What a difference 365 days makes. 2019 has been an eventful year for cyber security professionals, with a number of new threats emerging and an escalation in ransomware and in the level of data breaches, on top of all the normal threat vectors. IoT has also featured heavily in the cyber security landscape.
But first, let's touch on one of the notable events of 2019.
The Internet Turns 50?
In 1969, the first message was sent over the ARPANET, a network of universities and research laboratories across the US. This marked the start of a technology that would go on to become the ‘network of networks’ we all rely on so heavily today – The Internet.
However, January 1, 1983 is considered the official birthday of the Internet. Prior to this, the various computer networks did not have a standard way to communicate with each other. A new communications protocol was established called Transfer Control Protocol/Internet Protocol (TCP/IP). This allowed different kinds of computers on different networks to “talk” to each other. ARPANET and the Defense Data Network officially changed to the TCP/IP standard on January 1, 1983, hence the birth of the Internet. All networks could now be connected by a universal language. So in 2033 we will be doing this all again.
Ransomware has been around for a few years now, but in 2019 it evolved to use more targeted attack vectors. Prior to 2019, ransomware was more random in its attack vector, relying on people clicking on links in emails.
During 2019 a few new attack methods evolved that were more targeted against specific organisations via the supply line. Cyber criminals managed to invade various companies that provide IT management services to businesses. As these companies are trusted to have direct access to a company's systems, an infected update could be slipped into the mix that could infect the target company with malware of various forms.
Ransomware attacks are also becoming much more focused on specific industries and services.
- Targeted Ransomware attacks
- Supply Line
- Local Government
- Hospitals and Healthcare organizations.
A more recent development is that, as part of a ransomware attack, your files are downloaded before they are encrypted. You are then told as part of the ransom demand that if you don’t pay the ransom, your data will be released on the dark web. Some organizations have already fallen foul of this tactic. Now, even if you have a fully recoverable environment, you are still stung by these cyber criminals and there are still no guarantees they won’t release the data anyway.
In 2019 data breaches have just got bigger and more destructive. I started the year tracking all the major data breaches as they happened, but soon gave up as it was taking too much of my time to keep track (there are services out there that do a much better job than I could do). A list of the notable data breaches in 2019 includes:
- Capital One, who lost details of 106 million customers in July
- The whole population of Brazil had personal records made available online
- Facebook managed to disclose 400 million records of its users online
- Australian design tool Canva saw almost 140 million user records breached in May 2019
- More than 100,000 people found their data breached following a cyber attack on a US Customs and Border Protection (CBP) contractor in June 2019
- In September 2019 security company VPN Mentor discovered that the personal details of almost every Ecuadorian citizen were openly accessible online
- EA Sports, the creators of the Fifa video games, suffered a rather embarrassing situation in October 2019 when players’ personal data was exposed to other users
- In February 2019 an online security firm discovered customer data from the American Medical Collection Agency for sale on the dark web
- Around 100 million customer records were stolen from online invitation service Evite back in February
- At identity company Suprema in August, personal data, including fingerprints, photographs, names, addresses, and passwords, was found unprotected in the company’s database for its BioStar 2 tool.
The accelerated move to the cloud in 2019 has brought a lot of data out of secured data centres and onto public cloud infrastructure that just failed to be secured properly. A lot of the data breaches were not the result of persistent hacking, but of carelessness by system administrators not securing online databases, or of unsecured databases being made available online that were never meant to be online in the first place.
A number of notable hacks went down in 2019, the following being a sample of the worst:
- WhatsApp listening hack
- Apple's FaceTime app was discovered to have a long-standing vulnerability which allowed people to listen in after calling someone via a group chat on the app
- Game company Epic Games was forced to warn users of its hugely-popular online video game Fortnite of a cyber attack in August 2019, which centred around a third-party cheat tool that had been infected with ransomware
- ASUS Supply Line Hack where hackers had placed code into the update tool, delivering it to users via a software update
- In June 2019 an audit was released by NASA detailing a cyber attack that had taken place in early 2018
- Microsoft Exchange hack, where the credentials of a system administrator who managed the company's Outlook email service were compromised, which allowed hackers to read emails flowing through the Outlook service
The above list is by no means exhaustive. Such a list would probably go to several volumes just for 2019 alone. A good summary of the worst cyber attacks, hacks and data breaches was posted recently by ZDNet if you want a more extensive summary.
