For the majority of our lives, artificial intelligence, biometric retinal scanners and cyber warfare have existed only within the realm of science fiction movies. Although the future will clearly demonstrate Applied AI has as little to do with beating humans at chess as it does with Terminators, the Fourth Industrial Revolution means it’s high time we accepted that the future is already here… and it’s probably going to kill us all!
As our twenty-first century comes of age with its eighteenth birthday, intelligent technology has already begun acting out like a teenager: cyberbullying, crashing its father’s car and becoming more independent by thinking and taking responsibility for itself.
“If 2017 taught us anything, it’s that we have a long way to go to get ahead of adversaries.”
That’s why this month, we’re bringing you the Top Five Cyber Threats to worry about in 2018, beginning by focusing on AI as it will become a ubiquitous component within all the others.
Machine Learning and The Weaponisation of AI
Until the day humanity unites behind Elon Musk to fight his evil robot overlords, machines are here to help us. This coming year, major developments in machine learning will see intelligent algorithms, deep learning frameworks and User and Entity Behavioural Analytics (UEBA) help researchers move away from traditional signature-based security solutions by using AI to detect intrusions, monitor network traffic, analyse logs and identify malware and zero-day exploits more quickly.
ABI Research estimates “machine learning in cybersecurity will boost spending in big data, artificial intelligence and analytics to $96 billion by 2021.” Machine learning will increase exponentially and many tech giants are already making a stand to better protect their own customers but, as any expert knows, one of cybersecurity’s flaws is “escalation”.
Mirroring Commissioner Gordon’s words to Batman: “We start wearing kevlar, they buy armour-piercing rounds”, cybercriminals are only ever one step behind utilising good tech for nefarious means and, very often, they are innovating faster than security defences can keep up. Therefore, we predict 2018 will see researchers reverse engineer a cyber attack to find it was driven by machine learning or, in other words, “AI versus AI in a cybersecurity context.”
As the world retools from physical IT to cloud-based AI, rapid-fire advancements in machine and meta-learning, deep learning/neural and capsule networks are exactly what threat actors have been waiting for. The stereotype of the hacker is changing with state-sponsored attacks but, traditionally, it was lone wolves up against giants like government defences and the FinTech sector: the kind of corporations with all the money in the world and the best security minds and tech weaponry at their disposal.
Until now, this David and Goliath relationship meant hackers were at a huge disadvantage because, while some attacks may already be automated, malware creation (for example) has remained a labour-intensive and time-consuming manual process.
Troy wasn’t built in a day – it takes time to write trojan and virus-creating scripts or scrape passwords. With machine learning classifiers creating, distributing and executing malware and then using probabilistic programming to hit as many specially-targeted vulnerable networks as possible (while reducing risks to themselves) cybercriminals will think all their Christmases have come at once.
What does this mean for 2018 and beyond? Well, for every new malware family detected by AI, threat actors will deploy generative adversarial network (GAN) based, unsupervised deep learning system algorithms to bypass machine learning-based detection systems or simply “poison” them as they have antivirus engines in the past.
For every thwarted WannaCry attack, millions of IoT Devices could be weaponised and turned into hive nets and swarmbots to carry out DDoS attacks. For every new vulnerability patch discovered, AI could unleash digital twins or carry out social engineering attacks via personalized phishing attacks.
For every company data breach circumvented, hackers could utilise AI to mine your address, email, phone number and jogging route from the public domain, social networks and Google’s AI CCTV surveillance cameras. Then it will combine the name of your favourite movie and date of birth to work out your banking passwords and empty your accounts.
Mirroring the nuclear arms race, as the bad guys weaponise AI, we good guys will have no choice but to weaponise AI in retaliation. In years to come, he who has the best AI wins, and we humans will be reduced to mere bystanders. So there’s that to look forward to. The good news is that we still have a few years until the machines take over but until then, it’s the human hackers and cybercriminals we must worry about; speaking of which…
Biometric Hacking Attacks
Fingerprint and iris scanning, vein and voice recognition and DNA authentication have been around for years, but it could be argued biometrics were only implemented on a worldwide consumer scale when Microsoft launched Windows Hello and Apple launched Face ID for the iPhone X. Of course, within a week of its launch, crackers had hacked into Face ID.
