This year's flavor of madness...with a twist
In This Issue:
- Happy New Year, Security geeks!
- Security predictions for the new year
- Will 2019 see data tampering explode?
- The infosec journey of a thousand miles begins with a single step
New Year's #Infosec: All the Predictions!
The Internet is full of predictions about 2019. The information security space is no different. A lot of these pieces are just filler; noisy content that doesn't really help us much. April Wright’s Cybersecurity Trends for 2019 — The Good and The Bad is an exception to rule, and proves that there is value to be found even in prognostication.
In science and technology, advancement is predominantly driven by the slow, steady, incremental improvement of that which has gone before. This evolution is slow, and entirely different from the revolutionary leaps in understanding that are what scientists and engineers dream of, even knowing the statistics about the rarity of true revolutionary thought.
Information security is very much the same. Wright's crystal ball hovers over a wide range of topics from the WPA3 rollout to the security vulnerabilities of Cloud Access Security Brokers (CASBs). Like most predictions about a new year, Wright's piece is predominantly a summary of that which infosec professionals already know, but it stands out as being particularly excellent at it.
What’s coming in 2019 will be very much like what we saw in 2018. This year's flavor of madness will come with an evolutionary twist, but it's unlikely that 2019 will be a revolutionary year for infosec. The simple truth is that a lot of the existing scams and approaches to malware are working.
None of the major vectors are at risk of being cut off. There are no known big ASLR-class technologies entering mainstream use in 2019 that will really dent the day-to-day for the bad guys, so there's no real pressure for anyone to invest in accelerated evolution. This means that for 2019 to be a standout year in infosec, someone would have to get one of those extremely rare revolutionary ideas, and those are inherently unpredictable events.
Countermeasure:
Read Wright's piece, and similar pieces from major infosec names. Do not read them seeking magical insight into shocking and ultimately unpredictable new vulnerabilities. Instead, use them as something of a refresher course on current and emerging threat categories. Identify those threat categories you had written off as "not a problem just yet" in 2018, and plan to address them in 2019.
2019: The Year Data Tampering Really Takes Off
Everyone likes to make predictions, and here are ours: 2019 looks set to be a year in which attackers build on existing techniques and exploit known classes of flaws in more clever ways. It would not be surprising to see, for example, some real-world uses of side channel vulnerabilities. There might even be a highly public compromise event involving a side channel zero day.
Just as ransomware came to mainstream attention in 2012, but really became a pain in the years after, 2019 is likely to be the year where existing annoyances – such as browser-hijacking cryptominers – evolve into threats, while largely academic threat vectors – such as side channel vulnerabilities – start being exploited in a widespread fashion.
Advanced data tampering is a threat category that looks set to gain a great deal of mindshare in 2019. Like side channel attacks in 2018, it’s unlikely there will be any serious real-world attacks in 2019; but it wouldn’t be unreasonable to expect the first really big ones to land in 2020.
Toxic Data: How 'Deepfakes' Threaten Cybersecurity. The site Dark Reading is a great introduction to data tampering. Dirk Kanngiesser is CEO of Cryptowerk, a vendor peddling data integrity solutions, which means he has some incentive to ham it up a little. But the piece is still a useful example of education-focused content marketing.
The concept of data tampering isn’t new. Just as side channel attacks were discussed decades ago, but only came to mainstream attention over the past year, advances in artificial intelligence and machine learning are promising to change the game.
Data tampering has traditionally been something of a rarity. An alienated employee might futz with data on their way out. Someone might "cook the books" to hide embezzlement. An external attacker might tamper with things, usually for no purpose beyond vandalism, but occasionally with far more serious intent.
Creepy things large IT vendors are doing with GPUs are likely to be the catalyst for data tampering entering a new era: Nvidia’s Fake Faces Are a Masterpiece—But Have Deeper Implications.
Like the problem of data tampering itself, the solution to this problem is well known: each input needs multiple sensors. Ideally, not all sensors are designed using the same technologies, and they should all be regularly calibrated. When talking about strain gauges on a rocket, the engineering necessity, and even the technologies involved, are reasonably simple to understand. 2019 is likely to be the year when organizations – or more specifically their developers – learn that this applies to IT as well.
The ability of AI to generate increasingly believable fake images is modern canonical example of data tampering. These images can be used to fool everything from thumbprint scanners to facial recognition systems. Detecting the fakes is going to take AI. Building useful detection systems is likely going to require using multiple different AIs, and some form of quorum system. Just like on those rockets.
Software development: after 2019, it pretty much will be rocket surgery.
Countermeasure:
it’s time to start building checks on your system for data integrity. Note that this isn’t going to be a simple project. Generic, usable, off-the-shelf solutions for the data tampering problem are a decade away. Today, we're at the beginning of the curve, where solutions to this problem are going to have to be done one data type at a time. Each application – and potentially each data input – will have to have a custom-designed means of verifying that the data received, stored, and then retrieved is valid.
Even Rookies Are Chaining Vulnerabilities Now
Every now and again, it's good to start from the beginning. IT practitioners who have been doing infosec for years will find it easy to forget how much they've forgotten. Those whose careers are more focused on strategic planning and budgets are often never exposed to the nuts and bolts of IT security. But there is real value to be found in following someone's journey of discovery through the basics of infosec.
For IT practitioners, it’s worth remembering that sense of wonder, that curiosity and drive to solve new puzzles. For many IT practitioners, this is why they chose their career. Taking the time to sand off the callouses of cynicism that experience brings is often invigorating; not only emotionally, but it can serve as a reminder that normal people aren't professionally paranoid. Curious, yes. Dangerously naive, perhaps. But the paranoia of an infosec practitioner is rare.
How I XSS’ed Uber and Bypassed CSP is a great example of a beginner's journey into infosec. Beyond knocking some of the cruft off of experienced nerds, this piece is written with just the right level of approachability to be a useful introduction for slightly technical suits to the mindset – and basic skills – of IT security teams.
It’s worth taking the time to curate a list of beginner-level walkthroughs on infosec. Skip the dry how-tos, and seek out those that are written with a palpable sense of wonder, excitement, curiosity and passion. They're useful in the aftermath of a crisis or sprint by refocusing the nerds, and helping the suits appreciate just how hard being an infosec nerd can be.
Countermeasure:
As always, remember that the weak point in any network isn’t the hardware or the software. It's the wetware. Take care of your wetware if you want your networks – or anything, really – to actually work.
Tweet of the Week
This is a thing web developers need to know about, and all they need to know fits in a tweet. Short and sweet, a great way to start the new year.
"#bugbountytip You can turn an input box into automatic #XSS by setting agnostic payload on the "onfocus" attribute and then setting it to "autofocus".
Eg: <input onfocus="alert(0);" autofocus>
This will result in automatic XSS (no user interaction)." – m0z (@LooseSecurity)
This Week's Threads
This week has been light on killer threads, but these two stand out as worth a peek.
"I have colected a *highly curated* list of #infosec tweeters." – packetswitchr (@packetswitchr)
"Don't come to me with your "#infosec talent shortage" when what you really mean is "I'm not willing to train people up"." – David J. Bianco (@DavidJBianco)
Tool of the Week
Everyone needs to learn how to use a fuzzer. Here's an easy-to-use one with decent OS support.
A Not So Very Intelligent Fuzzer: An advanced fuzzing framework designed to find vulnerabilities in C/C++ code. – Oxagast – Github