Another major vulnerability was found in the Microsoft Windows operating system – the BlueKeep vulnerability. This centres around the remote desktop protocol (RDP) and a long-standing bug in its implementation. At the time, over 1 million vulnerable machines were accessible via the Internet. At the time of writing this number doesn’t seem to have reduced. It was also thought at the time that this vulnerability would not be exploited, as Microsoft had extensively patched its systems. However, we are now seeing this vulnerability being exploited, and it is thought (although unconfirmed) that this was the initial attack vector for a ransomware attack on a number of Spanish companies reported in November.
In May 2016 the General Data Protection Regulations (GDPR) were enacted in the European Union countries. In 2019 over half of UK firms are not fully compliant with this regulation. With extensive fines starting to be levied in 2019 for breaches of the regulations, this can only get worse in 2020.
In the UK we also enacted the GDPR and I believe this will continue to be in force even after the UK leaves the EU (now slated for 31st January 2020).
The US is also getting more strict with fining companies reporting data breaches. One notable fine of $170 million was levied on Google by the Federal Trade Commission when its YouTube service earned millions by illegally harvesting personal information from children without their parents’ consent.
Various companies and regulators in the US have also voiced a need for a GDPR-like regulation in the US, and in fact California enacted the California Consumer Privacy Act in 2019 which I believe was largely modeled on the GDPR.
While talking about privacy, the end-to-end encryption of our mobile devices and messaging services also came under fire from legislators in the US and UK. This debate will continue in 2020.
Internet of Things
2019 also saw an explosion of Internet of Things devices, including:
- Smart Speakers
- Door Locks
- Smart TVs
- Many other smaller consumer IoT devices
- Industrial control and monitoring systems.
One thing that has not been addressed by the majority of vendors is the support of these devices with security updates and with end-to-end encryption of messaging from the device to their vendors' servers. Also, various botnets have surfaced in 2019 that utilise these insecure devices to mount Denial of Service (DoS, DDoS) attacks. This will only get worse until the vendors are forced to provide full support.
Another vulnerability is the password used to access the IoT device. Most of the time these passwords are not reset from their defaults, leaving the devices wide open to attack.
Microsoft have made a massive investment in IoT and have developed an IoT device that has security built in by design and can be configured for most applications. If you want to hear more on this take a look at their blog on this. More manufacturers need to follow this example and change their designs.
Artificial Intelligence continues to make advances in 2019. Let's be clear about what we are talking about though. What we have now is very specific skills being automated using Machine Learning techniques and we won’t be seeing ‘killer robots’ taking us over any time soon.
What we do see are applications like the following becoming mainstream:
- Speech Recognition (see your smart speakers for an application of this)
- Image recognition and vision
- Speech synthesis (again your Smart Speaker)
- Automated language translations.
We are also seeing a lot of business applications providing automation, for example:
- Instruction capture
- Trading decisions
- Automation of business processes.
We are also seeing Machine Learning techniques used in monitoring activity on networks for potential cyber attacks and applications in cyber security proactively alerting and acting on these threats.
One highly visible malicious application of the cognitive AI technologies is that of Deep Fakes, where it is now possible to create a video where someone can be faked to speak words they never uttered. Take a look at this video if you need proof – this was totally computer generated:
China has recently made it a criminal offense to publish deep fakes or fake news without disclosure. I expect similar actions will be taken by other countries in 2020. I will be doing a blog on this in the New Year.
5G Cellular Services
While not exactly new, 5G Cellular Technology is now being rolled out across the world. This promises better connectivity and faster downloads on mobile devices. It is also suggested that it could replace our cable-based internet services to our homes and businesses in the future. Look out for a blog on this in 2020.
In 2019 the US blacklisted Huawei (a Chinese electronics manufacturer) due to a perceived risk of cyber attack from China. There is plenty of press on this subject, but in a nutshell this is rooted in a law enacted by the Chinese government under which they can request any Chinese company to assist in state-sponsored surveillance. This particularly emerged around the company's 5G technology, which at the time was the most advanced in the world and being rolled out in the US and other countries. The UK did its own investigation, the results of which have been deferred until after the December 2019 general election.
5G also opens up the attack surface for IoT devices, since this technology will be widely used to provide communications to back-end servers, especially in industrial settings. This follows from the discussion above on IoT being largely insecure. We will be blogging on this technology in 2020 once our research is complete.
