Extreme Cybersecurity Predictions for 2019

Prediction blogs are fun but also kind of dangerous because we’re putting in writing educated guesses that may never come true and then we look, um, wrong. Also dangerous because if we’re going to get any airtime at all, we have to really push the boundary of incredulity. So here at Shape, we’ve decided to double down and make some extreme cybersecurity predictions, and then we’ll post this under the corporate account so none of our names are on it. Whoa, did we just say that out loud?

“Baby, when you log in to my heart, are you being fake?” Photo Credit: HBO

Forget the Singularity, Worry About the Inversion

New York Magazine’s “Life in Pixels” column recently featured a cute piece on the Fake Internet. They’re just coming to the realization that a huge number of Internet users are, in fact, fake. The users are really robots (ahem, bots) that are trying to appear like humans—no, not like Westworld, but like normal humans driving a browser or using a mobile app. The article cites engineers at YouTube worrying about when fake users will surpass real users, a moment they call “The Inversion.”  We at Shape are here to tell you that if it hasn’t happened already, it will happen in 2019. We protect the highest-profile web assets in the world, and we regularly see automated traffic north of 90%. For pages like “password-reset.html” it can be 99.95% automated traffic!

Zombie Device Fraud

There are an estimated five million mobile apps on the market, with new ones arriving every day, and an estimated 60 to 90 installed on the average smartphone. We’ve seen how easy it can be for criminals to exploit developer infrastructure to infect mobile apps and steal bitcoins, for instance. But there’s another way criminals can profit from app users without having to sneak malware into their apps—the bad guys can just buy the apps and make them do whatever they want, without users having any idea that they are using malicious software. The economics of the app business—expensive to create and maintain, hard to monetize—mean less than one in 10,000 apps will end up making money, according to Gartner. This glut of apps creates a huge business opportunity for criminals, who are getting creative in the ways they sneak onto our devices. In 2019, we’ll see a rise in a new type of online fraud where criminals purchase mobile apps just to get access to the users. They then can convert app-user activity into illegitimate fraudulent actions by hiding malware underneath the app interface. For example, a user may think he is playing a game, but in reality his clicks and keystrokes are actually doing something else. The user sees that he is hitting balls and scoring points, but behind the scenes he is actually clicking on fake ads or liking social media posts. In effect, criminals are using these purchased mobile apps to create armies of device bots that they then use for massive fraud campaigns.

Robots will Kill Again

Have you seen those YouTubes from Boston Dynamics? The ones where robots that look like headless Doberman pinschers open doors for each other? You extrapolate and imagine them tearing into John Connor and the human resistance inside. They are terrifying. But they’re not the robots we’re thinking of (yet). A gaggle of autonomous vehicle divisions are already driving robot fleets around Silicon Valley. Google’s Weymo and Uber use these robots to deliver people to their next holiday party, and we’ve heard of at least two robot-car companies delivering groceries. Uber already had the misfortune of a traffic fatality when its autonomous Tesla hit a cyclist in Arizona last year. But Uber robots will be back on the road in 2019, competing for miles with Weymo. Combine these fleets with the others, and more victims more can join Robert Williams and Kenji Urada in the “killed-by-robot” hall of fame. Hopefully it won’t be you, dear reader, and hopefully none of these deaths will be caused by remote attackers. Fingers crossed!

Reimagining Behavioral Biometrics

Behavioral biometrics are overhyped today because enterprises lack the frequency of user interactions and types of data needed to create identity profiles of digital users. But in 2019, behavioral analytics will merge with macro biometrics to become truly effective. The market will move to a combination of macro biometrics, like Face ID, and traditional behavioral biometrics, like keyboard behavior and swiping. Apple is ahead of the game with Face ID and has applied for a voice biometrics patent to be used with Siri.

Kim Jong Un as Online Crime Kingpin?

