Seven Things to Watch for in 2015

A new year begins at midnight and Threatpost highlights seven things you’re bound to contend with in 2015.

P4ssw0rds got you down? POODLEs Bashing you over the head giving you Heartbleed? Well, bad puns aside, 2014 was a rough year and you can surely expect more of the same in 2015—with a few new twists. Hackers will still chase credit card numbers and point-of-sale systems, but they’ve got their eye on health care data and you can bet on more commodity cybercrime tools showing up in APT attacks. Your best response? Encrypt everything, win with privacy—and for heaven’s sake, stop shaming victims. Here’s a look at seven things to watch in 2015:


Healthcare Data is the New Credit Card Number

If you believe the data coming out of underground sites, credit card numbers have flooded the market, driving the price of a stolen card down. What’s in is identity data and credentials, and the most vulnerable subset of personal information is health care information. As with any rush to market, the conversion of paper records to electronic ones is likely to leave gaping holes ripe for a hungry community of hackers who can turn a quick profit with information that can be used for fraud, insurance scams and illicit drug purchases.

Move Over Heartbleed, Bash, POODLE

Where is the next big Internet-wide bug hiding, and when will this cockroach show itself? Unanswerable questions today, but be sure that there will be more of them in 2015. The myth that open source software packages are inherently more secure has been shattered by the litany of badness uncovered in OpenSSL, the Bourne Again Shell (Bash) and other widely deployed packages. These projects have, contrary to popular belief, relatively few eyeballs looking at the code and even less money funding them. The end result is the row of Heartbleed, Shellshock and POODLE exploits that organizations will have to contend with for months to come.


The Blurring Line Between Crime and State Espionage

Why are we shocked when we hear about APT gangs pulling off attacks against chemical companies, utilities and the like using a banking Trojan? Rather than burn an expensive zero-day vulnerability in an attack against a high-value target, using a commodity exploit against a commodity bug almost always yields the same results. Industrial targets in particular seem lax about understanding web-based vulnerabilities and about patching gear, because patching means unacceptable downtime. With the source code for Carberp, Zeus and other nastiness available online, this distinction figures to go away in 2015.

An End to Victim Shaming

Can the security industry put on its big-boy pants and stop blaming and shaming enterprise security organizations that are victimized in hacks and breaches? Here’s a dose of reality: While the research and vendor community can afford to study tomorrow’s problems, security and network managers are still too busy putting out yesterday’s fires to worry about what some Russian APT gang is doing in the Middle East. They’re fighting a short-sheeted budget, absurd industry compliance demands, and users who can’t get past logging into Outlook Web Access with “p4ssw0rd” as a password. How about from now on, we wag our fingers and shake our heads at those who deserve it: Criminals.


Win With Privacy

Facebook, Google, Microsoft, Twitter et al. have done a noble, albeit self-serving, job of petitioning the government for more transparency about government requests for user and customer data. Privacy is a thinly veiled differentiator for these technology giants. How about the industry going all the way and competing aggressively on the privacy of its web-based services? We should see more companies in 2015 encrypt everything, store nothing and follow Apple’s lead with iOS 8 by engineering products so that it’s impossible for the provider to comply with intrusive data requests.

Retail, Retail, Retail

Don’t expect point-of-sale malware to back off any time soon—not because old POS systems and the Windows XP servers holding them up are suddenly going to get harder to exploit. No, it’s because the attackers’ window of opportunity is rapidly closing. Granted, the switchover to chip-and-PIN credit cards will be slow, but there is a soft October 2015 deadline when liability shifts by law from the banks to whichever party in a transaction does not support chip-and-PIN or EMV. While chip-and-PIN isn’t a cure for credit card fraud, it does put attackers using point-of-sale malware on notice that their favorite weapon may be on life support.


Cruising and Browsing: A Bad Match

Chris Valasek and Charlie Miller have created a cottage industry out of car hacking. For two years, they’ve been more than a passing curiosity at hacking conferences with their research into the soft spots inside modern automobiles outfitted with Bluetooth and other means of connectivity. They’ve even made for some good TV with a backseat-driving exhibition in which they took control of a vehicle’s steering and braking. While these proof-of-concept exploits are neat, the real risk is closer than we know, as car builders are starting to outfit vehicles with full-fledged web browsers. The 2015 Volvo V60 T6, for example, promises a full browser built into the dash. So let’s not be so quick to dismiss car hacking as a novelty; it could soon be a click away.

Discussion

  • Day Milovich on

    This post reminds me of one thing: everyone should be a hacker. In 2015 it becomes a "must be". Thanks!
  • PhilBAR on

    "How about from now on, we wag our fingers and shake our heads at those who deserve it: Criminals." Really? So if we shame cyber-criminals, they'll stop stealing our stuff? We are all victims of cyber-crime. This is different from a criminal stealing money from a company; now they're stealing MY data, MY health records, MY financial data, etc. Companies are ethically obligated to make all reasonable efforts to protect MY data, regardless of the legal coverage their "privacy" policies might provide. How are we to publicly debate what "reasonable efforts" means if we don't focus on what could have been done to prevent a breach? And how would you propose that we get the public interested in this debate without explicitly attributing responsibility when there is a failure to make these reasonable efforts?
  • Cynthia on

    I'll be shopping for a new car soon (as soon as my 15-year-old takes this old one from me). I have NO interest in an in-dash browser. There are just SO many ways that can go wrong. But I do agree with PhilBAR to an extent. I see your point, companies are busy, of course. But so often, we're making things easier than they should be for hackers.
  • SJ on

    Why should companies have to be blamed? Why can't You and I be responsible for our own actions? If we put data where someone else can steal it, then we are accepting the risk. No one has to use a credit card, as far as I know. There's still this thing known as CASH we can use to pay our bills. If that's not convenient, how about CHECKS? And yes, even checks bring risk. You know what, "everything" is risky! Who are you going to blame if a meteor hits you? Who do you blame when a tornado or earthquake or hurricane occurs? A company should not have to be at fault when we choose to use plastic cards or electronic payment methods.
    • Deramin on

      I disagree, SJ. What you're arguing is equivalent to saying people who work in factories with bad safety records are at fault when they get hurt because they chose to work there. It is reasonable to assume that companies have an obligation to protect you from reasonably predictable things. I'm willing to have sympathy for a business hit with a zero-day exploit. But I'll publicly shame any company that chose to save money by playing exploit roulette and lost. This is not acceptable behavior, it's endangering everyone, and we need to whoop and holler about it until company boards see security as necessary.