2014 Predictions: The Threat Landscape

Here’s what I think we’re in for next year when it comes to APTs and the overall threat landscape.

1. The demand for cybersecurity and IR skills will reach new highs.

As advanced threats have become more commonplace, the demands on existing incident response (IR) teams have begun to outstrip capacity, especially in enterprises and government entities where cybersecurity skills are already in short supply. A recent survey by the Ponemon Institute held that only 26 percent of security professionals felt they had the security expertise needed to keep up with advanced threats. Computer science programs will continue to adapt to this trend with more focused training in cybersecurity disciplines.

2. Advanced attackers will move to mobile devices.

A wave of crimeware and fraud has already begun to target mobile devices, which are ripe targets for new malware and a logical place for new threat vectors. Mobile platforms will be uniquely leveraged by APTs thanks to the ability to use GPS location to pinpoint individual targets and the ability to use cellular connectivity to keep command and control away from enterprise security measures.

3. Financially motivated malware makes a comeback, and the lines between APTs and organized crime will blur.

The focus of enterprise security will again be on the attacks where money changes hands. Banking and fraud botnets will continue to be some of the most common types of malware and will continue to have a major impact in real-world dollars.

Meanwhile, attribution of APTs is becoming ever more a focus in the industry, which means that more hacker groups will spend more time attempting to cover their tracks and hide any unique identifiers. To do so, they will attempt to imitate, contract with, or even infiltrate criminally focused hacking organizations to provide cover for their operations.

2014 Predictions: Virtual Data Center

The growth in public and private cloud adoption made 2013 a big year for the virtual data center, and there’s no question that will continue in 2014. In my 2014 predictions, here are three trends I expect we’ll hear a lot about in the new year.

1.  Zero Trust Network Segmentation

Globalization has fundamentally transformed the way we do business. It has created interdependencies between global supply chains and multinational partners, expanded global economic interactions with many “countries of interest,” and enabled the movement of people, goods and information. Enterprises need to enable access to applications and data, not just for employees, but also partners and contractors. They must do business with technology and manufacturing partners and provide access to new acquisition companies, while protecting against intellectual property and confidential data theft.

In 2014, organizations will look toward practical implementations of Zero Trust network segmentation architecture as a means to address these challenges. Implementations will vary widely from enterprise to enterprise, from those that need to create distributed boundaries of Zero Trust to those that focus on data center segmentation. The key network security requirement, however, will be for solutions that can be deployed with minimal impact to the network, while providing comprehensive visibility, control and safe application enablement.

2. Cloud Adoption Growth

Organizations in 2014 will be implementing or planning to implement  cloud networks, i.e. moving from virtualized application silos (web, app, database tier) to more flexible cloud architectures that enable the delivery of any application on any server at any time. Most organizations will deploy a hybrid model where certain applications and services are offloaded to public clouds, but critical services such as internal research and development, financial data and customer data  continue to reside within private cloud boundaries.

The decision on the applications and services to be deployed in public versus private clouds will depend largely on network security requirements. In particular, with greater concerns about the integrity of US-based data centers, revealed in cases such as the Snowden leaks, greater scrutiny will be placed on the security in cloud service providers.  A key consideration for hybrid clouds will be the definition of a consistent network security policy and management framework to be implemented across both public and private clouds.

3. Software Defined “Anything”

Organizations will spend resources and time to understand the emerging technologies of software defined anything—i.e. software defined networks, software defined data centers and various permutations of this new dynamic, programmable, automated network architecture. In particular, in the battle of the titans, VMware and Cisco, will provide vastly differing architectures — a software defined data center utilizing VMware NSX network virtualization technologies or a more hardware-centric SDN architecture approach with Cisco’s Application Centric Infrastructure (ACI).

Organizations will look for tighter integration among network security, virtualization and network virtualization solutions while maintaining separation of duties. Critical network security requirements will include the ability to deal with the new dynamic, services-oriented characteristics of software defined networks.

Two Thirds of Personal Banking Apps Found Full of Vulnerabilities

A researcher looked at the security of home banking apps, and found shocking results. Forty home banking apps from the top 60 most influential banks in the world were tested and found to have major security weaknesses.

Ariel Sanchez, a security consultant with IOActive, tested 40 iPhone and iPad banking apps over a period of 40 man-hours. He doesn’t name the apps nor the banks concerned, but has contacted some of the banks and reported the vulnerabilities. Although he doesn’t describe the vulnerabilities in any detail, if he can find them so easily, then so could attackers – and many of them are relatively easily exploitable. He published his findings in a blog posting yesterday.

Sanchez conducted tests in six separate areas: transport security, compiler protection, UIWebViews, data storage, logs and binary analysis. In each area he found widespread weaknesses. For example, 40% of the apps do not validate the authenticity of SSL certificates, making them, he says, “susceptible to Man in The Middle (MiTM) attacks.”

