When your everyday life is all about information security, you start to see patterns that may not be so obvious to others. Each year, I take my best shot at describing these trends and making predictions for the coming year. In this annual article, we also go back retrospectively and review the predictions we made the previous year to see how clear or cloudy our crystal ball was in helping us create our forecast.
We predicted 4 major trends for 2015: Muleware, re-authentication exploitation, ransomware expansion and targeted extortionware. Conservatively, I’m going to say that we certainly got 3 of the 4 with muleware being the hardest to track, but we know that certain hotels where persons of interest frequently stayed were targeted in 2015 as staff physically delivered exploits to personal computers left unattended in hotel rooms.
Re-authentication exploitation continues to grow as more and more people find out the hard way that not all email accounts are equal. Attackers continue to target email accounts you use for password recovery and with that, trigger the forgot-password function of a website and then steal the password reset before you notice. The weakness here is that instead of looking at authentication as a step in time, we need to protect its entire lifecycle because if the authentication of a website is strong but the re-authentication process is weak, the advantage goes to the attacker every time.
Ransomware continues to evolve in its technique and also expand from Windows only to Macs, Android and Linux in 2015. While backup solutions are cheaper and more convenient than ever, people are still not backed up appropriately and it is too late once they are hit with various types of ransomware. 2015 was an even bigger year for ransomware than 2014 and there’s no reasons this cybercrime method should slow as we enter 2016.
Extortionware differs from ransomware because here the attacker has taken the data and is now threatening you to publish it publicly if you don’t pay. Everyone can think of something on their computer they would like to keep private and if published publicly would damage them personally or jeopardize their business. 2015 saw its share of this type of attack and like ransomware, all signs indicate that it will accelerate in 2016.
Aside from the continuing trends from 2015, adoption of new technologies and the spread of more personally identifiable information online will precipitate new targets and types of cyber-attacks.
Cracking as a Service
The counterpart to cryptography is cryptanalysis – the art of deciphering coded messages without being told the key. Large farms of compute clusters are setup to do Bitcoin mining, and without much effort, they could easily be setup for cryptanalysis as a service. How would this work? Like other SaaS services, you setup an account and let’s say that you have something to crack the 256-bit key ‘23295937673927337a43297b4d226b7d7e762e213b6e225d2d53573157’. Submit it with some metadata and within minutes (maybe seconds) you are handed back the clear-text WEP key. This can be extended to other hashes and cyphertext. This service can charge you by the compute cycles so it is truly an elastic business. A service like this would punctuate the evolution of cryptography, forcing everyone to a longer key length as massive brute force attacks are just a REST API call away.
We have seen a lot of data repositories breached to date, but 2016 will be the year we see a DNA vault compromised and possibly used for extortion/ransom. Millions of people are using DNA services to find their genetic history and the bio-markers of known diseases. My guess is that some of these sites are already compromised and just don’t know it yet. Regardless, never before have we had so much personal DNA data stored on the Internet and 2016 might be the year we experience a compromise of this type of data effecting millions. Unlike a credit card or a password, this information is not easily reset. In fact, it is immutable and so any disclosure of this data lasts for an eternity.
Attack the Overlay Network
In 2016, many data centers will be utilising overlay technology, which enables software-defined networking (SDN). The main driver for this adoption is microarchitectures like Docker containers. In the case of Docker containers, VXLAN tagging technology is the overlay network that allows the application to define the network overlay topology required by the system of applications. The problem arises if there is no entity authenticating and checking the tags. Attackers could then impersonate or abuse the tags, giving them privileged access to the system and its data.
VXLAN is just one of these overlay networking technologies, and in my opinion, not enough threat modeling has been explored in this area, making it a ripe target for innovative attackers. We will see exploitation of these overlay networks in 2016, forcing more threat modeling in the design and causing these overlay networks to add security features and evolve in hostile environments.
Namespace is the new battleground
Software architectures are quickly adopting containers. In hypervisor-based virtualization, attackers took aim at the hypervisor to then gain access to any of the resident guest operating systems. With container technology like Docker, the battle is waged in the namespaces in userland. These include the processes, networking and filesystem namespaces. In 2016, we will likely see attacks coming from malicious containers trying to share process namespace (UID 0 in my container becomes UID 0 in your container). This could completely compromise the victim container, allowing attackers to do what they want and erase most evidence that they were there.
Companies like CoreOS are working on cryptographic assurances but until the market has experienced the worst of it, there will be little demand for this as a mandatory feature. 2016 will likely be the year everyone learns their lesson.
New approaches for a new theater
Whenever a new paradigm becomes widespread, there is a tendency to apply old tactics and principles to cyber security. For instance, when virtual machines gained adoption, many operators attempted to patch them as they would a physical machine even when it was more time consuming and complicated than just ending the old VMs and firing up new ones with up-to-date software.
As more sensitive data is connected to the internet, attackers gain better infrastructure and new forms of networking become prevalent, we need to avoid trying to apply old, ineffective principles to new theaters of technology. Otherwise, attackers will take advantage of this window of opportunity while we are stuck trying to evolve our security in the midst of a hostile situation.