Paranoid Technology All things cybersecurity

18May/17Off

Wanna Cry?!!! We do…

The cyber-attack that happened earlier this week reminded us of the questions posed in our March post – Initial Thoughts on Wikileaks Vault 7 Leak Series:

This wikileak points to increasing erosion of public safety - despite having these tools at hand, world governments (US, UK, Germany) continue to push for encryption back doors. Equation Group’s leak (NSA) late 2016 and this latest CIA leak once again prove all organizations have their OpSec issues - the three letter agencies are themselves at risk; backdoors, once discovered, work just as well for foreign spies, cyber-criminals and script kiddies.  Who is protecting the innocent? “

Apparently no one… Is the NSA going to step up and accept responsibility? Maybe if hell freezes over – “Cannot either deny or confirm the existence of these weapons…” Well, everybody else did – who cares if you do or don’t?!!

Interestingly, even Chinese state media called for the NSA to take some responsibility, how ironic… Like they should be talking…

28Dec/16Off

10 Scary Security Predictions for 2017

Given the accuracy of DT’s 2016 predictions, it’s exciting (and unnerving) to present DT’s 10 Scary Security Predictions for 2017.

  1. IoT zombie army (the sequel) – from TVs to toasters people are connecting everything to the Internet, a little too carelessly. In 2016 the Internet of Things (IoT) was used as a force-multiplier in DDoS attacks. This was only a dress rehearsal and the attacks will get more sophisticated in 2017. Expect to see:
    • Web Infrastructure Attacks – attacks like DynDNS at a larger scale.
    • Utility Infrastructure Attacks – Thousands of pieces of SCADA & PLC, ICS equipment is unprotected and exposed to the internet. Most of these are connected to critical infrastructure that could impact human life in significant ways. For example, recently a Ukrainian power company was attacked and could not deliver power to its customers. Temperatures that day ranged from 30.2F to 15.8F – nobody was hurt reportedly, but a longer outage without power would be a problem.
    • Human Life-Threatening Attacks –IoT may become an assassination tool this year. Connected pacemakers, insulin pumps and let’s not forget cars.
    • Expect other new forms of IoT activity – swarms of “things” used as relays, conducting passive and active recon activities as an example.
  2. Pre-emptive hacking by government – this happened with no congressional debate or vote. According to this, if you are using TOR or a VPN service or if you are infected by malware the FBI can hack you without a warrant to understand what kind of a threat you are, or in the case of malware infections to identify the culprits (or to fulfill their jump-host quotas to launch attacks to whatever target); and they don’t even have to tell you. It’s the dawn of a new Internet era. Minority Report anyone?
  3. Get ready for GDPR – U.S. companies doing business in the E.U., or with U.S. citizens who reside in the E.U. will need to comply with GDPR requirements. The effective date isn’t until May 2018, but compliance will require planning, investment, and on-going reporting to keep the regulators and consumers happy. Three main things to watch are for are the requirement for each affected company to appoint a Data Privacy Officer (DPO), the fact that data subjects have new rights (including the right to be forgotten, to data portability, and to be informed of data breaches), and that there are steep fines for non-compliance.
  4. Machines learn to hack – machine learning will result in more sophisticated and harder to attribute attacks ranging from phishing and DDoS to Automated Target Selection and others. With Mirai-like IoT attacks, the capacity of humans to respond will significantly diminish and security workflow automation will gain importance. At DEFCON24 this year DARPA had its CyberSecurity Grand Challenge All-Machine Hacking Tournament the goals included reverse engineering unknown binary software, authoring new IDS signatures, probing the security of opponent software, and re-mixing defended services with machine-generated patches and defenses.
  5. Cyber-warfare on the rise – Increasing global tensions, constant use of cyber-warfare to impose political will, and the rejuvenation of nationalism has increased paranoia levels worldwide.  Nations are rightfully improving their defensive positions. In 2017 expect an increase in tensions to the point where citizens will become indifferent to surrendering their freedom in exchange for security. Cyber-gangs will join forces with nation states to deliver intelligence in exchange for a harassment-free work environment. Expect more cyber-mercenaries in the form of “black hat-as-a-service” (BaaS). Despite growing awareness, expect an increase in fake news and perception management operations will be observed.
5Feb/13Off

President given “broad authority” to order cyber attacks

cyber-warfareEnter the era of official cyber warfare. According to a report by The New York Times; a secret White House legal review has cleared the way for preemptive cyber attacks if the president determines there is credible evidence of a pending attack. Granted certain countries are really trying hard to steal corporate secrets, but hopefully, this will not end-up like conventional warfare - remember the (on-going) misguided UAV attacks and now the new enemy cyber terrorists....  Officials who had been involved in the review told The Times' David Sanger and Thom Shanker that the new rules give the president "broad power" to order computer-based attacks on adversaries that disrupt or destroy their systems, without requiring a declaration of war from Congress. The rules also govern how intelligence agencies can monitor networks for early warnings of imminent attacks, and when the Department of Defense can become involved in dealing with domestic network-based attacks.

   
Stop SOPA