What keeps security experts up at night?
“We still have a very fragile international financial system, and we know that ... [Electric] power is fragile ... Even food delivery is fragile from the cyber perspective.”
That’s Dave Aitel, former NSA research scientist and founder of Miami Beach, Florida-based software security company Immunity Inc. He’s not alone. “People in the know are scared, and they’re scared for good reasons,” Aitel told Tom’s Guide.
Social media attacks masquerade as messages from your friends. Data breaches steal your personal information from companies you trusted. The Internet is not a safe place to be. With the possibility of so-called “cyberwar” looming on the horizon, the threats are only increasing.
For example, the first three months of 2014 saw 254 data breaches worldwide, resulting in the theft of 200 million records. That’s a 233 percent increase from the first three months of 2013, according to the Breach Level Index reported by Belcamp, Maryland-based information security company SafeNet Inc.
What’s worse, only 1 percent of these 254 breached databases used encryption or other security measures that would make the stolen data unusable to criminals. In the other cases, once the attackers breached the database’s outer defenses, the data was theirs for the taking.
“Attackers are getting better/faster at what they do at a higher rate than defenders are improving their trade,” wrote the Verizon Data Breach Investigations Report.
What kinds of security threats are coming your way, and what threats are already here? Moreover, what can you do to protect yourself? We asked a wide range of security experts about what new digital threats they see just around the corner.
Social attacks: Don't trust your friends
Have you checked Facebook lately? About 1.28 billion people use Facebook at least once a month, according to the company's 2014 first-quarter earnings report.
But between 4.3 and 7.9 percent of those users are "duplicate accounts," according to Facebook's own estimate in the April 25 Form 10-Q Quarterly Report it filed to the U.S. Securities and Exchange commission. Between 0.4 and 1.2 percent of those users are "undesirable," i.e., spammers or worse. Those numbers might look small, but 0.4 percent of 1.28 billion is 5.12 million.
How much personal information do you post on social media? Can your online "friends" put you at even further risk?
What it is: "One thing that I think continues to be an issue is social network security, and people's inability to believe, for whatever reason, that what they put on social networks isn't automatically going to someday be public," said Dave Aitel, chief technology officer of security firm Immunity Inc., in Miami Beach, Fla.
Yet revealing too much personal information, unwittingly or not, may not be the worst security aspect of social networking. Social networks are also excellent platforms on which online criminals can develop and disperse attacks.
"It doesn't have to be someone hacking into Facebook to hack into your Facebook account," Aitel said.
It's the difference between someone breaking through a website's security to access its back-end database and simply getting hold of a single user's login credentials. Even if it's not your own account being hacked, you might fall prey to a scam or attack that's running through a friend's account.
"The big advantage for bad guys of spreading over a social network is that the attack comes with the 'endorsement' of one of your friends," says Graham Cluley, an independent security expert and blogger. "It's not a complete stranger — it's your friend Mary, and you see her smiling face in her avatar next to the message.
"People are lulled into a false sense of security," he added. "As a result, spam and malware attacks aren't uncommon at all on links for Twitter and Facebook."
And just because you practice good online security doesn't mean you're safe; criminals often target the people around a high-profile target in order to get what they want. "You are the weak link in your security," said Robert Siciliano of McAfee, a Santa Clara, Calif.-based antimalware company
"Social network" means more than you think. An online video game that lets players communicate with each other is a "social game," and attackers can use it to spy, stalk or steal money. If the likes of "World of Warcraft" and "Second Life" are good targets for the NSA and GCHQ, they're good enough for savvy criminals, too. A hacker could also get a lot of money selling in-game resources such as gold, armor or even an entire character to other players.
Social network security is no laughing matter.
"We … expect to see attacks that employ the unique features of the social platforms to deliver data about user contacts, location or business activities that can be used to target advertising or perpetrate virtual or real-world crimes," McAfee wrote in its 2014 yearly forecast.
Twenty-two percent of social media users have experienced or perceived a security issue, according to a November 2013 survey sponsored by McAfee. What will that number look like at the end of 2014, when McAfee predicts that "social attacks will become ubiquitous"?
Being too free with your personal information could lead to identity theft or other kinds of privacy violations, such as "sextortion" involving hijacked Facebook accounts. Spies have used LinkedIn to identify targets for spear-phishing attacks. As for damages resulting from social-networking malware, the damage depends more on what the malware does than on how it reached you.
Reality Check: Social media-related scams are easy to avoid. Be aware of what you post online, and be skeptical of links, app invites and other things your friends post.
Aitel recommended you enable two-step verification whenever possible — Twitter, Facebook, Google and LinkedIn all allow it. He further recommended that people "compartmentalize" their information, so that no single website or service knows everything about you.
