The Future of Malware
Personal information belonging to a full third of Massachusetts residents has been compromised in one way or another, according to the state's attorney general, citing statistics gleaned from a tough new data breach reporting law.
RSA recently announced that security of its two-factor SecurID tokens could be at risk following a sophisticated cyber-attack on the company. And Sony suffered a massive breach in its video game online network that led to the theft of names, addresses and possibly credit card data belonging to 77 million user accounts. The cost to Sony and credit card issuers could hit $2 billion.
Of course, that's just a sampling of recent breaches, and if you think it's bad now, just wait. It's only going to get worse as more information gets dumped online by mischievous hacker groups like Anonymous, and as for-profit hackers widen their horizons to include smartphones and social media.
For example, in August AntiSec (a collaboration between Anonymous and the disbanded LulzSec group) released more than 10GB of information from 70 U.S. law enforcement agencies.
According to Todd Feinman, CEO of DLP vendor Identity Finder, AntiSec wasn't motivated by money.
"Apparently, they don't like how various law enforcement agencies operate and they're trying to embarrass and discredit them," he said.
But, he adds, what they don't realize is that when they publish sensitive personal information, they are helping low-skilled cyber-criminals commit identity theft. Every week, another university, government agency or business has records breached. Feinman estimates that 250,000 to 500,000 records are breached each year. Few details from those breaches are published on the Internet for everyone to see, however.
While certain high-profile attacks, like the one on Sony, may be intended to embarrass and spark change, the U.S. law enforcement breach could represent a shift in hacker thinking. AntiSec's motivations appear to have a key difference, with the attackers consciously considering collateral damage a strategic weapon.
"In one online post, AntiSec came right out and said 'we don't care about collateral damage. It will happen and so be it,'" Feinman says.
Experts say the future of malware isn't so much about how malware itself will be engineered so much as how potential victims will be targeted. And collateral damage won't be limited to innocents compromised through no fault of their own.
Have you ever accepted a friend invite on Facebook or connected to someone on LinkedIn you didn't know? Maybe, you thought this was someone from high school you had forgotten about or a former business partner whose name had slipped your mind. Not wanting to seem like an arrogant jerk, you accept this friend and quickly forget about it.
"When people make trust decisions with social networks, they don't always understand the ramifications. Today, you are far more knowable by someone who doesn't know you than ever before in the past," says Dr. Hugh Thompson, program chair of RSA Conferences.
We all know people who discuss every single thing they do on social networks and blogs - from their breakfast choices to their ingrown toenails. While most of us simply consider these people nuisances, cyber-criminals love them.
"Password reset questions are so easy to guess now, and tools like Ancestry.com, while not created for this purpose, provide hackers with a war chest of useful information," Thompson says.
Thompson believes there are two areas the IT security industry desperately needs to innovate around: 1) security for social media, along with ways to manage the information shared about you on social networks and 2) better methods for measuring evolving risks in a more concrete way.
Thar she blows
Chris Larsen, head of Blue Coat Systems' research lab, says the most common social engineering attack their lab catches is for fake security products. He also explained that social networks aren't just being used to target individuals.
Larsen outlined a recent attack attempt where the bad guys targeted executives of a major corporation through their spouses. The logic was that at least one executive would have a poorly secured PC at home shared with a non-tech savvy spouse, which would then provide the backdoor needed to compromise the executive and gain access into the target company.
"Whaling is definitely on the rise," says Paul Wood, senior intelligence analyst for Symantec.cloud. "Just a couple years ago, we saw one or two of these sorts of attacks per day. Today, we catch as many as 80 daily."
According to Wood, social engineering is by far the most potent weapon in the cyber-criminal's toolbox (automated, widely available malware and hacking toolkits are No.2). Combine that with the fact that many senior executives circumvent IT security because they want the latest and trendiest devices, and cyber-crooks have many valuable, easy-to-hit targets in their sights.
Fortune 500 companies aren't the only ripe targets. "Attacks on SMBs are increasing dramatically because they are usually the weakest link in a larger supply chain," Wood says.
Today, there's no sure way to defend against this. Until Fortune 500 companies start scrutinizing the cyber-security of their partners and suppliers, they can't say with any certainty whether or not they themselves are secure. While it's common for, say, General Electric to run parts suppliers through the ringer with factory visits that result in the implementation of an array of best practices, companies aren't doing this when it comes to cyber-security.