North Korea will become a dominant player in the criminal underground with more frequent and sophisticated financially motivated hacks, rivaling Russian gangs. International sanctions have pushed the country to be more economically resourceful, so it has beefed up its cyber operations.The northern half of the Korean peninsula has been blamed for cyberattacks on banks, via SWIFT transfers, and bitcoin mining, in addition to traditional espionage involving governments, aviation, and other industries. In 2019, cyber attacks originating from groups (allegedly) associated with North Korea will continue to be successful and enforcement remains challenging. And with the recent Marriott breach affecting 500 million Starwood Hotels guests, the theft of passport numbers means nation-states and other attackers have an even more valuable and rare tool at their disposal for financial, tax, and identity fraud.  

All Breaches Aren’t Created Equal

As industries mature, we refine the metrics we use. In 2019 we’ll see enterprises change how they approach data breaches, moving beyond identifying size and scope, focusing instead on potency and longevity. Breach impact will be measured by the overall quality and long-term value of the compromised credentials. For instance, do these assets unlock one account or one hundred accounts? Most recently we’ve seen the Starwood data heist become one of the biggest breaches of its kind, largely due to the bevy of personal data exposed. In this case, since the unauthorized access dates back four years, we can assume this data has already fueled and will continue to fuel serious acts of financial fraud, tax fraud, and identity theft. As hacker tools become more sophisticated and spills more frequent, businesses can’t afford to ignore downstream breaches that result from people reusing the same passwords on multiple accounts. In reality, today’s breaches are fueling a complex and interconnected cybercriminal economy. In 2019, expect businesses to join forces and adopt collective defense strategies to keep one breach from turning into a thousand.

The Future Looks, Um, Futuristic!

These are our extreme predictions for 2019. Will they come true? Some of them, probably. We hope the robots don’t actually kill people, but we’re pretty sure that the Inversion (where automated traffic surpasses human traffic) is a sure bet, if it hasn’t happened already.

Where do you want to be when the Inversion happens?
Working with us, at Shape!

World Kill the Password Day

This World Password Day, let’s examine why the world has not yet managed to kill the password.

Today is World Password Day. It’s also Star Wars Day, which will get far more attention from far more people (May the Fourth be with you). It also happens to be National Orange Juice Day. And a few other days. This confusion is appropriate for World Password Day, because while the occasion is about improving password habits, the world has turned decidedly against passwords. Headlines from the past few years demonstrate a consistent stream of invective toward them:

2013: “PayPal and Apple Want to Kill Your Password

2014: “Inside Twitter’s ambitious plan to kill the password

2015: “White House goal: Kill the password

2016: “Google aims to kill passwords by the end of this year

2017: “Facebook wants to kill the password

And yet, not one of these efforts has succeeded in “killing the password”—as we can see from the fact that every major online service still requires them.

Why is this the case? To explore this question, it is useful to first examine the function that passwords serve. Online applications must ensure that only authorized users are able to access their data or functionality. In order to do this, the application requires some form of proof that the user who is accessing the application is who they say they are. Passwords are a “shared secret” between the authorized user and the application, and if the user accessing the application demonstrates they know this secret, the application assumes that they are the authorized user. Unfortunately, unauthorized users may learn this shared secret, through various types of attacks, so passwords simply do not provide a good proof of identity. And yet, the password continues to be the universal method of online authentication.

So what about all of the technologies that have gained popularity in recent years, like two-factor authentication using mobile devices and fingerprint scanners? Let’s take a look at some of these alternatives and why they haven’t been able to replace passwords.

Standard biometrics, like fingerprint and iris-based authentication, are convenient in that you always have them available on your person, but you obviously cannot change them. Soft biometrics, like voice and typing pattern analysis, are similar convenient, but have too much variation to be used for anything but negative authentication. Hard and soft tokens, in the form of dedicated hardware or personal mobile devices, are inconvenient to access and often difficult to use. And finally, device-based authentication is also only suitable for negative authentication, since users use multiple devices or may lose their authorized device.

There are some common benefits and drawbacks of these approaches which start to appear. This is because every system for authentication fits into the well-known framework of:

1. Something you know (such as a password)

2. Something you have (such as a mobile phone)

3. Something you are (such as a fingerprint)

The problem is that each part of this framework has different strengths and weaknesses. “Something you know” is convenient and changeable, but it can also be stolen easily, especially if copied somewhere and stored insecurely. “Something you have” is harder to steal, but is also not always with you. And “Something you are” is always available to you, but the description of what you are (say, a scan of your iris) cannot be changed if stolen from an insecure service that stored it. What this means is that the only true replacement for passwords will come from a mechanism that offers the same benefits as “something you know”, and yet somehow addresses its drawbacks.