A full 90% of the apps contain non-SSL links, potentially allowing “an attacker to intercept the traffic and inject arbitrary JavaScript/HTML code in an attempt to create a fake login prompt or similar scam.”

50% “are vulnerable to JavaScript injections via insecure UIWebView implementations… allowing actions such as sending SMS or emails from the victim’s device.”

70% have no facility for any “alternative authentication solutions, such as multi-factor authentication, which could help to mitigate the risk of impersonation attacks.”

“Most of the log files generated by the apps, such as crash reports, exposed sensitive information.” Documents leaked by Edward Snowden indicate that the NSA specifically looks for Windows error reports sent over the internet as a potential source for developing new 0-day exploits. Sanchez says the same problem exists with banking apps: “This information could be leaked and help attackers to find and develop 0day exploits with the intention of targeting users of the application.”

Some of the apps clearly rely on the device’s own security to protect the user’s data. “Some of them used an unencrypted Sqlite database and stored sensitive information, such as details of customer’s banking account and transaction history. An attacker could use an exploit to access this data remotely, or if they have physical access to the device, could install jailbreak software in order to steal… the information from the file system of the victim’s device.”

But one of his more worrying findings came from disassembling the apps themselves. He used the IDA PRO disassembler tool with the Clutch decryption tool. “A combination of decrypted code and code disassembled with IDA PRO was used to analyze the application,” he explains; and what he found was hardcoded development credentials within the code. “By using hardcoded credentials,” he says, “an attacker could gain access to the development infrastructure of the bank and infest the application with malware causing a massive infection for all of the application’s users.”

His research comes at a vital time. Banks are promoting the use of mobile banking as a competitive differentiator, but they clearly need to do more to protect their customers. “Home banking apps that have been adapted for mobile devices, such as smart phones and tablets, have created a significant security challenge for worldwide financial firms. As this research shows, financial industries should increase the security standards they use for their mobile home banking solutions,” warns Sanchez.

[Source: InfoSecurity Magazine]

Harvard bomb hoaxer used Tor, got caught anyway

Summary: Eldo Kim, Harvard student, wanted to get out of a final exam so he sent in a bomb threat using Tor to disguise his location and identity. Tor’s not magic and the FBI caught him anyway.

Monday’s bomb scare at Harvard was perpetrated by a sophomore “motivated by a desire to avoid a final exam…”

Even though Eldo Kim, 20, used the Tor network, in conjunction with an anonymous email service Guerilla Mail, to hide his location and identity, the FBI didn’t have a lot of trouble locating him because he used the Harvard wireless network to send the threat. Some of the details of his critical error are spelled out in an affadavit filed by FBI Special Agent Thomas M Dalton in support of an arrest. The fact that the threats came on the day of finals was a good indicator that a student was responsible.

The affadavit doesn’t give details on how he was traced, and it worked to a point. But the FBI and school IT were able to determine who was using that software at the time the emails were sent. That pointed to Kim’s login.

Hat tip to On The Media.

[Source: ZDNet]

No surprise: The NSA can hack iPhones

Summary: Nobody should find it surprising that the NSA can hack into iPhones and there’s no reason to assume Apple is helping them.

As we and everyone else are reporting, the latest poop on the NSA is that they claim to be able to hack into iPhones.

Go back through Apple’s log of security updates to their products, including iOS: there have always been many severe vulnerabilities. The general assumption out there is that nobody’s exploiting them, but the other possibility is that they are being exploited, but only very rarely in targeted attacks. The NSA would be exactly the sort of agency to do that.

Even since iOS 7 was released, vulnerabilities have been patched which could allow full compromise without the knowledge of the user. Usually you need two vulnerabilities to accomplish this: an arbitrary code execution vulnerability to gain control, and a privilege escalation vulnerability to gain admin or root privileges. Once you have this, you can install what software you want.

This, incidentally, is how jailbreaking works. Every jailbreak is based on at least one security flaw in iOS. We know these work, so we know that what the NSA claims is perfectly possible.

iOS 7.0.1 fixed many security vulnerabilities, including both code execution and privilege escalation, and there have been many others in the past. It only stands to reason that researchers (and their customers, including the NSA) have access to vulnerabilities which have not yet been disclosed to Apple or patched.

Of course none of this is verifiable by us ordinary civilians, but for me the NSA’s apparent claim of a 100% success rate in installing malware is a bit fishy. Unless they have an over-the-air, network-based exploit, something which executes automatically, then they still have to socially-engineer the user some. Good, targeted social engineering (sometimes a.k.a. “spear phishing”) can get very good results, but 100%? I don’t think so. And I very much doubt that they have an auto-executing, over-the-air compromise of iOS; someone else would have found it by now.

So don’t assume that Apple must be cooperating. I would assume the contrary. It would be very much against their interests to cooperate. Remember that any super-backdoor built into the OS could be used by anyone who finds it. Not all of them are the good guys, like the NSA 😉

[Source: ZDNet]

English
Exit mobile version