The end of the year is traditionally a time for reflection – for taking stock of our lives and looking to the future. So we’d like to offer you our forecast for the year ahead, looking at the key issues that we believe are likely to dominate the security landscape in 2013. Of course, the future is always rooted in the present, so our security retrospective, outlining the key trends of 2012, is a good starting-point.
1. Targeted attacks and cyber-espionage
While the threat landscape is still dominated by random, speculative attacks designed to steal personal information from anyone unlucky enough to fall victim to them, targeted attacks have become an established feature in the last two years. Such attacks are specifically tailored to penetrate a particular organization and are often focused on gathering sensitive data that has a monetary value in the ‘dark market’. Targeted attacks can often be highly sophisticated. But many attacks start by ‘hacking the human’, i.e. by tricking employees into disclosing information that can be used to gain access to corporate resources. The huge volume of information shared online and the growing use of social media in business has helped to fuel such attacks – and staff with public-facing roles (for example, those with sales or marketing roles within a company) can be particularly vulnerable. We can expect the growth of cyber-espionage to continue into 2013 and beyond. It’s easy to read the headlines in the computer press and imagine that targeted attacks are a problem only for large organizations, particularly those that maintain ‘critical infrastructure’ systems within a country. However, any organization can become a victim. All organizations hold data that is of value to cybercriminals; and they may also be used as ‘stepping-stones’ to reach other companies.
2. The onward march of ‘hacktivism’
Stealing money – either by directly accessing bank accounts or by stealing confidential data – is not the only motive behind attacks. Sometimes the purpose of an attack is to make a political or social point. There was a steady stream of such attacks this year. This included the DDoS attacks launched by Anonymous on government websites in Poland, following the government’s announcement that it would support ACTA (the Anti-Counterfeiting Trade Agreement); the hacking of the official F1 website in protest against the treatment of anti-government protesters in Bahrain; the hacking of various oil companies in protest against drilling in the Arctic; the attack on Saudi Aramco; and the hacking of the French Euromillions website in a protest against gambling. Society’s increasing reliance on the Internet makes organizations of all kinds potentially vulnerable to attacks of this sort, so ‘hacktivism’ looks set to continue into 2013 and beyond.
3. Nation-state-sponsored cyber-attacks
Stuxnet pioneered the use of highly sophisticated malware for targeted attacks on key production facilities. However, while such attacks are not commonplace, it’s now clear that Stuxnet was not an isolated incident. We are now entering an era of cold ‘cyber-war’, where nations have the ability to fight each other unconstrained by the limitations of conventional real-world warfare. Looking ahead we can expect more countries to develop cyber weapons – designed to steal information or sabotage systems – not least because the entry-level for developing such weapons is much lower than is the case with real-world weapons. It’s also possible that we may see ‘copy-cat’ attacks by non-nation-states, with an increased risk of ‘collateral damage’ beyond the intended victim of the attack. The targets for such cyber-attacks could include energy supply and transportation control facilities, financial and telecommunications systems and other ‘critical infrastructure’ facilities.
4. The use of legal surveillance tools
In recent years, cybercrime has become more and more sophisticated. This has not only created new challenges for anti-malware researchers, but also for law enforcement agencies around the world. Their efforts to keep pace with the advanced technologies being used by cybercriminals are driving them in directions that have obvious implications for law enforcement itself. This includes, for example, what to do about compromised computers after the authorities have successfully taken down a botnet – as in the case of the FBI’s Operation Ghost Click, which we discussed here . But it also includes using technology to monitor the activities of those suspected of criminal activities. This is not a new issue – consider the controversy surrounding ‘Magic Lantern’ and the ‘Bundestrojan’. More recently, there has been debate around reports that a UK company offered the ‘Finfisher’ monitoring software to the previous Egyptian government and reports that the Indian government asked firms (including Apple, Nokia and RIM) for secret access to mobile devices. Clearly, the use of legal surveillance tools has wider implications for privacy and civil liberties. And as law enforcement agencies, and governments, try to get one step ahead of the criminals, it’s likely that the use of such tools – and the debate surrounding their use – will continue.
5. Cloudy with a chance of malware
It’s clear that the use of cloud services will grow in the coming years. There are two key factors driving the development of these services. The first is cost. The economies of scale that can be achieved by storing data or hosting applications in the cloud can result in significant savings for any business. The second is flexibility. Data can be accessed any time, any place, anywhere – and from any device, including laptops, tablets and smartphones. But as the use of the cloud grows, so too will the number of security threats that target it. First, the data centers of cloud providers form an attractive target for cybercriminals. ‘The cloud’ may sound fluffy and comfortable as a concept, but let’s not forget that we’re talking about data that’s stored on real servers in the physical world. Looked at from the perspective of a cybercriminal, they offer a potential single-point-of-failure. They hold large quantities of personal data in one place that can be stolen in one fell swoop if the provider should fall victim to a successful attack. Second, cybercriminals are likely to make more use of cloud services to host and spread their malware – typically through stolen accounts. Third, we should also remember that data stored in the cloud is accessed from a device in the ‘non-cloud’ world. So if a cybercriminal is able to compromise the device, they can gain access to the data – wherever it’s stored. The wide use of mobile devices, while offering huge benefits to a business, also increases the risk – cloud data can be accessed from devices that may not be as secure as traditional endpoint devices.
When the same device is used for both personal and business tasks, that risk increases still further.