Security challenge questions: the worst second factor

Some systems have tried to use security challenge questions as an additional authentication factor, especially for password recovery, but these are one of the worst developments in online security. Their problem is that they combine the drawbacks of passwords (answers can be stolen through data breaches), with the drawbacks of biometrics (you can’t change your mother’s maiden name or the street where you grew up), and add their own unique drawbacks (answers can be guessed through social media). Most security professionals now enter random information into such security challenge questions, but that effectively creates additional passwords, which offer no benefit over a single, strong password, except for use as a backup password.

But there is a more fundamental conflict which underpins our continued reliance on passwords: the fact that security and convenience are usually at odds. Moving toward three-factor authentication (one factor from each category), using a combination of something like a password, a soft token, and biometrics, one can create a relatively secure authentication mechanism, but this is much less convenient for most users.

Users value convenience over security (yet still expect security)

For many years, the public has been learning of the need for everyone to select strong passwords. But most people still don’t. Recently, because of the Yahoo and other data breaches, the public started to learn that even if they select strong passwords, they should never reuse them across sites. But most people still do. Password managers aren’t silver bullets, and are subject to their own vulnerabilities, but their widespread use would dramatically improve both of the above issues. Unfortunately, most people don’t use them. Multi-factor authentication, specifically two-factor authentication using mobile phones, is now offered on most major online services. While everyone should enable it, most people won’t, due to the difficulty of use or the lack of convenience.

Security professionals and other security-conscious users are getting more and more options, but the average person continues to value convenience and ease of use above all else, and would like security to simply be provided for them automatically. They don’t want to have to take responsibility for preventing their online bank account from being hacked—they want the bank to take care of that.

In fact, since users will quickly abandon services that are too difficult to use, online services focus much more on improving usability than on security. This is illustrated by a step back in security that technology companies have taken over the years, by standardizing on the use of email addresses as usernames. In the past, you could set a unique username for each account, making it far more difficult for cybercriminals to gain access to your account on one service by stealing your credentials from another. But since remembering both usernames and passwords was hard for users, and online services needed users’ email addresses anyway, they have collectively chosen to consolidate the username and email address into a single identifier. This, of course, has fuelled credential stuffing attacks and automated fraud across all major online services, leveraging billions of spilled credentials through attack tools like Sentry MBA.

The future includes more passwords, for now

The reason that we still have passwords is because we as users continue to demand their advantages, and haven’t come up with anything that preserves those while addressing their drawbacks. Similar to Winston Churchill’s observation on democracy, we might say that passwords are the worst form of authentication—except for all the others that have been tried.

While users are becoming more security conscious, and are learning to accept the friction of multi-factor authentication for the benefit of security, a sea change in user behavior isn’t happening anytime soon. This shifts the burden for security and fraud protection back to online service providers. Given the constraint of delivering a friction-free experience to their users, they are now investing in layered, invisible security mechanisms. These mechanisms allow them to provide the benefits of passwords with defense against their drawbacks, by doing things such as detecting when stolen passwords are used (as recommended by NIST) or protecting against credential stuffing attacks.

It’s World Password Day. While technologies like Apple’s Touch ID afford us great conveniences, and may eventually result in many people being able to bypass re-entering their passwords much of the time, they do not replace those passwords. We’re not “killing” the password anytime soon, so this May 4th, let’s make sure we continue to promote good password practices.

The Right to Buy Tickets

Young people waiting in line to buy tickets in NewYork.

With President Obama’s signing of the Better Online Ticket Sales (BOTS) Act of 2016 and the passing of recent legislation in New York, there are signs of hope that beginning in 2017, humans may once again have a fighting chance of purchasing a ticket to a hot concert, show or event.

