What does the New Year hold for information security, malicious software, consumer privacy and cybercrime? Questions of this mature are posed by journalists toward the end of every year and, beginning about November, answers from security specialists start to appear in print. Indeed, ESET researchers in Latin America published a 20-page white paper on this topic a few weeks ago: Trends for 2013: astounding growth of mobile malware.
No prizes for guessing what our colleagues below the equator think the biggest trend of 2013 will be (but continued growth of malware targeting mobile devices in not the only prediction they make and I urge you to read the white paper).
For this first week of the the New Year I have pulled together further predictions for 2013 from my fellow bloggers at ESET.
This prediction comes first because it is likely, in my assessment, to drive a lot of cybercrime and other malicious activity in 2013. The processes behind accelerated malware development have been in place for some time and we have talked about them here on the blog as the industrialization of malware. What this means for 2013 is more innovation in all aspects of malware: distribution, infection, exploitation, and monetization. Of course, this innovation will add to, not replace, the ongoing deployment of existing malware technology. So, even as we work to defeat new threats, we will not be able to let down our guard in other areas (for example, an increased use of compromised websites for drive-by infections will not mean that we can stop defending against old-fashioned autorun infections via removable media like USB flash drives).
My colleague Cameron Camp sees targeted attacks ramping up in 2013 to steal trade secrets that can be used to create competitive products and service. Let’s face it, if your company didn’t have to spend so much money on researching and testing products and/or service you could make it to market much cheaper and quicker. That’s exactly what the bad actors are trying to do. If your competitor had to spend $1M doing the real heavy lifting of research, versus renting out a targeted attacker’s time and skills for $50K, the math gets very compelling in favor of taking the low road and cheating.
So how do you protect yourself against those who are tempted to take the low road? Cameron recommends Defense-in-depth: don’t put your digital “crown jewels” just one level deep from the public Internet. If you do, thieves only have to penetrate one defense before you have big problems. A better plan is to have them locked away on a private network with minimal (or no) external /Internet access. Private networks are easy to set up. But start by calculating the total “heartache factor” and bottom line hit your organization would face if your critical data got stolen and assign a monetary number to it. If that number is high, it gets easier to justify more defensive architecture and risk mitigation planning, so pick your number and then make plans for how involved you want to get.
Technologies like Java, Flash, and others are being prodded and poked by scammers looking for a way into your systems. If bad actors are able to exploit a Java vulnerability and gain access to your system, it may by-pass protections on the Operating System itself. Last year’s outbreak of OSX/Flashback on the Mac exploited Java, not Apple’s OS X operating system, and took advantage of a lack of patching, prompting numerous out-of-band patches, that is, patches which are not handled by the underlying OS patch cycle.
In short, it’s easy to forget (or not plan) to patch all the code your systems are running, and then have a fresh batch of troubles when a new vulnerability appears in the bad guy arsenal. The good news is that you can reduce the likelihood of problems by limiting the number of end points that have access to these vulnerable technologies. If possible don’t install them in the first place, or remove if not needed. If your endpoints need them to get their job done, then work on automating the updates to the newly narrowed pool of those who need it. By doing these two things, you reduce your potential attack surface considerably.
We think there will be more discoveries of malware that spreads in new ways in 2013. Early in 2012 we saw Linux/Hydra.B, malicious code that attempts to create a network of zombie devices using non-traditional, embedded operating systems such as those found in IP surveillance cameras, home routers, VoIP (Voice over IP) systems, smartphones and tablets. Estimates of the number of devices affected range from 11,000 to 18,000.
Later in the year we saw Linux/Chapro.A installed as a malicious Apache module. ESET researchers are still examining this threat and it is not clear who was placing this module on Linux servers. Were server owners complicit? Was weak physical security to blame for bad actors getting access to the server to install this code? Could this be a new style of pay-per-install scheme? Stay tuned in 2013.
We predict continued expansion of malware efforts in three areas: Linux, Android, and Java. Most readers probably know that Linux is an operating system found on a large number of digital devices besides web servers. Android is an operating system that can be used on more than phones and tablets. Java is a widely deployed programming language and a key pillar of the Android operating system. These three technologies are installed on everything from computers to TV sets to DVD players to set-top cable boxes. Increasingly these devices process personal and financial data (for example, last night I used my Amazon account to rent a movie through my DVD player, which now knows my Amazon password, the key to a bunch of my personal financial data). Again, stay tuned for emerging threats in this area in 2013.
