Share

Related Stories

  • SMBs beware: Researchers uncover cloud browser vulnerability
    Researchers from North Carolina State University and the University of Oregon have found a way to use a technique called MapReduce to exploit cloud-based web browsers, which execute JavaScript code for mobile clients.
  • Mobile, APTs and apps top IT security concerns for 2013
    As they take stock of their endpoint vulnerability moving into 2013, IT departments are dealing with the flood of mobile devices entering their corporate networks, advanced persistent threats and third-party application vulnerabilities as their primary pain points, driving the need for new security approaches.
  • Yahoo! mail exploit on sale for $700
    A new zero-day vulnerability in Yahoo! Mail has given rise to a $700 exploit for sale in the hacking underground.
  • Pacemaker virus could lead to "mass murder"
    Hackers now have a new attack vector, but one with much more serious consequences than data theft or financial ruin: pacemakers and implantable cardioverter-defibrillators (ICDs).
  • Universal man in the browser malware allows real-time information processing
    Hackers who employ the man-in-the-browser (MiTB) gambit to steal information from computer systems have found a way to more efficiently cast their net. According to researchers at Trusteer, a new strain of MiTB malware can adopt a “one-size-fits-all” approach to collecting compromising data from websites, eliminating the time-consuming process of parsing through specific logs for the sensitive bits.

Top 5 Stories

News

Cyber-attacks that kill, IPv6, and vulnerability markets on tap for 2013

07 December 2012

As rough of a year as 2012 was for cybersecurity, in 2013 we will see higher stakes than ever before, researchers say. WatchGuard's security research analysts are predicting upticks in emerging cyber threats – including those that can cause loss of human life.

Among other predictions, it also expects browsers and IPv6 to cause problems, a cybersecurity bill to pass in the US, and vulnerability markets to open the door for a major attack.

"2012 was an eye-opening year in cybersecurity as we saw the number of new and more sophisticated vulnerabilities rise, impacting individuals, businesses and governments," said WatchGuard director of security strategy Corey Nachreiner, in announcing the predictions. "This is a year where the security stakes reach new heights, attacks become more frequent and unfortunately more damaging as many organizations suffer attacks before taking measures to protect themselves from the bad guys." 

One of the company’s more sobering predictions is that digital attacks will soon have real-world physical consequences. With more computing devices embedded in cars, phones, TVs and even medical devices, criminals can, through targeted attacks, destroy physical equipment and even cause loss of life. For instance, recently researchers warned that pacemakers were even vulnerable.

“WatchGuard hopes it is wrong in this prediction,” it said. “[But] digitally dealt death is not only possible, it's plausible. Security is still often an afterthought when developing innovative technical systems.”

In less dark territory, the company also expects the rise of attacks on virtual machines. “Today, there is an emergence of malicious code that can recognize when it's running in a virtual system and can act accordingly,” researchers said. “In 2013, WatchGuard predicts attackers will create even more VM-targeted malware. It will be designed to take advantage of weaknesses found in many virtual environments, while attempting to avoid virtualized automatic threat detection systems.”

In 2013, browsers will increasingly be in the spotlight. As more consumers adopt practices like online banking, a great deal of personal and sensitive data passes through web browsers. Many anti-virus solutions are focused on catching traditional malware that infects an operating system and aren't as effective at detecting browser-based infections.

“Now, a new type of malware has emerged. Sometimes called a Man-in-the-Browser (MitB) or browser zombie, it arrives as a malicious browser extension, plugin, helper object or piece of JavaScript,” the company said. “It doesn't infect the whole system; instead it takes complete control of a browser and runs whenever the victim surfs the web.”

Meanwhile, companies will likely not implement "strike back" measures, even though a lot of attention has been placed on cyber-retaliation. Strike-backs can consist of filing lawsuits, launching cyber espionage campaigns or counter cyber-attacks against attackers. But, “WatchGuard anticipates most organizations won't implement these measures given the jurisdictional challenges of digital attacks which bounce through several countries. Plus, criminals have the ability to plant false flags in malware, tricking victims and authorities into thinking someone else is behind the attack.”

Next year, WatchGuard also expects to see an increase in IPv6-based attacks and IPv6 attack tools. While the IT industry continues to be slow at adopting IPv6 into their networks, most new devices ship IPv6-aware and can create IPv6 networks on their own. Many IT professionals don't have a deep understanding of IPv6's technicalities, yet they have IPv6 traffic and devices on their networks, it noted. This also means most administrators haven't implemented any IPv6 security controls, opening the door to attackers looking to exploit unprotected weaknesses.

Also, WatchGuard expects that at least one auctioned-off zero day exploit will emerge as a major targeted attack this year.

“Vulnerability markets or auctions are a new trend in information security, allowing so-called ‘security’ companies to sell zero day software vulnerabilities to the highest bidder,” it said. “While they claim to ‘vet’ their customers and only sell to NATO governments and legitimate companies, there are few safeguards in place to prevent nefarious entities to take advantage.”

And finally, in 2013, expect the US government to pass at least one new cybersecurity act, which will likely impact private organizations, according to WatchGuard. The US government has been trying to pass cybersecurity bills that give the president and various government agencies some control over what happens in the event of cyber-attack on US infrastructure. The government also wants more cooperation among private infrastructure organizations and US intelligence agencies. Many are pressing for the government to enact more detailed cyber crime laws, which may help prosecute digital crimes. On top of that, some organizations are lobbying for tougher digital IP enforcement, which privacy advocates often oppose.

“While 2012 proved to be a difficult year for passing new cyber legislation, WatchGuard expects this year to be different,” it said.

This article is featured in:
Application Security  •  Compliance and Policy  •  Industry News  •  Internet and Network Security  •  Malware and Hardware Security  •  Public Sector  •  Wireless and Mobile Security

 

Comment on this article

You must be registered and logged in to leave a comment about this article.

We use cookies to operate this website and to improve its usability. Full details of what cookies are, why we use them and how you can manage them can be found by reading our Privacy & Cookies page. Please note that by using this site you are consenting to the use of cookies. ×