A Ransomware Menagerie

Ransomware isn’t new. The ploy of using software to extort money or other valuables from unwitting computer owners dates back to the dawn of the public Internet. But recent years have seen an explosion in the complexity and diversity of ransomware operations. Variants of ransomware now allow victims to “pay” by spreading the malware to their friends and family. Another variant, Spora, allows tiered payments that unlock “some” or “all” of a victim’s encrypted files or grant “immunity” from the virus that infected them. Expect that to continue in 2017 with an emphasis on alternative payment modes (always the trickiest part of the ransomware scheme).

The Shadow (IT) Knows

The growing reliance on cloud-based applications and services is a trend that is being experienced in almost every organization. Shadow IT – or the use of unsanctioned services like cloud-based storage and applications (think Slack) is an offshoot of that. Often, sensitive data is parked in unsanctioned cloud servers by employees or contractors as a convenience, and then exposed when their credentials are hacked or phished. In some cases, the data itself inadvertently falls into the public domain via user error and catches the eye of web crawlers or other tools. Look at the case of L2 Media, the political advertising and data broker firm that was linked to a leak of information on 239 million US voters. The data was found exposed in a Google Cloud instance of CouchDB that was configured for public access with no security protection. L2 blamed a client who had been “hacked,” which may be the case. The real culprit: insecure cloud infrastructure that makes it easy to copy and forget huge troves of sensitive data. Beware!

Third Party Hangover

Mishandling of data by (trusted) third parties will be a prime source of data leaks again in 2017, as it was in 2016. Third party breaches are among the most vexing because business partners and contractors – or even customers – often have access to our most sensitive IT assets and data, but are the hardest to police. We’ve noted the trend of third party breaches before. But expect it to get stronger in 2017 rather than weaker. The reason? More reliance on hybrid products and services that mingle on premises devices and clients with a wide range of cloud based services. Longer and more complex supply chains compound risk. Consider the recent news about wholesale transmission of mobile phone users’ text data and contacts by firmware from the Chinese firm ADUPS to company servers in China. That same firmware, ostensibly used to provide software updates to mobile devices, was later found running on inexpensive Barnes and Noble Nook readers. You get the picture.

The Year of the Voice Hack

One of the most salient trends in the technology space is the rapid adoption of voice-based interfaces like Amazon’s Echo. As AI and machine learning advancements make voice-based interaction more common and powerful, however, security and privacy concerns are beginning to bubble up. The recent news about an incident in San Diego, California, in which a broadcast news segment about a girl who ordered a dollhouse via her parents’ Amazon Echo repeated the voice command the girl used to order the toy, thereby prompting Echo devices within hearing distance of the television set in the greater San Diego area to likewise order dollhouses for their owners. That head slapping incident may be easy to fix. (Voice-based purchasing is “on” by default on Echo devices – perhaps a setting that should be changed.) But more subtle voice-based theft and hacking is on the way. Researchers have already shown that it’s possible to hide voice commands in ways that humans can’t hear, but voice-active computers can.

All Your Biometrics Belong to Us

As the world moves to ditch the password in favor of other, stronger and less easily stolen identifiers, biometrics of all kinds are coming to the fore. In addition to fingerprints (now standard on iPhones), companies that make mobile phones are looking at everything from iris scans to walking patterns and voice as a way to verify the identity of a device’s owner. But more reliance on biometrics will just spur investment by cyber criminals in stealing or otherwise compromising data that’s supposed to uniquely identify you. The latest example: lifting fingerprints from photographs. As The Register reported this week, researchers in Japan have warned that fingerprints could soon be copied from photographs taken up to three meters (10 feet) from their target, given high resolution and good lighting. The technology possible to do this is no more than a couple years off, the researchers said. Look for more effort to lift biometrics in 2017.