Archive | December, 2015

Hacking for Good – Daily Security Byte EP. 194

Most of the time, the media uses the term hacking in a negative context. However, there are many white hats who hack for good. In the last Daily Security Byte episode for 2015, I cover two fun stories that show how people can use hacking and reverse engineering techniques to do things that improve our lives.

Show note: This will be the last Daily Byte video this year. I’ll resume the daily video January 4th, 2016.

(Episode Runtime: 3:12)

Direct YouTube Link: https://www.youtube.com/watch?v=Oz7nY-5YwLU

— Corey Nachreiner, CISSP (@SecAdept)

WatchGuard Security Prediction #10 – Alien Attackers Hijack Our Broadcast Signals from Space

Unlike cyber criminals, who want to stay under the radar, Hacktivists like to make big splashy messages. The whole point of “cyber” activism is to use technology to get as many people as possible to notice your message, whatever it may be.

Prediction video link: https://youtu.be/EEbqr-2XFRk

Anonymous is a great example of this, with their well-known videos containing a man in a suit wearing a Guy Fawkes mask and speaking with a distorted voice over theatrical music. All of Anonymous’ “operations” are designed to get noticed. Whether they’re trolling the Church of Scientology, DDoSing credit card providers, defacing websites, or doxing someone they disagree with, the goal is getting attention for their cause. What better way to get attention than to hijack a live TV signal or big event?

While hacktivists are known for their attention-grabbing videos, so far they’ve never taken over live TV or radio and really gotten their message across to a wider audience. Movies and TV would have us expect “l33t h@x0rs” to take over the airwaves, but so far their strange hacktivist videos have been relegated to YouTube posts that anyone can make. Hacking TV broadcasts may sound like sci-fi, but there is precedent. Back in the 80s, a weird, masked man (sound familiar?) took over a few Chicago TV stations for a few minutes at a time. While our TV broadcasts have become more protected today, the breach of TV5Monde—a French broadcast network—shows that attackers still have the potential to take over the airwaves.

Next year, I expect cyber attackers to pull off some hack that gets broadcast to the world live. Perhaps they’ll take over a big stadium screen during the Super Bowl or World Cup; they might hijack all of the big TVs in Times Square; or perhaps they’ll pull off the ultimate hacktivist’s dream and hijack a major TV network’s live broadcast. Whatever it is, expect hacktivists to do something big that televises their revolution to the world live.

Visit our WatchGuard security predictions site

— Corey Nachreiner, CISSP (@SecAdept)

Devastating Kerberos Flaws? – Daily Security Byte EP. 193

A few stories surfaced yesterday talking about “devastating” vulnerabilities in Windows’ Kerberos. Today’s vlog explores whether or not these are new issues, how severe they really are, and where you can learn how to mitigate them.

(Episode Runtime: 3:44)

Direct YouTube Link: https://www.youtube.com/watch?v=yxcoqfagLfI

— Corey Nachreiner, CISSP (@SecAdept)

WatchGuard Security Prediction #9 – Spies Slip Into Wireless Alliances

To be honest, wireless security hasn’t changed too much in the last few years. That’s not to say it’s perfectly secure. There are still plenty of folks using legacy WEP encryption standards, and organizations that use WPA2-PSK with a horrible password. There are also many wireless networks that don’t segment clients, so attackers can sniff plenty of private connections by hanging out on public hotspots. Furthermore, many SMB organizations haven’t solved the problem of rogue hotspots or evil twin hotspots. That said, there hasn’t been a huge, industry-wide wireless standard vulnerability in quite a while.

Prediction video link: https://youtu.be/A4m6D6fqmWA

While we don’t know exactly what it’ll be, we suspect the next big wireless vulnerability will have to do with an “ease-of-use” feature. The Wi-Fi Protected Setup (WPS) standard was a great example of this possibility. WPS was designed to make it easier for new users to join a secure wireless network without having to remember a complex password. Unfortunately, it suffered from a flaw that made it easy for attackers to brute-force a WPS PIN and gain access to the wireless network quickly. Usability features can sometimes clash with real security.

Recently, Windows included a new wireless feature called Sense. This feature is intended to allow you to automatically connect to secure wireless networks that your friends or acquaintances have used. While no one has found any issue with this feature yet, this is the type of feature that may introduce new wireless problems. In 2016, expect the next wireless security vulnerability to involve an ease-of-use feature like Sense.

Visit our WatchGuard security predictions site

— Corey Nachreiner, CISSP (@SecAdept)

Joomla Attack in Wild – Daily Security Byte EP. 192

If you use Joomla to manage content on your website, you’re going to want to patch immediately. Today’s daily video covers a new zero day flaw in the open source content management system (CMS) that attackers are actively exploiting in the wild.

