The Internet of Things will be an ever-increasing threat.
We have already seen massive botnets of home routers and security cameras used for devastating DDoS attacks such as the one on Dyn. The source code to do this has been published, and there is no way to systematically upgrade all IoT devices to protect against it. We can expect to see DDoS attacks increasing in magnitude to the level where entire countries or regions may be taken offline for substantial periods. In addition, the more creative cybercriminals will be finding other ways to use IoT devices, including click fraud, bitcoin mining, and spamming.
Email hacking will be the new normal in politics and cybercrime
As we have seen in the 2016 US election, email hacking is a powerful weapon for disrupting or discrediting an opponent. It does not require sophisticated use of a zero-day vulnerability, just a successful phishing attack, and there is no apparent downside to anonymously publishing stolen data. Political operations need a Chief Information Security Officer just as much as business. Dual factor authentication should be the norm for all email systems, and the use of private email accounts for business or government purposes has to stop.
Zero day prices will continue to escalate far beyond bug bounties, leaving us all less secure.
Zero day vulnerabilities are selling for increasing amounts, with up to $1,500,000 being offered for the ability to hack iPhones. While some software companies offer five and even six figure bug bounties, even the richest software companies are not offering anything to compare with this. For example, Apple’s bug bounty program has a maximum reward of $200,000. The main market for these zero days seems to be nation state actors who wish to spy on their own citizens or conduct espionage on other countries. However, even if the purchaser of a zero day is a friendly government, that does not mean that other less benign hackers will not discover the bug and use it maliciously. So long as the US and other governments continue to tolerate and participate in the trade in zero days we will all continue to be more vulnerable to criminals and foreign spies.
Ransomware is here to stay. Make sure you have a current backup.
While some forms of cybercrime such as credit card fraud require a fair amount of effort to monetize, the use of Tor and Bitcoin makes ransomware an easy way for a criminal hacker to make a living. All you need is a way of infecting machines using spam or malvertising, and some encryption code you can download from Github. There are a number of different strains of ransomware, all evolving as their operators try new approaches when the old ones are blocked.
A recent ransomware attack on the San Francisco Muni public transport system took down ticket machines, so that the streetcars had to operate for a few hours without charging fares. However, Muni had a backup of their servers and was able to recover without paying ransom. A current backup is the best defense against ransomware.
As EMV credit cards become the standard in the US, credit card fraud will move towards online purchases.
The more secure EMV credit cards with embedded chips are gradually replacing the older and less secure magnet stripe cards in the US. This will make physical credit cards harder to forge, so monetization of stolen credit card information will increasingly move to online and phone purchases where the card does not have to be physically present. Smaller banks and credit unions are lagging behind the big players in the adoption of this standard. While the customer is not responsible for credit card fraud, debit card fraud can create difficulties because the customer’s checking account may be emptied and other bill payments fail. For the best security use an EMV card from an issuer that allows you to set up email alerts for online, phone, or high value regular purchases.