Will the next year bring a seismic shift in who controls the Internet? Another Mac malware outbreak? Your smart TV being highjacked for a DDoS attack? Whatever 2013 may bring, it’s sure to be an interesting year. Here’s F-Secure Labs’ take on what could be in store for the next year.
1. The end of the Internet as we know it?
“Depending on the outcome of an important conference taking place now in Dubai, a lot of things could happen in 2013,” says Sean Sullivan, Security Advisor at F-Secure Labs.That event, the World Conference on International Telecommunications, could have a major impact on the Internet as we know it. “The Internet could break up into a series of smaller Internets,” Sullivansays. “Or it may start to be funded differently, with big content providers like Facebook and Google/YouTube having to pay taxes for the content they deliver.”
The WCIT event is a meeting convened by the International Telecommunication Union (ITU) to finalize changes to the International Telecommunications Regulations treaty. In attendance are regulators representing governments from around the world, not all of whom are interested in Internet freedom. There is concern that some regimes would want to shift control of the Internet “from the geeks, and give it to governments,” as Sullivan puts it. New measures are also being proposed in the name of Internet security that privacy advocates suggest would mean the end of anonymity on the Internet.
2. Leaks will reveal more government-sponsored espionage tools
“It’s clear from past leaks about Stuxnet, Flame, and Gauss that the cyber arms race is well underway,” says Mikko Hypponen, Chief Research Officer at F-Secure Labs. While we may not always be aware of nation-states’ covert cyber operations, we can expect that governments are more and more involved in such activity. In 2013, we’ll most likely see more leaks that definitively demonstrate this, and from countries who haven’t previously been seen as a source of attacks. As the arms race heats up, the odds of leaks increase.
3. Commoditization of mobile malware will increase
The Android operating system has solidified in a way that previous mobile operating systems haven’t, extending from phones to tablets to TVs to specialized versions of tablets. The more ubitiquous it becomes, “the easier to build malware on top of it and the more opportunities for criminals to innovate businesswise,” Sullivan says. Mobile malware will become more commoditized, with cybercriminals building toolkits that can be purchased and used by other criminals without real hacking skills. In other words, malware as a service, for Android.
4. Another malware outbreak will hit the Mac world
2011 saw scareware called Mac Defender, and in 2012 Flashback took advantage of flaws in Java. The Labs predict 2013 will bring another Mac malware outbreak that will have some success within the Mac community.
“The author of the Flashback Trojan is still at large and is rumored to be working on something else,” Sullivan says. “And while there have been smart security changes to the Mac OS, there’s a segment of the Mac-using population who are basically oblivious to the threats facing Macs, making them vulnerable to a new malware outbreak.”
5. Smart TVs will become a hacker target
Smart TVs are plugged into the Internet, they’ve got processing power, and since they typically aren’t equipped with security, they’re wide open to attacks. Adding to their vulnerability is that unlike home computers, many smart TVs are directly connected to the Internet without the buffer of a router, which deflects unsolicited traffic. Also, consumers often don’t change the factory default username and password that have been set for web administration, giving easy access to hackers.
“It’s very easy for hackers to scan for smart TVs on the Internet,” says Sullivan. “When found, they only need to use the default username and password, and they’re in.” 2012 already witnessed LightAidra, a breed of malware that infected set top boxes. 2013 could see smart TVs being used for such purposes as click fraud, Bitcoin mining, and DDoS attacks.
6. Mobile spy software will go mainstream
2013 may see a rise in popularity of tracking software, and not just for parental control purposes. There has already been growth in child safety apps that monitor kids’ activities, for example, their Facebook behavior. “Of course this kind of software can also be used to spy on anyone, not just kids,” Sullivan says. “The more smartphones there are, the more people will be seeking out software like this – to find out what their ex is up to, for example.”
7. Free tablets will be offered to prime content customers
Tablets and e-readers are all the rage, and more and more often in closed ecosystems such as the iPad with iTunes or the Kindle with Amazon. As the Kindle price keeps dropping, the Labs predict that 2013 may bring a free e-reader or tablet for prime customers of companies who charge for content, like Amazon or Barnes & Noble. “Closed ecosystems are more secure, but you have to trust the provider to protect your privacy,” says Sullivan.
For ongoing analysis from the F-Secure Labs, follow News from the Lab.
