, are scheduled to roll out in the US in 2015. In most countries a PIN is also required to confirm a sale, but the US has standardized on the weaker chip-and-signature validation. Even so, these cards are far harder to clone than the magnetic stripe cards currently in use, because the chip produces a unique cryptogram for each transaction rather than handing over static track data, and the system will provide significantly better security. The most likely attack vector against it is through point of sale (POS) devices. Hackers have already demonstrated the ease with which they can compromise POS networks to harvest credit card information. It may be just as easy to alter those POS devices so that they skip chip validation, or fall back to reading the magnetic stripe, and approve transactions for a forged card even if the chip in it is invalid. This would allow accomplices to make unlimited purchases from the store with a dummy card. In this case it is likely that the store, rather than the issuing bank, would be legally responsible for the losses.
Email spam originating from IPv6 addresses will become more common
Unlike IPv4, where most ISPs and enterprises use real-time blacklists of IPs seen sending spam, IPv6 mail paths often have little or no protection. Per-address blacklisting does not transfer well: a single IPv6 customer is typically allocated a /64, which holds 2^64 addresses, so a spammer can send every message from a fresh address and a list of individual offenders never catches up. We expect to see spammers exploiting this increasingly in future. As filtering based on blacklists becomes less effective, policy-based rate limiting by IP block and content-based filtering will increase in importance.
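To make the “rate limiting by IP block” point concrete, here is an added example (not Cloudmark code, and not a description of any product) of a sliding-window limiter that keys on the sender’s /64 for IPv6 and on the individual host for IPv4. The connection log it runs over is constructed: one sender walks through 150 distinct addresses inside a single /64, while two legitimate senders each send a handful of messages. The aggregation widths, the 100-messages-per-minute limit and the example addresses are all assumptions chosen for the demonstration; real policy would tune them.

```python
"""Rate limiting mail senders by IP block rather than by individual address.

Added example for this post (not Cloudmark code). The sample connection log
is constructed. A per-address blacklist never fires on the IPv6 spammer
below, because no address is used twice; keying the limiter on the /64
makes the whole block visible as one sender.
"""
import ipaddress
from collections import defaultdict, deque

# Aggregation widths (assumptions for this example): one IPv6 /64 is
# treated as one customer; IPv4 hosts are counted individually.
V6_PREFIX = 64
V4_PREFIX = 32
LIMIT_PER_WINDOW = 100   # messages per block per window (policy choice)
WINDOW_SECONDS = 60


def sender_block(addr: str) -> str:
    """Map an address to the network block used as the rate-limit key."""
    ip = ipaddress.ip_address(addr)
    width = V6_PREFIX if ip.version == 6 else V4_PREFIX
    return str(ipaddress.ip_network(f"{ip}/{width}", strict=False))


def rate_limit(events, limit=LIMIT_PER_WINDOW, window=WINDOW_SECONDS):
    """Sliding-window limiter keyed on sender_block().

    events: iterable of (epoch_seconds, address) in time order.
    Returns a list of (address, block, accepted) decisions.
    """
    recent = defaultdict(deque)   # block -> timestamps of recent attempts
    decisions = []
    for ts, addr in events:
        block = sender_block(addr)
        q = recent[block]
        while q and ts - q[0] >= window:   # drop attempts outside the window
            q.popleft()
        accepted = len(q) < limit
        q.append(ts)   # a rejected attempt still counts, so a flood stays blocked
        decisions.append((addr, block, accepted))
    return decisions


def build_sample():
    """Constructed log: a spammer walking a /64, plus two legitimate senders."""
    events = []
    spam_net = ipaddress.ip_network("2001:db8:dead:beef::/64")
    for i in range(150):
        # ten messages per second, each from a different /128 in the same /64
        events.append((1000 + i // 10, str(spam_net[i + 1])))
    for i in range(5):
        events.append((1000 + i * 10, "2001:db8:1::25"))   # legitimate IPv6 MTA
        events.append((1000 + i * 10, "192.0.2.10"))       # legitimate IPv4 MTA
    events.sort(key=lambda e: e[0])
    return events


def summarize(decisions):
    """Return {block: (distinct_addresses, accepted, rejected)}."""
    summary = {}
    for addr, block, ok in decisions:
        addrs, acc, rej = summary.get(block, (set(), 0, 0))
        addrs.add(addr)
        summary[block] = (addrs, acc + ok, rej + (not ok))
    return {b: (len(a), acc, rej) for b, (a, acc, rej) in summary.items()}


if __name__ == "__main__":
    for block, (distinct, acc, rej) in summarize(rate_limit(build_sample())).items():
        print(f"{block:28} addresses={distinct:4} accepted={acc:4} rejected={rej:4}")
```

The spammer’s block shows 150 distinct addresses, 100 accepted and 50 rejected; the two legitimate senders are untouched. A per-address threshold, by contrast, would see each of those 150 addresses exactly once and never trigger, which is the gap the paragraph above describes. The same structure extends naturally to IPv4 /24s or to reputation scoring, since only `sender_block()` decides what counts as “one sender.”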
At least one startup will fail because of messaging abuse on its site or service
Many growing startups are based on social networking or messaging. As soon as they build up a sufficiently large user base, the spammers move in to try to exploit it. Making sure that they don’t succeed is fundamental to maintaining growth. There are too many other ways to spend time on the Internet; people will simply avoid the ones where they are likely to get spammed. However, based on past experience we expect to see at least one promising startup get this wrong and fade into obscurity because it can’t control spam on its network.
As mobile payment systems become more mainstream, they will come under attack from cyber criminals
When asked why he robbed banks, Willie Sutton is famous for saying, “Because that’s where the money is.” Though that line was actually made up by an enterprising reporter, it’s certainly true that just as spammers will go wherever people are reading messages, thieves will go wherever money is being transferred. Several systems are competing to let us use our phones to make payments, both in person and remotely. Apple, Venmo, PayPal, Square, and Snapchat all have approaches to this. PayPal is already one of the most phished brands in the world, and we can expect to see attacks on the other payment systems through both credential theft and malware.