The annual RSA computer security conference, in San Francisco this week, offers one of the world’s greatest concentrations of well-founded paranoia. Experts from the highest levels of government mingle with enterprising hackers working for no one but themselves. And, as far as I can tell, all of them share the opinion that things are worse than most of us realize and set to get worse.
On the conference’s first full day, some experts told attendees about which specific bogeymen we need to be wary of. Here are seven taken from talks at the event today, starting with some surprising ones from influential security expert Bruce Schneier:
- Big data. “It’s been used to mean large data sets. I mean big data as an industry force, like big tobacco or big pharma,” said Schneir, before singling out Facebook, Google, Amazon and Apple. Such comprehensive and well correlated datasets of personal data raise the chance of serious security leaks and erode privacy, he said.
- Government regulation of the Internet. US legislators are increasingly talking about the need for new legislation to provide tighter control of the Internet, for example the recent SOPA and PIPA bills intended to protect copyrighted movies and music. Such efforts usually ignore their possible technical consequences, said Schneier. “I really worry at some point that at some point we will be asked to design a kill switch into theinternet system. Because I have to be sure that only the president can push the button.”
- A cyberwar arms race. The Stuxnet computer worm is widely believed to have been developed by a national military to cripple Iran’s nuclear program, and Schneier says that efforts by countries worldwide to ramp up their own cyber weapons will endanger all of us. “HBGary [a federal contractor from which emails were released by WikiLeaks] was a US cyberweapons manufacturer,” said Schneier, “it’s reasonable to assume that the US is stockpiling cyberweapons.” As the US and other countries probe one another’s networks and develop new exploits the Internet will become more closely controlled by militaries, and at risk of unintended “detonations” of cyberweapons. “The result is less security for all of us.”
In a separate session straight after Schneier’s, two experts on the frontline of cleaning up after new attacks gave their own rundown of the security problems that will blight the next 12 months:
- The Web’s most common security mechanism can no longer be trusted. When you connect to Facebook or your bank’s website all your traffic is encrypted – what is known as a HTTPS connection – using a ‘certificate’ that a site uses to prove to your Web browser it is to be trusted. Last year many of those certificates were stolen or spoofed, a tactic that can be used to steal user data or even install malicious software to their computers. “[It’s] the most widely deployed security implementation in the world, but it sometimes feels we’re trying to apply bandaids to a very leaky damn,” said Ed Skoudis, an expert who is called in by large corporations and even the White House to tackle security problems.
- Mobile devices as a back door into company networks. Although more malicious mobile apps are appearing, end users aren’t the ones that need to worry, said Skoudis. “The big thing is using it as an entry way into the overall enterprise network.” Attacks that steal company secrets are one of the major topics of discussion this week. Google, defense contractor Lockheed Martin, and this week’s host security company RSA, have all been victims in the past.
- Home automation. Connecting alarm systems, thermostats, lights and locks to the Internet allows some smart new ways to manage your home. But also brings risks, said Johannes Ullrich, who heads the Internet Storm Center, which documents new attacks. “Comcast does alarm systems, and they may also open your doors,” he said, predicting that exploits that target such systems will increase. It’s worth noting that Google is working on devices that use its Android mobile operating system to connect your home and what’s inside it the Internet.
- Hacktivism (again). Online attacks by the nebulous groups that identify as Anonymous and LulzSec made headlines last year and Ullrich says they will do again this year. “They’re not your latest and greatest attack but they’re very persistent,” he said, showing off a simple piece of software that such groups use to scan websites for vulnerabilities and crack passwords. “Anybody with about ten mins of training can use this tool,” said Ullrich. Because many companies don’t attend to the basics of computer security, such attacks will continue to succeed he said.