HACKERS ARE NOTHING if not persistent. Where others see obstacles and quit, hackers brute-force their way through barriers or find ways to game or bypass them. And they’ll patiently invest weeks and months devising new methods to do so.
There’s no Moore’s Law for hacking innovation, but anyone who follows cybersecurity knows that techniques get bolder and more sophisticated each year. The last twelve months saw several new trends and next year no doubt will bring more.
Here’s our take on what to expect in 2016.
Following the Sony hack in late 2014, we predicted that hacker shakedowns would increase in 2015. By shakedown, we were referring not to standard ransomware attacks, whereby malware encrypts or otherwise locks access to a victim’s computer until the victim pays a ransom. We meant extortion hacks where attackers threaten to release sensitive company or customer data if the victim doesn’t pay up or meet some other demand. With these attacks, even if you have backed up your data and don’t care that hackers have locked you out of your system, public release of the data could ruin you and your customers.
There’s just one problem with tracking such attacks. If the victim caves and does pay, the public may not know extortion occurred. We do, however, have at least two extortion hacks on record for 2015: the Ashley Madison hack, which took down a CEO and exposed possibly millions of would-be cheaters to public ridicule and worse; and the hack of InvestBank in the United Arab Emirates, which resulted in the exposure of customer account information. Extortion hacks play to the deepest fears of companies and executives—if not handled well, company secrets are exposed, customers file lawsuits, and executives lose their jobs. Expect such attacks to become more prevalent in 2016.
In testimony this year, James Clapper, the director of national intelligence, told Congress that cyber operations that change or manipulate digital data in order to compromise its integrity—instead of deleting or releasing stolen data—are our next nightmare. Mike Rogers, head of the NSA and US Cyber Command, said the same thing. “At the moment, most [of the serious hacks] has been theft,” Rogers said. “But what if someone gets in the system and starts manipulating and changing data, to the point where now as an operator, you no longer believe what you’re seeing in your system?”
Data sabotage can be much more difficult to detect than the kind of physical destruction caused by Stuxnet. That’s because data alterations can be so slight yet have enormous consequences and implications. Anyone remember the Lotus 1-2-3 bug back in the 90s that would produce accounting miscalculations in spreadsheets under certain conditions? That was an unintentional error. But attackers could get into financial and stock-trading systems to alter data and force stock prices to rise or fall, depending on their aim.
Certain types of data manipulation could even result in deaths. In 1991 a Patriot missile in Saudi Arabia during the first Gulf War failed to intercept an incoming Scud missile due to a software glitch in the weapon’s control computer, allowing the Scud to hit an Army barracks and kill 28 soldiers. Again, this was an unintentional bug. But Chinese spies have invaded numerous US defense contractor networks in the last decade, raising concern among US military officials that they’re not just stealing blueprints to copy weapons, but might also alter or insert code to sabotage the integrity of weapons systems and change how they operate.
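The integrity problem described above is the one defenders can actually instrument: if records carry a keyed tag, a one-cent edit is as detectable as a wholesale deletion. The following is an added example, not code from the article or from any of the systems it mentions, of a chained HMAC over ledger records with a verifier that reports the first record that no longer matches. The key, the record layout and the `verify_records`/`seal_records` names are assumptions made for the example; in a real deployment the key would be held outside the database so that whoever can edit rows cannot also re-seal them.

```python
import hmac
import hashlib
import json

# Constructed sample records of the kind a financial system might hold (not real data).
RECORDS = [
    {"id": 1, "account": "ACME-001", "amount": "1000.00", "type": "credit"},
    {"id": 2, "account": "ACME-001", "amount": "250.00", "type": "debit"},
    {"id": 3, "account": "ACME-002", "amount": "99.99", "type": "credit"},
]

# Hypothetical integrity key. In practice it lives in an HSM or KMS, separate from
# the database, so a database compromise alone cannot forge tags.
INTEGRITY_KEY = b"example-only-integrity-key-not-for-production"


def canonical(record):
    """Serialize a record deterministically so identical content always gives identical bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def seal_records(records, key=INTEGRITY_KEY):
    """Attach a chained HMAC tag to every record.

    Each tag covers the record's own content plus the previous record's tag, so
    editing, deleting or reordering any record invalidates every tag after it.
    """
    sealed = []
    prev_tag = b""
    for rec in records:
        tag = hmac.new(key, prev_tag + canonical(rec), hashlib.sha256).hexdigest()
        sealed.append({**rec, "tag": tag})
        prev_tag = tag.encode()
    return sealed


def verify_records(sealed, key=INTEGRITY_KEY):
    """Return (True, None) if the chain is intact, else (False, id of the first bad record)."""
    prev_tag = b""
    for rec in sealed:
        body = {k: v for k, v in rec.items() if k != "tag"}
        expected = hmac.new(key, prev_tag + canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, rec.get("tag", "")):
            return False, rec.get("id")
        prev_tag = expected.encode()
    return True, None


def tamper_demo():
    """Seal the sample ledger, then change one amount by a cent and re-verify."""
    sealed = seal_records(RECORDS)
    ok, _ = verify_records(sealed)
    altered = [dict(r) for r in sealed]
    altered[1]["amount"] = "250.01"   # the kind of subtle edit the article warns about
    bad, first_bad = verify_records(altered)
    return ok, bad, first_bad


if __name__ == "__main__":
    print(tamper_demo())   # expected: (True, False, 2)
```

The chain is what makes reordering and deletion visible as well as in-place edits; a per-record tag alone would let an attacker drop a transaction without leaving a trace. The verifier stops at the first mismatch, which is also the natural place to start a forensic comparison against backups.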
Any time the security community closes one avenue of attack, hackers adapt and find another. When retailers stopped storing customer credit card numbers and transactions in databases, hackers sniffed their networks to grab the unencrypted data live as it was sent to banks for authentication. When retailers encrypted that live data in transit to prevent sniffing, attackers installed malware on point-of-sale readers to grab data as the card got swiped and before the system encrypted the numbers. Now banks and retailers have begun rolling out new chip-and-PIN cards to thwart hackers once again.
The cards contain a chip that authenticates the card as a legitimate bank card and also generates a one-time transaction code with each purchase, preventing hackers from embossing stolen data onto fake cloned cards to use for fraudulent purchases in stores. But this won’t stop fraud altogether; it will simply shift from brick-and-mortar stores to online retailers. In the UK, where chip-and-PIN cards have been used since 2003, card-present fraud—transactions done in person—has dropped. But fraud for card-not-present transactions—those completed over the phone or online—increased from 30 percent to 69 percent of total card fraud between 2004 and 2014, according to the UK Payments Administration. Neither a PIN nor a signature is required when customers use their cards online, so simply stealing card numbers is sufficient for this kind of fraud. Expect those online fraud numbers to rise in the US as well.
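To make concrete why a one-time transaction code defeats cloned cards but does nothing for a card-not-present purchase, here is an added, deliberately simplified model of a chip and its issuer; it is example code, not the EMV specification and not code from any bank or card network. The chip holds a per-card secret key and a transaction counter, signs each purchase with an HMAC, and the issuer rejects any code whose MAC does not verify or whose counter it has already seen. The card number, key, and the `ChipCard`/`Issuer` names are constructed for the example; real cards use block-cipher MACs under keys derived per transaction, but the logic that matters here (secret never leaves the chip, counter prevents reuse) is the same.

```python
import hmac
import hashlib

# Constructed example values (a test-range number and a made-up key; not real card data).
CARD_PAN = "4111111111111111"
CARD_KEY = b"per-card-secret-example-key"   # assumption: provisioned in the chip, never exported


class ChipCard:
    """Simplified chip: a secret key plus an application transaction counter (ATC)."""

    def __init__(self, pan, key):
        self.pan = pan
        self._key = key
        self.atc = 0

    def cryptogram(self, amount_cents, merchant_id):
        """Produce a one-time code for this purchase; the counter makes every code distinct."""
        self.atc += 1
        msg = f"{self.pan}|{self.atc}|{amount_cents}|{merchant_id}".encode()
        mac = hmac.new(self._key, msg, hashlib.sha256).hexdigest()[:16]
        return {"pan": self.pan, "atc": self.atc, "amount": amount_cents,
                "merchant": merchant_id, "mac": mac}


class Issuer:
    """Bank side: knows each enrolled card's key and the highest counter seen so far."""

    def __init__(self):
        self._keys = {}
        self._last_atc = {}

    def enroll(self, pan, key):
        self._keys[pan] = key
        self._last_atc[pan] = 0

    def authorize(self, tx):
        """Return 'approved' or a reason code for a card-present transaction."""
        key = self._keys.get(tx["pan"])
        if key is None:
            return "unknown card"
        msg = f"{tx['pan']}|{tx['atc']}|{tx['amount']}|{tx['merchant']}".encode()
        expected = hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]
        if not hmac.compare_digest(expected, tx["mac"]):
            return "bad cryptogram"        # no valid key behind this code
        if tx["atc"] <= self._last_atc[tx["pan"]]:
            return "replayed counter"      # a code captured earlier and resubmitted
        self._last_atc[tx["pan"]] = tx["atc"]
        return "approved"


def demo():
    """Genuine purchase, a replay of its code, and a card built from skimmed static data."""
    issuer = Issuer()
    issuer.enroll(CARD_PAN, CARD_KEY)
    card = ChipCard(CARD_PAN, CARD_KEY)

    tx = card.cryptogram(1999, "SHOP-42")
    first = issuer.authorize(tx)
    replay = issuer.authorize(tx)
    # Data copied from a stripe or a breach includes the PAN but not the chip's key,
    # so a card made from it cannot produce a code the issuer will accept.
    copied = ChipCard(CARD_PAN, b"not-the-real-key")
    cloned = issuer.authorize(copied.cryptogram(1999, "SHOP-42"))
    return first, replay, cloned


if __name__ == "__main__":
    print(demo())   # expected: ('approved', 'replayed counter', 'bad cryptogram')
```

Note what the issuer never checks: an online order carries no cryptogram at all, only the PAN, expiry and the printed security code, which is exactly why the article expects fraud to migrate to card-not-present channels rather than disappear.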
Many say that 2015 was the year of the Internet of Things, but it was also the year the Internet of Things got hacked. Connected cars, medical devices, skateboards, and Barbie dolls were just a few of the items shown to be vulnerable to hackers this year.
If 2015 was the year of proof-of-concept attacks against IoT devices, 2016 will be the year we see many of these concept attacks move to reality. One trend we’ve already spotted is the commandeering of IoT devices for botnets. Instead of hackers hijacking your laptop for their zombie army, they will commandeer large networks of IoT devices—like CCTV surveillance cameras, smart TVs, and home automation systems. We’ve already seen CCTV cameras turned into botnet armies to launch DDoS attacks against banks and other targets. It can be harder to know when your connected toaster has been enlisted in a bot army than it is with a desktop computer or laptop.
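The detection gap noted above is partly tractable because IoT devices are boringly predictable: a camera normally talks to one cloud relay, not to hundreds of web servers. The following is an added example, not from the article or any vendor, of a baseline check over constructed flow records that flags a device whose outbound destinations or packet volume no longer fit its expected profile. Device names, addresses, the allow-list and the thresholds are all assumptions chosen for the illustration.

```python
from collections import defaultdict

# Constructed flow records (device, destination IP, destination port, packets); not real traffic.
FLOWS = [
    ("cctv-01", "203.0.113.10", 443, 120),   # normal: its cloud relay
    ("cctv-01", "203.0.113.10", 443, 98),
    ("smart-tv", "198.51.100.7", 443, 300),
    ("cctv-02", "192.0.2.5", 80, 4000),      # bursts to hosts it has no business contacting
    ("cctv-02", "192.0.2.6", 80, 4200),
    ("cctv-02", "192.0.2.7", 80, 3900),
    ("cctv-02", "192.0.2.8", 80, 4100),
]

# Hypothetical baseline: the destinations each device is expected to reach.
EXPECTED = {
    "cctv-01": {"203.0.113.10"},
    "cctv-02": {"203.0.113.10"},
    "smart-tv": {"198.51.100.7"},
}


def find_suspect_devices(flows, expected, max_new_dsts=2, max_pkts=5000):
    """Return {device: [reasons]} for devices whose outbound traffic deviates from baseline.

    Two signals are combined: contacting several destinations outside the allow-list,
    and sending more packets in the window than a device of its kind ever should.
    """
    dsts = defaultdict(set)
    pkts = defaultdict(int)
    for dev, dst, _port, n in flows:
        dsts[dev].add(dst)
        pkts[dev] += n

    suspects = {}
    for dev in dsts:
        reasons = []
        unexpected = dsts[dev] - expected.get(dev, set())
        if len(unexpected) >= max_new_dsts:
            reasons.append(f"{len(unexpected)} unexpected destinations")
        if pkts[dev] > max_pkts:
            reasons.append(f"{pkts[dev]} packets in window")
        if reasons:
            suspects[dev] = reasons
    return suspects


if __name__ == "__main__":
    for dev, why in find_suspect_devices(FLOWS, EXPECTED).items():
        print(dev, "->", "; ".join(why))
```

An allow-list per device class is cheap to maintain precisely because these devices have so few legitimate destinations; the same check against a laptop would drown in false positives.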
The year ended with a startling revelation from Juniper Networks that firmware on some of its firewalls contained two backdoors installed by sophisticated hackers. The nature of one of the backdoors—which gives an attacker the ability to decrypt protected traffic running through the VPN on Juniper firewalls—suggested a nation-state attacker was the culprit, since only a government intelligence agency would have the resources to intercept large amounts of VPN traffic in order to benefit from the backdoor. Even more startling was news that the backdoor was based on one attributed to the NSA.
There’s no evidence yet that the Juniper backdoor was installed by the NSA; it’s more likely that an NSA spying partner—possibly the UK or Israel—or a US adversary installed it. But now that companies and researchers know for certain what such a backdoor would look like in their system and how it would operate, expect more backdoors to be uncovered in 2016 as companies closely scrutinize their systems and products. And despite the fact that the Juniper incident shows that backdoors intended for US law enforcement and intelligence agencies can be subverted by others for their own malicious use, don’t expect the FBI and NSA to give up on their quest for encryption backdoors in 2016.