Interesting Statistics from 2019
A few interesting stats came my way in 2019. Some of which are quite shocking and others – well, you can see below:
- 70% of the US population are on Facebook, roughly 232.6 million
- By 2098, Facebook will be the biggest virtual graveyard (basically accounts of people who have died and are kept going by relatives/friends)
- The vulnerability used in the Equifax data breach was the top network attack in Q3 of 2019
- 49% of workers, when forced to update their password, reuse the same one with just a minor change (for best practice in this, take a look at our guidance on this)
- 63% of organizations face security breaches due to hardware vulnerabilities and outdated hardware (our blog on this)
- Almost three quarters of retailers have been victims of a cyber attack
- Over 1 million devices exposed on the internet that are vulnerable to the BlueKeep RDP vulnerability
- Cyber attacks on IoT devices are booming with 105m attacks on IoT devices (originating from 276k unique IP addresses) detected during the first half of 2019
- It is estimated that 73% of all consumer interactions with banks are now done via digital channels
- 5,183 data breaches reported in the first 9 months of 2019 with 7.9 billion records exposed, and we are on track to reach 8.5 billion by year end (thought this would be a lot higher)
- 44 million Microsoft users reused passwords in the first three months of 2019
- VPN Report 2019 reveals a 54% growth rate in VPN use with 480.1 million mobile VPN downloads worldwide in the previous 12 months
- Google identified and warned over 12,000 of its users who were targeted by a government-backed hacking attempt in the third quarter of 2019.
Stats like those above demonstrate just how active Cyber Criminals are and this won’t get any better in 2020.
What to Look Out for in 2020
Predicting the future is always a bit hit and miss, but here are a few of my predictions around what will happen in 2020.
- 5G and IoT – The 5G rollout will accelerate and we will see a proliferation of IoT devices using it. If security is not baked into these solutions, then we will see the attack surface expand exponentially. The concerns over Huawei and vulnerability to the Chinese Government will seem inconsequential unless this is addressed. Let’s face it, if the spectrum of IoT devices is largely insecure, we won’t need sophisticated nation state hacking to extract data from these devices. As the self-driving automobile technology matures, I hope the auto companies are securing the communications, as this could potentially be a life-threatening situation.
- Deep Fakes – As the technology matures further, deep fakes will become a realistic threat especially to political campaigns and in faking instructions in BEC style compromises. Employees are going to have to get better not only at spotting phishing and BEC emails but also detecting faked audio and video. Business processes and authentication policies will need to be updated to mitigate the worst effects of the new trend.
- Ransomware Becomes Critical – We are seeing very targeted ransomware attacks in 2019, and as these attack critical infrastructure (e.g. the electricity supply, water supply, communications), this will represent a very serious threat. These organisations are also potentially at risk via their managed service providers (MSPs). Cloud partners and cloud computing platforms in particular will be exposed to an uptick in code injection attacks, either directly or via third-party libraries.
- GDPR Style Regulations and Privacy – In 2018 we saw the GDPR being put into force, and this year we have seen similar legislation produced and enacted in other geographic locations. Some senators in the US are also asking for legislation to be produced similar to the GDPR. I personally think that privacy will become a much bigger thing worldwide in 2020 and in the coming years. In addition, a lot of concern is being voiced in various legislatures about the rise in end-to-end encryption limiting law enforcement's ability to track down criminals and terrorists. I expect this debate to expand in 2020.
- Malware – One of the biggest rises in malware was around what are called Web Skimmers, which are scripts injected into websites that skim financial details/payment details as you check out in online stores. Ransomware is also evolving, with victims of some of the latest incidents also facing the potential exposure of their data on the internet if they fail to pay the ransom. All the other types of malware will continue to have a presence, and as we discover more vulnerabilities in our software, hardware and infrastructure in general, we can expect new variants to emerge.
It’s been an eventful year in the Cyber Security space, with new threats emerging, and old ones still causing issues. The biggest lessons learnt for me this year are:
- IoT is still very insecure and more needs to be done to make this secure
- Authentication still remains a problem, especially when passwords are re-used
- Data Breaches have escalated in 2019 mostly due to sloppy administration practices which must get better
- Ransomware attacks have also escalated and become more targeted in 2019 – the best defense is always to fully patch systems and ensure your data is fully backed up in an offline location
- In 2018 we suffered from Fake News, in 2019 that evolved to use Deep Fakes to fake video and audio.
As technology advances, we have to design security in from the start. Users of technology have to be educated about the risks, and this is something I intend to expand upon in 2020 (for more on this keep an eye on our website).
On this website we will continue to post blogs on emerging threats and guidance on being proactive around securing your own life online. Using our Twitter account we will also continue to post (and re-post) articles on the day-to-day developments.
We wish our followers a happy new year and, hopefully with our help, a hack-free experience.