"That's the theme of the year: How do you compartmentalize your personal information?" he said. "Maybe I only use Google+ for friends and family, and I never use Google+ for work."
Data breaches: Your personal information exposed
In "Game of Thrones," the Wall protects humans from the deadly White Walkers. Sadly, many websites' "walls" aren't nearly as well-fortified or monitored.
What is it? A data breach occurs when protected data loses its protection. Sometimes that's due to attackers logging into a company network with stolen credentials or breaking into a database by exploiting a security flaw. Other data breaches are accidental, the digital equivalent of a filing cabinet falling off a truck and spilling open.
Data breaches can expose sensitive personal information, including individuals' names, email addresses, credit card numbers, home addresses, medical histories or Social Security numbers — most of which can be used to steal identities.
When a company website can't adequately protect its users' personal data, not only does it put the users at risk, but it can make other companies more vulnerable as well.
"If you are a user of a website, your biggest threat is that you re-use the same password everywhere, so that when a hacker breaks into a weak website, they get your password to strong website (like Google or Twitter)," said Robert Graham, chief executive officer at Atlanta-based Errata Security.
Data breaches involving credit card numbers are less harmful to the end user than those involving Social Security numbers, thanks to consumer-protection laws. But they cost banks and other card-issuing financial institutions millions of dollars in fraudulent charges.
"The impact of [card] breaches is getting greater and greater, as criminals are able to steal tens of millions or hundreds of millions of credit cards from these institutions," said Dmitri Alperovitch, co-founder and chief technology officer of Irvine, Calif.-based security firm CrowdStrike. "The impact is felt across the economy."
Alperovitch also says that criminals are getting smarter about how they attack databases. "Their tradecraft is getting a lot better. It used to be [cybercriminals would] go after consumers directly…They realized they can be a lot more efficient by going after the institutions that store all this data: retailers, banks, credit card processors.
"We're seeing them go after the places where they can steal millions of credit cards in one fell swoop," Alperovitch said.
But it's not just credit cards or email addresses that can threaten your identity. Online marketers want every bit of information on you they can get -- Web browsing habits, income, preferences, family size, race, age, gender and sexual orientation. You may have never heard of Little Rock, Arkansas-based Acxiom, but it has individual profiles of most American adults, and an estimated 500 million individuals worldwide.
Acxiom has been breached twice in the past: once in 2003 and once in 2006. For reference, Facebook was founded in 2004, and began admitting anyone over 13 years old (instead of merely high school and college students) in 2007. Imagine if Acxiom — or Facebook — was breached today?
A devastating data breach is not just possible; some say it's likely. A report by Joseph Feiman of Stamford, Conn.-based tech research firm Gartner says that "By 2020, enterprises and governments will fail to protect 75 percent of sensitive data, and will declassify and grant broad/public access to it."
There's little the average Internet user can do to protect himself against data breaches. It's up to the websites and other holders of sensitive data to employ strong protections and train their employees to recognize and defend against attacks.
What's the worst that could happen? Your identity is stolen; strangers get bank accounts and driver's licenses in your name; your friends and colleagues are hit by phishing and spam emails; your credit cards need to be replaced; if your physical address is leaked, you might be stalked.
Reality Check: All that can be stolen is what a breached institution has. Minimize your exposure by using unique passwords for every account, taking advantage of online payment systems such as Paypal and Amazon Payments and never give your Social Security number to anyone who doesn't absolutely need it.
Malware as a service: The new black market
Malicious hackers aren't kids pulling pranks from their mothers' basements any more. There's now a thriving, highly organized cybercrime economy where anyone can buy ready-to-use malware kits, rent time on botnets or purchase stolen credit card numbers. The business of cybercrime has become not just easy, but convenient.
"Cybercrime has become an industry,” says independent security expert and blogger Graham Cluley.
What is it: Malware packages sold in online black markets now resemble legitimate software, with user-friendly interfaces, service subscriptions and software licenses. Just as WordPress and Tumblr let people create blogs without having to know HTML or CSS, commodified malware has lowered the bar of entry for wannabe cybercriminals and made it easier to create highly specialized malware simply by churning out variations on a common theme.
"Every day, there are over 200,000 new pieces of malware coming out," Cluley said. "It's more than one every second. There's a sheer glut of malware."
What's more, cybercriminals are becoming bolder. "The black hat hackers [a.k.a. cybercriminals] aren't hiding like they used to," McAfee Online Security Expert Robert Siciliano told Tom's Guide. "They're not as secretive in their business dealings as they once were…they are not as fearful."
