Last year, I compiled the predictions of 5 big security firms to see what major themes were popular. As I reported in my last post, the firms did well enough, and I gave them a ‘B’ rating.
For 2016, I am doing the same. I compiled the predictions from the same 5 firms: Trend Micro (TM), FireEye (FE), Websense (WS), Kaspersky (K), and Wired (W). (The abbreviations will be used for easier reference.) From these predictions, the following six major themes emerged. Here they are with my own assessment of each.
1. Internet of Things (IoT) Hacks (TM, FE, WS, W)
This is the most popular theme that emerged from the predictions of these firms. Though weird and somewhat scary (hacked medical devices), it’s not the easiest vector to exploit. There is also the question of value for effort. Yes, maybe a hacker could, with some effort, access your refrigerator but then what? They could manipulate its settings and, at the ultimate extreme, use it as part of a spamming network. FireEye points out that hackers could hold some of these devices for ransom (see below). Because of their human interest value, these sorts of attacks will probably get more attention than they deserve; however, I don’t think this threat is as great as it is proclaimed. The one disclaimer on this could be an attack on a corporate network via a connected, but not secure, printer or other device.
2. Mobile Payment Hacks (TM, FE, WS, K)
Of all the predictions, in my opinion, this is the most likely to occur. First of all, there’s the financial motivation angle. Hackers can get their hands on quick cash and do it with relative ease using a number of attack vectors. Since the use of mobile payment apps is expected to rapidly increase in 2016, expect this to be the first big hack that you hear about. You’ve been warned.
3. Hacktivist Attacks (TM, WS, W)
The role of the hacktivist attack broadened in 2015 with attacks on the Hacking Team, ISIS, and Ashley Madison, to name just a few. If someone has a view that someone else finds especially distasteful, they can express their displeasure by either bringing down their website with a DDoS attack, taking over social media accounts and putting up incriminating posts, or releasing stolen data that destroys an individual’s or corporation’s reputation. Websense correctly points out that, since this is an election year in the US, we may see a number of such attacks against individual candidates or policies. Of course, none of the candidates will admit having any knowledge of such attacks and will blame them on overly-enthusiastic supporters.
4. Extortion/Ransomware (TM, K, W)
Ransomware has been making people’s lives miserable for quite a while now with malware like Cryptolocker, and new types of ransomware may be used to get money in more innovative ways. Ransomware holds your computer files hostage until you do what the attackers want, which is usually sending them money. However, we may expect to see this strategy evolve more into ideological extortion as the year goes on. Trend Micro goes so far as to call this, “The Year of Online Extortion”. Attackers may demand that individuals, companies, or institutions do what they, the attackers, want or the victims will have incriminating or sensitive information exposed. Companies may be threatened with losing secret information, others may be threatened with having customer account information released, and others may be told that if they don’t change certain policies, bad things will happen. Some attackers may use these threats to make money, but others have more ideological demands. Kaspersky foresees ransomware used on ‘things’, such as cars, TVs, and refrigerators. It’s possible, but seems like a lot of work for little return. Still, if I thought my car brakes could be randomly manipulated, I might pay for the peace of mind of having this threat eliminated. Other threats could be used to manipulate political candidates.
5. Apple Becomes a Target (FE, K)
Kaspersky predicts that Apple will be targeted with ransomware. FireEye points to the increase in attacks against Apple devices at the end of 2015 to show that there is increasing interest in breaching this lucrative platform. It was no accident that the zero-day exploit seller, Zerodium, paid a million dollars for an exploit that could jailbreak iOS 9. There’s certainly money to be made on attacking one of the world’s biggest companies. For these reasons, I think this prediction has a nearly 100% chance of being realized this year.
6. Stock Market Hacks (W, K)
Interestingly, this is something I had predicted for last year. No direct attack on any of the big exchanges occurred, though individual accounts registered with some investment firms, like JP Morgan, were, in fact, breached and manipulated. The truth is that if the main exchanges were breached, we may not hear about it until well after the breach had occurred and after those in charge of the breached exchange network had already taken actions to repair the damages. The government would probably suppress information of such an attack so as not to panic investors. The government did the same when they initially downplayed the OPM attack. Kaspersky mentions the possibility of hackers “going after the black-box algorithms employed in high-frequency trading to ensure prolonged gains with a lower likelihood of getting caught.” This is a vector I thought might be exploited last year and pointed out how it could be used in a post (How to Hack and Crash the Stock Market). Though I still think this vector is viable, the interconnectedness of markets may make “hacking to crash” ineffective or counterproductive. Crashing the US stock market would have repercussions which could lead to all markets around the world crashing. However, if making an anti-capitalist statement was the goal of the crash, it could be effective.
*Websense for pointing out how new gTLDs (generic top-level domains) could be used to trick users. These are the endings you see at the end of domains, such as .com, .net, and .org. More of these endings are coming online and attackers may try to employ them in tricking users into visiting infected sites that, because of the similarity in names, seem to be the actual site.
*Kaspersky for predicting that security firms may become targets for those who want to learn about the latest security tools that are being used. Getting their hands on these tools will enable the attackers to reverse-engineer them and use them for their own exploits. Kaspersky learned this lesson the hard way last year when they fell victim to such an attack.
*Wired for explaining how hackers may manipulate, rather than steal, data to cause unexpected results. This could undermine company operations and production. They could, for example, cause machinery to malfunction. Malware, in this case, would not commonly be looked at as the source of the problem and so it would be able to remain hidden (and disruptive) for a much longer time.
My Own Predictions
Let me crawl out on this shaky limb and throw out a few predictions of my own. I will begin with the disclaimer that the big attacks of 2016 will probably not be predicted by anyone.
Political Bot Attacks – As this election year ramps up, candidates will pull out all stops to gain attention for themselves while degrading their opponents. Political bots can be used for likejacking, sharejacking, and comment spamming. You will know this is happening when you are suddenly sent lots of email either supporting or demeaning certain candidates or you see people in your social network sharing positive comments about candidates that they would never support. Candidates will routinely have their Twitter accounts hacked. No candidate will endorse this means of campaigning but…
Attack on a High Level Government Agency – This may seem obvious because it has more or less already happened, but some agencies have so far remained untouched. I expect this to change. Watch for an attack on the White House that actually disrupts operations. Attacks on the NSA and Homeland Security networks may occur, though we may not learn of them. Watch for continued IRS hacks because this is a gold mine of personal information.
ISIS Ramps up Attacks – I predicted last year that ISIS would launch more hacks, and they did. The attacks were usually on poorly protected sites and the attackers did nothing more than post silly messages. They may have scared a few technologically naïve people into paying ransoms. But now they are getting more desperate. They are watching their beloved caliphate crumble around them. They are also running out of money. I expect they may use off-the-shelf malware and ransomware to try to raise their profile and acquire some capital. They cannot launch some big nation-state-style attack without outside help.
Only time will tell if these predictions pan out. We probably won’t have to wait long as any attacks on retailers that occurred over the holidays should begin to surface in the next couple of months.