A buffet of 2014 security and privacy predictions

Have you been wondering what trends in security and privacy ESET researchers are predicting for 2014? The following is a sampling, a year-end snack plate if you will. (Later in the month we will also be serving a main course of 2014 predictions in the form of a whitepaper from our colleagues in Latin America.)

Perennial readers of the ESET blog will know researchers do not relish making predictions, and yet each year we make them. Why? Because some people ask nicely, and because there is some practical value in looking ahead at where future attacks on information systems might come from, and in what form. Sometimes we name trends that are already in motion, like Bring Your Own Device, which has been a trend for several years. But we only draw attention to an ongoing trend if we think its persistence has implications for security and privacy (for example, one of our researchers sees the increasing diversity of cheap smartphones adding to the BYOD challenge).

2014 predictions

First up is ESET Distinguished Researcher Aryeh Goretsky, who predicts that, as locked-down computing environments such as iOS and Windows RT come to the fore, we will see criminals increase their focus on identity theft. In other words: “Why 0wn the computer when you can 0wn the p3rs0n?”

Aryeh also observes that, while biometric authentication, such as a fingerprint reader, has largely been a feature of corporate computers, we now have the first widespread consumer computing device to incorporate this technology, the Apple iPhone 5s, and we will begin to see fingerprint sensors become increasingly common in other consumer computing devices. Aryeh suggests we will see this first at the higher “prosumer” end of the market, and then increasingly in less expensive devices as the cost of sensors decreases. Low-end devices will still probably not have these in 2014, partly because of cost and partly for market segmentation reasons.

A third Goretsky prediction is that research into UEFI rootkits will continue, and we will probably see a handful of proof-of-concept demos, largely device- or manufacturer-specific and resulting from flawed implementations of the standard, from improper key management by manufacturers, or both.

Weighing in from the Netherlands, ESET Senior Research Fellow Righard Zwienenberg predicts that the trend for Bitcoin to become more and more popular and valuable will continue. However, illicit Bitcoin-miners as well as Bitcoin-stealers will also increase. Righard suggests that, as Bitcoins become more valuable, and because they are untraceable, operators of ransomware scams will increasingly demand payment in Bitcoin.

Righard also thinks 2014 will see a gradual increase in IPv6 installations, along with the associated implementation faults, some of which will allow networks and systems to be taken over.

A third Zwienenberg prediction is that the BYOD trend will get even larger due to more and cheaper (non)branded devices, making CYOD more needed than ever (see ‘From BYOD to CYOD: Security issues with personal devices in the workplace’). Consequently, there will still be a big need to convince people of the right device policies and security measures.

Weighing in from the redwood forests, ESET security researcher Cameron Camp predicts that the convergence of payment systems on smartphones and other mobile devices will increase their value as a target, and scammers will spend more effort on financial fraud aimed at these platforms.

Cameron also sees nation states moving closer to drafting digital truces between trading partners in response to escalating tensions and the underlying need to continue strong trade in a semi-protected fashion. This is analogous to naval trade routes, where protecting cargo vessels carrying goods was deemed critical for semi-open worldwide trade, and therefore subject to various safe harbors, rules of engagement, etc.

Mr. Camp also predicts a year-long escalating cat-and-mouse game between anonymizing technologies (and related crypto products) and those who try to break into them in various fashions and with various motives. This will result in a bevy of new and novel technologies hitting the streets in an attempt to reclaim some modicum of the expectation of private communication, for better or worse (depending on one’s point of view).

ESET security researcher Lysa Myers sees the use of DDoS as a means of protest continuing to grow, particularly by people unhappy with the surveillance activities of governments and with events in the Middle East. Indeed, Lysa predicts a lot of hacking as well as DDoS for activist purposes in 2014, so expect a lot of attacks against high-profile, controversial targets, especially national and local governments and their infrastructure.

David Harley, ESET Senior Research Fellow, thinks cyber criminals will pay more attention to finding vulnerabilities and potential exploits in mobile operating systems. This will be driven, in part, by the convergence of payment systems on smartphones and other mobile devices that Cameron mentions.

Mr. Harley also thinks that, as the use of mobile devices, especially smartphones, as a means of strengthening privacy through two-factor authentication becomes more common, it will become more important to consider the use of other kinds of security software (where available) to reduce the risk of other attacks, including the interception of financial and other sensitive transactions.

