2014 – The year of changes
The year 2014 will be a year of continued change in the ICT security world. It will be a year in which some very fundamental, unfinished business that originated in 2013 and earlier years will be carried forward and will be heading for an outcome. Making any prediction for the next 12 months in the extremely fast-paced InfoSec world is very difficult without the use of a reliable crystal ball, but with a little research and aggregation of various information sources, some conclusions can be drawn.
The emerging interest in ICT security by the general public due to, for instance, the Snowden NSA revelations, increased media coverage of virus infections, hacking, and phishing, and the subject being picked up in more movies and books, will lead to the politicization of the subject. President Obama can agree on this, as he is currently going through the process of reining in (or attempting to rein in) the NSA grip on metadata, to gain back the trust of the general public in the United States. Whether he will succeed in getting through the majority of the recommendations by the panel on domestic spying abuses will be a political matter. How much power and control do the intelligence agencies have in the United States? The year 2014 will most likely tell us.
The Snowden revelations have brought the ICT security realm into the parliaments of other countries as well. Just to name some examples, there is the spy scandal of the U.S. government tapping German Chancellor Angela Merkel’s phone and the scandal around the tapping of the phones of Indonesian president Susilo Bambang Yudhoyono, his wife, and senior government officials by the Australian government. Of course the reactions of the targeted governments could be called highly hypocritical, considering they were well aware of their phones being under constant threat and their own agencies were most likely targeting the opposite governments as well, but the politicians cannot afford to be seen as weak by their own electorate. They need to speak up and speak up loudly. They will need to demand apologies, change internal policies and propose new laws. Will this lead to real changes or will this be a short flexing of muscles only to limit national embarrassment? We will see the outcome soon enough.
Another trend in 2014 will be the further move of traditional (including organized) crime into cyberspace. This move has been going on for at least the last decade due to the enormous benefits for criminals, such as the low-risk/high gains environment and the ability to easily work on a large, international scale. In the previous year we have seen some particularly worrying developments in this area, which in my opinion will really start to play out in 2014.
The first development is the emergence of virtual currencies. By far the largest one is the bitcoin. Whether the virtual currency, now worth 10 billion USD, has a financial future remains to be seen. This is far out of the scope of ICT security, but what is happening is still very interesting from the security perspective. Due to their provision of anonymity to users, virtual currencies have made it easy for criminals to transfer money. An example is the CryptoLocker ransomware, which initially demanded 1 BTC from the user to unlock their encrypted files. After the bitcoin value more than doubled, the people behind CryptoLocker easily dropped their demands to 0.5 BTC. The speed and ease with which this was done shows how convenient this new currency is for criminals in cyberspace. Expect to see a lot more use of these virtual currencies in the dark corners of the Internet in 2014 and expect a lot more ransomware out there, linked to bitcoin. Of course, bitcoins have been stolen from workstations and web servers as well. This will get a lot more common as long as the value of the bitcoin keeps rising as it is currently doing. It was a matter of time before the high gains would start to attract criminals willing to invest their time to steal the virtual treasures many systems now hold.
The second development is the emergence of black markets on the Tor network, of which Silk Road was the best known one. On Silk Road, services such as drugs and even hit men could be organized, until the FBI arrested the person behind the site (Ross William Ulbricht, aka “Dread Pirate Roberts”) and seized over 26,000 BTC from its accounts. Even though it seems the takedown of Silk Road is a demonstration of the grip of governments on the internet (Tor), the continued popularity of virtual currencies such as bitcoin and the continued growth of users of the Tor network will make this grip very difficult to maintain. Within weeks after the closure of Silk Road, admins launched a more secure version 2.0 of the site. Following this, three Silk Road admins were arrested, of whom some were linked to the new Silk Road 2.0. The commitment of the new “Dread Pirate Roberts” to distribute encrypted copies of the site’s source code for quick recovery shows how hard it will be for enforcement agencies to control this phenomenon.
Last year, evidence about governments sifting through the vast amounts of data on the internet came to light. This is starting to lead to the increased interest of the general public in encryption technologies to protect their privacy. A very difficult situation for large companies such as Microsoft and Apple is developing here. On the one hand, they need to comply with government requirements but, on the other hand, they cannot give their users the impression that they are not protecting their privacy. An open letter at the end of 2013 from technology companies like AOL, LinkedIn, Facebook, and Apple to the United States government requesting to “reform government surveillance” is a clear example of their difficult position. Another example of the pressure they are under can be seen in the responses Apple received after they decided to reject the encrypted chat service Cryptocat. For whatever reason they rejected the application, the general public was quick to assume this was due to pressure from the NSA so they could continue their operations. Justified or not, these actions will start to hurt company public profiles more and more and will create pressure to further develop (and advertise) their own privacy-enhancing technologies. Even that might not be enough to instill user confidence after releases by the Guardian describing Microsoft’s assistance to the NSA with the circumvention of its own e-mail encryption services. This will lead to a strong growth in third-party secure communication services, the use of the Tor network, and the use of PGP and S/MIME e-mail encryption technologies in the next few years.
At the end of 2013 we saw further moves by the technology sector to remove the biggest security sore in their eyes: the password. Passwords, especially the ones where the complexity is the responsibility of the end-user, are notoriously insecure. Quite often the easiest form of attacking a system is to guess, extract, steal, or brute-force a password to obtain full system or data access.
Apple has included the fingerprint scanner in its iPhone 5s model and Samsung, among many others, will most likely follow that action in 2014. On the back of this, mobile or web applications are now increasingly able to use the mobile device as a second layer of authentication: the token. This creates a two-factor login to websites, for instance, by requiring a password the user “knows” and the use of a code in an SMS or mobile application which is something the user “has.”
On the other hand, we have seen an increase in the use of biometrics in other devices, such as Bluetooth and USB fingerprint readers, as well as fingerprint readers integrated into computer mice and laptops. Banks such as the National Australia Bank are integrating voice recognition services into their call centers and moves are being made to secure mobile online banking apps the same way. Due to the increased user acceptance, which was always the biggest hurdle in biometrics implementation, and due to the increased hardware availability, biometrics will take some large steps in 2014.
Future predictions are always difficult, especially considering some of the major forces that will influence the next year of InfoSec have only just come to light. What is clear, however, is that this year will be a fascinating year for the InfoSec community. Due to the increased pressures and demands from many different sides, it will be a year full of radical changes and newly adopted technologies.