2017 is nearly here. People are looking ahead to the new year. And for cyber security experts, this inevitably involves thinking about what threats we’ll all have to contend with in the near future.

The possibilities might seem incalculable. But experts know the past always offers clues about what attackers are focusing their attention on. Bad software launched one year becomes a target the next. New, insecure devices become security risks. And so on.

So if you’re the betting type, here’s where you should put your money in 2017.

“China will increase cyber espionage ops in the United States”

Russia and their cyber espionage capabilities made headlines in 2016 thanks to their perceived involvement in the recent US presidential election. But China, and the prospect of them using cyber attacks to dig up dirt on the incoming administration, are the threat actors the US needs to start worrying about.

It wasn’t too long ago that everyone was upset about China. The Office of Personnel Management hack disclosed in 2015 was reported to affect as many as 14 million people. It was enough for Obama to push back against China on cyber security matters.

But the new administration seems to be blissfully unaware as to how and why nation-states use cyber attacks to develop their political interests. For example, the incoming national security advisor apparently once had an unauthorized internet connection installed in the Pentagon, basically eliminating the “air gap” used to safeguard one of the US’ most important national security centers. Stuff like this makes Michael Flynn a cyber attack victim waiting to happen.

As for motive, a normal presidential transition would attract China’s attention, as they would like to catch “sneak peeks” or a “behind the scenes look” at the policies and positions of the incoming administration. But this wasn’t a normal election. Trump and his political network caused controversy throughout their campaign.
Pulling that thread by digging up non-public dirt can help China gain leverage over Trump’s team, and actually unravel initiatives, policies, and positions that might run against their interests. And China has the motives and capabilities to make this happen in 2017.

-Sean Sullivan, Security Advisor

“We’ll see more DDoS attacks from the internet of things”

The Mirai attacks against Dyn seemed to take many people by surprise. I think the shock value of the attack, which is how I interpreted the massive amount of media coverage the attacks generated, is a by-product of people either misunderstanding or underestimating the threat posed by the proliferation of insecure internet of things (IoT) devices.

All new technologies enter this phase where early adopters begin using them in ways not foreseen by original manufacturers. IoT devices are in this part of their adoption cycle. We’re seeing certain “design flaws” that aren’t apparent when testing these products in a lab or under controlled testing conditions. That’s why we saw one company recall their webcams in the wake of the Dyn hack. They realized that the security flaw in that particular model was something that could be used by hackers, which wasn’t something they considered when designing the device.

So I definitely think IoT devices will increasingly be used for Denial of Service attacks through 2017. But the good news is that I don’t think the problem will escalate beyond DDoS stuff until 2018, when we’ll probably see hackers working to attack device owners through their IoT gadgets. That gives the cyber security industry, regulators, and device manufacturers time to work together to protect the smart environments we’re creating.

-Mika Stählberg, Chief Technology Officer

“The backdoor debate will eat through Europe”

Cryptography is one of the few counterweights to the security risks entrenched in the digital infrastructure we rely on today.
It’s a cornerstone of security used to protect the information we entrust to digital environments. By using cryptographic means to safeguard information that’s stored or transmitted digitally, people can trust that their information stays safe from the prying eyes of spies, criminals, and even companies.

Unfortunately, not everyone appreciates the benefits this type of security has for individuals, companies, and society. In recent years, governments have been exploring ways to essentially weaken the ability of IT companies to use cryptography. Apple’s spat with the FBI over encrypted iPhones is probably the best example of how policy makers and IT companies clash over this issue. A more significant (and recent) example is the approval of the so-called “Snoopers’ Charter” in the UK.

In 2017, we’ll see a revitalized push for IT companies to accommodate surveillance needs by weakening the security of their products and services. Politicians in different European nations will follow France’s lead and discuss legal and technical ways to give governments the capability to monitor people’s digital activities. Proponents of these types of regulatory initiatives will clash with those who believe sacrificing security measures such as cryptography will increase everyone’s exposure to cyber crime, foreign intelligence gathering, government persecution, and more.

I’ve testified in front of governments about these issues in the past. And I expect to do so again in 2017.

-Erka Koivunen, Chief Information Security Officer

“Someone will create the first Wi-Fi worm”

2016 saw some developments with internet of things security that I think give some clues about how the threat landscape will shape up next year. The destructive capabilities of botnets and DDoS attacks certainly became more apparent. I think Mirai really highlighted the potential value of targeting internet-connected devices like IoT products and routers, and I think we’ll see this trend continue next year.
Specifically, I think we might see the creation of “Wi-Fi worms” – a type of malware that could quickly spread through an urban area by using Wi-Fi to infect routers. Basically, an infected device would contain code that attempts to copy itself to routers via Wi-Fi connections. Once a router becomes infected, the worm then attempts to find and replicate itself to more routers.

