Well, if you thought you had it rough in 2014 because of big, bad Poodles and an irritating case of Heartbleed, things only got worse this year. Rather than intrusions permeating our IT systems and stealing our data, attacks got a bit more personal in 2015. Not only were privacy and civil liberties put at risk by legislators pushing overbearing rules based on an underwhelming knowledge of computers, but hackers and security research were squarely in the crosshairs of government and law enforcement. It was a rough year.
What’s ahead? Who knows? Who saw Wassenaar coming? Or Going Dark? Or backdoors in enterprise networking gear? Nonetheless, 2016 can be better with some prep work against a best guess of what we might be in for as the new year turns.
Security researchers and advocates have certainly grown up in the last two years. Emerging from the shadows of SOCs and IT labs, researchers, spurred on by the assault on crypto, privacy and the overall integrity of legitimate hacking, have evolved into a tidy and effective group of activists. Hopefully this trend continues, because with legislators and law enforcement convinced that things like CISA and Wassenaar and exceptional access are good ideas, there need to be more voices from the security wilderness. Many of you have stood up and shouted about the lunacy of some of these ideas, and in the case of Wassenaar, for example, a spate of rational, well-thought-out comments put a temporary halt to the U.S. implementation of the rules. This was a victory that can be emulated on many fronts in 2016.
Brush off securing the Internet of Things as a fad, tomorrow’s problem, perhaps. But that’s foolhardy. Against the kicking and screaming of those who know better, we continue to embed tiny, networked computers in just about everything without clearly mapping out security and privacy implications. Just like mobile and client-server architectures before it, IoT has been rushed to market and security is flailing its arms desperately trying to catch up. Thankfully, we had our first inflection point in 2015 demonstrating the need to slow down—literally. Charlie Miller and Chris Valasek’s car-hacking research put a real face on the problem of IoT security. Their ability to remotely manipulate a moving automobile’s controls forced a recall of 1.4 million vehicles, and in the bigger picture, caused an entire industry to stand up and take notice.
Predicting at the start of 2015 that there would be a major health care data breach was a cakewalk. Five weeks into the year and we had Anthem, and shortly thereafter CareFirst Blue Cross. Health care data is the new hacker black, and attackers are taking advantage of organizations still behind in securing patient data and electronic health care systems. For next year, shudder to think it, but cybercriminals are going to continue to target personal data in a big way, and they’re going to go younger. We’ve already seen VTech and Hello Kitty breaches impacting the personal data of tens of thousands of children, giving hackers a long shelf life of identities to be exploited for fraud. Expect more of it in 2016.
Now that mobile payment services like Apple Pay and Google Wallet have turned your smartphone into an extension of your wallet and bank accounts, expect hackers to turn out en masse against these systems. The juicy target for hackers may not be on the transaction side of mobile payments, but in the personal payment card data that lives on your device. An attacker with access to that data is a short hop away from being able to spoof your identity and payment data, and this is a shortcoming that needs to be addressed next year.
Advanced persistent threats, a.k.a. sophisticated nation-state sponsored targeted attacks, a.k.a. China/Russia/the NSA, aren’t necessarily going away, but they are going to look different. Researchers at Kaspersky Lab say APT gangs are making strategic and tactical changes to their activities—likely since so many have been outed in the past 24 months. Expect to see more attacks with roots in memory-resident or fileless malware, Kaspersky says. APTs will be harder to detect because there will be fewer cookie crumbs for investigators to follow. The security company also said that APT gangs have likely invested enough in building custom malware and rootkits, and that commodity attacks will be repurposed more often.
Is there a more creative hacker than Samy Kamkar? He’s been around for a long time, but it’s likely he’d be hard-pressed to remember a year when he had as much fun tackling new problems. Very few hackers can say their resume includes the use of a child’s messaging toy to open garage doors on a whim, or gaming vehicles’ OnStar systems to gain persistent access to vehicles. Throw in his take on the ProxyGambit attack, and Rolljam, another device that steals vehicular lock codes, and Kamkar had a busy year. Predicting what’s next is a crapshoot, but nothing in the IoT universe seems out of reach.