THREE BIG CYBERSECURITY PREDICTIONS THAT WILL COME TRUE THIS YEAR
Tampa, FL – January 14 – As we enter the new year, ponder this: Blade Runner was set in the dystopian distant future of 2019. Yep, we were supposed to have flying cars, replicants, voice-driven photo enhancement, and be living in off-world colonies by now. Well, we’re actually not too far off from some of those things. Recent advancements in transportation, manufacturing, healthcare, and other sectors have progressed civilization to new heights. But just as everything was enveloped in a yellow radiation-induced fog by the time of Blade Runner 2049, we don’t want to see the bad side of technology drive our world to the depths now.
Bruce Schneier wrote in his prescient 2000 book Secrets and Lies: Digital Security in a Networked World that all modern systems suffer from being complex, interconnected, and emergent (i.e., doing things other than what they were initially intended to do). That means that no matter hard you try, there are going to be bugs. There will be bugs in the design because it was designed by humans. And there will be bugs in the implementation and operation, because, yep, those are done by humans as well. Bugs inevitably lead to exploit by the unscrupulous in our society.
So, what is the solution to dealing with these? Even as technology advances, some things never change. Security must be built into systems from the conceptual stages and not just bolted on after the fact. And because nobody’s perfect, continuous vigilance is the other critical factor. You must know what your environment is supposed to look like, when things have been perturbed, and how to respond effectively.
This year, I predict we will see three things that arguably we have already seen coming for a while. This year will just be the dénouement of events building for the past few years. My three predictions are as follows:
Prediction 1: Someone Will Hack a Light Switch to Burglarize a Home
Blue canary in the outlet by the light switch
Who watches over you
Make a little birdhouse in your soul
– “Birdhouse in Your Soul” by They Might Be Giants
Smart homes are great. Who wouldn’t want to stop carrying around a bunch of keys, or be able to open your door remotely for a delivery, or adjust your thermostat automatically for optimal cooling and efficiency? In the multifamily housing industry (apartments and condos) especially, smart home/connected home technology is a great differentiator in a crowded market.
However, the issue here is the Internet of Things (IoT) security. Yearly at the DEF CON hacking conference in Las Vegas, they “hack all the things,” such as Bluetooth wireless speakers and smart thermostats. The process is generally to open the device’s housing, solder some wires onto a serial port, and drop into an administrative interface to make changes. Such attacks most often require physical access to the device to tamper it. Much scarier attacks are those that can be performed remotely – over the network. Imagine if you could cause a microwave oven to turn on and start sparking up the kitchen!
So, who cares if someone exploits a light switch, you say? Ever hear of the term “lateral privilege escalation”? That’s when an attacker exploits a low-integrity device to compromise high-integrity devices that are interconnected in the same smart home.
Many of these smart home systems have a “hub” and central data repository that, if compromised, provides hackers the ability to access all devices in the home. It works like this: the attacker goes after a sprinkler or a third-party lighting app that has insufficient authentication, and then pivots from there to modify a data store variable for another high-integrity product, such as the security alarm. Researchers at William & Mary have already shown how they could trick the NEST smart home system into thinking the owner was home when he wasn’t, thereby disabling his security camera.
Smart home technology firms – including HP, Samsung, and Centrica Hive – have signed up for the UK government’s voluntary security guidelines for IoT consumer devices. However, these guidelines are just a start. The issue with many of these vendors is that they do not have a uniform approach to security in their suite of products. They tend to acquire numerous technologies and products over time, and each of these was developed by a different vendor with a different security approach. Just managing something as simple (ha!) as a PKI certificate solution for these devices is often difficult and deeply flawed.
So, in 2019, I believe we will begin to see a lot more stories of homes and businesses being looted due to flaws in burglar alarms, keyless entry, and yes… light switches.
Prediction 2: Attackers Will Take Down the Global Supply Chain
Webster: Every oil pump in America is run by…
Gorman: Computers. I know.
Webster: Will you stop interrupting?!
Gorman: I’m sorry.
Webster: You will command the pumps to stop pumping. Then I want you to program one special command…
Gorman: Into all these systems.
Webster: Tell them these orders are irreversible. So, it would be impossible for anybody to switch them back. Can you do this for me, old buddy? Old pal?
– Superman III (1983)
A couple years ago, attackers were thinking about stealing credit card data. Now, they are looking at things like taking down manufacturing plants and affecting global shipping lines. We have seen this coming for some time – well, at least in the movies.
In the 1983 movie Superman III, programming savant Gus Gorman introduced us to the “salami slicing” attack (to be replayed in 1999’s Office Space), in which the hacker gets rich by embezzling a few fractions of a cent at a time so that no one notices. However, Gorman also did something much more nefarious – he created a virtual oil embargo by reprogramming all oil tankers to sail to the middle of the Atlantic Ocean. Ultimately, Superman overcame a split personality induced by synthetic kryptonite to beat Gorman’s supercomputer.