Far from these setbacks ending this phenomenon, traction for consumer biometric authentication will continue to rise as companies such as Lloyds Bank and Microsoft continue to explore fingerprint and facial recognition. According to Eric Klonowski, senior advanced threat research analyst, “2018 will see the first biometric-access-based exploits using facial recognition or fingerprint access” but how will hackers crack biometric protocols?
For now, biometric protocols are largely considered more robust than 2FA, but this biological love affair may well prove to be a honeymoon period once we understand the numerous ways they can be hacked that don’t involve cutting movie security guards’ fingers off or eyeballs out.
Digital ID Theft costs banks and consumers billions and the coming years may well reveal that digitally stored biometric files are far from hack-proof; bio-data can be stolen, duplicated, rearranged or even bought and sold on WhatsApp for under U$10.
Then there are more creative hacks; biometric security protocols can be spoofed with 2D paper print-outs of faces, masks, mannequins and even 3D-printed models created from Facebook photos. In 2014, genius bio-cracker Jan Krissler (known in hacker circles as Starbug) reverse-engineered German defence minister Ursula von der Leyen’s fingerprint using commercially available software called VeriFinger together with HD photos.
As biometric verification becomes more mainstream, relentless cyber masterminds will utilise more advanced and inventive lengths like Krissler’s to gain bio-data for nefarious means. Imagine the (nuclear) fallout if the German MOD utilised biometric tech and Starbug was not a well-meaning pen-tester but worked for a rogue nation or state-sponsored hacking group.
With any luck, hackers will stick to invading Windows Hello, Surface Laptops, Apple iPhone X, Samsung Galaxy Note and Apple Pay in 2018 to give us all time to realise that biometrics may be just as exploitable as your password.
There’s one last, fundamental flaw surrounding biometrics we haven’t mentioned yet: as embarrassing as MuppetChristmasCarol1977 is, at least passwords can be reset… eyes and faces cannot. Here’s hoping Berkeley University solve this problem when they replace passwords with passthoughts or embed encryption keys into DNA.
Bigger, More Expansive Data Breaches
Last year, Equifax lost 145.5 million Americans’ records and Yahoo admitted every single one of its three billion user accounts was affected by 2013’s hacking attack. Uber paid a hacker to conceal a hack that affected 57 million customers and drivers, a South African real estate agent leaked data on every living person in the country, and every Australian’s Medicare details were being sold for $30 a pop.
Judging by the number of successful data breaches in 2017, it’s safe to say that corporations are being overwhelmed by the growing number of threats. And while they are taking steps to shore up defences, we predict this year will see a higher number and a higher scale of data breaches. Advanced threat research analyst Tyler Moffitt goes into more detail, stating “I predict a minimum of 3 separate breaches of at least 100 million accounts each.”
Experian’s Data Breach Industry Forecast (December 2017) suggests the method and form of attacks will make the leap from the digital to the physical, meaning 2018 may see our first critical infrastructure attack, disrupting governments, power companies and consumers alike.
In addition to corporate data breaches, attackers will move their attention to governments and the brave new, so-far unregulated world of IoT devices, perhaps even weaponising AI to render traditional multi-factor authentication null and void.
Amongst all this hypothesising, 2018’s biggest data breach news may be the European Union’s new General Data Protection Regulation (GDPR) which comes into force on May 25th. We predict that at least one company operating within the EU does not take adequate steps to protect consumers’ data and is hit by hackers and/or huge fines. Bureaucratic red tape may ensure no fines are levied in 2018, but they will soon after.
Finally, remember data breaches don’t only take the form of leaked personal data like social security numbers. 2018 will see renewed, fervent attacks on the entertainment industry, just as when an Iranian hacker released Game of Thrones episodes last year. Imagine the fallout if the next Star Wars movie was leaked; Disney could lose hundreds of millions of dollars, lightsabers would flash and heads would roll. And then there are our governments…
Nation State Hacking Attacks
“The majority of intrusions we respond to can be attributed to nation-state actors, by nations that condone cyber attacks, or folks in uniform paid by sovereign nations to do intrusions,” said Kevin Mandia, CEO of US-based cybersecurity company FireEye.