(Episode Runtime: 1:42)

Direct YouTube Link: https://www.youtube.com/watch?v=oLcHEBQb274

— Corey Nachreiner, CISSP (@SecAdept)

WatchGuard Security Prediction #8 – Breaches Come to the IoT Frontier

When a hacker hijacks a computer, gaining persistence (or making sure his malicious trojan stays on the computer) is easy. The attacker just has to load malware onto the computer’s hard drive and make sure it runs when the computer reboots. However, hijacking the Internet of Things (IoT) is a different story. Many IoT devices don’t have local storage, and are often small embedded systems with limited resources. Gaining persistence on these devices is much more difficult and may actually involve modifying the software these devices use to boot, which we call firmware.

Prediction video link: https://www.youtube.com/watch?v=iU63Bhmv6LU

Next year, we expect to see more researchers release proof-of-concept attacks that permanently modify and hijack the firmware of IoT devices. It’s not enough to just find a vulnerability in these devices; you also have to figure out how to inject malicious code that can stick around. We expect to see vendors start to harden the security of their IoT devices by implementing secure boot mechanisms that make it more difficult for attackers to modify firmware.

Visit our WatchGuard security predictions site

— Corey Nachreiner, CISSP (@SecAdept)

Ironic Watering Hole Attack – Daily Security Byte EP. 191

Cybercrime: is it out of control?

Yes! When attackers hijack your news site to serve malware from your cyber crime article, it probably is a bit out of control. Watch today’s video to learn what I’m talking about, and how you might protect yourself from legitimate web sites unknowingly spreading malware.

(Episode Runtime: 3:28)

Direct YouTube Link: https://www.youtube.com/watch?v=20jp-teI5no

— Corey Nachreiner, CISSP (@SecAdept)

WatchGuard Security Prediction #7 – Starfleet Academy Targeted

Information security is all about protecting data, because at the end of the day, stolen data is what makes the cyber criminals rich. Criminals started with the basics. Monetizing stolen credit card (CC) information was easy. You just needed the basic CC information and a few personal details to make a purchase with a stolen card. We saw this in 2014—the year of the retail breach—as cyber criminals stole millions of CC records through point-of-sale systems.

Prediction video link: https://youtu.be/eATe_am6A6E

However, as fraud systems got better, making false CC purchases became harder, and today stolen CC information is barely worth the effort to steal it. Meanwhile, the personally identifying information (PII) required to steal a full identity has become much more valuable. PII value in the underground directly increases in relation to how many individual pieces of data you have in a corresponding set. As you can imagine, a name, email, address, CC, date of birth, and social security number (SSN) is much more valuable than just a name and email address. That’s why CCs may only fetch 50 cents to a dollar on the underground, while a full set of PII (which the underground calls a fullz) can bring in 10 to 20 dollars, especially since it includes an SSN. That’s also why healthcare records are so valuable—they’re rich in PII data and include SSNs. In 2015, we saw many attacks targeting healthcare data.

So what’s even better than a healthcare record? Apparently, student records! We are learning that the amount of data collected about our kids over their lifetime as a student is staggering. It even includes some of their health records to boot, which is already one of the richest PII datasets. This, combined with the more open network environment found in educational facilities, is why we expect cyber criminals to target student data systems in 2016.

If you run IT for an educational facility, look out for hackers next year.

Visit our WatchGuard security predictions site

— Corey Nachreiner, CISSP (@SecAdept)

Attacker DDoSes the Internet – Daily Security Byte EP. 190

Can hackers knock out the Internet? Probably not, but it looks like attackers recently tried to disrupt DNS by launching a distributed denial of service attack against the root DNS servers. Watch today’s video to learn how the IT community can make it harder for attackers to launch reflected attacks.

(Episode Runtime: 4:04)

Direct YouTube Link: https://www.youtube.com/watch?v=o3BbYBb4hl4

— Corey Nachreiner, CISSP (@SecAdept)

WatchGuard Security Prediction #6 – Jango Fett and the Clone Army are Coming

Security experts have always realized that information security is a constant arms race. Attackers discover new methods to evade defenses, we update our defenses, and the cycle continues and repeats. In fact, much of our legacy defense is reactive. It relies on us having seen a particular attack, and creating a specific defense for that particular attack. The problem is, reactive defenses do little good for new attacks.

Prediction video link: https://youtu.be/PXG-nty1XR0

Today’s attackers have automated their attacks, ensuring they constantly evade our reactive defenses. Signature-based protection is no longer effective. While human analysts can identify new threats by monitoring for suspicious behaviors, cyber criminals release new threats in such volume that humans can’t keep up. The solution? Artificial Intelligence (AI) and machine learning that can automatically recognize malicious behavior.

At a very high level, statisticians and mathematicians have begun to develop big data algorithms that can identify very complex behaviors and trends. The security industry is starting to see a new level of security controls that can proactively find new threats in real-time, without human interaction. We’ll always be one step behind the latest attack, so these more proactive security technologies are the only way we might stop the newest threat.

Expect 2016 to be the year of machine learning and behavioral detection security controls.

Visit our WatchGuard security predictions site

— Corey Nachreiner, CISSP (@SecAdept)