Last Christmas

Last Christmas we gave you a few predictions in the final blog of the year (not our heart for you to give away the very next day – RIP George Michael).

It has become traditional for these to be a high-level assessment so as not to dilute the detailed call-to-action predictions that our in-house soothsayer (Chromas T Wizard) will be making at our annual security conference (called StormCloud this year), which is being held on Thursday 26th January 2017 at Landing Forty Two in The Leadenhall Building aka ‘The Cheesegrater’.

We understand that Landing Forty Two is the highest venue of this type in the capital and you can even look down on the Tower of London, where we held last year’s event – ‘CloudBurst’. Like everyone we are moving up into the cloud(s), which will no doubt be evident in more ways than one on the day. We are of course bitterly disappointed that they didn’t call it Level Forty Two because the terrible song-related jokes would have been a gift. We will come up with something, though.

The feedback we had from last year’s event was very positive. This year we have re-engaged the services of Sean Alexander, who messes with your mind and finds out your secrets. We also have Graham Cluley speaking, which we are all looking forward to. If you haven’t come across Mr Cluley before, he blogs about matters security professionally and prolifically. His site can be found here.

Of course, we have the usual team of ITC amateur speakers for your entertainment along with some industry professionals to keep us honest.

If you haven’t signed up for this year’s event and can spare the time, please visit the event site and get yourself registered.

So with the massive plug for our event out of the way, what can we say about 2016? Let’s start with our high-level blog predictions from last year:

  • Personal data as a commodity in the organised crime world
    The data from the TalkTalk, Yahoo and countless other breaches is now on general sale on the ‘Dark Web’ (Mwahahaha). Given that the Yahoo details number is something like 1.5 billion alone, and they include third party details such as BT Mail customer data, we consider this prediction to be a good-un.
  • The mobile device exploited as the easiest way in
    2016 has been the year of screeching headlines about mobile device exploits ‘Millions of devices, infected or vulnerable’ etc. etc. Some of these alarming headlines are marketing-driven FUD (yes Check Point, we are talking about you), but many are very real. The single most scary mobile exploit this year (in our opinion anyway) was the malware written by an Israeli hacking shop that sells to Nation States only, purchased by (just a guess) an Emirate nation and delivered via text message to a UAE human rights journalist. The exploit contained three zero-day iOS exploits which (of course) are now named ‘The Trident Exploit Chain’. We wrote an article about this on our website. How many more zero days are out there and are they being used widely and regularly? Highly likely – the questions are: by who and why?
  • Old code, written by Jolt Cola and pizza fuelled midnight developers in the eighties requiring increasingly urgent patching
    We often joke that vulnerabilities that get their own name and logo are our favourite. This year that has not been the case. Our favourite named and shamed vulnerability was of course ‘Dirty Cow’ (what is not to love?). Our least favourite however are the multiple exploits published by the so-called ‘Equation Group’ which appear to be bona fide NSA materiel documenting exploitable weaknesses in Cisco, Juniper and Fortinet infrastructure. The whole episode has been most traumatic and our thanks go out to the boys and girls in the NOC and SOC for their astonishing efforts over the last year.

2016 has also seen some huge bank breaches, a massive rise in both the volume and scale of denial of service attacks driven by the proliferation of totally insecure Internet of Things tings, even more malware delivered through phishing, targeting the vulnerable, like hospitals, and to top it all off a nation state cyber arms race.

For those interested in the USA vs Russia cyber warfare, you will have seen in the news that 38 Russian ‘diplomats’ were expelled from the US yesterday. The US Government also declassified some of its research into the Russian dirty tricks and has published it here.

It is really worth a read and illustrates the audacious and massive scale of these operations.

For next year we think the following themes will be among us:

  • Nation state cyber warfare will escalate massively, presumably continuing with the expulsion of 39 US ‘diplomats’ from Moscow.
  • Ransomware will continue to be a very big thing, but the industry is getting together at some scale and will work tirelessly to reduce the ability for it to execute and deliver free decrypt tools. We can only hope that this is a success.
  • ISPs might actually be compelled to do something about DOS and DDOS themselves rather than hide behind ‘not my problem guv’ contractual detail. Who knows, they might be made to implement RFC2827 (Ingress Filtering). It has only been around since 2000 after all… They may also be forced to consider the implementation of Carrier Grade NAT, pigs will fly and the second coming will, well, come.
  • Just like the Swift exploits of this year, which we are reliably informed “scared the bejeesus” out of some banks we will not mention, legacy banking applications will be exploited either from the outside via some phishing, reconnaissance and lateral infection or via the good old insider threat.
  • ‘Artificial intelligence’, ‘machine learning’, ‘big data’ and ‘analytics’ will drive new security solutions. Many of these will be nothing but snake oil, but some will add real value and help us spot the unknown.

Hopefully these have piqued your interest and if you want to get the detail on both last year and our thoughts for next year, please sign up for StormCloud, or if you can’t make it, request a copy of our 2017 Threat Files.

We are sure that 2017 will be a busy year for both sides of the security community. Unfortunately, we can’t rely on The Force to help us out (RIP Carrie Fisher), but will have our best people on it all day, every day.

Have a great New Year! Thanks to our customers for your business this year, we look forward to working with you in 2017.