BreachExchange mailing list archives

Cyber attacks will cause real world harm in next seven years


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 30 Sep 2013 22:36:49 -0600

http://www.v3.co.uk/v3-uk/analysis/2296357/cyber-attacks-will-cause-real-world-harm-in-next-seven-years

New technologies such as Google Glass and IPv6 will lead to new, deadly
forms of cyber attack if current manufacturing security practices continue,
according to experts from Europol, Trend Micro and The International Cyber
Security Protection Alliance (ICSPA).

The experts made the warning in a recently published Scenarios for the
Future of Cyber Crime white paper. The paper explored what threats the
experts expect to emerge in the next six and a half years and is the result
of collaborative research between law enforcement, academia, governments
and industry.

Trend Micro's vice president of security research Rik Ferguson highlighted
innovations moving us towards an "always-on society" as a key development
leaving web users and businesses open to new forms of attack, during a
press event attended by V3.

"The inevitable miniaturisation of technology, where Google Glass becomes
Google Contact Lens and wearable tech means technology will eventually be
embedded in everything we do and have – from your running shoes to your
car, to any mobile devices that you carry around. For the more technically
advanced younger generation we're even beginning to talk about implants, so
it won't even be stuff you wear it'll be stuff that's with you all the
time," he said.

"Everything will be connected, everything will be running an operating
system and everything will be directly addressable. Think about IPv6.
Consider the fact you can fit the entirety of the IPv4 internet into one
allocation block of IPv6 and it should give you an idea of the scale of
things – everything is going to be rootable."

ICSPA chief executive officer John Lyons said the interconnectedness of
society could also leave users open to more dangerous attacks, with the
potential to cause real world harm.

"At the moment cybercrime's damage is fairly ephemeral: you lose money from
your bank account, the bank gives it back to you and nobody cares. We're
going to see a development where some of these elements could actually
cause real harm to citizens," he said.

Lyons' comments mirror widespread warnings within the security community
about the danger of rushing new or unsuitable technologies online. Many
security researchers have highlighted the government's misguided decision
to get critical infrastructure areas, such as power plants' outdated Scada
systems, online as proof of the claim. These warnings were given weight in
2011 with the emergence of Stuxnet, malware designed to physically
sabotage Iranian nuclear plants.

"I put a call out to ICT manufacturers for less reckless behaviour,
throwing out products without properly testing them, without checking for
vulnerabilities that could be secured and as a result starting to put
people in danger. I know they are pressed by marketing requirements and
what have you, but they could be doing an awful lot better," he said.

Ferguson mirrored Lyons' sentiment, arguing that lacklustre security
testing will also offer traditional cyber criminals a new avenue for
financial gain. "If you look at a lot of business the goal seems to be
'release early, release often'. This means you address the vulnerabilities
after release, as for them it's about being first to market," he said.

"They need to start addressing vulnerabilities during the manufacturing
process, particularly when things like 4D printing become more widespread –
things like 3D printed components that will then self assemble in some
remote locations – here there's a real opportunity for criminals to hijack
systems and have them appear at another location."

Europol assistant director and head of the European Cybercrime Centre (EC3)
Troels Oerting added that law enforcement will need to rethink its current
strategies to act at an international level if it hopes to protect
businesses and citizens from the threats.

"The internet is probably one of the greatest things ever invented. It
helps us in so many areas, but unfortunately it also makes crime much, much
easier. My background as a Danish police officer from a small country
that's very peaceful with a population of 5.5 million and 12,000 police
officers designed to provide a service to these people," he said.

"But in cybercrime they're not tasked to look at these 5.5 million people,
but at 2.7 billion on the internet. For the first time the police cannot
block people out using border control."

Lyons supported Oerting's claim, citing the new threats as proof of the
need for more international collaboration.

"We wanted to look at what the challenges might be and how we can
collaborate. Even in the EU, with its 28 states, we're not co-ordinated,
we're all moving at different speeds. Law enforcement is more advanced in
some countries when it comes to combating cybercrime. There's an awful lot
of good practice out there that we could share," he said.

The ICSPA chief highlighted improving the world's education as another key
step, necessary to counter the increased threat. "If we don't take citizens
on this journey with us and help them understand what the threats are and
what they can do about them with some very simple measures, they won't
change their behaviour," he said.

"We need a campaign to make them more aware of what's going on and a
personal sense of responsibility for securing their own systems."

The security experts also announced plans to launch the Project 2020 film
series to help educate web users about the new dangers facing them. The
nine-episode web series showcases the potential dangers listed in the white
paper using a fictional narrative.

The white paper and web series are two of many initiatives designed to
alert web users and businesses to the dangers facing them. Within Europe
both the UK government and European Commission have listed improving the
region's cyber defences as key goals.

Most recently vice president of the European Commission and EU commissioner
for justice Viviane Reding called for the creation of new cross-national
privacy laws designed to help businesses and web users secure and manage
what data they share online.