6. Dude, where’s my privacy?!
The erosion, or loss, of privacy has become a hotly-debated issue in IT security. The Internet pervades our lives and many people routinely bank, shop and socialize online. Every time we sign up for an online account, we are required to disclose information about ourselves and companies around the world actively gather information about their customers. The threat to privacy takes two forms. First, personal data is put at risk if anything compromises the providers of goods and services we do business with. Hardly a week goes by without a news story about a company that has fallen victim to hackers, exposing the personal data of its customers. Of course, the further development of cloud-based services will only exacerbate this problem. Second, companies aggregate and use the information they hold about us for advertising and promotional purposes, sometimes without us even knowing about it, and it’s not always clear how to opt out of this process. The value of personal data – to cybercriminals and legitimate businesses – will only grow in the future, and with it the potential threat to our privacy increases.
7. Who do you trust?
If someone knocks on your front door and asks you to let them in, you’d probably be very reluctant to do so if they can’t show you a valid form of ID. But what if they do? And what if their ID isn’t fake, but a real ID from a legitimate organization? This would undermine the trust process that we’re all encouraged to rely on to keep us safe from real-world fraudsters. The same is true in the online world. We’re all predisposed to trust websites with a security certificate issued by a bona fide Certificate Authority (CA), or an application with a valid digital certificate. Unfortunately, not only have cybercriminals been able to issue fake certificates for their malware – using so-called self-signed certificates – they have also been able to successfully breach the systems of various CAs and use stolen certificates to sign their code. The use of fake, and stolen, certificates is set to continue in the future. The problem may well be compounded by a further development. In recent years, whitelisting has been added to the arsenal of security vendors – that is, checking code not only to see if it’s known to be malicious, but also checking to see if it’s ‘known-good’. But if rogue applications find their way onto a whitelist, they could ‘fly under the radar’ of security programs and go undetected. This could happen in several ways. The malware might be signed using a stolen certificate: if the whitelist application automatically trusts software signed by that organization, the infected program might also be trusted. Or cybercriminals (or someone inside a company) may gain access to the directory, or database, holding the whitelist and add their malware to the list. A trusted insider – whether in the real world or the digital world – is always well placed to undermine security.
8. Cyber extortion
This year we have seen growing numbers of ransomware Trojans designed to extort money from their victims, either by encrypting data on the disk or by blocking access to the system. Until fairly recently this type of cybercrime was confined largely to Russia and other former Soviet countries. But they have now become a worldwide phenomenon, although sometimes with slightly different modus operandi. In Russia, for example, Trojans that block access to the system often claim to have identified unlicensed software on the victim’s computer and ask for a payment. In Europe, where software piracy is less common, this approach is not as successful. Instead, they masquerade as popup messages from law enforcement agencies claiming to have found child pornography or other illegal content on the computer. This is accompanied by a demand to pay a fine. Such attacks are easy to develop and, as with phishing attacks, there seem to be no shortage of potential victims. As a result, we’re likely to see their continued growth in the future.
9. Mac OS malware
Despite well-entrenched perceptions, Macs are not immune to malware. Of course, when compared with the torrent of malware targeting Windows, the volume of Mac-based malware is small. However, it has been growing steadily over the last two years; and it would be naïve of anyone using a Mac to imagine that they could not become the victim of cybercrime. It’s not only generalised attacks – such as the 700,000-strong Flashfake botnet – that pose a threat; we have also seen targeted attacks on specific groups, or individuals, known to use Macs. The threat to Macs is real and is likely keep growing.
10. Mobile malware
Mobile malware has exploded in the last 18 months. The lion’s share of it targets Android-based devices – more than 90 per cent is aimed at this operating system. Android OS ‘ticks all the boxes’ for cybercriminals: it’s widely used, it’s easy to develop for, and those using the system are able to download programs (including malicious programs) from wherever they choose. For this reason, there is unlikely to be any slow-down in the development of malicious apps for Android. To date, most malware has been designed to get access to the device. In the future, we are likely to see the use of vulnerabilities that target the operating system and, based on this, the development of ‘drive-by downloads’. There is also a high probability that the first mass worm for Android will appear, capable of spreading itself via text messages and sending out links to itself at some online app store. We’re also likely to see more mobile botnets, of the sort created using the RootSmart backdoor in Q1 2012. By contrast, iOS is a closed, restricted file system, allowing the download and use of apps from just a single source – i.e. the App Store. This means a lower security risk: in order to distribute code, would-be malware writers would have to find some way of ‘sneaking’ code into the App Store. The appearance of the ‘Find and Call’ app earlier this year has shown that it’s possible for undesirable apps to slip through the net. But it’s likely that, for the time being at least, Android will remain the chief focus of cybercriminals. The key significance of the ‘Find and Call’ app lies in the issue of privacy, data leakage and the potential damage to a person’s reputation: this app was designed to upload someone’s phone book to a remote server and use it to send SMS spam.
11. Vulnerabilities and exploits
One of the key methods used by cybercriminals to install malware on victims’ computers is to exploit un-patched vulnerabilities in applications. This relies on the existence of vulnerabilities and the failure of individuals or businesses to patch their applications. Java vulnerabilities currently account for more than 50 per cent of attacks, while Adobe Reader accounts for a further 25 per cent. This isn’t surprising, since cybercriminals typically focus their attention on applications that are widely used and are likely to be un-patched for the longest time – giving them a sufficient window of opportunity to achieve their goals. Java is not only installed on many computers (1.1 billion, according to Oracle), but updates are installed on demand, not automatically. For this reason, cybercriminals will continue to exploit Java in the year ahead. It’s likely that Adobe Reader will also continue to be used by cybercriminals, but probably less so because the latest versions provide an automatic update mechanism.
by David Emm (Kaspersky Lab)