The assumptions I made in my Security trends 2014 posting are in italic font style.
There will still be NSA aftershocks after new material comes out and different parties react to it (and news sources write about it). U.S. cloud services have been put into question for good reason. There will be a lot of NSA spying litigation. Those spying issues will also fuel some hacktivism (it has already started to happen).
This has pretty much happened. A good deal of folk aware of NSA leaker Edward Snowden have improved the security of their online activity after learning of his exploits, a large survey has found. Maybe Edward Snowden has been the best security educator ever, because it seems that Snowden Leaks Prompt Internet Users Worldwide To Protect Their Data: an international survey of Internet users has found that more than 39% have taken steps to protect their online privacy and security as a result of spying revelations by one-time NSA employee Edward Snowden (706 million people have changed their behavior on the Internet because of what the NSA and GCHQ are doing). Two-thirds (64%) of users indicated they are more concerned today about online privacy than they were a year ago.
The use of security tools like HTTPS and the Tor network has increased. Today major players are embracing end-to-end encryption, so that about 50% of web traffic is carried by HTTPS. The increased use of HTTPS has made the life of IT departments harder, because normal firewalls cannot inspect what is inside encrypted HTTPS packets.
The Tor Project, the world’s most popular anonymity network, has continually resurfaced in the headlines, and not all of them have been positive. An international police bust of at least 17 hidden services like Silk Road 2.0 and Doxbin is only the latest notch on the belt of law enforcement agencies that have been closely watching Tor users for years.
Malware attacks, especially in Europe, nearly doubled in the first half of 2014. Government, financial services, telecommunications and energy were the most targeted sectors – collectively making up more than half of attacks. The UK followed by Germany were the two European countries most commonly targeted by malware-flinging, spear-phishing cyberspies.
Details of some serious spying malware have come to light. Intelligence-gathering super spyware Regin has been gathering information from Windows computers for many years (bits and pieces of the malware have been spotted by Microsoft, Kaspersky Lab, F-Secure and Symantec over the years). It had very many targets. Reports indicate that Belgian telecom giant Belgacom was under continuous hack attack for more than two years: in its digital attack on Belgacom, the British secret service was able to intercept more communications than was previously realised (from NATO and the EU, as well as from clients of hundreds of international telecoms providers). But here’s a question no one’s answering: given this super-malware first popped up in 2008, why has everyone in the antivirus industry kept quiet about it until now?
A so-called advanced persistent threat (APT) named “Turla” was disclosed in August. In addition to infecting Windows computers, it also used a powerful, highly stealthy Linux trojan that may have infected victims for years. For at least four years, the campaign targeted government institutions, embassies, military, education, research, and pharmaceutical companies in more than 45 countries.
The use of hacking techniques and malware in state-sponsored espionage has been publicly documented over the last few years: China has been linked to extensive cyber espionage, and recently the Russian government was also alleged to have been behind a cyber attack on the White House. Regin further demonstrates that Western intelligence agencies are also involved in covert cyberespionage.
The Internet core was in danger: Hackers Compromise ICANN Computers. A spear-phishing attack aimed at the US-based nonprofit Internet Corporation for Assigned Names and Numbers (ICANN) hooked staff members with emails. The captured user names and passwords were used to access the Centralized Zone Data System, a repository that stores, among other things, the data needed to pair domain names with IP addresses and information on domain owners (including hashed usernames and passwords).
The use of “fake” mobile towers acting between the target mobile phone(s) and the service provider’s real towers has increased, or at least their use has now surfaced. An IMSI catcher subjects the phones in its vicinity to a man-in-the-middle attack, acting towards them as the preferred base station in terms of signal strength. US Police Have Used Fake Mobile Base Stations to Spy on Citizens: a civil liberties group has discovered emails showing that the US government has concealed police use of fake mobile base stations, which can spy on citizens without requiring search warrants, since at least 2009. Many fake mobile phone stations were found in the USA. There is an underground market for illegal telecoms equipment, much of which comes from China. Fake base stations were found in many other countries too. There is a market for tools that can detect fake base stations (for example the CryptoPhone 500, which costs $3500). It seems that foreign states have been spying on mobile phones in Finland, Sweden and Norway with fake base stations.
Old telecom core protocols have proven to be vulnerable. Researchers discovered security flaws in SS7 that allow listening to private phone calls and intercepting text messages on a potentially massive scale, even when cellular networks are using the most advanced encryption now available. Because of the lax security on the network, the housekeeping functions built into SS7 can be repurposed for surveillance: they can locate callers anywhere in the world and listen to calls as they happen, which is what lets spies and criminals eavesdrop at that scale. But even as individual carriers harden their systems, they still must communicate with each other over SS7, leaving them open to any of the thousands of companies worldwide with access to the network.
The Security Professionals: Top Cyber Threat Predictions for 2014 article lists the following predictions, which seemed pretty probable: Cybersecurity Regulatory Efforts Will Spark Greater Need for Harmonization, Service-Impacting Interruptions for Online Services Will Persist, We Will See an Increase in Cybercrime Activity Related to the World Cup, Rise of Regional Cloud Services, Dev-Ops Security Integration Fast Becoming Critical, Cybercrime that Leverages Unsupported Software will Increase, Increase in Social Engineering and Ransomware will Impact More People.
This list pretty much describes what happened in 2014. This was a spot-on set of predictions.
Ubiquitous mobile computing is all around us, which will lead to increased risks and concerns about social network privacy. Social networks have quickly become the key organizing principle of Internet communication and collaboration.
Social networks are used more and more. There are privacy issues on social networks, but there are also secondary issues in their wider uses. Nowadays there are many web sites that support social media logins. Hackers are attacking them, for example with the ‘SpoofedMe’ social login attack.
Android malware has been in the news quite often. Traditional AV companies have complained that they can’t scan the whole device like they could on a PC. To combat that, Google has made major security enhancements to Android 4.4 and Android 5.0. Android 5.0 also has a number of under-the-hood changes, including some major updates to the overall security of the platform. The biggest roadblock to mobile device security is actually user apathy: people skip basic security practices like setting a lock screen PIN code because it’s inconvenient when you’re checking your device every few minutes. There are usability improvements that hopefully help.
2013 was a very hacked year: there were many cases where information on millions or tens of millions of users was stolen from companies. It’s likely that we will see much more of the same in 2014, because the way people use passwords and the way on-line services are built have not changed much in one year.
To me it seems that 2014 was much worse than 2013. There have been lots of hacking incidents, and some of the basic building blocks of our IT world have been seriously hacked.
USB security is fundamentally broken: consider all USB devices potentially dangerous. The BadUSB attack shows that the USB controllers in very many USB devices can be reprogrammed to turn the device into an attack device. It is practically impossible to know whether any unit has been reprogrammed to take over computers. Once infected through USB, malware can use peripherals as a hiding place, hindering system clean-up. As long as USB controllers are reprogrammable, USB peripherals should not be shared with others. There are no easy or quick fixes to this serious problem. Malicious firmware could easily spoof its legitimacy to foil malware scans. A little USB device can hack your computer in no time flat without you knowing about it. It’s a classic scene from basically every spy movie in history. In this case, however, that mystery device is real. It is pretty easy to make a device that pretends to be a keyboard/mouse or does even nastier things. That’s… kind of terrifying. So what can you do to protect yourself from things like this? Not a whole lot, really — that’s why attacks like this and BadUSB are so freaky.
This was a year of well-branded vulnerabilities: 2014 was the year when newly found security vulnerabilities started to be branded with catchy names, logos and web sites.
Open source security was hit very badly with Heartbleed and Shellshock. The Heartbleed bug allowed anyone on the Internet to read the memory of systems protected by the vulnerable versions of the OpenSSL software. This was a very severe two-year-old security hole right in the core of Internet security, the HTTPS protocol. Heartbleed affected most web servers, email servers, chat servers, virtual private networks (SSL VPNs), network appliances, a wide variety of client side software, mobile apps and Internet-connected embedded devices.
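To make concrete what “read the memory of the systems” means, here is an added example (written for this post, not code from OpenSSL or from the original article) that models the TLS heartbeat handling in Python. A heartbeat record is a one-byte type, a two-byte peer-supplied payload length, the payload and at least 16 bytes of padding. The vulnerable function trusts the claimed length and copies that many bytes from wherever the record sits in memory; the fixed function applies the bounds check that OpenSSL 1.0.1g added (header plus claimed length plus padding must fit inside the received record) and silently drops anything else. The “memory” buffer, the record layout helper and the secret bytes placed after the record are all constructed for the demonstration.

```python
import struct

HEARTBEAT_REQUEST = 1
PADDING_LENGTH = 16  # minimum padding a heartbeat record must carry


def parse_heartbeat_header(record: bytes):
    """Split the 3-byte heartbeat header into (type, claimed payload length)."""
    if len(record) < 3:
        raise ValueError("record too short for a heartbeat header")
    (claimed_len,) = struct.unpack("!H", record[1:3])
    return record[0], claimed_len


def heartbeat_response_vulnerable(memory: bytes, record_start: int) -> bytes:
    """Pre-1.0.1g behaviour: trust the peer-supplied length and copy that many
    bytes starting at the payload, ignoring how long the record really is.
    'memory' stands in for the process heap around the record (constructed)."""
    _, claimed_len = parse_heartbeat_header(memory[record_start:record_start + 3])
    payload_start = record_start + 3
    return memory[payload_start:payload_start + claimed_len]


def heartbeat_response_fixed(memory: bytes, record_start: int, record_length: int):
    """Bounds check from the fix: the claimed payload plus header and padding
    must fit inside the received record, otherwise the message is discarded
    (None), exactly like the patched code's silent return."""
    record = memory[record_start:record_start + record_length]
    if len(record) < 1 + 2 + PADDING_LENGTH:
        return None
    hb_type, claimed_len = parse_heartbeat_header(record)
    if hb_type != HEARTBEAT_REQUEST:
        return None
    if 1 + 2 + claimed_len + PADDING_LENGTH > record_length:
        return None
    return record[3:3 + claimed_len]


def build_heartbeat(claimed_len: int, payload: bytes) -> bytes:
    """Assemble a heartbeat request record; claimed_len may lie about the payload."""
    return (bytes([HEARTBEAT_REQUEST]) + struct.pack("!H", claimed_len)
            + payload + b"\x00" * PADDING_LENGTH)


# Constructed "heap": two heartbeat records followed by unrelated secret data.
SECRET = b"session_cookie=abc123; private_key_fragment=DEADBEEF"
HONEST_RECORD = build_heartbeat(4, b"ping")    # claims 4 bytes, carries 4
LYING_RECORD = build_heartbeat(64, b"ping")    # claims 64 bytes, carries 4
HONEST_START = 8
LYING_START = HONEST_START + len(HONEST_RECORD)
MEMORY = (b"\x00" * HONEST_START + HONEST_RECORD + LYING_RECORD
          + SECRET + b"\x00" * 64)


def demo():
    """Compare what each implementation echoes back for both records."""
    return {
        "honest_fixed": heartbeat_response_fixed(MEMORY, HONEST_START, len(HONEST_RECORD)),
        "lying_vulnerable": heartbeat_response_vulnerable(MEMORY, LYING_START),
        "lying_fixed": heartbeat_response_fixed(MEMORY, LYING_START, len(LYING_RECORD)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The honest record is answered identically by both versions. For the lying record the vulnerable version returns 64 bytes, of which only 20 belong to the record and the rest is whatever happened to sit next to it on the heap, here the constructed secret; the fixed version returns nothing at all, which is why a patched server cannot be told apart from an unpatched one by the honest case alone.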
Later in the year HTTPS was hit again with the POODLE bug, which bypasses TLS crypto. It hit around 10 percent of websites, including some of the Internet’s top websites. The POODLE attack rendered the already old SSL 3.0 encryption useless, and support for it is being phased out on web browsers and servers.
CVE-2014-6271, also known as “Shellshock” or the Shell Shocked bash bug, has been around for a long, long time (around 20 years). The vulnerability affects versions 1.14 through 4.3 of GNU Bash. That means there are lots of old devices on the network vulnerable to this bug. The number of systems needing to be patched, but which won’t be, is much larger than with Heartbleed. It’s things like CGI scripts, deep within a website, that are vulnerable. This was not only a Linux problem: it could allow attackers to execute code on Linux, Unix, and Mac OS X.
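Because the CGI path is the one that exposes Shellshock to the Internet, the practical defensive task for a web operator who cannot patch every device is to spot the attempts in access logs. The following is an added example (not from the original post or any product) that scans Apache combined-format log lines for the function-definition shape `() {` in the client-controlled fields (request line, Referer, User-Agent), which is what an environment-variable injection of CVE-2014-6271 has to contain. The log lines, the addresses (RFC 5737 ranges) and the probe strings are constructed; the probe is the widely published self-test form of the bug, not a working payload.

```python
import re

# Signature of a function definition inside an environment-variable value,
# the shape CVE-2014-6271 attempts take in HTTP headers.
SHELLSHOCK_RE = re.compile(r"\(\s*\)\s*\{")

# Apache "combined" log: host ident user [time] "request" status bytes "referer" "agent"
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def scan_line(line: str):
    """Return (host, field, field_text) when the pattern appears in a
    client-controlled field, else None. Lines that do not parse as the
    combined format are scanned as a whole so nothing slips past a bad parse."""
    m = COMBINED_RE.match(line)
    if not m:
        hit = SHELLSHOCK_RE.search(line)
        return ("?", "raw", hit.group(0)) if hit else None
    for field in ("request", "referer", "agent"):
        if SHELLSHOCK_RE.search(m.group(field)):
            return (m.group("host"), field, m.group(field))
    return None


def scan_log(lines):
    """All hits, in log order."""
    return [hit for hit in (scan_line(line) for line in lines) if hit]


# Constructed sample log (documentation addresses, harmless probe strings).
SAMPLE_LOG = [
    '203.0.113.5 - - [25/Sep/2014:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 '
    '"-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '198.51.100.9 - - [25/Sep/2014:10:01:05 +0000] "GET /cgi-bin/status HTTP/1.1" 200 77 '
    '"-" "() { :; }; echo SHELLSHOCK_TEST"',
    '203.0.113.7 - - [25/Sep/2014:10:01:09 +0000] "GET /cgi-bin/env.cgi HTTP/1.1" 200 77 '
    '"() {:;}; /bin/true" "curl/7.37.0"',
    '203.0.113.5 - - [25/Sep/2014:10:02:00 +0000] "GET /docs/() HTTP/1.1" 404 120 '
    '"-" "Mozilla/5.0 (compatible; MSIE 10.0)"',
]

if __name__ == "__main__":
    for host, field, text in scan_log(SAMPLE_LOG):
        print(f"{host}: suspicious {field}: {text!r}")
```

The last sample line shows why the pattern requires the opening brace: ordinary parentheses in a URL or a browser user-agent string do not trigger it. On a real server the same scan is worth running against the CGI scripts’ own request logs, since those are the processes that export headers as environment variables.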
Windows security was also hit: the Sandworm security issue will trigger UAC (User Account Control) on Windows. Windows also had its own Shellshock-style security issue: Microsoft fixes severe 19-year-old Windows bug found in everything since Windows 95. The vulnerability (CVE-2014-6332) was rated a critical score of 9.3 in all versions of Windows and was described as a rare “unicorn-like” bug in Internet Explorer-dependent code that opens avenues for man-in-the-middle attacks. A separate critical hole (MS14-066) affecting Microsoft’s Secure Channel (SChannel), which implements the Secure Sockets Layer and Transport Layer Security protocols, was also patched: if an attacker modified packets in a particular way and attacked your machine, they may be able to execute whatever code they like remotely without an authorized account.
Misfortune Cookie is a critical vulnerability that allows an intruder to remotely take over an Internet router and use it to attack home and business networks. Researchers have distinctly detected approximately 12 million readily exploitable unique devices connected to the Internet in 189 countries across the globe, making this one of the most widespread vulnerabilities revealed in recent years. All an attacker needs in order to exploit Misfortune Cookie is to send a single packet to your public IP address (a simple modern browser can do that). Misfortune Cookie affects any implementation of a service using the old version of RomPager’s HTTP parsing code on ports 80, 8080, 443, 7547 and others (devices managed by TR-069 or a web browser). The vulnerability allows an attacker to take over device settings and turn off all firewall settings (= free WAN-to-LAN crossing, which makes it possible for the attacker to try to access your home webcam or extract data from your business NAS backup drive, both potentially using default credentials and/or having vulnerabilities of their own). This should be considered an alarming wake-up call for the embedded device industry and consumers alike: the vulnerable code is from 2002 and was actually fixed in 2005, and yet the fix still did not make it into consumer devices. Watch for firmware updates from your device vendor addressing Misfortune Cookie, and apply the update as soon as it is released. Remember that your router’s security should be just one layer in your multi-layer network security defenses.
Large scale privacy scandals:
The 2014 celebrity photo leak generated many headlines. Beginning August 31, 2014, a collection of almost 500 private pictures of various celebrities (photos and videos of more than 100 individuals including 26 celebrities), mostly women, and with many containing nudity, were posted on the imageboard 4chan and later disseminated by other users on websites and social networks. The images were believed to have been obtained via a breach of Apple’s cloud services suite iCloud using a “very targeted attack” on account information.
Attacks against banking and businesses:
Financial security problems in USA were touching every other household: Some 45% of Americans say they or a household member have been notified by a credit card company, financial institution or retailer that their credit card information had possibly been stolen as part of a data breach.
The huge cyberattack on JPMorgan Chase that touched more than 83 million households and businesses was one of the most serious computer intrusions into an American corporation.
Almost 100 million credit card details were revealed in a series of serious retailer breaches (Target, Home Depot, Neiman Marcus etc.). Organized crime groups are actively distributing malicious code and compromising the networking environments of merchants and credit card devices. A growing list of POS malware variants (POSCLOUD, Nemanja, JackPOS, BlackPOS, and Decebal) is being developed by underground cyber criminals because of the high ROI when they hit payloads like a Target or Home Depot. As more and more breach reports have come up constantly, consumers are officially starting to get breach fatigue, fraud shops are OVERSTOCKED with stolen credit cards, and banks are bringing breached companies to court to pay for the damages caused to them.
It seems like 2014 has almost been “The Year of PoS Breaches.” Can We Learn from Big Breaches? At least companies will also face more stringent regulations: the new Payment Card Industry Data Security Standard 3.0 (PCI 3.0) will be mandatory for all businesses that store, process or transmit payment card information beginning 1 January 2015. The revamped standard includes requirements aimed at third party providers. The changes follow a string of high profile breaches.
There has been a long history of security companies hyping up remote threats in press releases. Then came the big corporate hit, as bad as it can get: The Sony Pictures Hack Was Even Worse Than Everyone Thought. One of the biggest Hollywood studios and TV production companies was hit very seriously. Sony employees face ‘weeks of pen and paper’ after crippling network hack: the infiltration by hackers has left Sony employees “sitting at their desks trying to do their job with a pen and paper”. It could take three weeks to clean up the mess and get things back to normal. A lot of data was leaked out, including unreleased movies uploaded to pirate sites, contract details posted on-line, password lists posted on-line, and everything from medical records to unreleased scripts. A recent report from the consulting firm PricewaterhouseCoopers estimated that more than 117,000 cyberattacks hit businesses each day, but few are on the scale of the blow dealt to Sony, which has seen gigabytes of information (for example sensitive information and unreleased movies) leaked onto the internet: “It’s obvious from the scope of what’s been done that the intruders owned the entire environment”.
The Sony hack is different from most past hacks on this scale because the people who got the information don’t seem to be out for personal gain. Instead, they’re actively trying to embarrass and perhaps even destroy the company. The motives of sophisticated hackers have changed from self-gain to destruction. There have been estimates that Sony could suffer a loss of more than $100 million — and that was before a couple of former employees sued the company. The incident caused Sony Pictures to cancel the release of the movie The Interview. There has been a debate in the USA about whether this kind of cyber-attack could be considered an act of war.
This was not the only attack that tried to damage a company. The Now at the Sands Casino: An Iranian Hacker in Every Server article tells how computer engineers at Las Vegas Sands Corp. (LVS) raced to figure out what was happening when it was under a withering cyber attack. PCs and servers were shutting down in a cascading IT catastrophe, with many of their hard drives wiped clean; the $14 billion operation had sputtered to a halt. This was no Ocean’s Eleven. The hackers were not trying to empty a vault of cash, nor were they after customer credit card data. This was personal. The perpetrators wanted to punish the company, or, more precisely, its chief executive officer and majority owner, the billionaire Sheldon Adelson. This happened some months before the Sony event. This was likely the first time that a foreign player simply sought to destroy American corporate infrastructure on such a scale.
HTML5 was really pushed into the mainstream. It is used visibly in many applications and also very much in the background of very many mobile apps. The use of HTML5 has increased, but it does not seem to have turned into a major security problem. So the security situation of HTML5 seems to be better than what I expected.
Over 50% of net traffic to web sites is made by bots! The More Than Half of Internet Traffic Is Just Bots article says that security and cloud service provider Incapsula analyzed traffic and found out that more than 60 percent of internet traffic is computer generated, compared to less than 40 percent of traffic that is driven by human clicks. 31% of bots are still malicious. SEO link building has always been a major motivation for automated link spamming, but it is decreasing due to the fact that Google was able to discourage it. There is more advanced hacking and automatic vulnerability searching.
There has been a series of dangerous attack vectors and very large volumetric DDoS attacks over the year 2014. DNS amplification attacks and NTP amplification attacks became popular. There were huge attacks that peaked over 400Gbps.
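Amplification works because a small spoofed UDP request to an open DNS resolver or an old NTP daemon produces a much larger response aimed at the victim, so the operator of such a server sees it from the other side: a few addresses receiving far more bytes than they send. The following added example (written for this post, not from any vendor tool) aggregates constructed flow records per client and service, computes the response/request byte ratio, and flags pairs above a threshold; the flagged “client” is the spoofed victim address, which is the signal that your server is being used as a reflector. Flow values and addresses (RFC 5737 ranges) are constructed.

```python
from collections import defaultdict

# Constructed flow records as seen at a server's edge:
# (protocol, server_port, client_ip, request_bytes, response_bytes)
FLOWS = [
    ("udp", 53, "198.51.100.7", 64, 3200),     # ANY-style query answered with a huge response
    ("udp", 53, "203.0.113.9", 60, 120),       # ordinary A lookup
    ("udp", 123, "198.51.100.7", 234, 48000),  # monlist-style request on an old NTP daemon
    ("udp", 123, "203.0.113.20", 48, 48),      # normal NTP time exchange
    ("tcp", 443, "203.0.113.9", 900, 1800),    # TLS session; TCP handshake prevents spoofing
]

AMPLIFIABLE_UDP_PORTS = {53: "DNS", 123: "NTP"}


def amplification_report(flows, ratio_threshold=10.0):
    """Aggregate bytes per (client, port) over the amplifiable UDP services and
    flag pairs whose response/request ratio exceeds the threshold. TCP flows are
    skipped because the handshake stops a spoofed source from completing them."""
    totals = defaultdict(lambda: [0, 0])  # (client, port) -> [request bytes, response bytes]
    for proto, port, client, req_bytes, resp_bytes in flows:
        if proto != "udp" or port not in AMPLIFIABLE_UDP_PORTS:
            continue
        totals[(client, port)][0] += req_bytes
        totals[(client, port)][1] += resp_bytes
    report = []
    for (client, port), (req, resp) in sorted(totals.items()):
        ratio = resp / req if req else float("inf")
        report.append({
            "client": client,
            "service": AMPLIFIABLE_UDP_PORTS[port],
            "request_bytes": req,
            "response_bytes": resp,
            "ratio": round(ratio, 1),
            "flagged": ratio > ratio_threshold,
        })
    return report


def flagged_victims(flows, ratio_threshold=10.0):
    """Addresses currently receiving amplified traffic from this server."""
    return sorted({r["client"] for r in amplification_report(flows, ratio_threshold)
                   if r["flagged"]})


if __name__ == "__main__":
    for row in amplification_report(FLOWS):
        mark = "FLAG" if row["flagged"] else "ok  "
        print(f"{mark} {row['client']:>14} {row['service']:>4} x{row['ratio']}")
    print("victims:", flagged_victims(FLOWS))
```

The ratio is the useful measure because absolute volumes vary with legitimate load, while a 50x or 200x byte ratio on UDP is never a normal client. The server-side fixes the ratios point at are the well-known ones: restrict recursion and enable response rate limiting on the resolver, and turn off the NTP monitor facility (`disable monitor` in ntp.conf), so that the response can no longer be much larger than the request.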
There will still be many SCADA security issues in 2014. Even though traditional SCADA vulnerabilities have become easier to find, the increased connectivity brought by IoT will cause new issues. And there will still be very many control systems openly accessible from the Internet for practically everybody who knows how to find them. A large number of SCADA systems were found open on the Internet in the beginning of 2013, and the numbers have not considerably dropped during the year. I expect that very many of those systems will still be too open at the end of 2014.
A large number of SCADA system vulnerabilities and open systems were found in 2014. Many SCADA systems are still too open: it seems that much of the world’s factories and critical infrastructure aren’t properly protected against hackers. Researchers have found vulnerabilities in industrial control systems that they say grant full control of systems running energy, chemical and transportation systems. Over 60,000 exposed control systems were found online.
Industrial systems are gaining the attention of not only security researchers, but also potential attackers. Data obtained from the Open-Source Vulnerability Database (OSVDB) shows that 80% of all ICS vulnerabilities have been disclosed since 2011. Hackers exploit SCADA holes to take full control of critical infrastructure.
Finnish security research firm F-Secure reported on a cyber campaign targeting industrial sectors and the suppliers of equipment to these sectors, including many in critical infrastructure. In late December a German steel factory suffered significant damage after attackers gained unauthorized access to the computerized systems that help control its blast furnace: one of the plant’s blast furnaces could not be shut down in a controlled manner, which resulted in “massive damage to plant”. The incident is notable because it’s one of the few computer intrusions to cause physical damage.
There also came new details on some earlier damaging incidents, suggesting that they could have been the result of cyber-attacks. The Stuxnet worm that targeted Iran’s uranium enrichment program has been dubbed the world’s first digital weapon, destroying an estimated 1,000 centrifuges. Bloomberg News reported that a fiery blast in 2008 that hit a Turkish oil pipeline was the result of hacking. The suspected sabotage of a Siberian pipeline in 1982 is believed to have used a logic bomb.
The Internet is expanding into enterprise assets and consumer items such as cars and televisions. The Internet of Things (IoT) will evolve into the Web of Things, increasing the coordination between things in the real world and their counterparts on the Web. There will be many security issues to solve, and as the systems become more widely used, more security issues will be found in them.
The Internet of Things was expanding very rapidly in 2014. The focus was on getting the things running. Many of the applications were so new that there have not been any very large-scale issues yet. I expect IoT security issues to come more into the spotlight in 2015.
Cloud security will be talked about. Hopefully there will be some clean-up of the terminology in that area, because cloud security can mean a lot of things, like the term cloud computing. Research firm Gartner forecasts that cloud security sales will increase dramatically in the next few years. Cloud security sales have increased over the past year by 2.1 billion to $3.1 billion in 2015.
Let’s see next year how the numbers add up.
Marketers try to put the “cloud” term in security product brochures as much as they can. Cloud has made traditional information security sound old-fashioned, because companies are under pressure to move services to the cloud. Also, mobile devices and dispersed users set new standards for information security.
Yes. Security marketers used the cloud security term a lot in their material.
The Cyber Security Center performed its tasks in 2014.
Crypto-currencies like Bitcoin and similar are on the rise. Early adopters already use them actively. Those crypto-currencies have many security related issues. The values of the crypto-currencies vary quite a lot, and the value easily drops considerably when they get so widely used that different governments try to limit using them. Bitcoin is increasingly used as a ransomware payment method. Bitcoins have been stolen lately quite a lot (and I expect that to increase when usage increases), and they are stolen from users, on-line wallets and exchanges. When more money is involved, more bad guys try to get in to get some of it.
2014 was a huge year for Bitcoin, in good and bad. The alternative currency has been plagued by hacks, ponzi schemes and increasingly professional thefts since 2011, but 2014 was really special. There were many gains in the wider use of Bitcoins, even to the point that Microsoft has quietly added Bitcoin as a payment method for digital content.
On the other side there were also many cyberattacks that stole lots of Bitcoins, and Bitcoins were used by ransomware makers. In February 2014 the world’s leading Bitcoin exchange Mt. Gox declared bankruptcy, claiming that hackers had exploited a technical issue called “transaction malleability” to steal 750,000 bitcoins ($400 million). It is hard to say if that’s what really happened or not. The next month Flexcoin, the Canada-based Bitcoin bank, closed after losing $600,000 in a hacker attack. Other cryptocurrencies were attacked by hackers too, for example Hackers Steal $1.65 Million in NXT from BTER Exchange.
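“Transaction malleability” is easier to reason about with the hashing in front of you. A Bitcoin transaction id is the double SHA-256 of the serialized transaction, and the serialization includes each input’s unlocking script (scriptSig). A relaying party can re-encode that script without invalidating the signature, which changes the txid while the coins spent and the outputs paid stay exactly the same. The added example below (written for this post; the serialization is a simplified JSON stand-in, not Bitcoin’s wire format, and all transaction values are placeholders) shows why bookkeeping that keys withdrawals on txid alone loses track of a confirmed payment, and what a malleability-proof key looks like.

```python
import hashlib
import json


def sha256d(data: bytes) -> bytes:
    """Bitcoin's double SHA-256."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def serialize(tx: dict) -> bytes:
    """Deterministic stand-in serialization (JSON, not the real wire format).
    What matters here is that scriptSig is inside the hashed bytes, as it is
    in a real pre-SegWit transaction."""
    return json.dumps(tx, sort_keys=True, separators=(",", ":")).encode()


def txid(tx: dict) -> str:
    return sha256d(serialize(tx))[::-1].hex()  # displayed byte-reversed, as Bitcoin does


def spend_key(tx: dict):
    """Malleability-proof identity: the outpoints being spent plus the outputs.
    A third party cannot alter these without invalidating the signatures."""
    ins = tuple(sorted((i["prev_txid"], i["index"]) for i in tx["inputs"]))
    outs = tuple((o["address"], o["value"]) for o in tx["outputs"])
    return ins, outs


def malleate(tx: dict) -> dict:
    """Re-encode the unlocking script without changing what it proves. The
    mutation is modelled as one extra no-op byte; the 2014 real-world variants
    were things like non-canonical DER encodings or extra script pushes."""
    copy = json.loads(json.dumps(tx))
    copy["inputs"][0]["script_sig"] = "00" + copy["inputs"][0]["script_sig"]
    return copy


# Constructed withdrawal: one input, one payout output (hex values are placeholders).
ORIGINAL_TX = {
    "version": 1,
    "inputs": [{"prev_txid": "ab" * 32, "index": 0, "script_sig": "3045aa" * 12 + "01"}],
    "outputs": [{"address": "customer-withdrawal-address", "value": 500000}],
}


def reconcile(ledger_txid: str, observed_tx: dict, expected_tx: dict):
    """What an exchange's bookkeeping sees once a mutated copy confirms.
    Matching on txid alone says the withdrawal never happened; matching on
    spend_key recognises the same coins going to the same place."""
    return {
        "txid_matches": txid(observed_tx) == ledger_txid,
        "spend_matches": spend_key(observed_tx) == spend_key(expected_tx),
    }


if __name__ == "__main__":
    mutated = malleate(ORIGINAL_TX)
    print("original txid:", txid(ORIGINAL_TX))
    print("mutated  txid:", txid(mutated))
    print(reconcile(txid(ORIGINAL_TX), mutated, ORIGINAL_TX))
```

The failure mode the example isolates is the one in the Mt. Gox claim: a customer reports a withdrawal that “never arrived”, the system looks up the recorded txid, finds it unconfirmed (the mutated copy confirmed instead), and re-sends. Keying on the spent outpoints, or simply checking whether the input coins are already spent, closes that gap regardless of which encoding of the transaction the network accepted.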
In November the Bitcoin Foundation said that Bitcoin is GREAT and SAFE. Bitcoin will have its biggest impact in unstable regimes and foreign currency transfers, according to the Bitcoin Foundation’s chief scientist Gavin Andresen. The Foundation works on keeping transaction fees inexpensive. Besides Bitcoin there are also many other smaller cryptocurrencies.
The world is looking for a virtual currency. Virtual means that the currency is not backed by a physical commodity, is not controlled by a government agency either, and is used and accepted among members of a specific virtual community (that is, the Internet). Today, enthusiasts of virtual currencies fall into two camps.
The first camp contains the crypto-currency enthusiasts, who have had lots of publicity for their idea: there are now 80 virtual currencies, all based on Bitcoin, with names like Dogecoin, Altcoin, and Primecoin. Of these, Bitcoin has the vast majority of mindshare and user base (at less than 1 million users).
The second camp of virtual currency enthusiasts is largely unknown, which is surprising considering that there are over 30 million of them: just ordinary people in Africa using an SMS text-based currency called M-Pesa. The forward drivers for Bitcoin and M-Pesa are completely different. The M-Pesa phenomenon is a product of a unique regulatory environment. Creating a flexible but safe regulatory space made the difference in Kenya and Tanzania. Kenya has become the paragon of mobile money. Today, more than two-thirds of Kenyans use M-Pesa. Mobile money has lagged in India and Nigeria, both of which are known for their more complex bureaucracies. Clearly the message here is that mobile money is a long game, and most bitcoin startups accept that this applies to them too. Research shows that there is clear demand for faster, cheaper, and more transparent financial services.