Reading between the lines, the quote reveals a disturbing new model. The subtext reveals not nation state hacks but impossible-to-catch “folks in uniform” carrying them out on behalf of “nations that condone cyber attacks.” And it’s not only the usual suspects (Russia, China, North Korea and newly-technologically advanced Iran) that are guilty – every nation is perpetually locked in quasi-cyber warfare and that means cyber attacks from both sides.
On the morning of writing, BBC News reported the Director of the CIA and spymaster general, Mike Pompeo, stated “We are going to go out there and do our damnedest to steal secrets on behalf of the American people.” These words came in a speech on Russia’s expected midterm election meddling, China’s threat as a state hacker and North Korea’s nuclear capabilities.
Whether after financial (China) or political gain (Russia), any state with common sense will increasingly utilise proxy hacking groups. Financially-motivated mercenaries are ten-a-penny, or ten-a-rouble, so we are bound to see a rise in state-sponsored attacks as both parties, hackers and governments, gain. Former hoodie-clad lone wolves operating from their grandmother’s basement now have access to limitless money, time, space, tech and a patriotic cause to believe in, while governments have the ultimate get-out-of-jail-free card.
So, further to an increase in scale, frequency and sophistication of state-sponsored penetrations like identity theft, malware and DDoS, how will attack vectors change in 2018 and beyond?
Cyber-Physical Attacks will almost certainly see hackers deliberately target power grids, telecoms and transport infrastructures. The Ukraine power grid has been hit by malware numerous times (which experts believe were test runs for attacks on the USA). Multi-pronged firesale attacks could result in a new era of cyberterrorism with human lives at stake as nuclear power stations reach critical mass, hospitals shut down and planes fall from the sky.
On June 13th, 2017, Senator John McCain asked Attorney General Jeff Sessions if he was aware of the existence of a Russian “cyber weapon that can disrupt the United States power grids and telecommunications infrastructure” and if the Government had a strategy to counter Russia’s attacks. Sessions admitted they did not.
As the Internet becomes more and more Balkanised, we can expect a rise in troll farms like Russia’s Internet Research Agency (or Kremlebots), especially with the aforementioned American Midterms looming. Unfortunately, these may be the hardest attacks of all to stop, because they target The People.
In the good old days, back when criminals kidnapped business fat-cats, hackers attacked vulnerable systems, but when so many of our everyday human traits – inattentiveness, laziness, over-confidence, lack of security savviness, frugality and stupidity – leave us vulnerable, why should hackers penetrate systems when they can go straight for the weakest link in the armour?
Since social engineering, or the art of hacking humans, is such a wide, fascinating and growing subject, the area we’ll be looking at today is Whaling. While traditional spear-phishing targets swathes of people, Whaling is phishing that targets C-Suite employees.
One might think that CTOs would be the last people to fall for phishing attacks, yet whaling attacks are surprisingly effective because they trick CTOs, CEOs, CFOs or others who have access to sensitive data into revealing personal or corporate data via highly personalised emails and websites.
Instead of badly-spelt emails promising troves of African gold, whaling attacks often include targets’ names, job titles, corporate logos and phone numbers to seem like they’re from trusted sources such as accounts departments, business partners or banks. Two such cases in 2016 saw a Seagate employee leak income tax data of 10,000 employees and a high-ranking Snapchat employee fooled into leaking payroll data to a third party.
While educating employees and verification processes can help, you’ll be hearing about more and more whaling attacks – 2018 will see artificially intelligent Twitterbots like SNAP_R mimicking more of your tweets to entice you to click on malicious links.
Directly or indirectly, Social Engineering, Nation State Hacks, Data Breaches and Biometrics are all interlinked and that’s a compelling reason why we must hand over our cybersecurity keys to artificial intelligence sooner rather than later. In the meantime, we’ll paraphrase the most famous killer robot of all by saying “We’ll be back” next month.