Predictions 2020: The Next 12 Months in Security and Privacy
The emergence of new technologies and devices in an
increasingly connected world also means consumers will
encounter a range of vexing new cyber security and privacy
challenges.
Cyber Threats Morph into Physical Threats
Cyber criminals have made a business out of stealing personal
data. But their ambitions aren’t stopping there, and we
expect 2020 to be a year in which they increasingly lend a
helping hand to criminals looking to carry out crime in the
non-cyber world. In practice, this means you’ll find them
trafficking (stolen) smart lock password combinations on
underground forums - coveted information that can give the
buyer control over digital devices like smart locks and
smart thermostats commonly found in “smart homes.”
Armed with that password information, a bad actor would have the capability to turn up the heat in a house to 110 degrees, lock the doors and force a victim to pay in bitcoin in return for control over their house. You can also imagine attackers armed with stolen password data being able to remotely splice someone’s online security camera recordings, essentially allowing them to remove any segments filmed while they were ransacking the victim’s home, thus removing evidence of themselves ever committing a crime. All this moves the threat from the cyber realm to the kinetic - even to the point where there’s potentially an actual physical safety threat.
“Creepware” Menace Goes Mainstream
By this time next year,
we expect the world will be familiar with the concept of
“Creepware.” These are applications meant to harass
victims, allowing attackers to launch a variety of personal
attacks that embarrass, bully or otherwise disrupt their
victims’ lives. Cyber security researchers, including
researchers with NortonLifeLock, have been tracking the
phenomenon as operators of download sites battle to keep
creepware out of their app stores. Despite their efforts,
new creepware apps replace the removed apps. Making it more
difficult, the developers behind creepware products often
attempt to obfuscate their app’s purpose to evade policy
enforcement.
Over the course of 2019, NortonLifeLock
found a significant number of creepware apps being used to
spy on people for interpersonal kinds of attacks. In fact,
we located 1,000 creepware and surveillance apps that Google
subsequently removed from its Google Play Store.
Attackers are getting very creative in the type of nasty
and abusive apps they use to target each other. For
instance, some creepware apps can hit a person with hundreds
of text messages at one time. Imagine if the victim had a
pay-per-text plan. This could result in a very expensive
phone bill. Or consider what can result from the use of
spoofing programs that send out fake texts. A domestic
abuser now has a tool they can deploy to send messages that
could potentially ruin someone’s relationships with their
friends and family. Other apps offer impersonation
capabilities that can be used to frame people. The list goes
on, but this is uniformly bad news for the victims. Until
now, the general public has been largely unaware of this
threat. We expect this to change as creepware goes
mainstream over the course of the next 12 months.
Disinformation and its Discontent
As the United States enters an election year, we expect
disinformation campaigns to blur the line between what’s
real and what's not as the technology tools to support this
improve. In his dystopian masterpiece “1984,” George
Orwell painted a picture of a nightmarish future in which
trust meant little anymore as a concept. But when Orwell
published “1984,” seeing was believing. If someone saw a
picture, it was probably real. That doesn’t work
automatically in the digital world in which you cannot
always trust your ability to discern real from fake. He was
off by a few decades: with DeepFake audio and video becoming
mainstream, what used to be thought of as science fiction
has increasingly become fiction.
In talking about disinformation, we usually hear about fake news sites. However, that’s not how disinformation manifests itself. What the originators do is find existing reporting that might be polarising in and of itself and then promote such news through artificial accounts. They often take something out of context, such as a picture that was taken a long time ago and blast it out over social media, pretending it was taken recently in an effort to make a political point.
Different countries view disinformation as an effective tool to shape their image abroad. Efforts typically include targeting social media, curation, astroturfing, shaping trends in media, writing editorials - everything to prop up the administration and cast it in the most positive light. Even developing countries are seizing upon disinformation campaigns as a way to control dissent within their borders.
Unfortunately, there is no uniform way to identify and counter disinformation campaigns, but this much is assured for 2020: disinformation is here to stay.
5G’s New Challenge to IoT Security
The 5G era promises to stimulate the growth of
super-fast networks with billions more devices working at
higher speeds that make for seamless user experiences. At
the same time, it throws down a new gauntlet to IoT
suppliers who will be under acute pressure to up their game
when it comes to ensuring device security. Their track
record isn’t promising as IoT security has remained a
laggard for years.
Device manufacturers prefer to roll out devices as fast as possible and come out with features that consumers want. They also take security shortcuts in order not to hold up their production schedules. The upshot: Consumers have little way to understand the security risks of devices they buy off the shelves or online. Even toys are not immune, especially when they are GPS-enabled and might inadvertently disclose a child’s location to outsiders. And now, even before the industry has had a chance to figure out how to better protect these devices, 5G presents a challenge that’s orders of magnitude larger than anything they’ve faced previously.
