January 2015: Top Ten Cyber Security Predictions in 2015 - An Interview with AKATI Consulting’s CEO
An Interview with AKATI Consulting Group’s CEO, Krishna Rajagopal on the Top Ten Cyber Security Predictions in 2015.
- How did things go as far as computer security is concerned in 2014? Was it like a boring year for cyber security or was it an eventful one?
2014 was such an eventful year, almost like a soap opera for us. Call it Twilight or whatever series you like. As soon as people were starting to say Happy New Year, hackers were getting straight to work. There was a statistic from the Global CEO Survey which said that in 2014, 69% of the respondents, who were all global CEOs, said that they were very worried about the impact of cyber security threats on their own growth prospects. That is interesting because one year ago less than 40% said that, so within a year it has increased by almost 30%. Our neighbouring countries have also taken bold steps. For example, look at what’s happening in China. They set up an information security group, the SLGISIM, and called it the Leading Group on Information Security and Internet Management, and the best part is that its leader is President Jinping himself. He heads this thing, and it’s interesting because in China 70% of computer users are still using Windows XP.
If you look at the figure, that’s about 200 million computers with no support, meaning no patches and no updates, and they seriously need to look at that. I would like to quote something from Jinping. At the launch of this SLGISIM, he said, “No information security, no national security. No informatization, no modernization.” So he has put information security at the root of modernisation. If there is no information security, there is no national security and therefore no modernisation; I think a lot of countries have to take that step. That’s basically what happened in 2014. It was a very eventful year, a lot of things happened, and I think there are a lot of interesting changes as far as policies are concerned.
- What are the most popular incidents that kept you and your team busy in 2014?
There were a lot of unique cases. In reverse chronological order, I would say starting with the recent ATM heist that took place in Malaysia, with ATM machines spitting out cash, all the way back to the very grave incident of MH370. When these incidents happened there were a lot of very sophisticated cyber attacks that followed them. We had a very interesting case where cybercriminals were forming a pact with politicians in an attempt to rig elections in a particular country. That was a first in the world for us, and we were involved in that case. It was very interesting, but as they say, crime does not pay, so it didn’t work out for them.
- How about traditional attacks like Trojans or ransomware; were these still popular in 2014?
Yes, unfortunately they are still popular, but there was a little twist. I have a couple of statistics for 2014: about 85,000 new pieces of malware were discovered. That’s about a 68% to 70% increase from 2013, which is a lot. From Android devices alone, we found 40 million infections, and we believe it’s going to double in 2015 to 80 million. The funny part is that about 60% to 70% of these attacks are aimed at financial gain. So they are not there to do social service anymore. It’s more about getting at your personal data; it’s all about PII, Personally Identifiable Information. There is also the angle of leaking information, or locking your device and making money out of it through ransomware. The funny part is, if you look at the top ten countries targeted in terms of malware, we should not be worried, we should be rejoicing: Malaysia is in the top ten. We’re right at number ten this year. If you look at the top 20 targeted countries in terms of cyber attacks, we are also there, at number 17.
- Why is Malaysia such an attractive target?
I would suggest it is because the adoption of technology in Malaysia is greater. We are always keen on adopting new technology, and at times organisations jump into new technology headfirst without looking at security. Sometimes security is an afterthought for us, and perhaps that is why.
I would also say that we have been in the news too much this year, and not for good reasons. So people sort of open their eyes and say, oh, it’s this country now, so let’s go and target them. That’s probably why we have been so popular this year, especially during the times we were facing challenges and struggles due to the national tragedy; that’s where they hit us. Right after that, in fact within the first hour or so, some organisations were already getting attacked, so they didn’t give us a chance.
- 2014 was also known for information leakage attacks in the cyber world; will 2015 be any different?
I highly doubt it’s going to be any different. But here’s the interesting thing. Look at this: if you take real data from a malware Command & Control centre, one particular server that we took had about 5,700 infected computers. We look at that, and on average about 2-3% of those users paid the ransom, at an average of $200 per ransom. That is pretty low, but it comes to about $33,000 a day. That’s about 300 to 400 thousand US dollars a month. Some companies don’t make that much money, so there is a demand; there is a motivation for that. Plus, if you look at the price of, let’s say, a stolen Gmail credential: in 2011 it cost about $117, and in 2013 the price dropped to $100, because there are more players in the market and so more competition.
When the price of stolen data drops, competition increases, so these guys have to do more. They have to focus on customer service. They have to go deeper in making sure their customers don’t get caught. They are really going out of their way to make sure their customers, the people who are buying these stolen credentials, are happy and don’t get caught. We think that in 2015 information leakage is still going to be a very big consideration, especially with PDP in Malaysia; companies have to look at it seriously. They have to go beyond just compliance and beyond the baseline.
- Information leakage sounds like a whole business?
