US intelligence on the rise – NSA 2.0
The recent revelations based on the documents leaked by former intelligence consultant Edward Snowden will have serious repercussions on US intelligence agencies. The internal structure of the US secret services as a whole is destined to change radically, modifying in a meaningful way the politics of the intelligence agencies. A growing number of cyber experts will take the lead of the US intelligence agencies. The way intelligence operations are conducted has radically changed, and this will have a great impact on the internal organigram. The NSA and similar agencies will reserve resources and assets for cyber operations. The change will be relatively quick and will involve the entire American defense establishment and the upper echelons of government. NSA 2.0 will have to radically change its cyber strategy: the architectures and methods described by Snowden have quickly become prehistory; the element of surprise from which agencies like the FBI and NSA benefited for years is gone; the “cyber dispute” is in a crucial evolutionary phase, and both attack and defense are aware of the threats and intent on developing new sophisticated techniques.
Cyber weapons in the wild
Cyber weapons are the essential component of information warfare. A new generation of cyber tools and software will be defined to compromise enemy networks and infrastructure in cyberspace. The lack of a shared legal framework that regulates the use of cyber weapons and establishes the legal and political responsibility of the attacker is an incentive to operate on the borderline. Governments will continue to develop new sophisticated cyber tools to attack foreign governments, moving the offensive into cyberspace. The relatively low investment needed to design a cyber weapon, or to re-engineer the code of an existing one, will also attract many other actors into the new global information cyber arena. Cyber weapons are stealthy, and during the next year it is likely that the principal security firms will find evidence of their ongoing activities. It is an asymmetric conflict that could escalate with a clamorous incident at a critical infrastructure. The zero-day market will literally explode, and a growing number of companies will specialize in the research of unknown vulnerabilities. This is the big business of the coming years: the knowledge of undisclosed flaws that private entities will secretly sell to the highest bidder. In the case of conflict in critical areas such as Syria or Korea, the use of cyber weapons will be complementary to conventional weapons for offensive operations and the destruction of enemy defense infrastructures.
Tor Network, cybercrime and law enforcement
In the next months, the number of Tor network users will stabilize, and the popular network will be used mainly by cybercriminals and whistleblowers. Cybercriminals will use the popular anonymizing network mainly to try to strengthen their malicious botnets, hiding command and control servers within the Tor network. No meaningful changes will be observed in the sale of goods like drugs and weapons; the volume of sales will remain constant. The real novelty will be the creation of a growing number of services for social purposes, primarily for the reporting of illegal activities or abuse. On the other side, law enforcement fighting cybercrime will step up its infiltration of the anonymizing networks. In the case of the Tor network, the authorities will sustain the creation of new hidden services with the primary purpose of tracking Tor users and of creating “honeypots” to monitor illegal activities.
Internet of things malware explosion
The number of smart connected devices is exploding; principal researchers agree that in a few years the number of “Intelligence Things” will exceed ten billion units. Harbor Research estimated that smart connected devices will reach 13.5 billion in 2016, and it is an estimate that needs to be revised upward. It is an impressive number of devices, more or less complex, that could be the victims of cyber attacks due to the lack of defensive mechanisms. Cybercriminals will look with greater interest at this growing industry. In particular, malware authors will work on the creation of new malicious code to automatically infect millions of devices and recruit them as members of botnets to conduct other illegal activities. Malware specifically designed for the “Internet of Things” will become even more complex and multiplatform, able to infect Intel x86-powered Linux devices and many other architectures including ARM, PPC, MIPS and MIPSEL. The technology has reached an impressive level of penetration. Many objects around us have hidden operating systems; they are always online and run a multitude of applications. It is necessary to ensure a proper level of security in the contexts that host them. Smart devices must be continuously patched and updated during their life cycle, and this is not always possible due to a series of technical issues. On the other side, device manufacturers will start to produce a new generation of smart devices that implement basic security requirements by design. It is a great challenge also for the security industry to produce new solutions to protect the intelligent things that surround us.
Hardware backdoors and hardware qualification – New frontiers of cyber espionage
The recent events revealed by the documents leaked by Snowden show a concerning IT scenario: every actor tries to spy on allies and opponents alike. Until now the majority of cyber espionage activities have been conducted using sophisticated malware able to silently infiltrate targeted networks; the level of attention on cyber threats is at its highest, and every government has included in its cyber strategy a series of countermeasures against espionage. One of the most interesting perspectives for cyber espionage is the introduction of an undetectable hardware backdoor inside appliances and mass-market consumer devices directly in the production phase. Deliberate flaws could be introduced at different levels of production, with different effects on the compromised devices. A hardware backdoor could be implemented by substituting a component within an electronic device or by adding a supplementary circuit. Both methods are functionally effective, but they are not practical because such modifications are difficult to hide from careful inspection. The manipulation of dopant chemical elements is the method that in my opinion will be adopted for a new generation of hardware backdoors, which could be tested in the next months. For the identification of such backdoors, careful analysis of the hardware is needed during the acquisition and qualification phases of the supply chain. IT researchers worldwide will be able to provide new methods for designing hardware backdoors, for example operating at the dopant level and introducing hardware Trojans. Researchers have demonstrated how to modify a circuit, introducing hardware Trojans able to elude detection. This is the reality of backdoors implemented at the gate level: it is done by changing the dopant polarity of existing transistors, instead of introducing supplementary hardware. In the past, research was conducted without successfully altering the behavior of hardware by changing the concentration of the dopant element.
Now, researchers have changed polarity with a specific foundry setting. The method has already been tested on Intel’s random number generator design used in Ivy Bridge processors, as well as on a side-channel resistant S-box implementation. Someone could probably start testing the backdoor on commercial products soon.
User Controlled Encryption explosion
Internet surveillance is the greatest fear of netizens. In the upcoming months, numerous service providers will launch solutions and services to avoid censorship and Internet monitoring. These services will allow users to control encryption processes in a transparent way: users will be the sole managers of their encryption keys, with the dual advantage that users will not have to doubt the encryption management operated by providers, and service providers will not be liable for content posted by users. In the User Controlled Encryption (UCE) scheme, the user holds the encryption key, the service provider holds the “encrypted” files, and neither the service operators themselves nor hackers can access the files. Is encryption really the panacea for user privacy? Maybe not!
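As an added illustration of the UCE scheme just described (example code written for this edit, not code from the original post or from any provider): the client derives the key from a passphrase, the provider stores only ciphertext, and a blob altered at rest is rejected on download. The HMAC-based cipher, the `notes.txt` name and the dictionary standing in for the provider's storage are assumptions, substitutes for a real AEAD and a real storage API.

```python
import hashlib
import hmac
import os

# Added example, not code from the original post: a minimal User Controlled
# Encryption (UCE) flow. The key is derived on the client from the user's
# passphrase and never leaves the client; the provider stores only opaque
# ciphertext. HMAC-SHA256 in counter mode plus an encrypt-then-MAC tag stands
# in for an AEAD such as AES-GCM, because the standard library ships no AES.

def derive_key(passphrase, salt):
    """Client-side key derivation; only the salt is ever shared with the provider."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000, dklen=64)

def _keystream(enc_key, nonce, length):
    blocks = (hmac.new(enc_key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]

def encrypt(key, plaintext):
    """Returns nonce || ciphertext || tag, which the provider can store but not read."""
    enc_key, mac_key = key[:32], key[32:]
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def decrypt(key, blob):
    """Checks the tag first, so a blob modified at rest is rejected rather than decrypted."""
    enc_key, mac_key = key[:32], key[32:]
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("ciphertext rejected: tag mismatch")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))

def uce_roundtrip(passphrase, document):
    """Returns (provider_sees_plaintext, recovered_document, tamper_detected)."""
    salt = os.urandom(16)
    provider_store = {}                                  # all the provider ever holds
    provider_store["notes.txt"] = encrypt(derive_key(passphrase, salt), document)
    leaked = document[:8] in provider_store["notes.txt"]  # all a server-side reader can do
    key = derive_key(passphrase, salt)                   # re-derived on another client
    recovered = decrypt(key, provider_store["notes.txt"])
    tampered = bytearray(provider_store["notes.txt"])
    tampered[16] ^= 0x01                                 # flip one ciphertext bit at rest
    try:
        decrypt(key, bytes(tampered))
        detected = False
    except ValueError:
        detected = True
    return leaked, recovered, detected
```

The salt and the passphrase-derived key are the only secrets on the user side; losing the passphrase loses the data, which is the price the scheme pays for keeping the provider out.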
Hackers will increase pressure on consultants and subcontractors
In 2014 I believe that the number of attacks against subcontractors and consultants will increase with a concerning trend. These categories of professionals represent, in the majority of cases, the weakest link in the information chain. The vulnerabilities in information management are usually related to the way those entities manage the sensitive data targeted by hackers, but in many cases the flaws lie in the way the contracting authority and its subcontractors/consultants exchange information. The attack techniques are becoming ever more sophisticated. Watering hole attacks and spear phishing are the most common techniques for targeted offensives, and their frequency is destined to grow. Consultants, contractors, vendors and other entities typically share sensitive information with large corporate and government entities. This consideration makes them a privileged target for hackers. It is also expected that a growing number of large enterprises will review their security policies to better address possible cyber threats and to respond promptly in case of incident.
A major cyber attack may happen
The principal security firms detect new cyber attacks daily, more or less complex. The intensification of cyber operations could be the cause of a serious data breach or, worse, of an incident at a critical infrastructure. Although I consider profit-motivated cyber attacks the principal cyber threat, it is reasonable to believe that a major attack could be conducted by a state-sponsored actor. Critical infrastructure is a privileged target, and a serious attack could have serious repercussions on the homeland security of a country. Electric grids and, more generally, the infrastructures belonging to the energy industry are an easy target for state-sponsored hackers, who could target control systems or internal networks with specifically designed malware. The attack may not directly harm the population, but a major data breach could cause the disclosure of sensitive information that could harm national security. It is predictable that the attribution of responsibility for the attacks will remain a principal problem, especially for the major cyber attack anticipated here.
Bitcoin … lights and shadows
The peaks in Bitcoin value reached in these weeks are a strong motivation for malware authors to develop new malicious code capable of stealing Bitcoin wallets from victims or abusing their resources for mining activities. We will see in the first months of the year an explosion of malware with these purposes. An increasing number of exploit kits sold in the underground will include these capabilities. But does it really make sense to run this popular virtual currency? Should we expect a collapse? Although Bitcoin is becoming a valuable currency, as legitimate businesses and various markets are starting to accept it, its actual value reflects the robustness of the currency. The recent price surge, supposedly driven by Chinese investment in Bitcoin, may vanish as a classic bubble. A crash is a further risk for Bitcoin owners.
Gaming between cyber espionage and cyber threat monitoring
Governments have been working for years on projects that enable them to exploit gaming platforms for surveillance purposes on a large scale. In the next months many special projects specifically oriented to the exploitation of gaming consoles to track users in cyberspace and to monitor the online habits and sentiments of the entire population will become operative. Gaming consoles are powerful tools to spy on their owners and on the environment that surrounds them; they could be used to infiltrate domestic networks and to serve any kind of malicious code within targeted networks. The real innovation could be represented by an innovative use of those powerful platforms. According to several colleagues, some governments are working on the definition of programs for the realization of an alerting and probing network based on gaming consoles. The computational capabilities of these consoles, once online, could be used to watch over the Internet to detect and monitor anomalous events that could be an indication of ongoing malicious activities. Cybercrime, cyber terrorism and state-sponsored operations could also be monitored by analyzing a series of network activities and indicators thanks to the use of gaming platforms.
Too easy to predict
I have written this post with the specific intent to discuss possible trends in the security landscape for the coming year. The predictions I made are not so ordinary, because the principal security firms have the privilege of introducing classic topics highlighting the principal evolution of the most common cyber threats. I decided to close the article with “easy predictions” on the cyber security scenario in 2014. The number of malware samples will continue to increase despite the great effort of the principal security firms. Cloud computing, mobile and social networking will be the areas with the greatest increases in malware volume. Cybercrime will intensify its actions, in particular thanks to the sales model known as “malware-as-a-service”: a growing number of non-professional cyber criminals will be attracted by the possibility to easily monetize their efforts with illegal cyber activities. It is easy to predict also a surge in the number of state-sponsored hacking campaigns, even though their attribution will remain impossible; fortunately, on the other side, the principal governments are working on the definition of national cyber strategies to preserve critical infrastructure. Java will remain a highly exploitable and highly exploited platform; the principal cause of incidents will be that a huge number of victims’ systems will continue to run older versions of the popular framework. A growing number of exploit kits will be sold on the black market to automatically compromise vulnerable systems based on Java applications. Also in 2014, hacktivism remains a primary cyber threat, with the ability to compromise the security of any target, from large enterprises to government agencies.