To be sure, large botnet attacks in the past have featured commandeered IoT devices. But those were just the coming attractions of what we can expect in 2020 and beyond. Given the tens of billions of devices connecting to 5G-based business networks and (increasingly) smart homes, the prospect of an “IoT Armageddon” will remain a very real threat unless device vendors are able to execute a 180 degree turn on device security. The optimists shouldn’t hold out hope. The debate over whether an IoT disaster is possible isn’t any longer a matter of whether it will happen, but when and at what scale.
Ransomware Attackers Go for the Big Score
For the last couple of years, ransomware
has been a source of trouble for municipalities, healthcare
organisations and small businesses. These were all targets
where malicious attackers exploited underinvestment in
infrastructure as well as sloppy security practices among
the rank and file to freeze their victims’ networks and
hold their data hostage to ransom payment. That was the
low-hanging fruit. In 2020, count on ransomware attackers
going after harder - and far more profitable - targets in
the manufacturing sector as well as critical infrastructure
organisations that cannot afford downtime.
It’s going to be increasingly difficult to combat this cohort of professional ransomware attackers. They are perfectly capable of conducting sophisticated campaigns in which they sit quietly inside networks for months gathering up intelligence and learning the location of assets, backups and endpoints before striking. How well their plans succeed will hinge on the security postures of their victims. While companies are aware of the threat, many still face financial restraints that have forced security down their priority list.
Internet Fraud on the Rise
Fraudsters will step up their efforts to rip
off victims using a variety of techniques old and new to
steal data and other valuable information from people
unaware they are walking into internet traps.
One growing problem is “juice jacking,” where victims charge their device by plugging into a USB port or using a USB cable that’s been surreptitiously loaded with malware. So, while they were getting a charge, they also put themselves at risk of getting their data stolen. It’s still unclear how big a problem this will be in 2020 but concerns arose after the Los Angeles County District Attorney’s Office published an advisory across its social media platforms warning holiday travellers of juice jacking at airports and other public locations.
Scammers are also increasingly using deepfake audio where victims receive a call that appears to come from a loved one in their own voice, saying they’re traveling but lost all their money and need a wire transfer.
Lastly, credential stuffing (a cyber attack where stolen account credentials are used to gain access to accounts through large-scale automated login requests) is primed to be problematic as fraudsters increasingly turn to the dark web to acquire stolen usernames and passwords, which they can then use on social media platforms or websites to try and unlock a victim’s personal data. Within seconds, they blitz hundreds of sites looking to gain entry. Unless someone has elected to use 2FA, they are going to be at risk.
New Devices Still Face Old Problems
Insecure devices can potentially
compromise everything and leave connected networks
vulnerable to attackers. That’s a clear and present danger
as technology gets interwoven into the fabric of our daily
lives with security receiving only short shrift. People now
use smartphones with more computing power than Ronald Reagan
could ever command, while the cars they drive are turning
into iPads on wheels. Meanwhile, the emergence of “smart
home” means even more devices will be connected to manage
daily house operations. That will pose new potential risks
of which we’re not even aware. One ray of encouraging
news: There’s a move afoot to get manufacturers to add
information labels that convey security and privacy
information consumers can examine to make more informed
decisions about the devices they purchase.
Expect more developments on this front in 2020.
Public Backlash: “Enough is Enough!”
With each new data breach, consumers
grow understandably frustrated with the poor protection
afforded their private information by supposedly responsible
stewards. It doesn’t help that the data collection
policies of many companies remain shrouded in mystery and
difficult to understand. Consumers often remain in the dark
about who has their data and how it’s being used. So,
don’t be surprised if their discontent boils over with
demands that companies and institutions finally get serious
about protecting both privacy and user identity. The California
Consumer Privacy Act, a state statute intended to enhance
privacy rights and consumer protection, went into effect Jan
1, 2020. Meanwhile, there are advanced discussions of a
federal privacy bill, plus several states are debating
various privacy regulations right now. Even if the odds of a
federal bill passing this year are long, the idea is
actively being discussed. At the same time, cyber insurance
will most likely grow as a business as more corporations and
individuals seek such insurance against cyber threats.
Another potential flashpoint: the increasing use of sophisticated facial recognition and surveillance technologies as the public faces the prospect of a world in which cameras are trained on you almost all of the time. In some parts of the world, people regularly encounter this type of intrusion into their private lives and assume as a matter of course that cameras are tracking their movements. But in countries with a longer history of democratic institutions, where privacy has been considered a fundamental right that government ought to protect, if not regulate, the growing accuracy of face recognition is going to raise hackles. It almost feels as if privacy is becoming a privilege so expect a push by people to reclaim it as a right.
To read the full report please visit:
https://www.nortonlifelock.com/blogs/research-group/2020-predictions.