Yes. In fact, there was a case where Target got breached last year in the US and a lot of credit card numbers were stolen. We know who did it; the guy has a website in Panama and he even posted selfies of himself. He even has holiday promotions, like one Classic card for $4.99 and a Platinum card for $12, or a bundle of five, two Platinum and three Gold. So you know he has promotions, and we can’t do anything because he has shielded himself. That’s the problem.
- So Krishna, what are your top ten predictions for security trends in 2015?
Well, if you look at the top ten predictions, first of all look at the industries. We’re looking at the financial industry being a target, we are looking at the government and public sector being a target, and we’re looking at transportation, retail and accommodation being targets. These are the industries that didn’t look at security in the past. But nowadays people are using credit cards to purchase train tickets and flights or even book hotels, and it’s becoming more and more popular. In terms of the top ten, the first thing we’re looking at is that users are still going to be targeted, but users will be victims of cyber attacks without being direct targets. So criminals are not going to be targeting your Windows PC at home; rather they are going to be targeting larger corporations that have your information. That way, you’re still going to be a victim, but you will not be a direct target. For example, we will see a lot more RAM scrapers being used, a lot more POS, Point of Sale, malware being used, and a lot more ATM-targeted malware being used in 2015.
Number two, we are going to see more and more darknets coming up. Criminals are going to be hiding behind these darknets. As I said, the retail prices of stolen credentials are dropping and these guys have to go to greater lengths to shield themselves and their customers as well. So we are going to see more creative darknets coming up, where criminals can have their exchange, a retail market exchange where they can share their ideas and sell their loot.
The third thing we think is mobile, mobile, mobile. Everything we saw in 2014 is going to have a mobile twist, so there’s going to be more and more of it. In 2014 there were a lot of browser-based exploits, but in 2015 it’s going to be mobile-based exploits. There will be exploit kits targeted at mobiles. So somebody could be selling a set of exploits targeting Android for $100; if you buy this, two out of three times you’re probably getting into an Android phone. So there are going to be a lot of these kinds of things coming up, targeting popular mobile operating systems, that is, iOS, Android and of course Windows and BlackBerry. We think that Android-based attacks are going to double from 4 million in 2014 to 8 million, and ransomware is going to be looking at your mobile. So you’re going to have mobile ransomware. Imagine you have to make that phone call when your wife is angry with you, and that’s the moment your phone is locked, and the guy says pay me 10 Bitcoins or you can’t make a call. So people are going to take your phones, your mobile devices, for ransom.
Number four is that we are going to have new kids on the block. See, in 2013 and 2014, whenever you said Advanced Persistent Threats, we were talking about Russia, China and the US. But in 2015 we’re going to be talking about new kids on the block: countries like Malaysia, Indonesia, Thailand and maybe Sri Lanka and Singapore are going to be targets. They are going to be targets of APTs, and people are going to be turning away from traditional security devices like firewalls and going towards security analytics. So you will see a lot of companies setting up SOCs, Security Operations Centres, to look at whether they are under attack or not.
Next, number five. With this whole trend of NFC going on, I think NFC-based solutions are going to give us a new threat, especially with Google Wallet. As soon as Google Wallet came out there was a fake Android vulnerability targeting Google Wallet. Now with Apple Pay coming along, you will find that there is a lot of focus on this, and especially with your credit cards in there, people are going to be targeting that. Another twist that we saw was that in Asia, for example, you have apps like ‘Line’ and ‘Vchat’ that also offer some kind of currency. So we think they are going to target that as well, by sending some kind of link that attacks these devices, these chat programmes, and steals your coins, for example.
Number six. In 2014 we had all kinds of stuff. The heart was bleeding, the shell was shocking, we had Poodles, and we had all kinds of big vulnerabilities, legacy vulnerabilities that surfaced this year. We think that is going to continue, and there are going to be more new vulnerabilities targeting legacy systems and open-source systems. Open source is going to be the biggest target for 2015, at least for now.
Number seven, I think banks and telcos are still going to be targets of cybercriminals because that’s where the door is, that’s where the moolah is, and there is going to be more and more advanced malware. I see organisations sometimes still talking about Zeus as an online banking malware, but that is like talking about a 1970 Ford in 2015, because that’s an old Trojan; it’s old. The kind of malware we saw in 2014 sends shivers down the spine, like Wartrack for example; even the name sounds scary. Very scary, very advanced, so we think more of those are going to come up. They are going to target mobile banking, and also, because there are mobile wallets, mobile banking and mobile money, that’s why we say banks and telcos. So they are not going to target just banks but telcos as well. So banks have to prepare for fake mobile banking applications. We sometimes see banks posting Android or iOS banking applications and getting developers to upload them for them. That is dangerous, because then the users will not know whether this is the real banking app or not. We caught one guy with 40 different banking applications on Google Play, and all of them were fake. We’re going to see more of those coming up.
