Cybersecurity: What to watch out for in 2018?

Machine learning for information security has prioritized defense: think intrusion detection systems, malware classification and botnet traffic identification.

With the General Data Protection Regulation (GDPR) coming into play, the Internet of Things (IoT) and Artificial Intelligence (AI) are new tools in the hands of both attackers and defenders of consumer privacy. Cryptocurrencies, biometrics, the deployment of enterprise IT and cybersecurity will be the buzzwords of 2018.

It’s that time of year to look back and plan the year ahead; here are some of the key takeaways and trends to watch.

IoT botnets

IoT botnets are networks of Internet-connected smart devices that have been infected by malware and are controlled by a threat actor from a remote location.

The massive Mirai attack in October 2016 crippled internet infrastructure and services, and IoT botnets have been rumored to be involved in nearly every major DDoS attack since, including attacks on hospitals, national transport links, communication companies and political movements.

By 2020, Gartner predicts, we will see 26 billion connected devices. That is hundreds of thousands of new, vulnerable devices coming online every day. With each passing day the malware evolves to exploit an increasing number of vulnerabilities in wireless IP camera devices such as GoAhead, D-Link, TP-Link, AVTECH, NETGEAR, MikroTik, Linksys, Synology and others.

Moreover, the future portends exponentially larger and more destructive threats. Think your kids are safe?

With more smart toys that connect to wifi, have speech recognition capability and carry wireless transmitters and receivers, to name a few features, IoT is also the “Internet of Toys”: strangers can pinpoint your address, snag children’s names and birth dates, download your son or daughter’s photo and even listen in on your conversations and record your child’s voice.

It is critical that companies and individuals protect their networks and assets with authentication, encryption, firewalls and similar controls as the IoT landscape expands.

Automated spear phishing attacks using data science and social networks

Social networks, especially Twitter with its access to extensive personal data, bot-friendly API, colloquial syntax and prevalence of shortened links, are the perfect venues for spreading machine-generated malicious content.

There is also an implicit trust: no one suspects their social networks of carrying negative content. Furthermore, there are incentivized data disclosures, which make people want to share personal details about themselves.

In a video from DEF CON 24, a hacker conference that took place last August in Las Vegas, two data scientists from ZeroFOX, which specializes in threats over social media, demo an automated system for writing targeted tweets at Twitter users with malicious links. It worked disturbingly well. Traditionally, spear phishing is a time-intensive activity: a real person needs to sit down, research a mark and then craft a message that fits their personal interests while sounding plausible. These two proved computers could pull it off at machine speed, as The Atlantic previously reported.

SNAP_R (Social Media Automated Phishing and Reconnaissance), by these two data scientists, Philip Tully and John Seymour, works by taking posts from a Twitter user’s timeline and using their most frequently used words and interests to customize fraudulent posts based on that timeline. It starts by prepending tweets the user posts. The tool also shortens the payload for the user, and triages user-targets based on their relative value and engagement on the platform. “It is designed to only target people who are likely to click on links based on their value and engagement,” say Tully and Seymour.

Advancements of social engineering including offline data

Social engineering is an activity that has been going on for a long time. It is the ability to get someone to do what you want without them even knowing it. The best social hackers can not only get someone to do something for them; they are able to make the person go way out of character to get the request done.

Not only do social media sites give hackers access to personal information, some sites can also share your exact whereabouts at any point in time. And if someone knows where you are, they also know where you are not. For instance, the social media network Foursquare allows users to “check in” to the places they visit, such as school, work, restaurants or even the movie theater. Any number of people can easily tell where you are, and at what time of day, by logging into the social network and looking at your profile. The indicator that you are away from home base can put your valuables and safety at risk.

Furthermore, the idea that taking your PC or laptop offline decreases the chance of hacking is proving to be a fallacy. In 2016, researchers at Tel Aviv University and the Technion demonstrated that an air-gapped PC or laptop could be attacked via a “side channel”: an attack that relies on the electromagnetic emissions of the laptop during the decryption process, which are used to work out the target’s key.

As mobile technology is continuously evolving, so are mobile cybersecurity threats. Every new phone, tablet and mobile device serves as an additional opportunity for a cyber attacker to gain access to someone’s personal data. As many mobile devices can be plugged into computers to be charged, sharing charging ports with others can create malware issues for many different devices.

Phone hacking to steal bitcoin, access email, bank theft

Hackers have discovered that one of the most central elements of online security — the mobile phone number — is also one of the easiest to steal.

One common crime that’s carried out on cryptocurrency investors is the phone-porting attack. Hackers snoop around social media, looking for cryptocurrency conversations in which investors post their phone and email for easy contact. Then, posing as the victim, they call up the phone provider in an attempt to fool the customer service representative into transferring the phone number to a device they control.

Once the hackers take over the phone number, they can go into the victim’s cryptocurrency exchange account by resetting the password, ultimately stealing cryptocurrencies from the account.

In a growing number of online attacks, hackers have been calling up Verizon, T-Mobile U.S., Sprint and AT&T and asking them to transfer control of a victim’s phone number to a device under the control of the hackers.

Once they get control of the phone number, they can reset the passwords on every account that uses the phone number as a security backup — as services like Google, Twitter and Facebook suggest.

Cryptocurrency hacking

Computer hacks, phishing attacks and cryptocurrency Ponzi schemes are all common types of cryptocurrency theft.

On Dec 7, 2017, nearly $64m in bitcoin was stolen by hackers who broke into the Slovenia-based bitcoin mining marketplace NiceHash.

The hack was “a highly professional attack with sophisticated social engineering” that resulted in approximately 4,700 bitcoin being stolen, worth about $63.92m at current prices, said NiceHash head of marketing Andrej P Škraba.

In another example, in November, millions of dollars’ worth of ether, the digital token of the ethereum blockchain, could be frozen in a cryptocurrency wallet because one individual “accidentally” triggered a bug. Parity, a cryptocurrency wallet provider, said in a security alert on Tuesday that it had discovered a “vulnerability” in its wallet that allowed users to change code and become the owners of wallets that didn’t belong to them.

The company said that one person “suicided” the wallet, deleting its code and freezing all ether tokens contained within. Users are now unable to move funds out of the wallet.

“We are analyzing the situation and will release an update with further details shortly,” Parity said in the security alert.

The coding “accident” affects all of Parity’s “multi-signature wallets” — wallets that require one user to sign another’s transaction before it is added to the ethereum blockchain — which were created after July 20.

In July, one of Parity’s multi-signature wallets was compromised because of a coding error. Hackers managed to steal roughly $30 million worth of the world’s second-largest cryptocurrency because of the bug.
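To make the freeze mechanism concrete, here is a simplified, added illustration (hypothetical contracts, not Parity’s actual code) of a shared wallet library whose initializer lacks a once-only guard, shown beside the guarded form, and of a wallet that delegates all of its logic to that library; the names WalletLibrary, Wallet, initWalletUnguarded and kill are assumptions for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;
// Simplified, hypothetical illustration (not Parity's code) of the pattern behind
// the November 2017 freeze: many wallets delegate all logic to one shared library.
contract WalletLibrary {
    address[] public owners;   // set once by the initializer
    bool public initialized;

    // VULNERABLE: no once-only guard. If the shared library itself is never
    // initialized, anyone can call this on it and become its owner.
    function initWalletUnguarded(address[] memory _owners) public {
        owners = _owners;
        initialized = true;
    }

    // HARDENED: runs only once, so the deployer initializes the library
    // before anyone else can claim ownership of it.
    function initWallet(address[] memory _owners) public {
        require(!initialized, "already initialized");
        owners = _owners;
        initialized = true;
    }

    function isOwner(address who) public view returns (bool) {
        for (uint256 i = 0; i < owners.length; i++) {
            if (owners[i] == who) return true;
        }
        return false;
    }
    // Destroying the library removes the code every wallet delegates to.
    function kill(address payable to) public {
        require(isOwner(msg.sender), "not owner");
        selfdestruct(to);
    }
}

contract Wallet {
    address public immutable lib;
    constructor(address _lib) { lib = _lib; }
    // Every call runs the library's code against this wallet's storage. Once the
    // library is destroyed there is no code left to run, so the ether held here
    // can no longer be moved: this is the "frozen" state described above.
    fallback() external payable {
        require(lib.code.length > 0, "library destroyed: wallet frozen");
        (bool ok, ) = lib.delegatecall(msg.data);
        require(ok, "library call failed");
    }
    receive() external payable {}
}
```

The defensive lesson is the one-line `require(!initialized, ...)` guard plus initializing the shared library at deployment, so no outside caller can ever claim it and destroy the code that every dependent wallet relies on.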

Targeted Ransomware

Businesses, personal affairs, governmental and organizational activity and every other sort of thing you can think of are shifting irreversibly to the cloud.

The shift is permanent because it brings so many advantages. Who would go back to searching for addresses on paper maps after using online mapping services, to saving and filing canceled paper checks rather than inspecting them online, or to doing a thousand other chores in pre-cloud form?

In addition to these corporate and public services, whose users are increasingly conducting their business and storing their data in the cloud rather than on paper, our personal data has moved to the cloud as well, with the premise that we’ll be able to retrieve and work on our correspondence, our contacts, our photos and documents, from any computer connected to the Internet.

The more we rely on the cloud, the more we expose ourselves to its vulnerabilities. These include the breakdowns that affect any complex system and deliberate attacks—for criminal gain, spying, or sabotage—that are sure to increase as the value of cloud-based information does. Where the money is and where the sensitive information is concentrated, that is where the spies will go. This is just a fact of life. The more important online storage becomes, the more relentlessly it will be under attack.

Where social security numbers, medical records, photos, emails, intellectual property, research and financial data are available, there is always a chance of being held to ransom.

In Conclusion

Take careful inventory of security best practices and look to implement user education programs in order to close any gaps that may exist. Research or engage a professional. Don’t be the next profitable victim.

About the author
I am an Internet, Security and Data Center industry veteran and executive who has worked for companies ranging from Internet startups to the Fortune 150, in many different capacities from technical to business-level roles.

Unless otherwise noted, opinions expressed are solely my own and do not express the views or opinions of my employer.

For other articles on Cybersecurity, IT, and Sales Leadership, I invite you to my blog at