The flipside is that most of the malware being sold today is "mass-produced rubbish," Cluley said.
"One of the things we've seen over the past 15 years," he told us, "is [that] the creativity or, if you like, the art of malware has really gone down the drain."
It's not just malware that's available to anyone with a Bitcoin account. Stolen credit card numbers can be purchased for pennies. Anyone can rent or lease a botnet, or a network of hijacked computers connected to a single command-and-control server the way the Borg of "Star Trek" are connected to a queen.
If you rent a botnet, you can use the combined processing power of thousands of PCs to conduct denial-of-service (DoS) attacks that overload websites with more data requests than they can handle, crack passwords, or churn out spam.
But what's the difference between spam and behavioral marketing campaigns? In its white paper on cybercrime in the year 2020, Trend Micro predicts that as digital technologies create new possibilities (and new ways of making money), the line between legal and illegal activity might become blurred.
What's the worst that could happen? A mature, thriving, segmented market of specialized criminals offering customized malicious products and services can only increase the number and effectiveness of all types of cyberattacks.
Reality Check: Cybercriminals aren't artists; they're just looking to make money as fast as possible. Malware is increasing in volume faster than it's getting better. A strong antivirus program and a cautious attitude will go a long way toward protecting you online.
Point of Sale Attacks: Everyone's a Target
Just before Christmas 2013, Minneapolis-based retailer Target Corporation revealed that 40 million credit and debit card numbers had been stolen from the company's electronic payment systems. Malware had been installed on Target's in-store point-of-sale terminals, the devices through which shoppers swipe their cards to purchase items.
What it is: Malware is normally found on a personal computer. But in a point-of-sale (PoS) attack, the malware is installed on payment card terminals, which can be found at just about every retailer in the United States.
PoS malware, which has been around for several years, scoops up the data from a card's magnetic stripe and transmits it to remote servers run by criminals. You don't need to own, or even use, a computer to be affected.
The number of PoS attacks actually decreased in 2013, but the attacks that did occur focused on larger, better-known targets, according to the 2014 Verizon Data Breach Investigations Report (DBIR).
The next big retailer threat may be Web app attacks, which exploit flaws in Web-facing content-management or database software. The DBIR logged 3,937 confirmed Web app attacks in 2013 (not all of which were financially motivated), far more than the 198 point-of-sale attacks.
"The variety and combination of techniques available to attackers makes defending Web applications a complex task," the Verizon report states.
There is some good news. Beginning in late 2015, credit and debit cards will become harder to exploit as the U.S. switches from magnetic-stripe cards to EMV cards, which store data on embedded, encrypted computer chips. Some "chipped" credit cards, called "chip-and-PIN" cards, will require PINs to complete transactions as debit cards already do, while others will stick with a signature.
The bad news is that even EMV cards aren't perfect.
"Like everything with fraud, it's a game of cat and mouse," said Loc Nguyen, vice president of Feedzai, a fraud-risk-prevention firm in San Mateo, Calif. "As the good guys come up with solutions, the bad guys are trying to come up with workarounds."
EMV cards are already common in Europe, and Nguyen said criminals there have shifted their focus from point-of-sale fraud to online-payment fraud.
Immunity, Inc.'s Dave Aitel describes EMV cards as "a stopgap, a too-little-too-late stopgap." But don't go switching to a barter economy just yet: Aitel predicts the United States will eventually develop a more flexible (and, according to him, more secure) set of payment options that includes chip-and-PIN cards as well as online-payment systems such as Google Wallet and Paypal, and even cryptocurrencies such as Bitcoin.
"The variety and combination of techniques available to attackers makes defending Web applications a complex task," the Verizon report states.
"Honestly, I think Bitcoin is great," Aitel told us. "It's not perfect, but money is not perfect. Even dollar bills can be forged. And Bitcoin has a lot of other advantages."
But why stop there? In a recent white paper speculating on cybersecurity in the year 2020, Tokyo-based security company Trend Micro predicts a dedicated secure Internet specifically for online transactions. This may make life more difficult for businesses, who would need to operate in both the public Internet and the transaction-focused Internet, but it would generally make customers' data more secure, Trend Micro said.
What's the worst that could happen? A point-of-sale attack will compromise your name and credit- or debit-card number, so you'll want to alert your bank or card issuer and replace the card. If your card was fraudulently used to make purchases, you may have to contest those charges.
Reality Check: As long as you're aware that your card was compromised, and act to limit the damage, a point-of-sale attack really isn't that bad for the end user. Cybercriminals often prefer personal information such as addresses, dates of birth and Social Security numbers. Those are harder to change than a credit card, and criminals can use them to open new lines of credit in your name.
