Key thinkers on the biggest stories and security trends of 2018
Additional reporting by James Walker, Catherine Chapman, and John Leyden
In a year that’s seen data-slurping scandals, supposed high-profile supply chain attacks, and more data breaches than you can shake a stick at, it’s fair to say 2018 has been a wild one.
It’s hard to believe that it’s been almost 12 months since the Meltdown/Spectre bugs rocked the infosec community.
In the time since, we’ve weathered almost-weekly reports of our data being misused or not properly protected by those who really should have done better.
We’ve also witnessed some cool new hacks and exploits, as well as some frankly stupid scenes – the ‘unhackable’ BitFi wallet, anyone?
The Swig spoke to some of web security’s top names to discuss their key takeaways from 2018, as well as their top priorities for 2019.
Mohammed Aldoub, independent security engineer and consultant and OWASP Kuwait Leader
“I think the year has been excellent for those working in the field of AppSec, as we’ve seen more tools, more public reusable exploits (for the penetration testing side of the community), and we’ve seen more adoption for newer technologies with AppSec. We can sense now that SecDevOps (or DevSecOps if you like) is slowly but surely gaining ground in the scene of AppSec, where people are coming up with interesting methods to streamline the process of AppSec scanning and validation into the DevOps process of deployment and testing.
I expect this trend to continue because, to be frank, it’s now an essential survival skill for AppSec engineers. We cannot survive in a speedy ever changing environment of DevOps, continuous changes, serverless and transparent infrastructures, unless we become less of a roadblock to deployment and business flexibility.
I think there are more very interesting vulnerability classes surfacing now [and] getting more exposure, like edge side include injection and serverless event-driven injection, as well as many others. If the AppSec community doesn’t focus on these new frontiers, we will be much less relevant.
However, I notice that there is increasing, but shy, adoption for these technologies. OWASP, for example, released in 2018 the Serverless Top 10 [security issues] project, and I notice many companies are now focusing on API-centric languages such as Golang for both attack and defense. One of the main problems facing security engineers is slow rates of adoption. Attackers jump fast at new technologies, and utilize top industry-grade automation. Any vulnerable system can be attacked within minutes of going online. We can’t beat that without top automation and adoption of risky technologies.
The other day I was watching an online course with an experienced AppSec specialist demonstrating MongoDB instances and how they can be attacked, and while he was demonstrating this ability online, an attacker attacked this MongoDB instance and ransomwared it [sic], much to the amazement and awe of the demonstrator, myself and I’m sure anybody who’s seen it. Attackers are fast like that, and are flexible like that. What are we gonna do about it?”
Chris Boyd, lead malware intelligence analyst at Malwarebytes
“Across 2018, we saw a pronounced shift away from consumer to business targets, coinciding with a rise in banking trojans and other methods of data exfiltration, especially off the back of the large Emotet campaigns in Q3. Cryptomining is on a gradual decline as scammers realise the return on investment simply isn’t there, especially if the compromised sites aren’t particularly high traffic ones.
Similarly, ransomware detections increased on the business side and decreased for consumers, with GandCrab and Magniber being two of the major players. While ransomware detections are also on a slow downward curve, there’s a fair amount of innovation and renovation of older files to perform new attacks. We’ve also seen some decidedly amateur-style files such as Spartacus manage to be reasonably successful alongside the big guns.
We expect to see more innovative forms of ransomware developed in 2019 alongside a continued effort to harvest businesses of their corporate data.”
Tanya Janca, cloud security advocate at Microsoft
“Credential stuffing is the most interesting new attack [from 2018] to me. It’s such an obvious attack vector, but strangely the industry hasn’t figured out a standardized way to defend against this. From my viewpoint it’s incomprehensible that every business has not already registered all of their email addresses with HaveIBeenPwned.com.
They also have an API that can be used (without giving away your users’ secrets) to check that new creds are not already in a data breach. I’m also surprised that most businesses don’t supply password managers to their users (run by the enterprise), for all work-related passwords, and teach them how to create long, randomized, unique passwords. Lessons on password hygiene could protect employees at home and at work, and I’m shocked that our industry seems too slow to react to the threat.
I think that we need to double-down on the efforts to ensure we are patched, our frameworks are up to date, and that our third-party components are not known to be vulnerable. Basic security hygiene is the thing that always gets us, with vulnerabilities in software (AppSec) likely having been the #1 cause of breaches again this year (it was #1 according to the Verizon Breach report in both 2016 and 2017).
And if we can’t find time or space to do these things with the way we currently run our IT shops, then we need to change the way we run them, incorporating modern operations and software development techniques, such as DevOps, Site Reliability Engineering (SRE), and so much more.
My number one priority for next year is educating as many people as possible about “Cloud Native”, modern operations (SRE), and software development practices (DevOps, CI/CD, serverless, containers, etc), and the new security models required to protect them (DevSecOps, Zero Trust, JIT, automation, and new ways to achieve old security goals).
Although the traditional types of network security defences could still be applied in the cloud, that only works if an implementation only uses traditional types of functionality in the cloud, and it is implemented perfectly.
With most organizations adopting the new features, architectures, and possibilities that the cloud affords, so must they apply the new security models. This, in my opinion, is the largest security problem facing the cloud: education around the new security models required to protect the new architectures and features available in the cloud.”
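The breach-check API mentioned above works by k-anonymity: the client hashes the candidate password with SHA-1, sends only the first five hex characters of the hash, receives every suffix in that range with its breach count, and does the final match locally, so the service never learns the password or its full hash. The script below is an added example, not code from the article or from Tanya Janca; the breach corpus and its counts are constructed for the demo, the `live_fetcher` endpoint and `Add-Padding` header follow the public Pwned Passwords range API but are not called by the offline run, and the recorded `requested` list exists only to verify that nothing longer than a five-character prefix ever leaves the client.

```python
import hashlib
import urllib.request
from collections import defaultdict
from typing import Callable, Dict, List, Tuple

# Constructed fixture: a tiny stand-in for the breach corpus behind the
# Pwned Passwords service. The counts are made up for this demo.
FAKE_BREACH_CORPUS = {
    "password": 3_730_471,
    "letmein": 1_200,
    "correct horse battery staple": 42,
}


def sha1_hex_upper(password: str) -> str:
    """SHA-1 of the password as 40 upper-case hex chars (the form the range API uses)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(password: str) -> Tuple[str, str]:
    """Split into the 5-char prefix that leaves the client and the 35-char suffix that does not."""
    digest = sha1_hex_upper(password)
    return digest[:5], digest[5:]


def build_range_fixture(corpus: Dict[str, int]) -> Dict[str, str]:
    """Group the constructed corpus into per-prefix bodies in the 'SUFFIX:COUNT' line format the API returns."""
    buckets: Dict[str, List[str]] = defaultdict(list)
    for pw, count in corpus.items():
        prefix, suffix = split_hash(pw)
        buckets[prefix].append(f"{suffix}:{count}")
    return {prefix: "\r\n".join(lines) for prefix, lines in buckets.items()}


def parse_range_body(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines; blank lines are skipped and padding entries with count 0 are kept."""
    result: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        result[suffix.upper()] = int(count)
    return result


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """How many times the password appears in the corpus, queried by hash prefix only; 0 means not seen."""
    prefix, suffix = split_hash(password)
    body = fetch_range(prefix)
    return parse_range_body(body).get(suffix, 0)


def fixture_fetcher(corpus: Dict[str, int]) -> Tuple[Callable[[str], str], List[str]]:
    """Offline fetcher over the constructed fixture; also records every prefix requested."""
    ranges = build_range_fixture(corpus)
    requested: List[str] = []

    def fetch(prefix: str) -> str:
        requested.append(prefix)
        return ranges.get(prefix, "")

    return fetch, requested


def live_fetcher(prefix: str) -> str:
    """Network fetcher for the real service (not used by the offline demo).
    Endpoint and Add-Padding header as documented for the public Pwned Passwords range API."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "password-check-demo", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    fetch, seen = fixture_fetcher(FAKE_BREACH_CORPUS)
    for candidate in ["password", "Tr0ub4dor&3-unique-2018"]:
        n = breach_count(candidate, fetch)
        print(f"{candidate!r}: {'REJECT (seen in breaches)' if n else 'accept'}")
    print("prefixes sent over the wire:", seen)
```

Wired into a password-change handler, `breach_count` returning anything above zero is the signal to refuse the new credential; swapping `fixture_fetcher` for `live_fetcher` is the only change needed to query the real service, and the prefix-only request is what keeps that query safe to make from production.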
Ken Munro, partner and founder at Pen Test Partners
“Slowly but surely, governments, regulators, and consumer groups are waking up to the threat from IoT security. It’s taken far too long, but persistent pressure and media coverage of truly awful personal data exposures from smart products has finally resulted in action.
The efforts so far are sporadic and inconsistent, but the UK government is on the case of IoT security, as are many other countries. Of note was California State Bill 327 which is perhaps vague and open to interpretation, but sets a stake for acceptable levels of security. I am less impressed with efforts from the EU; the Cybersecurity Act is too optional for consumer IoT, though it is progress in the right direction.
Manufacturers: listen! A sure-fire way to get a vulnerability in your product in the press is to ignore a security researcher trying to disclose a vulnerability to you. We’re doing you a favor – unethical hackers would simply exploit the flaw for personal gain. If you acknowledge and fix the flaw, most researchers simply want a ‘thank you’ and a credit. All too often, it takes the threat of public disclosure to wake an organization up to the potential brand damage. Funny, that…
IoT security is not improving yet. Too many new products are piling on to the market with no thought towards protecting customers. There are a few lighthouse examples of vendors that are doing it right. Sadly, there aren’t many.
The rate of vulnerability disclosures we are making in IoT is increasing. From perhaps one per quarter in 2015 to nine in the last week alone! It will get worse before it gets better. I hope that retailers will start to include security requirements in their procurement processes. That will help prevent vulnerable products from reaching the market, giving manufacturers an incentive to ‘do security’.
Personally, I will continue to lobby for regulation across the US, UK, and EU through 2019. We will get there, eventually.”
Alan Woodward, computer scientist and professor at the University of Surrey
“There have been two main developments this year in cryptography. First, the NIST competition to find a quantum resistant public key encryption scheme. The first round candidates were submitted and have been scrutinised. Round two, where the field will be narrowed and further information requested, should happen during 2019.
Secondly, we have seen the re-emergence of certain governments trying to legislate against end-to-end encrypted messengers. The more astute governments have abandoned that route and switched their attention to legislation that allows “equipment interference”, but some persist with new laws of the land attempting to triumph over the laws of mathematics.
Some alternative schemes were suggested (e.g. encryption crumpling) that would allow only those with massive resources to decrypt. Although made by some very credible people, it didn’t move the debate forward much, but a few interested researchers continue to search for a way to please both sides of the debate.”
Gordon Lo, Director (Business Management) and Head of Hong Kong Computer Emergency Response Team Coordination Centre, Hong Kong Productivity Council
“In 2018, we have seen an upsurge in data breach cases with stolen data being sold in the underground market. In Hong Kong, data breach incidents are seen across different industries – from financial, mobile payment, airline, [and] telecommunications to travel agencies. The causes of these incidents could be twofold: (1) design flaws in systems and processes; and (2) insufficient awareness in risk management, such as prioritising convenience over security.
With the new regulations on data privacy from various regions coming into effect, the number of cases concerning data breaches and reports could go up further. In Australia, Mainland China, and Macau for sure, and later in the pipeline in places such as Thailand and Singapore, the mandatory requirements of data breach notification will become a norm. This has already been the case for Asia Pacific companies doing business with the European Union following the enactment of the General Data Protection Regulation in May 2018.”
Tom Sulston, board member at Australian NGO Digital Rights Watch
“The Australian Access and Assistance bill debacle will continue to roll throughout the greater part of 2019. The Parliamentary Joint Committee on Intelligence and Security will be convening to discuss the amendments that were not passed with the bill in December. Due to the timing of Australia’s next federal election, it looks likely that the next government will be charged with passing and implementing these amendments. This means that the shape of the bill is still very much under discussion.
We also don’t yet know how much the bill will be used to infringe on internet users’ privacy, or how much appetite the tech industry has to challenge it. We expect this to become more visible throughout 2019, either through the courts or through leaks.
Other unfinished business includes the Facebook/Cambridge Analytica/Internet Research Agency noise around election propaganda. Due to the complexity of the systems in operation, we still don’t have a clear view of what’s been going on, but as more elections happen without a resolution, more will be affected by state actors. In Australia, our privacy legislation doesn’t apply to political parties. We’d like to address that as it’s become apparent that there are privacy abuses happening with data-mining companies and micro-targeting in social media.
We’re interested in pushing for more transparency [regarding the] government’s use of decision-making algorithms. With 2018’s #notmydebt debacle in Australia, we have seen first-hand the failings of an AI-like system identifying citizens for targeted government harassment. As the government has committed to using more AI, we must set the ground so that these systems are fair, transparent, and protective of citizens’ privacy.
This also applies to the corporations. Although we’ve been on the same side in opposing the AA bill, we haven’t forgotten that surveillance capitalism is driving a significant number of large digital businesses. We will continue to apply pressure for regulation of these industries so that the data they collect on private citizens is handled not only respectfully, but under a regime that requires citizens to give meaningful consent to its use.”
Gabriela Zanfir-Fortuna, policy counsel at the Future of Privacy Forum
“As much as 2018 was first and foremost the year of the GDPR and second, of the awakening of America’s appetite for privacy law, 2019 will continue to see these two in the spotlight, but switching places. The battles in Washington DC over federal privacy legislation will intensify in this “make it or break it” year. State initiatives, following the lead of California, will likely keep the momentum going and push the federal government to act (the governor of Washington state, where giants like Microsoft and Amazon are headquartered, already announced an initiative on privacy legislation in the upcoming year).
As for the GDPR, 2019 will be the year of the first significant fines. Several potentially high impact complaints against tech giants were filed on the very first day of GDPR becoming applicable, but administrative procedures in Europe are slow. We will likely see significant enforcement unfold starting with the second trimester, approaching the one year anniversary of the GDPR.”