2018 Security Predictions
2017 was a year filled with large corporate data breaches, national cyber espionage wars, and surging ransomware attacks. As we look forward to 2018, we must be diligent in our efforts not only to remediate the cybersecurity threats that lie ahead, but to predict and prevent them. With that, here are my top security predictions for 2018.
Abuse of digital assistants
Prediction #1 – We will see targeted attacks on digital assistants
It seems that every major tech company is now convinced that digital assistants (Alexa, Siri, Cortana) embodied as smart speakers (Amazon Echo, Apple HomePod) are the future of human-computer interaction. These devices are now mainstream and have become much more than just a convenient way to learn about today’s weather or get the latest sports scores.
Digital assistants are building open ecosystems whereby they trigger actions that drive other smart devices or applications. It’s one thing to, say, open a garage door from a smartphone, which should be protected by a password and/or biometrics. Simply obtaining someone’s phone isn’t of much value if you can’t get into it (just ask the FBI).
Smart speakers, on the other hand, offer access to digital assistants without strong security controls. What about physical location? How can I provide instructions to a smart speaker if I’m not within shouting distance? In a virtual world, physical proximity isn’t much of a barrier when it comes to audio communication. In April, Burger King and Google got into a spat when the fast food chain leveraged the ‘OK Google’ phrase in a TV ad to intentionally trigger Google Home smart speakers.
While hackers may not have access to television networks, they can make robo calls to homes with answering machines or post audio clips on web pages. A stealthier tactic would involve leveraging an exploit to plant malware on a computer that then plays an audio clip when the user is unlikely to hear it, such as late at night. What damage could be done? Attackers could leverage smart speakers to place orders that they profit from, or conduct physical attacks such as opening locks or disabling security systems. A British security researcher has already discovered a means of turning older Amazon Echo devices into a wiretap, and you can rest assured that he’s not alone in his quest to defeat the security measures of digital assistants.
Collaborative smart device hacks
Prediction #2 – The home ecosystem will be a new vector for home attacks
While digital assistants can trigger smart devices, so too can other smart devices. A ‘smart home’ is actually quite dumb when it’s comprised of a number of networked technologies that work in isolation. The ‘smart’ in smart home comes into play when these devices collaborate by setting off a chain of events triggered by some external variable.
For example, a CO₂ detector is a valuable safety device, but sounding an alarm in an empty house won’t do much good. That changes when the same device can shut down the furnace and alert the fire department. The smart home ecosystem is exploding and history has taught us that when there’s a technology land grab underway, security gets left behind.
Some of the smart home ecosystem is being stitched together by technology vendors such as Apple (HomeKit), Google (Nest) and Samsung (SmartThings). These vendors impose differing restrictions on the smart device vendors. Apple, not surprisingly, strictly controls and vets what is permitted into the ecosystem, often in the name of security, but even Apple has conceded that this won’t allow them to grow quickly enough, and they had to loosen restrictions with iOS 11 by abandoning mandatory security chips. Vendor-agnostic implementations such as IFTTT try to create an infrastructure where any and all products can communicate with one another. While an individual product may have strong security controls, those same controls can be rendered ineffective when combined with other products. Consider, for example, the following IFTTT rule:
This rule would disable my security system every time I post a picture to Facebook. That’s a terrible rule! Why would I implement that? I wouldn’t, but an attacker gaining access to my IFTTT account could. By doing so, the attacker would bypass any restrictions that the security system had put in place to prevent unauthorized disarming of the alarm, because all of those controls assume that the system operates in isolation.
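The cross-product problem described above can be checked mechanically: treat each automation rule as an edge from a trigger to an action, rate how much an attacker would need to control to fire each trigger, and walk the graph for paths from low-trust triggers to safety-critical actions, including multi-hop chains where one rule's action emits the event another rule listens for. The following is an added example, not IFTTT's code or the author's; every service, trigger and action name, and the trust/impact ratings, are constructed for illustration.

```python
"""Treat IFTTT-style rules as a graph and flag chains in which a low-trust
trigger can reach a safety-critical action. Added example: all service,
trigger and action names and the trust/impact ratings are constructed."""
from collections import deque, namedtuple

# Trust a defender assigns to whoever can fire each trigger (constructed).
TRIGGER_TRUST = {
    "facebook.new_photo": "low",          # social account or leaked OAuth token
    "calendar.event_start": "low",        # shared, remotely editable calendar
    "presence.owner_arrived": "medium",
    "alarm.armed_state_changed": "high",  # only the alarm itself emits this
}
# Impact if an attacker could cause each action (constructed).
ACTION_IMPACT = {"alarm.disarm": "critical", "lock.unlock_front_door": "critical",
                 "alarm.set_mode": "high", "lights.on": "low"}
# Actions that emit an event other rules can trigger on (constructed).
ACTION_EMITS = {"alarm.disarm": "alarm.armed_state_changed",
                "alarm.set_mode": "alarm.armed_state_changed"}
RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}

Rule = namedtuple("Rule", "name trigger action")

def risky_chains(rules, max_trust="low", min_impact="critical"):
    """Return (trigger, [rule names]) for every chain in which a trigger rated
    at or below max_trust reaches an action rated at or above min_impact,
    following events emitted by intermediate actions (BFS, cycle-safe)."""
    by_trigger = {}
    for r in rules:
        by_trigger.setdefault(r.trigger, []).append(r)
    findings = []
    for trig, trust in TRIGGER_TRUST.items():
        if RANK[trust] > RANK[max_trust]:
            continue
        queue, seen = deque([(trig, [])]), set()
        while queue:
            event, path = queue.popleft()
            for r in by_trigger.get(event, []):
                if r.name in seen:
                    continue          # rule already walked from this trigger
                seen.add(r.name)
                chain = path + [r.name]
                if RANK[ACTION_IMPACT[r.action]] >= RANK[min_impact]:
                    findings.append((trig, chain))
                if r.action in ACTION_EMITS:
                    queue.append((ACTION_EMITS[r.action], chain))
    return findings

# Constructed rule set: the post's "photo disarms the alarm" rule plus two
# rules that look harmless alone but form a two-hop path to the front door.
RULES = [
    Rule("photo_disarms_alarm", "facebook.new_photo", "alarm.disarm"),
    Rule("owner_home_lights", "presence.owner_arrived", "lights.on"),
    Rule("alarm_change_unlocks", "alarm.armed_state_changed", "lock.unlock_front_door"),
    Rule("meeting_sets_away_mode", "calendar.event_start", "alarm.set_mode"),
]

if __name__ == "__main__":
    for trig, chain in risky_chains(RULES):
        print(f"{trig} -> {' -> '.join(chain)}")
```

The calendar rule is the instructive case: on its own it only changes an alarm mode, but combined with a rule that reacts to alarm state changes it gives anyone who can edit a shared calendar a path to the front door lock.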
Security Budgets Shift to Respond
Prediction #3 – Corporate security budgets will shift from prevention and detection to response
We’ve long debated where security spend should be focused. Conventional wisdom has shifted in recent years to state that companies must move budget from Prevent to Detect. The logic for this was the near daily reports of data breaches and the realization that the quest to build an impenetrable fortress is now a fallacy. It is not a matter of if a company will be breached, but when. Budget therefore needed to be shifted from entirely preventing the breach to instead quickly detecting it once it had occurred, so that the damage could be mitigated.
Expect 2018 to be the year that the economics are rewritten once again with budget being shifted later in the attack cycle from both Prevent and Detect over to Respond. Two trends will account for this shift. The first is an increasing trend toward legislation mandating data breach response. While breach response laws remain an uncoordinated mess, most states and countries now have them at some level and 2018 will see a big player enter the space as GDPR becomes mandatory.
Beyond legislation, another driver will be the reputational damage that has been done by botched breach responses. We’re at a point where the general public can be quite forgiving in light of a data breach as they’ve become so commonplace. What the public won’t forgive is a sloppy breach response which looks more like a cover-up than an open and transparent disclosure. Look no further than the bungled efforts of Equifax or Uber to understand why every board is now demanding table top breach response exercises to ensure that their company won’t be the next poster child for how not to respond to a data breach.
Tech vs. Gov’t - Round II
Prediction #4 - The privacy debate with device makers will heat up again
An uncomfortable standoff in early 2016 between Apple and the FBI regarding access to a San Bernardino gunman’s iPhone ultimately subsided when the FBI was able to access the phone leveraging a third party hacking tool for which they paid a substantial but undisclosed amount. We knew full well that this was nothing more than a temporary cease fire, with Deputy Attorney General Rod Rosenstein noting in October that “over the past year, the FBI was unable to access about 7,500 mobile devices submitted to its Computer Analysis and Response Team, even though there was legal authority to do so.” The government recognizes that expanding powers to access private data is a sensitive topic in light of what many deem to be past abuses that came to light with the Snowden revelations. Apple has not backed off on its stance and with each new iteration of iOS, Apple continues to add security hurdles to prevent extracting data from an iPhone, even implementing a shortcut to disable biometric unlock capabilities should a user fear that their device is about to be confiscated. As with any political issue, we’re never more than one event away from an effort to sway public opinion, and we have one with Apple being served with a search warrant to access data on the Sutherland Springs shooter's iPhone SE. The US government has also shown that it isn’t backing down on this issue, with phone searches/seizures at border crossings having tripled in the past two years. The cease fire is over and the tech industry will ultimately lose when the US Federal Government introduces legislation forcing technology companies to weaken controls around encrypted data, to permit access by law enforcement.
AR Privacy Concerns
Prediction #5 – Privacy advocates push for restriction on how augmented reality is shared/stored
Facebook’s stunning $2B acquisition of Oculus Rift in 2014 brought the promise of virtual reality (VR) to the forefront, but three years later we’re still waiting for the technology to go mainstream. Augmented reality (AR), on the other hand, is very much ready for primetime. The general public got a taste with the Pokémon Go craze in 2016, and mass adoption is now a reality thanks to Apple’s release of ARKit; Google isn’t about to miss the party as they race to release ARCore. AR superimposes virtual content on an image of the real world. There are also numerous independent AR platforms such as ARToolKit, Wikitude and Vuforia. Microsoft ultimately hopes to do this with eyewear (HoloLens), but for now we’ll have to be content with using our smartphones.
Why is this a privacy risk? In order to determine which digital images to add and where, the phone captures details of your surroundings and sends them to a cloud based AI engine to be analyzed. AR companies also have motivation to encourage users to share AR data captured by their devices in order to improve the experience for all other users, in much the same way that Waze built crowdsourced traffic maps. This time however we’re dealing with a map of the user’s physical surroundings, not just GPS coordinates.
GDPR Moves the needle…and drops the hammer
Prediction #6 – GDPR drops the hammer and begins delivering significant fines for non-compliance – forces companies to scramble to catch up
If you’re not familiar with the EU General Data Protection Regulation (GDPR), you will be. GDPR is an EU data privacy regulation which replaces the EU Data Protection Directive. The goal of GDPR is to “harmonize data privacy laws across Europe, to protect and empower all EU citizens’ data privacy and to reshape the way organizations across the region approach data privacy”. As a regulation, it applies to all EU member nations without separate national legislation and brings with it significant financial penalties for non-compliance. We’ve known for a while that it was on the way, but in 2018, we can no longer procrastinate.
GDPR was first proposed in January 2012 and in April 2016 formally adopted by European Parliament. Since then, companies have had a two-year transition period during which regulations weren’t enforced, but that all changes on May 25, 2018. GDPR is very broad in scope and will impact companies worldwide. GDPR applies to any company that collects or processes data on a person based in the EU and compliance requires implementation and documentation of a variety of security controls. So why is GDPR more important than the multitude of national, local and industry based privacy laws/rules which already exist?
First off, the scope is significant. If you are a company doing any business in Europe you will be impacted regardless of where you’re headquartered. Beyond that, the financial penalties have the potential to be massive. Are companies ready for GDPR? EU based companies have been focused on this for a while but many foreign companies will not meet the deadline. Try shopping with a credit card in the US and count the number of times that you can’t use the chip and PIN functionality because retailers have still not met the Oct. 2015 deadline to support the standard, and you’ll understand that compliance deadlines are just a circle on the calendar. Many companies won’t be ready. The penalty for failing to comply - the greater of “a fine up to 20,000,000 EUR or up to 4% of the annual worldwide turnover of the preceding financial year.” Expect those fines to be real. By year end, someone will be the poster boy for non-compliance.
Fake News - The information war has begun
Prediction #7 – Fake news becomes the new tool of choice for elections and propaganda
We’ve spent plenty of time debating the impact that fake news may or may not have had on the 2016 presidential election, but precious little has changed. No matter what your position on the topic, it’s hard to argue that fake news is not now very real, with Facebook revealing that some 126 million US Facebook users saw content from the Internet Research Agency, the Russian government backed troll farm, over the past two years. That content came from thousands of Russian Facebook accounts, but even more fascinating is the fact that only 11.4 million users saw the content directly. The rest observed it when it was shared by someone else. In short - fake news works. Plant an interesting story and it will be shared regardless of whether or not it’s factual, and the potential reach is enormous.
Calls from US lawmakers to have social networks ban political ads paid for in foreign currency are completely missing the point. This isn’t just a political issue. Trying to prohibit a foreign government from buying political ads is like battling a horde of locusts with a fly swatter. You’ll get a few, but what’s the point? Not only would such rules be easily bypassed, but we should be concerned about any and all decisions being influenced by leveraging the power of social media to push false narratives, regardless of the source.
While the challenges in the US election have been the most widely covered, fake news has played a role in politics around the world including in France, Germany, the Philippines, Myanmar and Kenya. Now that the world has witnessed the power of the process, the floodgates are open. Expect lobbyists, foreign and domestic, to push fake news to further their agenda. Expect criminals to do the same to make a profit by influencing decisions such as stock purchases using pump and dump schemes. This is an enormous problem without a simple solution. Facebook must walk a fine line between doing the right thing and being Big Brother, deciding what we can and cannot see. Even then, Facebook is one platform of many. This problem will require legislative, judicial and industry based solutions. If you need a reminder of how little we’ve done to address the problem, fear not, as a reminder is just around the corner with the US mid-term elections in November 2018. Russia blazed the trail, but everyone will participate in the stampede.
Vigilante hacking gets personal
Prediction #8 – Vigilante hacks escalate
We previously received a taste of vigilante hacking with the Ashley Madison and Hacking Team breaches in 2015. In both cases, the motivation appears to have been to embarrass or even bankrupt the companies, but not for extortion. As we move into an increasingly hostile political and social climate, expect vigilante attacks against individuals as opposed to corporations. 2017 has become the year that abhorrent sexist behavior by powerful men is no longer being tolerated and investigative journalism is uncovering allegations that are justifiably ending careers. Likewise, politics has reached a new level of aggression with a newfound willingness to dig up dirt on political opponents at any cost. In both situations, hacking is a powerful tool and those wielding it will believe that the end justifies the means. Suspect that the whispers about a settlement in a sexual misconduct case may be true? What better way to bypass the NDA signed by the victim than to dig up evidence from the perpetrator’s email account? Politician not comfortable disclosing his tax returns? Who needs a lobbyist when there are hackers for hire?
Malware campaign Turing test
Prediction #9 – We see our first malware attack engineered with artificial intelligence
In my 2017 security predictions, I discussed how hackers would leverage machine learning to scale and more efficiently analyze the mass quantities of data involved in cyberattacks. While hackers tend not to share their methodologies, we have already seen anecdotal evidence that machine learning is indeed helping drive the targeting used in Business Email Compromise (BEC) scams, whereby corporate executives are social engineered via targeted email messages. AI/ML is quickly becoming accessible to a broad array of developers thanks to the many cloud based AI/ML platforms that have emerged. Using ML to pre- or post-process large datasets is the first step. The next evolution will involve leveraging AI to actually drive a large-scale attack that is capable of adapting and altering tactics throughout. AI will also permit attacks to scale far beyond what humans are capable of, as researchers from ZeroFox demonstrated at Black Hat 2016 by pitting a human against an AI driven Twitter bot. The victor in this human/machine battle would be the contestant that social engineered the most Twitter followers into clicking on a URL. The bot won handily.
AI has evolved to the point where it will be used in cyberattacks for more than just data processing. 2017 saw a number of major malware campaigns. From the return of Locky to NotPetya and BadRabbit, ransomware once again ruled the day, but largely followed traditional propagation techniques, leveraging known exploits and static social engineering email messages. Expect this to change in 2018 when we observe our first mass malware campaign leveraging social engineering driven not by a human, but an AI engine.
SSN - Dead man walking
Prediction #10 – 2018 is the turning point for the retirement of the social security number
The Equifax breach was appalling from a variety of angles. The data breach response couldn’t have been handled more poorly, the scope was massive and the damage was permanent. In the Target, Home Depot, Neiman Marcus and [insert retailer here] breaches, consumers didn’t feel pain, as credit/debit cards can easily be replaced and fraudulent spending is reimbursed. I was impacted in the Target breach and received an email notice one day and a new debit card the next - problem solved. The Equifax breach was very different as it included Social Security Numbers (SSN). You can quickly get a new debit/credit card whenever you need one, but you're stuck with an SSN for life. Unfortunately, the US credit system is addicted to SSNs as a primary identifier. If there’s one silver lining to the Equifax breach, it’s the fact that we received a painful lesson in just how dangerous the practice of leveraging a static identifier for credit truly is.
At this point, the vast majority of SSNs are compromised and we can no longer rely on them (nor should we have previously). Fortunately, some politicians are listening and in November the Senate Commerce Committee questioned various current/former CEOs of companies hit by data breaches to find a solution to the problem. A recurring theme in that hearing, one that even former Equifax CEO Richard Smith agreed with - SSNs need to go. White House Cybersecurity Coordinator Rob Joyce has gone on record stating that it’s time to find a better way.
The writing is on the wall, but it will take a long time to fully eradicate SSNs from the credit process. A number of countries have begun implementing electronic national ID cards which lean on technology to solve the problem by replacing static numerical identifiers with digital certificates that can be dynamic in nature and revoked/replaced as needed. This one will take time but expect to see federal legislation in 2018 to [finally] get the ball rolling.