Zero-day exploits: Slipping through cracks you never saw
All software has flaws. Usually, experts find the flaws before anyone can exploit them. But sometimes the bad guys find the flaws first. Attacks using these flaws are called "zero-day exploits" because the good guys have no time to prepare for them.
What it is: Milpitas, California-based research firm FireEye recently detected a devastating zero-day exploit on Internet Explorer that gives attackers control of infected computers. Microsoft was taken by surprise, and the U.S. Department of Homeland Security warned people not to use Internet Explorer — a major product of a major American company — until the flaw was patched.
The attacks that brought this zero-day exploit to light (FireEye dubbed it "Operation Clandestine Fox") are similar to attacks carried out by Chinese cyberspies. That's how serious zero-day exploits can be.
The use of software vulnerabilities, both unknown and merely unpatched, is "one of the things I think has changed [about cybercrime]," according to independent security researcher Graham Cluley. "We've seen lots more exploitation of vulnerabilities, so they will try and exploit security holes in the likes of Adobe PDF reader, Microsoft Word, [etc.]."
One of the many advantages of using zero-day attacks is that the targets don't know they're coming. "A good zero-day is not going to announce on the screen that something is suspicious," Cluley said. "It's going to be silent and stealthy."
Several firms in the U.S. and Europe specialize in finding and selling zero-day vulnerabilities and exploits. The NSA and its foreign equivalents race each other to find — and buy — zero days.
If criminals get their hands on zero days, they build them into browser exploit kits, each of which contains multiple ways to attack Web browsers. Exploit kits are hidden in compromised websites or banner ads, and any Web user unlucky enough to encounter one may find many forms of malware leaking through his or her browser.
Cluley fears cybercriminals may have built up a stockpile of zero-day exploits for Windows XP, Microsoft's retired but still widely used operating system. Now that XP won't get any more security updates, criminals could use these exploits freely knowing the underlying flaws won't ever be patched.
What's the worst that could happen? A lot. Cybercriminals can use zero-day exploits to slip in and out of networks without leaving a trace. Antivirus programs can't directly detect malware based on zero-day exploits and may not even notice its aberrant behavior. Good zero-day exploits have much better success rates than social-engineering attacks, such as email phishing, which rely on human error.
"I think one reason why we've probably seen [zero-day exploits] becoming more important is they don't rely so much on social engineering," Cluley said. "If you can silently infect people's computers, there's nothing suspicious [to warn people]."
Reality Check: National intelligence agencies, such the NSA or GCHQ, pay a lot of money for zero-day exploits, pricing out most criminal organizations. It's more common to see such exploits used in state-sponsored cyberespionage campaigns rather than in regular cybercrime.
The average consumer, unless he or she works in the defense industry, international finance or the higher reaches of government, isn't likely to encounter a zero-day exploit. In most cases, by the time regular criminals get around to using one, patches will be available.
Spying goes digital: Theft of national and corporate secrets
Cyberespionage sounds like something out of a thriller paperback. But of all types of cybercrime, espionage saw the biggest growth in 2013, according to the latest annual Verizon Data Breach Investigations Report.
What it is: Foreign countries and groups are constantly trying to steal American manufacturing secrets, said CrowdStrike's Dmitri Alperovitch. If thieves succeed, they can copy items and sell them overseas for less than the original American products.
"That's been a huge issue in terms of the competitiveness of Western countries," Alperovitch told us.
Verizon's DBIR reported that of the 1,367 confirmed data breaches in 2013, 511 were the result of cyberespionage, and 306 of those resulted in the data being disclosed.
"Most surprising to us is the consistent, significant growth of incidents in the [cyberespionage] dataset," the report said. "We knew it was pervasive, but it's a little disconcerting when it triples last year's already much-increased number."
Cyberspies are on the cutting edge of technology and have many different tools at their disposal.
"I don't want to suggest there's anything like state-sponsored cybercrime," Cluley said. "But I think it is something that people need to be aware of, because that is an area where we probably see more innovation and more bespoke malware attacks."
So who's doing all this spying? China and North Korea are the usual suspects, but they aren't the only ones playing the spy game — they're simply the ones who get caught most frequently. By contrast, the NSA is so stealthy that without Edward Snowden's leaks, other countries would never have been aware of the extent to which the NSA had penetrated their networks.
"Having to negotiate against a Chinese team that has stolen your internal proposal documents or bid price is not something that any American company should have to deal with," said Immunity Inc.'s Dave Aitel. "It's the government's job to make sure this isn't the case, and so far it is failing."
What's the worst that could happen? For a consumer, the immediate worst-case scenario is having personal data exposed during an espionage attack. You might even lose your job, if your company sees enough losses.
