Vulnerabilities / Threats

7/27/2017
06:30 PM
50%
50%

Get Ready for the 2038 'Epocholypse' (and Worse)

A leading security researcher predicts a sea of technology changes that will rock our world, including the Internet of Things, cryptocurrency, SSL encryption and national security.

BLACK HAT USA – Las Vegas – Buckle in for a wild ride in the next two decades where the role of security professionals will rise in dramatic importance, Mikko Hypponen, F-Secure chief research officer, predicted at a Black Hat presentation today.

"Our work is not to secure computers, but our work is to secure society," says Hypponen in his presentation The Epocholypse 2038: What's In Store for the Next 20 years.

The security researcher pointed to likely sea changes the industry will witness in the coming 20 years: the 2038 Unix Millennium bug that will drive industry worry on par with Y2K, major shifts in the way security professionals deal with Internet of Things devices, cryptocurrency, SSL encryption and national security.

Y2k Redux in 2038?

When January 19, 2038 rolls around, the industry is bracing for a situation where the computer industry running on Unix will out of bits and systems will crash.

The 2038 epocholypse has been compared to Y2K, in that fear and loathing hype is mounting. Hypponen recalls how he was busy standing guard on New Years Eve when 2000 rolled in and the entry into the new millennium went smoothly. But despite all the bashing that the industry cried wolf about the doom that could have occured on New Years' day 2000, Hypponen says two points were missed -- and it's something to keep in mind for 2038.

One point is that an enormous amount of work went into finding bugs and fixing them prior to Y2K, so the impact was greatly minimized on the actual day, said Hypponen.  The second point is that not all Y2K-related problems immediately emerged on Jan. 1. Some came much later, such as inaccurate readings for Down Syndrome risk in pregnant women, he recalled, noting how some women underwent abortions unaware of the misdiagnosis.

"[The year] 2038 is way off in the future. People think we have plenty of time to fix it,  but I will guarantee you we will run out of time," Hypponen warned.

Cryptocurrency Game Changer

Bitcoin and other forms of cryptocurrency will likely take a big chunk of business away from the brick-and-mortar banks but these virtual currencies won't likely cause institutions to go out of business, predicted Hypponen.

But cryptocurrency is dramatically changing the landscape related to how law enforcement will chase the bad guys and follow the money. Cryptocurrency not only allows cybercriminals to conduct transactions anonymously but also gives them an avenue for laundering the money through multiple digital accounts with lightning speed, he noted.  

And thugs are also using the cryptocurrency when committing traditional physical crimes, Hypponen said, pointing to a Brazilian kidnapping where the attackers demanded a ransom payment in Bitcoins.

SSL, IoT, and Nation State Attacks, Oh My

Quantum computing is reaching a point where in the very near future it may pose a threat to SSL encryption, Hypponen predicted, explaining how the ability of quantum computers to crunch through waves of prime numbers puts the security of SSL encryption at risk. Evidence: IBM's announcement earlier this year about the construction of a commercially available universal quantum computing systems for its IBM cloud platform.

In addition to the potential demise of SSL encryption, humans are also facing greater risks with the rise of IoT devices. "There will be a day when consumers buy products and don't even realize they are IoT devices," Hypponen said. "If it is a smart device, it is a vulnerable device," which he predicts will create the need for a separate IoT network.

But what keeps Hypponen awake at night is the prospect of a nation state attack on consumers. "Wars today are fought with drones," he said, asking what would happen if the software that feeds into computer chips and devices were instructed to have the device catch on fire, simultaneously across millions of homes.

"Technically, it can be done," Hypponen said, showing a demo of one device in flames.

Related Content:

 

Dawn Kawamoto is an Associate Editor for Dark Reading, where she covers cybersecurity news and trends. She is an award-winning journalist who has written and edited technology, management, leadership, career, finance, and innovation stories for such publications as CNET's ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Christian Bryant
0%
100%
Christian Bryant,
User Rank: Ninja
7/31/2017 | 1:14:09 PM
Flying Without Technology
While I suspect this will ultimately be fixed through some well-written code to manage patching systems to either relieve us of time-related services or getting creative with real-time hijacking of 32-bit time functions with 64-bit (can't wait to see that), I think the cautious will familiarize themselves with what infrastructure could be affected.  Case in point, transportation that utilizes embedded technology that could be affected by this issue could be brought to a halt.  While an unusual thought these days, anyone with access to low-tech infrastructure, planes in particular, could still get around thanks to enterprising business leaders who will quietly set up a "shadow" low-tech infrastructure in anticipation of the need.  Planes, trains, ocean liners - anything whose safety could be compromised using current embedded tech could be replaced with low-tech versions, or re-vamped to remove reliance on these systems.  Of course, the more I read about this issue, the more I'm hoping the fix is already in the can.  Other things that are airborne and rely on embedded tech include missiles and satellites...

   
Printers: The Weak Link in Enterprise Security
Kelly Sheridan, Associate Editor, Dark Reading,  10/16/2017
20 Questions to Ask Yourself before Giving a Security Conference Talk
Joshua Goldfarb, Co-founder & Chief Product Officer, IDDRA,  10/16/2017
Why Security Leaders Can't Afford to Be Just 'Left-Brained'
Bill Bradley, SVP, Cyber Engineering and Technical Services, CenturyLink,  10/17/2017
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Security Vulnerabilities: The Next Wave
Just when you thought it was safe, researchers have unveiled a new round of IT security flaws. Is your enterprise ready?
Flash Poll
The State of Ransomware
The State of Ransomware
Ransomware has become one of the most prevalent new cybersecurity threats faced by today's enterprises. This new report from Dark Reading includes feedback from IT and IT security professionals about their organization's ransomware experiences, defense plans, and malware challenges. Find out what they had to say!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.