Key thinkers on the biggest security stories and trends in 2019
2019, what to say?
From keynote speaker controversies to hacktivism of the Google Chromecast variety, the year in infosec has certainly tested the idea that what divides us can only make us stronger – plus bugs, and lots of them.
As the take-up of IoT expanded the threat landscape, companies around the world warmed to the idea of crowdsourced security, with many implementing their own bug bounty programs and vulnerability disclosure policies, aided by the almighty GDPR data protection legislation, now a year old.
With the year gone in the blink of an eye, The Swig spoke to some of the industry’s top gurus and unsung heroes about their key takeaways from 2019, as well as their top priorities for 2020.
“Diversity has been a hot topic across infosec for the last few years. With sponsored tickets for women to attend DEFCON and a rise in the number of women’s initiatives such as Ladies of London Hacking Society, WoSEC, and CTF Circle, greater inclusion of women has taken center stage.
It’s becoming more recognized that we cannot be secure if we are not diverse.
Whilst we welcome this upturn and the resulting increase in funded training places for women in our industry, we are keen to point out that, while women make up only 11% of the information security sector, white women do not equal diversity. We need representation from all groups to be diverse.
Indeed this assertion was backed up this year by questions to the CIA over whether it was ‘too white’ to spot 9/11, and by initiatives from GCHQ to attract applicants from a range of backgrounds, including black, Asian, and minority ethnic (BAME), gender, social mobility, and neurodiversity.
Our hope for 2020 is that we move from the current trend of listing women, which diverts conversation from the real issues that we face.
We want to see more effort towards putting greater focus on the achievements of individuals from all underrepresented groups, to demonstrate the benefits that greater diversity brings to our industry.”
David Rogers, MBE, CEO of Copper Horse
“The mobile security year has been dominated by debate around whether Huawei can be trusted to deliver 5G networks securely.
In early 2019, the UK government published its damning Oversight Board report into Huawei’s pre-deployment security testing facility. Huawei was also blacklisted in the US, with partial reprieves being renewed twice, but due to expire at the end of February 2020.
Whatever the outcome, which remains unclear, compounded by ongoing trade-related tensions, it appears that truly globalised networks and equipment are a thing of the past: the global internet is already balkanising and this is now manifesting itself in the network and mobile equipment space.
There has been less government scrutiny of other network equipment providers, who may also be deficient when it comes to resilience and ‘secure by default’.
There has been a visible increase in SIM swap attacks. Deploying social engineering methods against call centre staff at mobile network operators, attackers have sought to steal millions of dollars from bitcoin wallets.
Such trends are inevitable. As technology security increases, with SMS two-factor authentication (2FA) now widely used, any human interface point will be the target of increasingly sophisticated attacks.
It’s been a big year for internet of things security.
ETSI published the first global standard for consumer IoT security, a draft European Specification (EN) was issued to national standards organisations for review, and a European Standard is due for publication by August 2020.
From January 1, 2020, California’s IoT law will ban default passwords and prescribe other security measures. Parts of the UK’s IoT security code of practice will pass into law.
There is increasing harmonisation and alignment with the UK in this area from the US, Europe, Japan, and Australia.
Examples of shockingly bad IoT insecurity include, most recently, Amazon’s Ring cameras being accessed as a result of credential stuffing, more than one million DAB radios exposed to the internet with telnet open, and more than 600,000 GPS trackers being shipped with the default password ‘123456’.
Children’s toys with negligible Bluetooth security, and vulnerable to basic audio attacks, will be appearing under Christmas trees this month too, according to research from Which?.
Expect regulators to wield the big stick when it comes to substandard IoT security in 2020, as well as a general uplift in secure products as secure hardware becomes more ubiquitous and product compliance schemes are put into practice.”
“There was the recent PDL data aggregator breach, exposing 622 million unique email addresses – including mine! The data was siphoned off not by a shady underweb company, but a mainstream organization selling their services quite legally.
And back in January, there was the Collection #1 credential stuffing list, with 700 million unique email addresses – I was on there too.
From a volume perspective, those numbers are insane.
It has really struck me just how little control we have over our information. Someone told me they wanted PDL to delete their data. OK – but that just leaves countless other companies with the data.
Credential stuffing is becoming massive. All the right factors are at play: more data breaches and organizations are left in the difficult position of saying: ‘Someone might try to log onto our website with the correct username and password, but they’re not that person.’
I’m sympathetic to corporate victims, but the US Federal Trade Commission has said this is no excuse for avoiding enforcement.
I would urge organizations to combat credential stuffing – although effective credential stuffing solutions cost a bomb – but beware false positives. Because if you start denying people entry or raising access barriers, people won’t use your service.
Going to the dark corners of the web, there was a recent data breach of Zooville, a bestiality porn website. This data could have a really serious real-world impact on any associated individuals (you might take the moral high ground, but bestiality is actually legal in some jurisdictions).
The cheapness, ubiquity and rush to market of IoT products is leading to more IoT data breaches.
There was a really serious vulnerability with watches that allow you to track your kids. Pen testers found that by adding a number ‘1’ to the number in the request you could track a kid’s location.
I just can’t see a reason for it to change. People say GDPR will fix it, but really, will a US data aggregator say: ‘We were going to put all this data on the internet and sell it for gazillions – then we learned about a law on the other side of the world’?
There needs to be better regulation, with more teeth, certainly on the US side. The data aggregators and abuse of personal information need to be clamped down on.
Here in Australia, the regulation is weighted heavily towards not being burdensome on organizations.
We got our first mandatory disclosure law last year and three things stood out: the post-breach disclosure period was a month – 10 times that of GDPR (72 hours); only organizations with at least AUS$3 million ($2.1 million) annual turnover are within scope; and you don’t have to disclose if you believe there is no likelihood of serious harm.”
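The tracking-watch flaw described above is an insecure direct object reference: the server trusts a client-supplied device number and never checks who owns it, so incrementing the number returns another family’s child. The following is an added example, not the article’s or any vendor’s code, showing a minimal location-lookup handler in its vulnerable form beside the corrected one; the device IDs, owners, coordinates and the enumeration helper that mimics the pen testers’ technique are all constructed for illustration.

```python
# Added example: insecure direct object reference (IDOR) in a device-location
# API, shown vulnerable and then fixed. Every value here is constructed for
# illustration; this is not the code of any real tracker product.
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    user_id: str


# Constructed data: two parents, each owning one child's watch.
DEVICE_OWNER = {1001: "parent_a", 1002: "parent_b"}
LAST_LOCATION = {1001: (51.5074, -0.1278), 1002: (53.4808, -2.2426)}


class Forbidden(Exception):
    pass


def get_location_vulnerable(session, device_id):
    """Authenticates the caller but never checks that the caller owns the
    device. Any logged-in user who changes the number gets someone else's
    child, and a None for an unused ID tells them which IDs exist."""
    if session is None:
        raise Forbidden("login required")
    return LAST_LOCATION.get(device_id)


def get_location_fixed(session, device_id):
    """Object-level authorisation: the device must belong to the calling
    user. Unknown and foreign IDs produce the same error, so the endpoint
    cannot be used to enumerate which device numbers are in use."""
    if session is None:
        raise Forbidden("login required")
    if DEVICE_OWNER.get(device_id) != session.user_id:
        raise Forbidden("device not found")
    return LAST_LOCATION[device_id]


def enumerate_devices(handler, session, start, count):
    """Simulate the pen-test technique: walk sequential device numbers and
    collect whatever the handler leaks to this session."""
    leaked = {}
    for device_id in range(start, start + count):
        try:
            loc = handler(session, device_id)
        except Forbidden:
            continue
        if loc is not None:
            leaked[device_id] = loc
    return leaked


if __name__ == "__main__":
    parent_a = Session("parent_a")
    print("vulnerable:", enumerate_devices(get_location_vulnerable, parent_a, 1000, 5))
    print("fixed:     ", enumerate_devices(get_location_fixed, parent_a, 1000, 5))
```

The fix is the ownership lookup, not a harder-to-guess ID: random identifiers only slow enumeration down, while the authorisation check removes the leak regardless of how the ID was obtained.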
“For the year 2019, we continued our awareness campaign with boot camps to various universities in Kenya, and our sixth cyber security conference themed Cybersecurity Innovation and Situational Awareness: an African Tale.
During the conference we also conducted free trainings focusing on forensics, network security, mobile app hacking, and incident response. This was achieved through partnership with Safaricom, SheHacks, Microsoft, Comae Technologies, United States International University (USIU), Foresight Tech Group, and many more well-wishers.
Cybersecurity awareness is on the increase, but this is also purely dependent on technology penetration. For East Africa and, specifically Kenya, awareness is very high due to the various forms of attack that exist such as smishing, phishing, etc.
Governments have been able to absorb infosec talent to build up their capacity, and government bodies in countries like Rwanda are also looking to get information security management (ISO 27001) accreditations.
I think we are facing the same threats but our biggest hurdle has been the ability to recognize and recover from such attacks. For instance, some organizations have had to close shop for a lengthy duration as they try to figure out what happened.
Some of our challenges:
Chester Wisniewski, principal research scientist at Sophos
“We’ve seen two primary trends building throughout the decade and these have continued in 2019: enterprising criminals experimenting with new, more efficient scams, and the criminal masses adopting techniques that make exploitation more profitable at scale.
That being said, a few other changes stand out in 2019.
Ransomware continues to march along, focused on businesses rather than consumers, something we began to see in 2018. This year showed an uptick in these attacks with a focus on scaling up.
Most significantly, we saw the abuse of managed service providers (MSPs) to gain access to large numbers of victims through the compromise of a single entity. Cybercriminals have increasingly striven to both steal sensitive data and hold it for ransom – giving them two swings of the bat to extort victims. No one has mastered this, but I wouldn't be surprised to see more of it in 2020.
The other focus is on supply chains in general. Attacking MSPs to target their customers with ransomware is certainly one kind of supply chain attack, but there continues to be a focus on this tactic from threat actors of all skill levels.
Every method you can think of seems to be fair game: poisoning Docker containers, uploading malicious packages to npm and PyPI, abusing software update utilities to deliver malware, attacking third-party providers to embed malicious code into shopping carts, and bribing employees to steal confidential data.
In 2020, organizations will need to not just lock the front and backdoors, but keep an eye to the side too.”
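One concrete control against the package-registry and update-channel attacks listed above is to pin every artifact by version and digest and refuse to install anything that does not match. The checker below is an added example, not Sophos’s code and not pip itself: its lock syntax mirrors pip’s hash-checking mode (`pkg==ver --hash=sha256:…`), but the parser, the verifier, the package name and the artifact bytes are all constructed for illustration.

```python
# Added example: refuse to install anything that does not match a pinned lock.
# Constructed for illustration; the lock syntax mirrors pip's
# "--hash=sha256:" hash-checking mode, but this is a standalone checker.
import hashlib
import re

LOCK_LINE = re.compile(
    r"^(?P<name>[A-Za-z0-9_.-]+)==(?P<version>\S+)"
    r"(?P<hashes>(?:\s+--hash=sha256:[0-9a-f]{64})+)$"
)
DIGEST = re.compile(r"--hash=sha256:([0-9a-f]{64})")


def parse_lock(text):
    """Return {name: {"version": ..., "sha256": {digests}}}.
    An entry without an exact version and at least one digest is rejected:
    a range such as 'pkg>=1.0' would let a newer, attacker-published upload
    satisfy the lock."""
    pins = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LOCK_LINE.match(line)
        if not m:
            raise ValueError(f"unpinned or malformed lock entry: {line!r}")
        pins[m.group("name").lower()] = {
            "version": m.group("version"),
            "sha256": set(DIGEST.findall(m.group("hashes"))),
        }
    return pins


def verify_artifacts(pins, artifacts):
    """artifacts: {name: (version, bytes)} as downloaded. Returns (ok, problems).
    Every pin must be satisfied and nothing outside the lock may be present;
    a single mismatch fails the whole install rather than just one package."""
    problems = []
    for name, pin in pins.items():
        if name not in artifacts:
            problems.append(f"{name}: missing")
            continue
        version, data = artifacts[name]
        if version != pin["version"]:
            problems.append(f"{name}: version {version} is not pinned {pin['version']}")
            continue
        digest = hashlib.sha256(data).hexdigest()
        if digest not in pin["sha256"]:
            problems.append(f"{name}: sha256 {digest[:12]}... does not match lock")
    for name in artifacts:
        if name not in pins:
            problems.append(f"{name}: not in lock file")
    return (not problems, problems)


# Constructed artifacts standing in for downloaded wheels or tarballs. In a
# real lock the digest is recorded when the artifact was first reviewed.
GOOD_WHEEL = b"constructed wheel contents v1.0.0"
TAMPERED_WHEEL = GOOD_WHEEL + b"\n# injected post-install payload"
LOCK = (
    "# constructed lock file\n"
    f"leftpad==1.0.0 --hash=sha256:{hashlib.sha256(GOOD_WHEEL).hexdigest()}\n"
)


def check(artifacts, lock=LOCK):
    """Parse the lock and verify a set of downloaded artifacts against it."""
    return verify_artifacts(parse_lock(lock), artifacts)


if __name__ == "__main__":
    print(check({"leftpad": ("1.0.0", GOOD_WHEEL)}))
    print(check({"leftpad": ("1.0.0", TAMPERED_WHEEL)}))
    print(check({"leftpad": ("1.0.1", GOOD_WHEEL)}))
    print(check({"leftpad": ("1.0.0", GOOD_WHEEL), "colors": ("9.9.9", b"x")}))
```

The digest check catches a replaced or back-doored upload of the pinned version; the exact-version and not-in-lock checks catch dependency confusion and unexpected transitive additions, which a digest on its own would not.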
Adam Kujawa, director of Malwarebytes Labs at Malwarebytes
“Our latest healthcare cybersecurity report revealed a big rise in breaches, with 89% of our medical customers being breached.
We saw an 82% quarterly increase in trojan malware targeting medical organizations, with Emotet spread widely until May, when we began seeing a lot of TrickBot detections.
Both trojans have evolved from being just banking trojans to infiltrating business networks and spreading laterally, quickly, to gain a foothold, sometimes resulting in ransomware.
Both used the EternalBlue exploit seen in the WannaCry and Petya attacks. TrickBot uses credential brute-force attacks for cracking passwords, while Emotet has a built-in spam module for grabbing and phishing your contacts.
Combine all those – business-focused trojans, exploits with malicious phishing attacks and, in the worst case, drive-by exploits – and then the backdoors tell me that efforts are made to return to that network later on.
We’ve seen an increase in hybrid attacks, which combine automated and manual attack methods, maybe to give attackers remote system access and disable security software before launching new malware.
Last year, a stolen partial database of electronic healthcare records went for half a million on the darknet. It’s information that you can’t usually find anywhere else.
Breach a bank and you might get a Social Security number, addresses, and phone numbers; go down the medical route and you can get prescriptions, diagnoses, medical procedures, and so on.
Combine that with information you might have from other breaches and you can create a valuable victim profile – something we’re trying to raise awareness of, especially with advancements in AI.
Many medical organizations have outdated infrastructure, and some are running insecure smart medical devices.
There are many ways into hospital networks. It could be as sophisticated as breaking into the network or setting up your own fake WiFi network while sitting in the parking lot.
An app for booking appointments or checking prescriptions would usually be provided by a third party and be covered in the US under existing HIPAA rules.
The US might not be fully on top of medical privacy, but at least some people are looking in that direction. We also need guidance setting out base requirements for technology deployed in hospitals.
It’s an uphill battle: you need enough people protected against these threats to the point that it’s no longer a good ROI (Return on Investment) for criminals.
But the more security we deploy, the more sophisticated the threats become.
I think 2020 will be a better year than 2019 for the industry. Will it be better than 2024? We’ll have to see.”
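Two of the quotes above touch the same raw material from different sides: the credential stuffing that Troy Hunt describes, with his warning that over-eager blocking drives users away, and the single-account password brute force attributed to TrickBot. The classifier below is an added example, not the article’s or either vendor’s code. It runs over constructed authentication log lines (format, IP addresses, usernames and thresholds are all made up for illustration) and separates the two patterns, while treating a source that logs many different users in but mostly succeeds as a shared egress point rather than an attacker, which is the false positive the text warns about.

```python
# Added example: distinguish credential stuffing (many accounts, mostly
# failures, one source) from brute force (one account, many failures) in an
# authentication log, and avoid flagging a shared egress address whose many
# users are mostly succeeding. Log lines, addresses and thresholds are
# constructed for illustration.
from collections import defaultdict

# Constructed log, one event per line: "timestamp src_ip username result".
SAMPLE_LOG = "\n".join(
    # 203.0.113.5: eight different accounts, seven failures -> stuffing
    [f"2019-12-01T10:00:{i:02d}Z 203.0.113.5 user{i} FAIL" for i in range(7)]
    + ["2019-12-01T10:00:07Z 203.0.113.5 user7 OK"]
    # 198.51.100.9: seven staff behind one office NAT, mostly succeeding
    + [f"2019-12-01T10:01:{i:02d}Z 198.51.100.9 staff{i} OK" for i in range(7)]
    + ["2019-12-01T10:01:07Z 198.51.100.9 staff2 FAIL"]
    # 192.0.2.77: one account hammered until it gives -> brute force
    + [f"2019-12-01T10:02:{i:02d}Z 192.0.2.77 admin FAIL" for i in range(7)]
    + ["2019-12-01T10:02:07Z 192.0.2.77 admin OK"]
    # 203.0.113.200: a user mistyping twice, too little to judge
    + ["2019-12-01T10:03:00Z 203.0.113.200 carol FAIL",
       "2019-12-01T10:03:01Z 203.0.113.200 carol FAIL",
       "2019-12-01T10:03:02Z 203.0.113.200 carol OK"]
)

# Constructed thresholds; in practice these are tuned per service.
THRESHOLDS = {
    "min_attempts": 8,        # fewer attempts than this: no verdict
    "stuffing_min_users": 6,  # distinct accounts tried from one source
    "max_success_ratio": 0.2, # above this, many users + one source is NAT
    "brute_min_fails": 6,     # failures against a single account
}


def parse_log(text):
    """Turn the whitespace-separated lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append({"ts": ts, "ip": ip, "user": user, "ok": result == "OK"})
    return events


def summarise(events):
    """Per-source counters: attempts, successes, distinct users, fails per user."""
    stats = {}
    for e in events:
        s = stats.setdefault(e["ip"], {"attempts": 0, "ok": 0, "users": set(),
                                       "fails_by_user": defaultdict(int)})
        s["attempts"] += 1
        s["users"].add(e["user"])
        if e["ok"]:
            s["ok"] += 1
        else:
            s["fails_by_user"][e["user"]] += 1
    return stats


def classify(stats, t=THRESHOLDS):
    """Return {ip: verdict} for sources with enough activity to judge."""
    verdicts = {}
    for ip, s in stats.items():
        if s["attempts"] < t["min_attempts"]:
            continue
        success_ratio = s["ok"] / s["attempts"]
        many_users = len(s["users"]) >= t["stuffing_min_users"]
        if many_users and success_ratio <= t["max_success_ratio"]:
            verdicts[ip] = "credential_stuffing"
        elif many_users:
            # Many real users succeeding from one address: NAT or proxy,
            # not an attacker. Blocking here is the false positive to avoid.
            verdicts[ip] = "shared_egress"
        elif max(s["fails_by_user"].values(), default=0) >= t["brute_min_fails"]:
            verdicts[ip] = "brute_force"
    return verdicts


if __name__ == "__main__":
    for ip, verdict in classify(summarise(parse_log(SAMPLE_LOG))).items():
        print(f"{ip:15} {verdict}")
```

A practical response to a `credential_stuffing` verdict is a step-up challenge for that source rather than an outright block, which keeps the genuine user whose password happens to be in Collection #1 able to log in while denying the automated run its cheap successes.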
Read Part I of The Swig Security Review here.
Additional reporting by James Walker and Adam Bannister.