It's that time of the year when those of us in the security industry look into the crystal ball to figure out what the year ahead looks like. Before I take a crack at what's going to happen in 2016, I thought it might be useful to reflect on my last year's predictions and see where they stand. Back in January this year, I had three things that I was predicting, two of which have come true. Hey, that's a pretty good hit rate in fortune telling.
- Increased Malware Attacks over SSL
- Malware Infiltrates the IoT
- Increased Scrutiny on Securing Containers
Increased Malware Over SSL
This prediction was based on companies like CloudFlare making SSL available for free to anyone with a website, no questions asked. These domain-validated certificates are issued almost entirely through automated, challenge-response email. According to the Baseline Requirements from the Certificate Authority Board, you only need to prove that you are either the registrant of the domain name or have control over the FQDN. Couple this with the fact that many large organizations don't break open SSL with their Next Generation Firewall or Secure Web Gateways (primarily over privacy concerns), and you had a perfect storm brewing. Fast forward to now: Netcraft recently published a blog post reporting that CloudFlare is a hotspot for deceptive certificates, accounting for 40% of the SSL certificates used by phishing attacks during August 2015! Misspelt PayPal and Bank of America sites (remember the we11point.com domain used in the spear-phishing attack on Anthem?) are now showing up with the familiar green padlock. This is pretty scary, as end users have been trained to trust the green padlock.
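One defender-side check that follows from this, as an added example rather than anything from the original post: a small Python filter that maps digit-for-letter substitutions (the we11point.com pattern) back to letters and flags hostnames that imitate a brand allowlist, so that such names can be reviewed before anyone trusts the padlock. The brand list, the genuine domains and the sample feed are all constructed, and the public-suffix handling is deliberately simplified to one-label TLDs.

```python
"""Added example (not from the original post): flag lookalike domains of the
we11point.com kind, where digits or letter pairs imitate a brand name.
The brand allowlist and the sample feed are constructed data."""

# Characters that read like other letters in a browser URL bar.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})

# brand keyword -> genuine registrable domain (assumed allowlist)
BRANDS = {"paypal": "paypal.com", "bankofamerica": "bankofamerica.com",
          "wellpoint": "wellpoint.com"}

def normalise(label):
    """Map confusable characters back to the letters they imitate."""
    return label.lower().translate(CONFUSABLES).replace("vv", "w")

def levenshtein(a, b):
    """Edit distance, so single typos like 'welpoint' are also caught."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(hostname, brands=BRANDS):
    """Return the imitated brand keyword, or None if the name looks benign.
    Assumes a one-label public suffix (.com/.net); use a PSL in production."""
    host = hostname.lower().rstrip(".")
    if any(host == g or host.endswith("." + g) for g in brands.values()):
        return None  # the genuine domain or one of its subdomains
    labels = host.split(".")
    registrable = labels[-2] if len(labels) >= 2 else labels[0]
    # brand used as a whole label or hyphen-part anywhere in the name ...
    pieces = {p for lab in labels for p in normalise(lab).split("-")}
    for brand in brands:
        # ... or the registrable label one edit away from it after normalising
        if brand in pieces or levenshtein(normalise(registrable), brand) <= 1:
            return brand
    return None

def flag_lookalikes(hostnames, brands=BRANDS):
    """Map each suspicious hostname in a feed to the brand it imitates."""
    return {h: b for h in hostnames if (b := classify(h, brands))}

# Constructed sample feed, as it might be pulled from certificate issuance logs.
SAMPLE_FEED = ["we11point.com", "paypa1-secure.com", "login.paypal.com",
               "bank0famerica.net", "paypal.com.account-verify.net",
               "example.org", "wellpoint.com"]
```

Running `flag_lookalikes(SAMPLE_FEED)` returns the four imitations with the brand each one targets and leaves the genuine PayPal and WellPoint names alone.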
Malware Infiltrates IoT
My prediction here was based on IoT wearables being a prime target for malware authors, because the firmware/software on these wearables has two things going for an attacker. The first is the sheer number of consumers that can be reached by hacking into one of these: a big ROI and channel for the malware authors. The second is that they don't necessarily have all the security measures that most modern OSes have to thwart attacks - mandatory access control, process isolation, stack randomization, etc. At the Hack.Lu 2015 conference, Fortinet researcher Axelle Apvrille (@cryptax) presented a proof-of-concept for a vulnerability in Fitbit fitness trackers. An attacker in close range only needs about 10 seconds to inject malicious code (GitHub) via Bluetooth. The code can persist and then spread to devices to which the Fitbit connects. Pause for a second and think about it. Even Schneier thinks it's impressive. And that's saying a lot. 2016 is looking like the year when you go out for a run and come back with malware.
Stay tuned for my 2016 security predictions.