We Live in a Target-Rich Environment
In the movie “Top Gun” Maverick and Goose walk into the officer’s club and Maverick says “This is what I call a target-rich environment.” This came to mind while perusing the latest in the long list of security issues that have come to light recently. Today’s cyber bad guys have a very target-rich environment.
Perhaps one of the more interesting was the dump of CIA hacking tools on Wikileaks. As this dump is analyzed there are varying reactions. Apple says newer systems are not vulnerable to the tools. By extension, if you have an older Apple device, you are vulnerable. Microsoft says up to date Windows 10 systems are not vulnerable, however that leaves all the XP (yes some are still out there), 7, and 8 systems vulnerable.
Perhaps more interesting was what this article pointed out:
“As of October 2014, the CIA was also looking at infecting the vehicle control systems used by modern cars and trucks,” theWikileaks poststated. “The purpose of such control is not specified, but it would permit the CIA to engage in nearly undetectable assassinations.”
Keep this in mind when you are considering that new self-driving car. If the CIA was working on this, then the bad guys are no doubt doing the same. To get a brief idea of the complexity of current cars see this article at Popular Mechanics. As the complexity of this system increases, the security issues get increasingly complex as well.
The numbers involved in data breaches start to become mind numbing. The River City Media debacle potentially exposed 1.37 BILLION email addresses along with some other personal data. This is the largest of many large breaches in the last half of 2016 and the start of 2017. This flood of data has had an unintended consequence. The data is so plentiful that selling it is no longer profitable. What’s a bad guy to do to earn money? The simple answer: RANSOMWARE.
Sonicwall reported that there were 638 million ransomware attacks in 2016. Since no one else wants to buy the data, bad guys are encrypting it and selling it back to the owners. The expectation is that attacks will move from businesses and individuals to critical services such as healthcare (already a target), utilities (electric, gas, water) and critical services (police, 911 dispatch, etc).
What makes ransomware such an issue is the existence of RaaS (Ransomware as a Serivce). There are a number of folks out there that have set up web sites where they will be happy to provide you with all you need to run ransomware attacks and split the take with you. (see here and here for examples). This means that anyone who has a hankering to be a cyber bad guy can go into the ransomware racket with almost zero computer knowledge. They just need to be willing to commit a crime.
And finally we come to what I consider the greatest cause for concern, IoT (Internet of Things). There is this huge population of poorly secured security camers, DVRs, thermostats and other ‘dumb’ devices connected to the internet. They have enough smarts to be corralled into a botnet to attack other devices and websites, but not enough to be properly secured. They can’t be updated, they can’t be firewalled, but boy were they affordable. According to the folks over at Bleeping Computer, one Mirai botnet consisted of 400,000 devices. Mirai is software that lets you marshal a botnet to launch a DDoS (Distributed Denial of Service) attack against the site of your choice. This can be an attack of such magnitude that it taxes even the resources of someone like Google to withstand it. (For an example see here).
The goal here is much the same as ransomware – extortion. The site can be knocked offline for as long as the attacker cares to do so and it can be next to impossible to prevent. Services can be brought to bear to mitigate the attack but the cost can be prohibitive for smaller businesses. This ‘business model’ works well for sites that do high volumes of transactions (gambling sites, e-commerce sites) and where downtime costs can be measured is thousands of dollars per minute.
There is nothing to prevent someone with a grudge from renting a botnet and attacking an employer for some perceived slight, attacking some site for political motives, or just proving it can be done. Unfortunately this is one of those attacks that is impossible to prevent and extremely difficult to deal with.
The challenge is the large population of devices that are out there and will never be properly secured. A small bright spot is the news that Consumer Reports has started an effort to come up with a standard for these devices and has begun evaluating them on that basis. This may have some positive effect and is at least one more avenue to get security in front of consumers.
Yes it is truly a target-rich environment out there. Is there a bulls eye on you?