Another Harley prediction is that post-Snowden concerns about whether providers are sharing cloud-stored data with government agencies (voluntarily or through enforcement of legal processes) will revive questions about the geographical location of data and of cloud storage and processing. Older concerns about differing approaches to data privacy will flare up due to fresh mistrust and tensions between nations, not only between European and other nations, but even between European nations with differing views on how to counter terrorism without infringing on the privacy of their citizens. The General Data Protection Regulation, which among other things will aim to extend European Community data protection principles (see European Union Directive 95/46/EC) to countries outside the Community, is expected to be adopted in 2014. But it may not be compatible with sending data to be processed in countries where government rights to carry out surveillance are seen as excessive.

Finally, a few predictions of my own, starting with an educated guess about basic phishing attacks against consumers in developed countries. These will continue to be conducted from less developed countries where such activity is tolerated because it provides revenue to an under-employed citizenry.

A popular computer magazine asked ESET for one big and bold prediction for 2014 and my money is on: Cryptowar! An unprecedented level of interest in encryption products due to continuing revelations about state-sponsored surveillance of companies and consumers.

I will end this buffet of 2014 predictions with the first Internet fumble! I predict a small but not insignificant percentage of current Internet users in developed countries will scale back their online activities in light of continuing revelations about state-sponsored surveillance of companies and consumers. This and other aspects of the “Snowden effect” will not do the economy any good. I leave you with an illustration of what happened to Cisco’s stock price after it publicly referenced the “NSA effect” on future sales.

[Chart: Cisco share price]

Author Stephen Cobb, ESET

  • dallascovington1

    Fingerprint recognition? I think that can be replicated by a devious sort of person, and I see in my future wearing “Tippies”, little finger tip sleeves so that I don’t leave my prints all over the place in public and possibly the home?

    • Sonder Twyful

      Yes, fingerprints can be replicated. But, to think that hackers would view fingerprints as an “easy” hack is far removed from reality. Consider this scenario:
      1. Hacker decides YOU are a worthwhile target. He does this by finding out your name and then doing a background check to see if you have anything worth stealing. (Really? A hacker would spend that much time on one person?)
      2. He has to get your fingerprint. (Not so hard)
      3. He makes a cast of your fingerprint. (Time, equipment, and supplies to create fingerprint hack = 2 hours+)
      4. Hacker now needs to get physical access to your computer or smartphone. (Which is usually kept on or near your person.)
      5. Hack completed. On to the next fingerprint owner ….

      Now, try this Reality-Based hack:
      1. Hacker goes to Shodan ( http://www.shodanhq.com/ ) to find vulnerabilities about computer systems and which companies are likely to be utilizing vulnerable technologies.

      2. Hacker decides Target stores are a good target (no pun intended, but, hey …)
      3. Hacker scans for wi-fi signals outside business offices and captures what he needs.
      4. Hacker posts news of data capture online and sets up account to sell data to highest bidders.

      Remember this: Hackers don’t like to interact with their targets. They want to be anonymous and as far removed from their victims as is possible. Computer hacks give hackers anonymous access. Fingerprint hacks mean a hacker would have to interact with you physically somehow.

      What I’m trying to say is that hackers want the biggest bang for the lowest amount of effort. It takes a LOT of effort to run a fingerprint hack and it takes very LITTLE effort to obtain tons of passwords, PINs, and other useful data. (Most people use fewer than 5 passwords on a daily basis, and most of them are easily hackable.)

      A majority of identity theft hacks started with the capture of massive amounts of data. The purpose of the theft was not to capture one account; it was to capture many. When someone’s ID is stolen, the emphasis on the news was that ONE person got hacked. The reality is: MANY people got hacked; we’re just hearing about this ONE person because that person is [local, well known, a celebrity, whatever]. The perspective of the hack is skewed this way.

      The vast majority of hacks are successful because we use stupid passwords! We need to use something other than a single password to protect ourselves!
      I think it would be a brilliant move for computers and smartphones to use BOTH your fingerprint and password to protect your systems/devices. That would be great protection for your personal devices.

  • Sonder Twyful

    Nice bunch of predictions. What I’d like to see happen in 2014 is that Big Media (i.e., CNN and their ilk) finally go for substance over sound bites when covering any “cyber” stories. It would help if they would include URLs for good reference material in their newscasts. My prediction, however, is that they will continue to fail to give their audiences accurate and informative segments; full of FUD and nothing else. …sigh…

Copyright © 2014 ESET, All Rights Reserved.