David Harley thinks it’s a safe bet that there will be more attacks on digital aspects of infrastructure in 2013 and many other researchers concur. These aspects could be active sabotage but there may be more instances of ‘enemy action’ that turns out not to be due to sabotage. (Sometimes the cockup theory is worth a second look, even if cyberwarfare gets more media attention and is likelier to harvest some government funding for remediation.)
The hidden 90% of the infrastructure attack iceberg is likely to be more along the lines of espionage, backdoor monitoring of the state of essential utilities with a view to future malicious action, should it become advantageous. There might even be occasional (further) instances of pre-installed, currently latent malware. The SCADA scene being what it is, we may not become aware of such breaches until direct malicious action is identified locally or there’s some crossover with non-SCADA sites, as happened with Stuxnet. (Sorry, we were hoping not to mention Stuxnet… ) So this observation is essentially hypothetical, given the increasing awareness of SCADA/ICS vulnerabilities.
Anyone interested in this corner of the malware world should probably be paying attention to the ICS-CERT website. On the positive side, there are some very security-aware people working in the SCADA security, though they tend to be somewhat defensive in conversations with the security community at large. They have a point, though: security mavens with no great expertise in SCADA do sometimes tend to pontificate about ICS issues as if it didn’t have its own special problems and issues.
As a sidebar, David points to an increasing awareness of the possibility – he won’t say probability – of exploiting security weaknesses in medical technology. Don’t be surprised to see some movement towards revised legislation in the US to take account of the risks of unsecured, unencrypted wireless communication with devices such as insulin pumps and pacemakers (particularly now this attack surface has been dramatically portrayed in the much-watched Showtime original series Homeland.
Aryeh Goretsky thinks that Windows 8, like any new version of Microsoft Windows, is going to be heavily examined in 2013, by researchers evaluating its resistance to attack, as well as people looking to exploit any security weaknesses, such as criminal hackers desiring to steal money or resources (not to mention nation states looking for means to monitor, or even attack, their adversaries). As Microsoft has made the Windows operating system more secure, Aryeh thinks we may see more social engineering-based attacks, which trick users into bypassing the operating system’s security mechanisms in order to run malicious code.
One path these attacks might take is to exploit the very novelty of the new Modern Windows 8 Store interface, which looks very different from the traditional Windows desktop interface. The new look–formerly known as Metro design language–may cause confusion about what are, and are not, legitimate messages from the operating system. Look for attackers to try and exploit that confusion.
The addition of new hardware sensors in Windows 8 slate devices is another area potentially open to abuse: Thermometers, accelerometers, GPS are all sensors which allow a computer to interact with its physical environment, but what happens when data from those sensors is abused, falsified or otherwise manipulated for malign intent?
Another target is the developers of Windows 8 applications. While targeting software or hardware developers is nothing new (the Win32/Induc infector specifically targeted developers using the Delphi IDE, and the Stuxnet worm contained digital certificates stolen from different hardware manufacturers), the introduction of the Windows Store in Windows 8 for purchasing and downloading software makes targeting developers using it more attractive for an attacker. For more information about Windows 8 security, see A white paper: Windows 8’s Security Features and Windows 8: there’s more to security than the Operating System in the ESET Threat Blog.
At the end of 2011, Cameron Camp raised concerns about data mining, looking for patterns in large data sets. In 2012, we read that the web analytics company Compete had settled Federal Trade Commission charges over its data collection practices. Clearly, the FTC thinks data mining companies should be much more transparent about what they do with your information, and many consumers agree (our infographic showing the diversity of data that Google could potentially mine was one of the most widely shared posts on the ESET blog this year).
That infographic was prompted by a change to Google’s privacy policies. Such changes caused waves of discussion through the entire year, which was notable for a long string of privacy apologies after a variety of surreptitious data collection practices came to light. The cavalier attitude to address book information displayed by the mobile social network Path was just one of many such incidents. Recently we saw a ton of discussion about changes to the terms of service at Instagram, one of 2012′s fastest growing social networks with over 100 million users.
