Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

12/27/2016
10:30 AM
Connect Directly
Twitter
RSS
E-Mail

8 Boldest Security Predictions For 2017

Scary, funny and maybe even a little outlandish, these industry predictions come from prognosticators who didn't mince words.
2 of 9

Rubber Ducky, You Make Bot Time Lots Of Fun

In light of the rise of the Mirai botnet this year, we weren't surprised to see many industry insiders predicting a ramp-up in weaponization of the Internet of Things (IoT) to carry out widescale DDoS attacks in 2017. This isn't a brand new phenomenon, just a burgeoning one; in fact it was one of the boldest predictions we made for 2016 that actually came true. 

One security fortune teller, however, was extremely specific with his IoT botnet predictions.

'We expect to see hackers continue to exploit IoT device vulnerabilities to launch attacks, and they will likely use Edwin, the app-connected smart duck who will be the biggest security threat of the year,' says Jeff Harris, vice president of solutions for Ixia. 'Hackers will leverage Edwin to launch the 'Rubber Ducky Botnet Army' of 2017, making it critical for organizations to better defend their networks to prevent the strong DDoS attacks made possible through a yellow ducky.'

Image Source: Adobe Stock

Rubber Ducky, You Make Bot Time Lots Of Fun

In light of the rise of the Mirai botnet this year, we weren't surprised to see many industry insiders predicting a ramp-up in weaponization of the Internet of Things (IoT) to carry out widescale DDoS attacks in 2017. This isn't a brand new phenomenon, just a burgeoning one; in fact it was one of the boldest predictions we made for 2016 that actually came true.

One security fortune teller, however, was extremely specific with his IoT botnet predictions.

"We expect to see hackers continue to exploit IoT device vulnerabilities to launch attacks, and they will likely use Edwin, the app-connected smart duck who will be the biggest security threat of the year," says Jeff Harris, vice president of solutions for Ixia. "Hackers will leverage Edwin to launch the Rubber Ducky Botnet Army of 2017, making it critical for organizations to better defend their networks to prevent the strong DDoS attacks made possible through a yellow ducky."

Image Source: Adobe Stock

2 of 9
Comment  | 
Print  | 
Comments
Newest First  |  Oldest First  |  Threaded View
botw803
50%
50%
botw803,
User Rank: Apprentice
1/8/2017 | 1:14:41 PM
Re: Minority Report: Infosec Edition
You obviously agree because you have been working for this website forever. Your post are really boring by the way.
Charlie Babcock
50%
50%
Charlie Babcock,
User Rank: Ninja
1/4/2017 | 4:34:59 PM
Help prevent an unwanted Internet sick day
I don't know that the Internet will take an unscheduled sick day, but I do know the common security system for Web sites, SSL, the Network Time Protocol and the Domain Name System are probably being probed for ways to exploit them by much more sophisticated hackers than before. And the Internet depends on each of them. We've built out an immense infrastructure without enough precautions, a bold move, but we'd be wise to now try to identify the points where it needs shoring up. One place to start is the Network Time Protocol, which has a dedicated staff operating on an extremely lean budget and which could use additional support (www.ntp.org).
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
1/4/2017 | 8:59:51 AM
Re: Minority Report: Infosec Edition
Totally agree! AI definitely has tremendous potential, emphasis on potential. The big question is how much and how soon. 
alexanderstein
50%
50%
alexanderstein,
User Rank: Apprentice
12/28/2016 | 1:06:06 PM
Minority Report: Infosec Edition
It's not new years without resolutions and predictions.  Dark Reading honors the annual tradition with their top Info-Sec prognostications. #8: machine learning and artificial intelligence will build on significant capability gains to more accurately and intelligently learn from the past to detect and predict attacks. My counter-prediction: Nope. Most technologists and security professionals still wildly misunderstand/underestimate the complexity of human behavior as it relates to cybersecurity. Effective risk mitigation solutions will come from specialists in mental architecture and psychodynamics.
RetiredUser
50%
50%
RetiredUser,
User Rank: Ninja
12/27/2016 | 11:27:20 AM
Drone Jacking
I'm going to give drone jacking my top pick of these.  If you take a look at the volume of patents Google has put out for their drone army, from navigation aid systems to secure communication, you can see this has always been on their minds.  However, while Google is intent on making their drones as secure as possible (good luck with that, by the way), not all drone operators and start-ups are going to go the extra mile - at first.  And as applies to all drone companies, hijacking drones in-flight isn't the only method of taking control.  Drones can be captured through physical means and repurposed. 

Specifically on the topic of secure communication, we're going to see lots of projects working to perfect protocols that will help protect consumers and public safety.  Papers like "A Secure Communication Protocol for Drones and Smart Objects" by Jongho Won, Seung-Hyun Seo, and Elisa Bertino (2015) that explores securing communication between drones and smart objects (a smart parking management system, for example) are examples.  This paper states that "To support the required security functions, such as authenticated key agreement, non-repudiation, and user revocation, we propose an efficient Certificateless Signcryption Tag Key Encapsulation Mechanism (eCLSC-TKEM). eCLSC-TKEM reduces the time required to establish a shared key between a drone and a smart object by minimizing the computational overhead at the smart object. Also, our protocol improves drone's efficiency by utilizing dual channels which allows many smart objects to concurrently execute eCLSC-TKEM."

In the discussion about whether FOSS (Free and Open Source Software) or proprietary code and standards are better for drone tech, I think we need to work through 2017 to see what security flaws are revealed.  While I am a FOSS advocate, I also recognize the need for proprietary code under the right conditions.

 
The Flaw in Vulnerability Management: It's Time to Get Real
Jim Souders, Chief Executive Officer at Adaptiva,  8/15/2019
5 Ways to Improve the Patching Process
Kacy Zurkus, Contributing Writer,  8/20/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-15314
PUBLISHED: 2019-08-22
tiki/tiki-upload_file.php in Tiki 18.4 allows remote attackers to upload JavaScript code that is executed upon visiting a tiki/tiki-download_file.php?display&fileId= URI.
CVE-2019-15317
PUBLISHED: 2019-08-22
The give plugin before 2.4.7 for WordPress has XSS via a donor name.
CVE-2019-15318
PUBLISHED: 2019-08-22
The yikes-inc-easy-mailchimp-extender plugin before 6.5.3 for WordPress has code injection via the admin input field.
CVE-2016-10921
PUBLISHED: 2019-08-22
The gallery-photo-gallery plugin before 1.0.1 for WordPress has SQL injection.
CVE-2017-18570
PUBLISHED: 2019-08-22
The cforms2 plugin before 14.13 for WordPress has SQL injection in the tracking DB GUI via Delete Entries or Download Entries.