The Sony hack of late 2014 sent shock waves through Hollywood that rippled out into the rest of the world for months. The ironic hack of the dubious surveillance software company Hacking Team last summer showed no one is immune to a data breach - not even a company that specializes in breaking into systems. After a big hack, some of the first questions asked are how the attacker got in, and whether it could have been prevented. But today we're asking a different question: whether, once the attacker was already in the network, the breach could have been detected. And stopped. Here's why: Advanced attacks like the ones that hit Sony and Hacking Team are carried out by highly skilled attackers who specifically target a certain organization. Preventive measures block the great majority of threats out there, but advanced attackers know how to get around a company's defenses. The better preventive security a company has in place, the harder it will be to get in…but the most highly skilled, highly motivated attackers will still find a way in somehow. That's where detection comes in. Thinking like an attacker If an attacker does get through a company's defensive walls, it's critical to be able detect their presence as early as possible, to limit the damage they can do. There has been no official confirmation of when Sony's actual breach first took place, but some reports say the company had been breached for a year before the attackers froze up Sony's systems and began leaking volumes of juicy info about the studio's inner workings. That's a long time for someone to be roaming around in a network, harvesting data. So how does one detect an attacker inside a network? By thinking like an attacker. And thinking like an attacker requires having a thorough knowledge of how attackers work, to be able to spot their telltale traces and distinguish them from legitimate users. Advanced or APT (Advanced Persistent Threat) attacks differ depending on the situation and the goals of the attacker, but in general their attacks tend to follow a pattern. Once they've chosen a target company and performed reconnaissance to find out more about the company and how to best compromise it, their attacks generally cover the following phases: 1. Gain a foothold. The first step is to infect a machine within the organization. This is typically done by exploiting software vulnerabilities on servers or endpoints, or by using social engineering tactics such as phishing, spear-phishing, watering holes, or man-in-the-middle attacks. 2. Achieve persistence. The initial step must also perform some action that lets the attacker access the system later at will. This means a persistent component that creates a backdoor the attacker can re-enter through later. 3. Perform network reconnaissance. Gather information about the initial compromised system and the whole network to figure out where and how to advance in the network. 4. Lateral movement. Gain access to further systems as needed, depending on what the goal of the attack is. Steps 2-4 are then repeated as needed to gain access to the target data or system. 5. Collect target data. Identify and collect files, credentials, emails, and other forms of intercepted communications. 6. Exfiltrate target data. Copy data to the attackers via network. Steps 5 and 6 can also happen in small increments over time. In some cases these steps are augmented with sabotaging data or systems. 7. Cover tracks. Evidence of what was done and how it was done is easily erased by deleting and modifying logs and file access times. This can happen throughout the attack, not just at the end. For each phase, there are various tactics, techniques and procedures attackers use to accomplish the task as covertly as possible. Combined with an awareness and visibility of what is happening throughout the network, knowledge of these tools and techniques is what will enable companies to detect attackers in their networks and stop them in their tracks. Following the signs Sony may have been breached for a year, but signs of the attack were there all along. Perhaps these signs just weren't being watched for - or perhaps they were missed. The attackers tried to cover their tracks (step 7) with two specific tools that forged logs and file access and creation times - tools that could have been detected as being suspicious. These tools were used throughout the attack, not just at the end, so detection would have happened well before all the damage was done, saving Sony and its executives much embarrassment, difficult PR, lost productivity, and untold millions of dollars. In the case of Hacking Team, the hacker known as Phineas Fisher used a network scanner called nmap, a common network scanning tool, to gather information about the organization’s internal network and figure out how to advance the attack (step 3). Nmap activity on a company internal network should be flagged as a suspicious activity. For moving inside the network, step 4, he used methods based on the built-in Windows management framework, PowerShell, and the well-known tool psexec from SysInternals. These techniques could also potentially have been picked up on from the way they were used that would differ from a legitimate user. These are just a few examples of how a knowledge of how attackers work can be used to detect and stop them. In practice, F-Secure does this with a new service we've just launched called Rapid Detection Service. The service uses a combination of human and machine intelligence to monitor what's going on inside a company network and detect suspicious behavior. Our promise is that once we've detected a breach, we'll alert the company within 30 minutes. They'll find out about it first from us, not from the headlines. One F-Secure analyst sums it up nicely: "The goal is to make it impossible for an attacker to wiggle his way from an initial breach to his eventual goal." After all, breaches do happen. The next step, then, is to be prepared. Photo: Getty Images
Little changes can make a difference. For instance, Twitter's decision to switch a star for a heart as its "Favorite" button increased use of the button by as much as 27.82 percent. And it's clear that despite Wall St. demanding that site grow faster and be easier for new users to grasp to have some hope of keeping up with competitors like Facebook and Snapchat, the site is still sweating the small stuff. Here are the four changes to the service announced this week: Replies: When replying to a Tweet, @names will no longer count toward the 140-character count. This will make having conversations on Twitter easier and more straightforward, no more penny-pinching your words to ensure they reach the whole group. Media attachments: When you add attachments like photos, GIFs, videos, polls, or Quote Tweets, that media will no longer count as characters within your Tweet. More room for words! Retweet and Quote Tweet yourself: We’ll be enabling the Retweet button on your own Tweets, so you can easily Retweet or Quote Tweet yourself when you want to share a new reflection or feel like a really good one went unnoticed. Goodbye, .@: These changes will help simplify the rules around Tweets that start with a username. New Tweets that begin with a username will reach all your followers. (That means you’ll no longer have to use the ”.@” convention, which people currently use to broadcast Tweets broadly.) If you want a reply to be seen by all your followers, you will be able to Retweet it to signal that you intend for it to be viewed more broadly. These tweaks are in line with Twitter's tradition of paying attention to how people use the site and make it easier for them to do what early adopters are already doing. That's how we got hashtags, retweet buttons and @ replies. Now you'll be able to tweet a bit longer messages, something people do now with screenshots of text, and have more public conversations, something people do now by putting a "." before someone's @username so their whole feed sees the conversation not just people who happen to follow you and the user you're conversing with. Cool. These are useful little nudges that will keep people who already love the site engaged -- even though they may have some ugly unforeseen consequences. But will they transform Twitter and spark a new wave of growth? Not likely. What would without alienating the hundreds of millions of loyal users? Tough question and we'd like to know what you think. [polldaddy poll=9429603] Cheers, Jason [Image by dominiccampbell | Flickr]