Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

7/27/2017
06:30 PM
50%
50%

Get Ready for the 2038 'Epocholypse' (and Worse)

A leading security researcher predicts a sea of technology changes that will rock our world, including the Internet of Things, cryptocurrency, SSL encryption and national security.

BLACK HAT USA – Las Vegas – Buckle in for a wild ride in the next two decades where the role of security professionals will rise in dramatic importance, Mikko Hypponen, F-Secure chief research officer, predicted at a Black Hat presentation today.

"Our work is not to secure computers, but our work is to secure society," says Hypponen in his presentation The Epocholypse 2038: What's In Store for the Next 20 years.

The security researcher pointed to likely sea changes the industry will witness in the coming 20 years: the 2038 Unix Millennium bug that will drive industry worry on par with Y2K, major shifts in the way security professionals deal with Internet of Things devices, cryptocurrency, SSL encryption and national security.

Y2k Redux in 2038?

When January 19, 2038 rolls around, the industry is bracing for a situation where the computer industry running on Unix will out of bits and systems will crash.

The 2038 epocholypse has been compared to Y2K, in that fear and loathing hype is mounting. Hypponen recalls how he was busy standing guard on New Years Eve when 2000 rolled in and the entry into the new millennium went smoothly. But despite all the bashing that the industry cried wolf about the doom that could have occured on New Years' day 2000, Hypponen says two points were missed -- and it's something to keep in mind for 2038.

One point is that an enormous amount of work went into finding bugs and fixing them prior to Y2K, so the impact was greatly minimized on the actual day, said Hypponen.  The second point is that not all Y2K-related problems immediately emerged on Jan. 1. Some came much later, such as inaccurate readings for Down Syndrome risk in pregnant women, he recalled, noting how some women underwent abortions unaware of the misdiagnosis.

"[The year] 2038 is way off in the future. People think we have plenty of time to fix it,  but I will guarantee you we will run out of time," Hypponen warned.

Cryptocurrency Game Changer

Bitcoin and other forms of cryptocurrency will likely take a big chunk of business away from the brick-and-mortar banks but these virtual currencies won't likely cause institutions to go out of business, predicted Hypponen.

But cryptocurrency is dramatically changing the landscape related to how law enforcement will chase the bad guys and follow the money. Cryptocurrency not only allows cybercriminals to conduct transactions anonymously but also gives them an avenue for laundering the money through multiple digital accounts with lightning speed, he noted.  

And thugs are also using the cryptocurrency when committing traditional physical crimes, Hypponen said, pointing to a Brazilian kidnapping where the attackers demanded a ransom payment in Bitcoins.

SSL, IoT, and Nation State Attacks, Oh My

Quantum computing is reaching a point where in the very near future it may pose a threat to SSL encryption, Hypponen predicted, explaining how the ability of quantum computers to crunch through waves of prime numbers puts the security of SSL encryption at risk. Evidence: IBM's announcement earlier this year about the construction of a commercially available universal quantum computing systems for its IBM cloud platform.

In addition to the potential demise of SSL encryption, humans are also facing greater risks with the rise of IoT devices. "There will be a day when consumers buy products and don't even realize they are IoT devices," Hypponen said. "If it is a smart device, it is a vulnerable device," which he predicts will create the need for a separate IoT network.

But what keeps Hypponen awake at night is the prospect of a nation state attack on consumers. "Wars today are fought with drones," he said, asking what would happen if the software that feeds into computer chips and devices were instructed to have the device catch on fire, simultaneously across millions of homes.

"Technically, it can be done," Hypponen said, showing a demo of one device in flames.

Related Content:

 

Dawn Kawamoto is an Associate Editor for Dark Reading, where she covers cybersecurity news and trends. She is an award-winning journalist who has written and edited technology, management, leadership, career, finance, and innovation stories for such publications as CNET's ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
RetiredUser
0%
100%
RetiredUser,
User Rank: Ninja
7/31/2017 | 1:14:09 PM
Flying Without Technology
While I suspect this will ultimately be fixed through some well-written code to manage patching systems to either relieve us of time-related services or getting creative with real-time hijacking of 32-bit time functions with 64-bit (can't wait to see that), I think the cautious will familiarize themselves with what infrastructure could be affected.  Case in point, transportation that utilizes embedded technology that could be affected by this issue could be brought to a halt.  While an unusual thought these days, anyone with access to low-tech infrastructure, planes in particular, could still get around thanks to enterprising business leaders who will quietly set up a "shadow" low-tech infrastructure in anticipation of the need.  Planes, trains, ocean liners - anything whose safety could be compromised using current embedded tech could be replaced with low-tech versions, or re-vamped to remove reliance on these systems.  Of course, the more I read about this issue, the more I'm hoping the fix is already in the can.  Other things that are airborne and rely on embedded tech include missiles and satellites...

   
COVID-19: Latest Security News & Commentary
Dark Reading Staff 5/28/2020
Stay-at-Home Orders Coincide With Massive DNS Surge
Robert Lemos, Contributing Writer,  5/27/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Can you smell me now?
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-11844
PUBLISHED: 2020-05-29
There is an Incorrect Authorization vulnerability in Micro Focus Service Management Automation (SMA) product affecting version 2018.05 to 2020.02. The vulnerability could be exploited to provide unauthorized access to the Container Deployment Foundation.
CVE-2020-6937
PUBLISHED: 2020-05-29
A Denial of Service vulnerability in MuleSoft Mule CE/EE 3.8.x, 3.9.x, and 4.x released before April 7, 2020, could allow remote attackers to submit data which can lead to resource exhaustion.
CVE-2020-7648
PUBLISHED: 2020-05-29
All versions of snyk-broker before 4.72.2 are vulnerable to Arbitrary File Read. It allows arbitrary file reads for users who have access to Snyk's internal network by appending the URL with a fragment identifier and a whitelisted path e.g. `#package.json`
CVE-2020-7650
PUBLISHED: 2020-05-29
All versions of snyk-broker after 4.72.0 including and before 4.73.1 are vulnerable to Arbitrary File Read. It allows arbitrary file reads to users with access to Snyk's internal network of any files ending in the following extensions: yaml, yml or json.
CVE-2020-7654
PUBLISHED: 2020-05-29
All versions of snyk-broker before 4.73.1 are vulnerable to Information Exposure. It logs private keys if logging level is set to DEBUG.