In 1995’s Hackers, Eugene “The Plague” Belford also took advantage of autonomous systems to attempt to steal from Ellingson Mineral Company. Although ostensibly Ellington’s CISO, Belford anonymously threatened to capsize the Ellingson tanker fleet with his “Da Vinci” virus – which, of course, was just a red herring for his own worm designed to steal funds from Ellingson’s “Gibson” supercomputer. When CEO Duke Ellingson asked why they didn’t just put the ships’ ballasts under manual control, Belford tells him, “There’s no such thing anymore, Duke. These ships are totally computerized.” Fortunately, however, aspiring hacker Joey stole a garbage file that ultimately implicates Belford.
We have, in the past, heard about malware getting into systems via all of the following:
The bottom line is, we are seeing a lot of attacks specifically targeting ships, terminals, and ports – not to mention manufactories, warehouses, and Industrial Controls Systems (ICS). That means an interruption to global shipment of materials and goods. And we may not have Superman or a lucky script kiddy around to save the day.
Prediction 3: We Will See a Convergence of Cybercrime and Physical Crime
“In the United States, the Mafia makes witnesses disappear so they can’t testify in court. In Colombia, Pablo Escobar made the whole court disappear.”
– Steve Murphy in Narcos
In many ways, we have seen physical crime decrease in past years. While there have been several well-publicized mass shootings, in fact, gun violence is actually down overall. In addition, the rate of overall property crime and burglary declined about 10% from 2016-2017. I have been saying for a while that cybercrime is potentially much more dangerous and widespread than physical crime. For example, if I knew how to hotwire a car, I could maybe teach one or two others at a time how to do this. The propagation rate of this knowledge is fairly limited (even though nowadays you could maybe watch how to do it on WikiHow or YouTube). In addition, you must be physically present at the crime scene, and with modern forensic techniques, you would be hard-pressed not to leave any DNA evidence around.
So, cybercrime is much more attractive for several reasons, namely:
- Its effects are more far-reaching. That is, I could rob one bank branch at a time with a gun; but with a computer, I might be able to break into several at once.
- I don’t have to put my butt on the line. Computer crime can take place from anywhere on the Internet, where perception is easily manipulated. For example, I could proxy in through a site in another country and make it seem as if the attack is coming from there.
Organized crime has seen a hit to revenues due to the extensive (mostly legal) availability of marijuana and the decline in cocaine and heroin use (due to the wide availability of prescription opiates). The New York mafia, for example, is now mostly into construction, extortion, and protection rackets. In many cases, we have seen organized crime delve into cybersecurity schemes, such as botnets, ransomware, and so forth. In fact, this FUD is predicted by the Herjavec Group’s 2019 Official Annual Cybercrime Report to hit $6 trillion in damages by 2021.
But what if someone were able to combine cybercrime with a physical crime?
Imagine this scenario: an organized crime group hacks into the system of a company that manages the wealth portfolios of high net worth individuals. First, the attackers snoop about and collect data that they can use to steal funds or extort the victims, perhaps by doxing them (e.g., publishing all their personal and net worth info publicly).
If none of that works, the crime syndicate now adds a new wrinkle: use the victim’s personally identifiable information to send Rocco to pay them a visit in the physical world. Either shake them down, kidnap a family member, or otherwise intimidate them into paying some ransom.
Privacy and anonymity are the new currency of our era. Protecting these at all costs is a part of doing business.
Meet the Author
CTO & CISO
Jeremy Rasmussen is Chief Technology Officer of Abacode, a Tampa-based company that provides managed cybersecurity services to growing businesses across all industries. Abacode employs global thought leaders and industry experts in ethical hacking, corporate governance, and incident response to provide its clients with a holistic view of cybersecurity. He is also an adjunct professor at the University of South Florida and founder of the USF Whitehatters Computer Security Club (WCSC). Since 2000, he has taught USF courses in cryptography and network security, ethical hacking, digital forensics & investigations, and mobile & wireless security. He has more than 25 years of experience in performing R&D and developing cybersecurity solutions for government and commercial customers. Jeremy is a Certified Information Systems Security Professional (CISSP), Certified Ethical Hacker (CEH), and Project Management Professional (PMP). He was named the 2017 Tampa Bay Technology Leader of the Year.
Abacode Cybersecurity is fundamentally different than most Cybersecurity providers.
We address company risk from a business strategy first, and cyber-technologies second. This methodology ensures our clients’ technical (and non-technical) leadership are able to make strategic decisions that positively impact the entire organization.