It took ticket prices reaching $1000 per head for the award-winning Broadway show “Hamilton”, to force action against ticket bots getting the best seats in the house. Lin-Manuel Miranda who created and stars in Hamilton wrote a compelling Op-Ed in the New York Times in June 2016 entitled “Stop the Bots from Killing Broadway.” Finally, in December New York Gov. Cuomo passed a bill to make ticket bot purchases illegal. As one of the founding fathers of the US Constitution, it seems that Hamilton would have approved of an amendment that protected “the right to buy tickets.”

So how did ticket bots get control over the ticket purchases? The cybercriminal ecosystem has evolved over the past few years to make it easier to launch automated attacks on web and mobile apps with the purpose of stealing assets. In the case of ticket bots, automated scripts running on rented botnets enable the immediate and rapid purchase of tickets to popular events once they go on sale. Humans don’t have a chance against a machine intent on purchasing tickets. Until now.

With the recently passed ticket bot legislation, it is officially illegal to use ticket bots with the purpose of automated purchasing. Now ticket sellers  are protected against fraud by state fines and possible jail time as a deterrent.  With this new legislation, ticket sellers must also tighten up their defenses so that they can prevent the use of ticket bots proactively. Just stating that the use of automation and ticket bots is not allowed will no longer be sufficient as a defense.

Enforcing this legislation will have some challenges given the number of parties involved in automated ticket purchases. The illegal ticket reseller is in many cases at the outer edge of a cybercriminal ecosystem that is rapidly building out infrastructure and services on the Dark Web. In addition to automated ticket purchases, automated credential stuffing attacks for account takeover and malicious content scraping are affecting retail, travel and ecommerce businesses. The threat of fines and possible jail time for ticket bots will hopefully go some way to drying up some of the demand for cybercriminal automation.

Shows such as Hamilton were created for humans to enjoy, and at Shape Security we believe consumers shouldn’t have to fight bots to get a ticket. Every day at Shape Security we help major companies defend against automated attacks by bots, and we applaud this new legislation outlawing ticket bots.

Avivah Litan at Gartner: Impact of Automated Attacks on B2C Websites

Avivah Litan, Gartner VP and distinguished analyst, is well known for covering big data analytics for cybersecurity & fraud as well as fraud detection & prevention solutions. In this educational webcast, she discusses automated website attacks and their impact on global business to consumer (B2C) brands.

Refer to this link to watch the videos.

Key highlights include:

  • How Gartner defines automated attacks on websites
  • How existing controls, such as device analytics, velocity checks, geolocation, and IP address whitelisting are defeated by attackers
  • How cybercriminals monetize their automated website attacks
  • And, most importantly, how to stop automated attacks

5 Things We Learned At RSA

1. KBA and NSA are shaping tech startups

General Keith B. Alexander, who retired as NSA Director in 2014, has become the founder and CEO of a new startup, Ironnet. During his RSA session this year, he talked about how to heal the wounds to the tech community and what gift he’d send Snowden if he were given the opportunity. For the tech community, he recommended classified briefings to get technology companies the facts. For Snowden, he said he would send him the oath, which was met with loud applause from the audience. Take a look at the FCW article here.

2. Breaches are happening, even during RSA

On the 2nd day of RSA, a major hotel chain notified their 18 million members via email that their accounts had been reset out of an abundance of caution. According to us at Shape, it seems possible, even likely, that account checkers had been used to hijack 200 accounts at the hotel chain. Take a look at the Shape blog post on account checkers.

3. Taking security up one level – to the Board

Everyone seemed to like and agree with what was said at the presentation, “A CISO’s Perspective on Talking to the Board about Cybersecurity”. See what WSJ wrote about it here.

4. Password management is hard

Shape’s own Zhiwei Li spoke about password managers, exposing several vulnerabilities (now plugged) and discussing which manager would be the best manager in various cases. Take a look at his presentation slides.

5. Botnets are alive and well despite takedowns

Botnets are alive and well, despite takedowns. The federal agencies behind the takeover of a major Zeus botnet (12 governments, 13 companies, 4 non-profits and 3 USG federal agencies) said the criminal enterprises have learned and adapted to build more sophisticated and evasive botnets. Check out the list of agencies involved on the RSA session summary page.

It was a great show for Shape Security. If you go to a lot of conferences, like we do, then we’ll be seeing you at Blackhat in Vegas, and again at RSA in San Francisco in 2016.