On a broader scale, loss of national-security secrets could result in military losses. Adversaries who knew all about the United States' missile-defense system could more easily penetrate it.
Reality check: Cyberespionage affects companies and states far more directly than it affects individual users. Even "watering hole" attacks, which embed hidden malware in websites of interest to specific groups of people, are narrowly focused — the most successful have targeted politicians, diplomats and software developers.
Cyberterrorism and Cyberwar: The worst-case scenario
In our hyperconnected world, computers control just about everything, including drinking water, electricity and emergency services. Does that mean hackers could disrupt, or even destroy, such essential institutions?
What it is: Cyberterrorism, cyberwar or cybersabotage (the terms depend on who's doing the attacking and why) involves altering normal computer operations to cause physical damage. National security officials fear such an attack on critical infrastructure — digitally disrupting the operations of a power plant, dam, water distribution system, financial network or transportation system.
"While people themselves have greater personal security, the critical infrastructure they rely on does not. Generally, the systems that keep the lights on, keep hospitals safe and keep our tap water running are built on older systems with no security, and have all been attached to the Internet," Immunity Inc.'s Dave Aitel said. "There are plenty of malicious actors who know this very well."
The possibility of a devastating attack on critical infrastructure has been compared to a cyber-9/11, and government officials take the threat seriously. This past March, a French security expert canceled his own conference talk entitled "Hacking 9/11" because he feared terrorists could glean tips from his material.
A digital attack on critical infrastructure would likely not stand alone, but serve as stage one of a physical attack. Cutting the power to a major city would make it more vulnerable to a missile or bomb attack. Just this past month, Russian forces cut telephone and Internet links to the Ukrainian mainland as they seized control of the Crimean Peninsula.
And according to CrowdStrike's Dmitri Alperovitch, North Korea is also becoming a serious player, frequently targeting South Korea in "disruptive attacks ... where they're able to wipe data from machines" as well as put whole networks offline for several days.
North Korea "is not a top-tier country in terms of cyberoffense, but ... they're getting quite good and quite sophisticated, so they can do significant damage."
"These are things that we are quite worried about," Alperovitch told Tom's Guide.
As new technologies develop, our definition of "critical infrastructure" may change as well. Imagine a "Star Trek" world where 3D printers were used in every home to create food, tools and more. A disruptive cyberattack on 3D printers would be an attack on critical infrastructure.
Or think of a scenario in which people used virtual-reality and augmented-reality headsets on a regular basis. If someone were able to attack the networks serving those headsets and removed warning signs or directions or inserted disturbing content, that might not only constitute a cyberattack — it might also cause physical and emotional harm.
What's the worst that can happen: A critical-infrastructure attack is the worst-case scenario. Water released from dams could flood whole towns; cities could grind to a halt without electricity; banks, subways and other important institutions would cease to function; people would soon run out of clean water or fresh food — and that's before any physical attack.
Reality check: Cyberterrorism and cyberwar, at least with the intent to cause personal injury, are still only speculation. The Stuxnet worm, which damaged an Iranian nuclear facility in 2010, is a clear example of cybersabotage.
What some call cyberterrorism is better described as cybervandalism, such the Syrian Electronic Army's hijacking of Twitter accounts or the Izz ad-Din Qassam Cyber Brigades' denial of service attacks on American bank websites. Such attacks are disruptive, but not cyberterrorism — there's little chance of physically injuring anyone.
Security threats, ranging from the mildest of spam to the most serious critical infrastructure attacks, won’t be going away. But the news is not all bad. For example, while Verizon’s 2014 Data Breach Investigations Report shows attackers outpacing defenders with new and better attack techniques, the report notes that affected companies and law enforcement are getting better at detecting breaches early on.
“Governments and companies are spending hundreds of millions of dollars on protective measures,” CrowdStrike’s Dmitri Alperovitch told us. “They can’t protect everything against everything. They need to prioritize their resources.”
The federal government might soon take a role in mitigating data-breach damage: U.S. Attorney General Eric Holder recently called for a federal data-breach reporting law that would require breached companies to promptly notify both law enforcement and their customers as to what information had been compromised.
“Most of what we hear is all the bad stuff going on — the breaches, the mistakes, the latest shiny new malware, etc.,” Immunity Inc.’s Dave Aitel told Tom’s Guide. “The reality is that the security community is making some promising gains itself.”
Despite the serious threats security experts deal with on a daily basis, Aitel retains a sense of optimism for the future.
“The more technology humanity has access to, the better it is,” he said. “I think in the end we’ll have a better society. It’ll be a different society, but in the end it’ll be a better one overall.”