Now, I don’t necessarily foresee this being something used in attacks. It may be something developed as a proof-of-concept by researchers. But we’ve seen more attention being paid to routers and non-PC devices in the past few years. A Wi-Fi worm is a logical extension of what we’ve seen with Mirai, and I think current technologies and tactics have put this within reach.

-Sean Sullivan, Security Advisor

“Man and machine will dominate cyber security”

Commodity malware is becoming less effective against the kind of endpoint protection we have nowadays. You might not think that based on some of the terrible security incidents that made headlines in 2016. But it’s true.

It’s not just about malware anymore. Hackers can take run-of-the-mill, commodified malware and find new and innovative ways to use it. Sometimes this involves social engineering their way into an account with a phishing email. Other times they’re able to find servers that have simply been forgotten by IT admins, and then use those as beachheads to penetrate networks.

Combining artificial intelligence and human ingenuity is how the cyber security industry will combat these threats in the future. Tasks like risk analysis, penetration testing, threat assessments, incident response, and forensics, can all be innovated by leveraging the benefits of man and machine working together. And we’ll see industry players and even cyber security startups put a lot of focus on growing their expertise with this approach in 2017.

-Andy “Cyber Gandalf” Patel, Senior Manager, Technology Outreach

[Image by Cambodia4kids.org Beth Kanter | Flickr]

"For years, signature-based antivirus detection has been only a fraction of what security companies have been offering... If someone thinks that antivirus being dead is news then we don't know in what world they have been living in for the past five to six years," F-Secure's Timo Laaksonen said -- two years ago!

But the question has remained a topic of constant debate among security researchers, which is why "Is AV dead?" was the theme of AVAR, an annual event organized by the Association of Anti-Virus Asia Researchers (AVAR) since 1998. This year, F-Secure hosted the event and our chief research officer Mikko Hypponen delivered a keynote at the three-day event in Kuala Lumpur that featured discussions that tackled the questions of AV's demise with sessions like "Is AV Dead - Or Just Missing in Action?" and "Advanced Endpoint Protection Says AV is Dead. Should you?"

https://www.youtube.com/watch?v=GtegflcYGpo

When many people -- including Wikipedians -- mention antivirus they're referring to software "used to prevent, detect and remove malicious software" by "relying heavily upon signatures to identify malware."

What's a signature? Now you ask! Once a piece of malware is identified, "a signature of the file is extracted and added to the signatures database," which is either unique to the AV solution or shared with several providers via a common database. Highly professionalized modern malware is obviously designed to evade signature detection, which has existed for decades.

"All technically minded people know that there aren’t any signature-only endpoint protection products on the market," F-Secure Labs' "Cyber Gandalf" Andy Patel explained in a recent post on the News from the Labs blog. Andy notes that F-Secure's endpoint solutions employ four "non-signature" technologies that go beyond classic signature protection.
He adds that "we actually have internal test configurations with signature-based technologies disabled and our products still do a great job at blocking emerging threats."

Why should this matter to you, someone who doesn't reverse engineer malware for a living? Because given the billions of dollars being made in cyber crime and the billions being invested by nation-states in both offensive and defensive cyber tools, the average internet user's best hope for securing her data is finding security that's at least as advanced as the threats it faces. And any industry that doesn't constantly ask if its technology is becoming obsolete is probably already there.

So is AV dead? Maybe. Or, as Timo noted years ago, it's been assimilated like a piece of a much larger puzzle. Because this is the digital age and that's just what happens to most everything.

Using public Wi-Fi without a VPN is risky. Lots of people know that. Unfortunately, most don’t give a s**t.

Think about it. People do all kinds of risky things even when they know they shouldn’t. They smoke, drink, eat too much. You get the idea. But when it comes to public Wi-Fi, one of the biggest reasons people don’t care about the risks is because they don’t really know what they are.

Well, we’re going to let you in on a little secret. Ready? Free public Wi-Fi isn’t actually free. In fact, every time you use it you’re exposing really personal stuff like your passwords, search history and waaaaay more.

So why would anyone be interested in seeing your personal stuff? After all, it’s not like your name is Kim or Kanye, right? Long story short: So they can hack you. All it really takes is a few hundred dollars, some easy-to-buy software and a criminal mind. And it happens all the time. In fact, one in ten people will be the victim of an online crime.

We took to the streets of New York to have some fun and prove a very important point. If people actually knew just how much intimate stuff they were giving away on public Wi-Fi, would they? Well, you’ll have to watch the hilarious video to find out. But let’s just say you’d be surprised just how far some people are actually willing to go to get online. In fact, some of the stuff people were willing to reveal in exchange for our free Wi-Fi password (no, we weren’t actually giving away free Wi-Fi) was so risque that it ended up on the cutting room floor.

Risking it all for free Wi-Fi is ridiculous. Luckily, it’s also ridiculously easy to protect yourself with Freedome VPN.

https://www.youtube.com/watch?v=fN7z-XrSQyE