State of Security – Cyber Security Awareness Month 2017
The State of Security 2017
October is the first full month of fall (and sometimes even feels like it), National Pizza Month, National Dental Hygiene Month (so brush your teeth after you finish your pizza) and National Cybersecurity Awareness Month. I would prefer to write about pizza, but since I work in IT, I think we will look at some cybersecurity issues.
Most areas of cybersecurity concern showed an increase through the first part of 2017. One area where that is not true has been exploit kits, which are software packages used by cybercriminals to attack computers. Three major exploit kits vanished in 2016: Angler, Nuclear and Neutrino. Angler disappeared following a series of arrests of Russian cybercriminals; it is unknown what prompted Nuclear and Neutrino to go offline. (One reason may be the patching of a number of Flash-related vulnerabilities and Oracle’s removal of the Java browser plugin, both of which were popular targets for exploit systems.)1
However, other exploit kits are still out there and may take over for the big three, so we probably should not get complacent about our computer safety. More importantly, the decline of exploit-kit-based attacks has been mirrored by an increase in the number and variety of email-based attacks. While email-based attacks had declined heavily through the first quarter of 2016, they are on the rise again. Both McAfee and Cisco researchers identified a number of different attacks using email, whether by malicious executables attached to emails, targeted attack URLs in messages, or infected macros in email attachments. Some attacks use a combination of methods (for example, an infected Word document that downloads a more sophisticated piece of malware which then further opens up the system for yet another attack)2. The monetization of malware through ransomware or financial espionage has created a global market for malware tools, allowing even criminals with few or no IT skills to become cybercriminals.
A form of cybercrime called Business Email Compromise (BEC) has been growing steadily and, in fact, results in greater losses than ransomware ($1.7 billion per year vs. $1 billion)3. BEC involves using social engineering techniques (possibly combined with actual password stealing or account hacking) to persuade employees of a company to transfer funds to the criminals.
Mobile malware continues to grow, with McAfee Labs reporting more than 1.5 million new mobile malware types in the 1st quarter of 2017, bringing the total number of mobile malware applications to between 16 and 17 million. One of the most disturbing attacks was recently discovered by Armis Labs; nicknamed “Blueborne,” it exploits multiple vulnerabilities in Bluetooth to allow complete control of a phone or tablet4. It does not require the attacker to pair with the device, nor does the vulnerable device have to be discoverable. Through this year, Armis has been working with vendors to patch the vulnerability, but it remains a worrisome security hole.
An inventive attack method was demonstrated by researchers at Zhejiang University in China. The attack, nicknamed “DolphinAttack,” works by issuing voice commands to devices that use Siri, Google Voice or other voice-activation systems. The team discovered that it is possible to issue commands at frequencies above human hearing and still have the devices respond to them5. The combination of DolphinAttack and Blueborne makes the likelihood of a criminal being able to assemble a significant botnet quickly very high.
macOS malware also continues to grow, showing a huge spike in the last quarter of 2016 and the first quarter of 2017, with more than 500,000 new pieces of Mac malware discovered during that time6. (To show how great a spike this is, the total reported amount of Mac malware is only about 700,000.) If you have a Mac, you need to take security seriously; the malware writers are targeting you now.
Cybersecurity. As we continue to do more and more online and through linked technology, the issues are only going to grow in importance, and the number of threats will only increase. We need to be aware of the issues, secure our data, and hold manufacturers and providers accountable for following good security practices.
1. Cisco 2017 Annual Cybersecurity Report (http://b2me.cisco.com/en-us-annual-cybersecurity-report-2017)
2. McAfee Labs Quarterly Threats Report, June 2017 (https://www.mcafee.com/us/resources/reports/rp-quarterly-threats-jun-2017.pdf)
3. Cisco 2017 Mid-Year Cybersecurity Report 2017 (https://engage2demand.cisco.com/cisco_2017_midyear_cybersecurity_report)
4. “Blueborne” (https://www.armis.com/blueborne/), accessed on 10/10/2017
5. “DolphinAttack: Inaudible Voice Commands” (https://techcrunch.com/2017/09/06/hackers-send-silent-commands-to-speech-recognition-systems-with-ultrasound/), accessed on 10/09/2017
6. McAfee Labs, op. cit.