Watch your e-wallet
While smartphone threats are clearly on the rise, we've yet to see a major incident. Part of the reason is platform fragmentation. Malware creators still get more bang for their buck by targeting Windows PCs or websites.
Larsen of Blue Coat believes that platform-agnostic, web-based worms represent the new frontier of malware. Platform-agnostic malware lets legitimate developers do some of the heavy lifting for malware writers. As developers re-engineer websites and apps to work on a variety of devices, hackers can then target the commonalities, such as HTML, XML, JPEGs, etc., that render on any device, anywhere.
Smartphones are also poised to become e-wallets, and if there's one trait you can count on in cyber-criminals, it's that they're eager to follow the money.
"The forthcoming ubiquity of near-field communication payment technology in smartphones is especially worrisome," says Marc Maiffret, CTO of eEye Digital Security. Europe and Asia are already deep into the shift to m-commerce, but the U.S. isn't far behind. "Once the U.S. adopts mobile payments in significant numbers, more hackers will focus on these targets," he adds.
Over time, smartphones might replace other forms of identification. Your driver's license and passport could be on your phone instead of in your pocket. In the business world, this shift is already occurring.
Mobile phones are serving as a second identity factor for all sorts of corporate authentication schemes. Businesses that used to rely on hard tokens, such as RSA SecureID, are moving to soft tokens, which can reside on mobile phones roaming beyond the corporation as easily as on PCs ensconced within corporate walls.
"Two-factor authentication originally emerged because people couldn't trust computers. Using mobile phones as an identity factor defeats two-factor authentication," Maiffret says.
For consumers, mobile payments aren't necessarily all that troubling, especially if m-commerce is tied to credit card accounts and surrounded with the same consumer protections. Banks have been aggressively pushing consumers towards e-banking for years. Obviously, even with the risks involved, e-banking generates better ROI than traditional banking. Otherwise, they wouldn't do it.
Moreover, m-commerce should have all of the behind-the-scenes security benefits wrapped around it, such as advanced fraud detection. You can't say that for cash.
Today, Android is the big smartphone target, but don't be surprised if attackers turn their attention to the iPhone, especially if third-party antivirus programs become more or less standard on Androids. IPhone demographics are appealing to attackers, and when you talk to security pros, they'll tell you that Apple products are notoriously insecure.
Apple is extremely reluctant to provide third-party security entities with the kind of platform access they need to improve the security of iPhones, iPads, MacBook Airs, etc. "Apple is very much on its own with security," Maiffret says. "It almost mirrors late-90's Microsoft, and it'll probably take a major incident or two to incite change."
If we've learned anything about digital security in the last 20 years, it's that another major incident is always looming just over the horizon. And then there are the new threats to cars and homes.
During the Black Hat and Defcon conferences in early August, researchers demonstrated a number of disturbing attack scenarios. One particularly scary hack showcased the possibility of hijacking a car. Hackers could disable the alarm, unlock its doors and remotely start it through text messages sent over cell phone links to wireless devices in the vehicle.
Other at-risk embedded devices include airbags, radios, power seats, anti-lock braking systems, electronic stability controls, autonomous cruise controls and communication systems. Another type of attack could compromise a driver's privacy by tracking RFID tags used to monitor tire pressure via powerful long-distance readers.
"As more and more functions get embedded in the digital technology of automobiles, the threat of attack and malicious manipulation increases," says Stuart McClure, senior vice president and general manager, McAfee. "Many examples of research-based hacks show the potential threats and depth of compromise that expose the consumer. It's one thing to have your email or laptop compromised but having your car hacked could translate to dire risks to your personal safety."
Of course, cars represent just one example of hackable embedded systems. With the number of IP-connected devices climbing to anywhere from 50 billion to a trillion in the next five to 10 years, according to the likes of IBM, Ericsson and Cisco, tomorrow's hackers could target anything from home alarm systems to air traffic control systems to flood control in dams.
Based in Santa Monica, Calif., Jeff Vance is the founder of Sandstorm Media, a copywriting and content marketing firm. He regularly contributes stories about emerging technologies to this publication and many others. If you have ideas for future articles, contact him at firstname.lastname@example.org or http://twitter.com/JWVance.
Read more about wide area network in Network World's Wide Area Network section.