P4ssw0rds got you down? POODLEs Bashing you over the head giving you Heartbleed? Well, bad puns aside, 2014 was a rough year and you can surely expect more of the same in 2015—with a few new twists. Hackers will still chase credit card numbers and point-of-sale systems, but they’ve got their eye on health care data and you can bet on more commodity cybercrime tools showing up in APT attacks. Your best response? Encrypt everything, win with privacy—and for heaven’s sake, stop shaming victims. Here’s a look at seven things to watch in 2015:
Healthcare Data is the New Credit Card Number
If you believe the data coming out of underground sites, credit card numbers have flooded the market driving the price of a stolen card down. What’s in is identity data and credentials. And the most vulnerable subset of personal information is health care information. As with any rush-to-market, the conversion of paper records to electronic is likely to leave gaping holes ripe for a hungry community of hackers who can turn a quick profit with information that can be used for fraud, insurance scams and illicit drug purchases.
Move Over Heartbleed, Bash, POODLE
Where is the next big Internet-wide bug hiding, and when will this cockroach show itself? Unanswerable questions today, but be sure that there will be more of them in 2015. The myth that open source software packages are inherently more secure has been shattered by the litany of badness uncovered in OpenSSL, the Bourne Again Shell and other widely deployed code. These projects have, contrary to popular belief, relatively few eyeballs looking at the code and even less money funding the work. The end result is the string of Heartbleed, Shellshock and POODLE exploits that organizations will have to contend with for months to come.
The Blurring Line Between Crime and State Espionage
Why are we shocked when we hear about APT gangs pulling off attacks against chemical companies, utilities and the like using a banking Trojan? Rather than burn an expensive zero-day vulnerability in an attack against a high-value target, using a commodity exploit against a commodity bug almost always yields the same results. Industrial targets in particular seem lax about understanding web-based vulnerabilities and slow to patch gear, because patching means unacceptable downtime. With the source code for Carberp, Zeus and other nastiness available online, this distinction figures to go away in 2015.
An End to Victim Shaming
Can the security industry put on its big-boy pants and stop blaming and shaming enterprise security organizations that are victimized in hacks and breaches? Here’s a dose of reality: While the research and vendor community can afford to study tomorrow’s problems, security and network managers are still too busy putting out yesterday’s fires to worry about what some Russian APT gang is doing in the Middle East. They’re fighting a short-sheeted budget, absurd industry compliance demands, and users who can’t get past logging into Outlook Web Access with “p4ssw0rd” as a password. How about from now on, we wag our fingers and shake our heads at those who deserve it: Criminals.
Win With Privacy
Facebook, Google, Microsoft, Twitter et al. have done a noble, albeit self-serving, job of petitioning the government for more transparency about government requests for user and customer data. Privacy is a thinly veiled differentiator for these technology giants. How about the industry going all the way and competing aggressively on the privacy of their web-based services? We should see more companies in 2015 encrypt everything, store nothing and follow Apple’s lead with iOS 8 by engineering products so that it is impossible for the provider to comply with intrusive data requests.
Retail, Retail, Retail
Don’t expect point-of-sale malware to back off any time soon—not because old POS systems and the Windows XP servers holding them up are suddenly going to get harder to exploit. No, it’s because the attackers’ window of opportunity is rapidly closing. Granted, the switchover to chip-and-PIN credit cards will be slow, but there is a soft October 2015 deadline after which liability shifts by law from the banks to whichever party does not support chip-and-PIN or EMV in a transaction. While chip-and-PIN isn’t a cure for credit card fraud, it does put attackers using point-of-sale malware on notice that their favorite weapon may be on life support.
Cruising and Browsing: A Bad Match
Chris Valasek and Charlie Miller have created a cottage industry out of car hacking. For two years, they’ve been more than a passing curiosity at hacking conferences with their research into the soft spots inside modern automobiles outfitted with Bluetooth and other means of connectivity. They’ve even made for some good TV with a backseat-driving exhibition in which they took control of a vehicle’s steering and braking. While these proof-of-concept exploits are neat, the real risk is closer than we know, as automakers are starting to outfit vehicles with full-fledged web browsers. The 2015 Volvo V60 T6, for example, promises a full browser built into the dash. So let’s not be so quick to dismiss car hacking as a novelty; it could soon be a click away.