2011 was an eventful year for IT security, perhaps more eventful than we remember: Sony was repeatedly hacked; rumours and truth became confused over Carrier IQ; shocking information about the hacking of celebrities’ and politicians’ mobiles became known; and even NATO was hacked.
Looking forward to 2012, the Managing Director of IT security firm Threatscape, Dermot Williams, predicts that IT security threats will become increasingly concerning – but it won’t just be government agencies or the famous who should be concerned with their digital security, it’s us.
Threatscape specialises in protecting and advising multi-nationals, government departments, and large corporations about IT security and data communications. The IT security firm operates in Ireland and the UK, and in 2011 it became the first UK and Irish company to obtain Symantec Enterprise Security Specialisation and Symantec Platinum Partner status, making it one of only three companies in Europe, the Middle East, and Africa to hold such a position.
Williams believes that digital security risks will not just threaten our personal information but could threaten lives and livelihoods. This isn’t scaremongering but a recognised threat; this year the US Department of Defense announced its rules of engagement for cyber threats, saying, “Cyber threats continue to grow in scope and severity on a daily basis. More than 60,000 new malicious software programs or variations are identified every day threatening our security, our economy and our citizens.”
Dermot Williams’ predictions for 2012 are:
- Hacking will cause loss of life
- Export controls introduced for hacking tools
- More sophisticated mobile threats will emerge
- Digital certificate business goes into meltdown
- Microsoft software patches move from monthly to weekly
Hacking will cause loss of life
Throughout 2011 we have seen an increase in targeted cyber-attacks, and a number of high profile incidents involving critical infrastructure. Many of these were suspected to be state-sponsored. In 2012 I expect this type of attack will not only continue – but that given the type of systems being targeted, we will see at least one incident where direct loss of human life results.
Export controls introduced for “lawful intercept” hacking tools
Want to export a nuclear missile to a “rogue state” such as Iran or North Korea? No, of course you can’t. Ditto for a long list of munitions, stun guns, ‘dual use’ materials and much more. Various computer security products – especially those containing strong encryption – are likewise prohibited from sale to those who the USA and its allies consider a threat to world peace. But bizarrely, the sale of computer technology designed to defeat computer security is not controlled in this way. So while it is illegal to sell software to those fighting for democracy in various states, supplying their governments with technology that allows their secret police to spy on private citizens is perfectly legal. Hopefully 2012 will see export controls updated to remedy this bizarre double standard.
Ever more sophisticated mobile threats emerge
Imagine if you could track the movements of an individual of interest to you anywhere they went. Or read their email messages, spy on their SMS messages, maybe even remotely eavesdrop on their conversations or take a few undetected photos or video clips from far away. Orwellian nightmare? No, this is the real threat faced when powerful smartphones are targeted by sophisticated malware. We’ve already seen a banking trojan which can infect both your PC and your mobile, in order to capture your online banking credentials AND any one-time PIN being sent to you by SMS. This is just the tip of the iceberg and for 2012 I predict that some of the most audacious and intrusive of all cyber attacks will be those targeting mobile devices.
Trust in digital certificates gets undermined
Users rarely think about digital certificates as they are hidden away in the ‘plumbing’ of their daily electronic communications. The most that a typical user may be aware of is that the ‘padlock’ symbol in their browser indicates their communication is with a confirmed entity and is secure as it traverses the internet. But is it? 2011 saw multiple instances where compromises of certificate authorities (“CAs”) allowed attackers to issue fraudulent certificates (Comodo and DigiNotar for instance). I fear that the CA business will suffer an increasing number of cyber attacks – something it is vulnerable to because of its highly fragmented and widely distributed nature. Microsoft and Mozilla (Firefox) recognise over 50 root certificates, and the Electronic Frontier Foundation has mapped over 650 CAs which major browsers trust directly or indirectly. Secure web communication via the HTTPS protocol is only as strong as the security of the weakest of this myriad of CAs and attackers have many targets to choose from. Further CA compromises will severely test trust in the whole digital certificate system.
Microsoft software patches move from monthly to weekly
“Patch Tuesday” is the monthly event – normally the second Tuesday of the month – which sees Microsoft release security updates to remedy the most recently discovered security vulnerabilities in their products. The intention is to fix flaws before attackers have time to actively exploit them. But with a greater scramble by hackers to exploit flaws before patches are released and widely deployed, I think 2012 may see Microsoft start to release their patches with greater frequency, perhaps weekly.