Number eight, I would say, is that the new digital gold mine is information; it’s all about information. That is the key, and that’s cash, so there are going to be increasing insider threats. (That’s the real digital currency, in a way.) You will find direct insider threats and indirect insider threats, outsiders making use of your staff to steal information, so you will need Data Loss Prevention. DLP is a must; it’s no longer a luxury or a ‘nice to have’. Like the guy I was telling you about, the guy behind the Target crime, André: people like him will benefit as long as companies don’t take information seriously. So information protection is serious, and companies have to be protected from insider threats. That’s number eight.
And of course number nine: there is a lot of talk about the Internet of Things, different devices. Here’s my take on this. We think the Internet of Things will be targeted, but hackers are not going to be targeting the devices’ vulnerabilities, because the variety of technology is just too wide for them to come out with an exploit that will work on two or three things. So what they are going to be doing is targeting the data that moves from one device to another and exposing that data. For example, I have a watch that is connected and I have a phone. Now, they are not going to be targeting the watch, because there are no major players down there; the technology in the watch may be different from one brand to another. So what they are going to do is not target the watch but rather target the data exchange between my phone and my watch, which most of the time is unencrypted, especially with the most popular smart watches right now. Those kinds of things. When your device is communicating with the TV, they are going to be intercepting that. That’s what we think is going to happen. But now you’ve got the Open Interconnect Consortium, and you’ve got HomeKit by Apple. Those will change the scenario, maybe in 2016. Maybe then you will get things like smart cars; you’re going to have smart cars held to ransom, imagine that. It has already been done. There was a team this year at Sejong University that infected a Tesla model with malware, and the malware allowed them to honk the horn, lock the doors and flash the lights. So imagine that happens when you’re stuck in your car and they say, pay us 100 Bitcoins, otherwise you’ve got nowhere to go. That’s big trouble. That’s going to happen not in 2015 but rather in 2016. For now, people have to be worried about the exchange of data. Data is going to be leaked out by these devices.
The last thing is, as people say, ‘old is gold’. So the old attacks are going to have a new Web 2.0 twist to them: injections and cross-site scripting, but with a Web 2.0 twist. So we’re going to see them targeting new areas; we’re going to have XPath Injection and those kinds of things becoming popular in 2015. Think of what happened to JPMorgan, where the information of 82 million customers was at risk. We have to understand that it’s a wake-up call. JPMorgan spends about US$250 million on its IT security budget, so if they can go through that, a lot of us probably can go through that as well. That was a traditional attack vector; it was not a high-end attack vector. That is something that is going to happen: old techniques are going to take a new twist and come back in 2015, targeting Web 2.0. That’s basically the top ten in a nutshell.
- That is the top ten of what’s going to happen in 2015. Going back to 2014, what was the scariest attack you worked on, saw or read about?
I think, personally, the most interesting and scary would have been the ATM heist in Malaysia. This is because it is the same thing we have been telling banks for years, but it always fell on deaf ears. They don’t take it seriously. Some banks do, but some don’t. One of them was running outdated operating systems. Simple stuff; we never thought that someone would do it, but this bank was doing it. In fact, if you look at that situation and the whole modus operandi, it’s very interesting how they even do it, because we see cases like that. We were involved in a similar case in Africa, where we first saw it in the world; the second time was in Mexico; the third time it happened was somewhere in Germany, but we were not involved in that case; and the fourth was in Malaysia, where we were involved. Every time they changed the style, and there is a growing sentiment of distrust among the criminals themselves. In Malaysia, for example, the guys on the ground were not even trusted by their boss. So the malware had a split Command & Control; there was a certain part of it which required input from the boss, so it was very interesting. We thought that was going to be something interesting that financial institutions have to look out for, and there is going to be more of that to come in 2015. Not just in Malaysia but in a lot of other countries. A lot of other countries have not had this attack, and they are still sitting there relaxing. When it hits, it happens too fast. That is probably one, and of course the national incident was also very sad. It will always leave a memory, but unfortunately there is not much we can say about that.
- END -
About AKATI Consulting Group
AKATI Consulting Group is a security-focused consulting firm providing services specialising in Information Security and Information Forensics. Operating on 5 continents with over 300 global clients, AKATI Consulting has earned its reputation for offering reliable solutions with guaranteed results using cutting-edge technology. Top banks in the world, military organisations and some of the most hostile environments on the globe trust AKATI Consulting as their Trusted Security Advisor.
With its extensive experience and capabilities in Information Security & Computer Forensics consulting and training, AKATI Consulting is able to customise its services to suit the needs of each client. AKATI Consulting Group fills a distinctive requirement in business environments increasingly dependent on Information Technology and takes on the role of your InfoSec S.W.A.T Team.
For media enquiries, please contact:
AKATI Consulting Group
Email: firstname.lastname@example.org
Web: www.akati.com
Contact: +603.8688.4778