For consumers, the implication of current trends in data mining is to be mindful of the potential abuse of personal information before agreeing to hand it over, and before placing it online in such a way that it might be turned over without your consent. For businesses, the lesson seems to be that transparency is the best policy, at least if you want to avoid outbreaks of outrage or you have an aversion to making very public apologies.
David Harley thinks it’s likely that the classic tech support cold-call scam – “we’re ringing to tell you that you have a virus, but if you give us remote access to your PC and your credit card details, we can fix it for you” – will continue to decline in its present form: cold-calling from Indian call centers using fairly stereotyped social engineering. Why? Mounting legal pressure from the Federal Trade Commission and its associates, and from other coalitions of security groups, law enforcement and so on.
The increased popular awareness of this particular scam will probably also help to reduce its profitability. However, David thinks there will be continuing diversification into types of scam that are, so far, less definitively defined and not so widely recognized – mortgage and other loan scams, refund scams, survey scams and so on. They will, however, probably continue to follow the more general call-center trend towards migrating to other regions, especially the Philippines, where the characteristic accent and idiom is more in tune with the North American ear.
The US and Canada constitute one of the largest pools of potential victims who may still be “under-exposed” to the scam relative to smaller populations of English speakers. While personnel in the Philippines are better-paid, there is a trade-off against the fact that call-centre staff in India tend to have a very distinctive accent that people in the US often have difficulty in understanding, while other English-speaking nations are increasingly associating cold-callers with that accent with scamming.
When Aryeh Goretsky wrote about the following type of scam email in 2012 it became one of our most frequently read blog posts. We think this scam is likely to continue into 2013. Here is an edited and abbreviated version of the scam:
We are [Domain Registration Service]. Here I have something to confirm with you. We formally received an application on [alleged date of application] that a company [whatever] to register [your company name, or a version of it] as their Net Brand and some domain names through our firm.
We found the name was similar to your company’s, so we need to check with you whether you authorized that company to register these names. If so, we would finish the registration at once. If you did not authorize, please let us know within 7 workdays, so that we could handle this issue better.
Of course, if the victim responds to this, the scammer’s advice is that you register the names with them so that no-one else can. And of course, it will cost, though the cost is usually not big enough to raise a Big Red Flag, even at audit. As both Aryeh and David Harley point out, these scams aren’t new and they aren’t likely to be effective against a well-organized enterprise with a well-defined communication channel to sound legal advice. However, smaller enterprises where a few individuals wear many hats are more vulnerable. Furthermore, even larger organizations where there’s no clear policy as to who should be handling the issue can and do fall into the trap.
We expect to see less Mitt Romney in the news in 2013, but the story of the 2012 Presidential candidate’s tax returns being exposed via a combination of physical break-in and network hacking served to remind us that physical security is an oft-neglected aspect of safeguarding digital information and the systems that store and process it. The fact that the incident turned out to be something of a hoax does not undermine its awareness-raising value (just ask the folks at the Franklin office of PriceWaterhouseCoopers, just outside of Nashville, how much hair-pulling and scrambling they had to do when the news broke).
Computer security veteran Mich Kabay wrote an interesting piece highlighting importance of physical security in the summer of 2012 and there are plenty of reasons to think this topic will be trending up in 2013. Consider just one: Risk displacement. The more we do to button up digital security, the more likely it is that the bad guys will consider alternative attacks. One can argue that in 2012 we saw a trend toward more reliance on social engineering to spread malware as the malware writers grappled with the challenge of writing successful 64-bit infectors. As organizations build up their defenses against targeted attacks, including security awareness training to help employees avoid becoming victims of social engineering, it is reasonable to predict more bad guys will resort to targeted physical attacks. After all, why bother trying to hack your way into a CEO’s firewalled, AV-protected and encrypted laptop if he leaves it unattended in his favorite coffee shop at the same time every week day, while he orders his morning caffeine fix?
David Harley predicts that someone, either a purveyor of a competing technology, a biggish name from the mainstream security industry, or a self-proclaimed expert, will predict that antivirus is dead because it only detects viruses, and only known viruses at that. Whereupon at least one AV guru will point out that:
Despite that last prediction, rest assured that in 2013 ESET’s security researchers will continue their fight against malicious code and malicious people seeking to abuse and exploit your digital assets. Just as ESET product developers will continue to refine the company’s award-winning security products, we here on the blog will continue to bring you the best information we can gather about threats to your security and privacy. We wish you all the best in 2013!