Beating cybercrime today
Our newest guest blogger Byron V. Acohido lays today’s digital stakes on the line.
Back in 2004, when I co-wrote this USA TODAY cover story about spam-spreading botnets, I recall advising my editor to expect cybersecurity to be a headline-grabbing topic for a year or two more, tops.
I was wrong. Each year over the past decade-and-a-half, a cause-and-effect pattern has spread more pervasively into the fabric of modern society. Each and every major advance of Internet-centric commerce – from e-tailing and email, to social media and mobile computing, and now on to the Internet of Things – has translated into an exponential expansion of the attack surface available to cybercriminals.
And malicious hackers have taken full advantage – whether they are motivated by criminal profits, backed by nation-state operatives, or simply desirous of bragging rights. Year-in and year-out, criminal innovation has far outpaced the effort on the part of companies and governments to defend their business networks, as well as to preserve the sanctity of our private data.
2018 was no exception. The year closed out with Starwood Properties, parent of the Marriott hotel chain, disclosing it lost personal data for 500 million patrons in a breach that lasted some four years. Disclosures of huge data breaches no longer shock the public. Over the years, massive data losses have been reported by Equifax, Yahoo, Target, Anthem, Premera Blue Cross, Sony Pictures, Sony PlayStation, Home Depot, Deloitte, JP Morgan Chase, CitiBank and the U.S. Office of Personnel Management, just to name a few.
Meanwhile, we learned last year that stolen data might be the least of our worries. We witnessed Facebook CEO Mark Zuckerberg apologize to Congress for making behavioral data for 87 million Facebook users accessible to British consultancy Cambridge Analytica, which then used this sensitive information to manipulate U.S. voters into supporting Donald Trump.
Speaking of America’s president, with Trump dominating mainstream news coverage, most folks took little notice of a tectonic shift of the cyber landscape. In 2018, as businesses raced to mix and match cloud-services delivered by the likes of Amazon Web Services, Microsoft Azure and Google Cloud, unforeseen gaps in classic network security systems began to turn up. And sure enough, enterprising cybercriminals wasted no time taking advantage.
Hackers got deep into Uber’s AWS platform. They did this by somehow obtaining, then using the AWS login credentials of one of Uber’s software developers, who left those credentials accessible on GitHub. ‘Git’ is a system for controlling the latest version of software programs; GitHub is an online repository where developers upload code for peer reviews and such.
The wider context? Imagine the degree to which Uber uses software to tie into services hosted by Amazon, Google, Facebook, Twitter, iPhone and Android. Uber is a prime example of an Internet-centric enterprise comprised of a collection of tools and services hosted by myriad partners. Think about how frenetic the software development process must be to keep Uber humming. Imagine all of the fresh attack vectors.
The direction this is heading is not good. A report from insurance underwriting giant Lloyd’s of London and risk modeling consultancy, Air Worldwide, showed how a three-day outage of the top cloud services providers would cause $15 billion in damage to the U.S. economy. Such a scenario would devastate small- and mid-sized businesses reliant on cloud services.
Meanwhile, after presumably enjoying a restful holiday, the best and brightest malicious hackers are diving into 2019 with renewed verve. A cutting-edge information stealer, dubbed Vidar, is designed to relay stolen data back to a botnet command-and-control server, just as the botnets I wrote about in 2004 did. Vidar, however, can identify browser and computer specifications at a granular level. This makes Vidar capable of stealing cryptocurrencies from digital wallets.
There is also a new type of attack aimed at the hardware level of targeted computers, instead of the software application level. The “Meltdown” and “Spectre” exploits paved the way for so-called “microcode hacks” in early 2018. And as 2019 commences, a new iteration, referred to as “page cache attacks,” presents an insidious new way for attackers to bypass security systems and place phishing windows deep inside of legitimate applications.
“This attack class presents a significantly lower complexity barrier than previous hardware-based attacks and can easily be put into practice by threat actors, both nation-state as well as cyber gangs,” says Mounir Hahad, head of Juniper Threat Labs at Juniper Networks. “There is not much that an end user can currently do to protect themselves against this type of attack, except to not run any software from a shady source, even if it does not raise any antivirus flag.”
Vidar and microcode hacking are two grains of sand on the beachhead of 2019 cyber threats. Conjuring a full summary of cyber exposures would be daunting. Clearly, there’s no turning the clock back on our Internet-centric digital lives. It is going to be a long while before the Pandora’s box of technical and societal problems we’ve opened gets resolved.
The good news is that an unparalleled acceleration of research has commenced in next-gen network architectures, including distributed databases, advanced encryption, datafication and artificial intelligence. What’s more, key industry standards-setting bodies and government regulators are well aware of what’s at stake. And they’ve begun a plodding march toward consensus standards and protocols.
But it will take some years to sort this all out. For the foreseeable future, the burden lies on each individual – each consumer, each employee, each company owner, each senior exec, each board director — to stay informed and to practice wise security and privacy habits.
I’ll do my part to keep the discussion going. Talk soon.