301 – How did we do?

Not sure how your year has felt? Ours seems to have gone January, January, January, March, April, MAY, July, Augus, Se-, Octo-, Nove-Christmas. So here we arrive at the last Threat Of The Week of 2018 and the 301st consecutive week’s blog in total.

301 is a number to be celebrated not just because that is quite a lot of consecutive weeks of nonsense, sorry amusing and informative content, it is also a semi-prime number being the product of 7×43, which are themselves primes and you know how we love prime numbers round here.

Ironically HTTP 301 is a ‘moved permanently’ status code, which may bring a smile to some.

As those of you trawling the security news over the festive period will no doubt be aware, there has been little reported on the standard channels. We all know that the bad boys will not have downed tools in favour of mince pies so expect a flurry of activity when everyone wakes up.

There is something that did catch our attention because it is tangentially related to The Most Revered B. Krebs Esq. (doff, doff).

Those of you who follow Mr Krebs will recall that the rascals who DDOS’d his website were caught and jailed in Israel a couple of years ago.

Well…another young man who trod on the toes of Mr Krebs, one Mir Islam a deft exponent of the art of swatting (you know, where you amusingly report a kidnapping or some such at a third party’s address and then chortle as the SWAT team raids and in some cases kills them), who swatted Lord Krebs in 2013 has just been nicked on a charge of murder in the Philippines. The curse of Krebs is a real thing.

The circumstances are most bizarre. The well-known scumbag Mir Islam (aka ‘Josh The God’) and a pal of his Troy Woody Jr. booked a ride using the Grab app, stuffed a large cardboard box in the boot/trunk, stopped off briefly on the way to their destination and threw said box into the river and went about their business.

Of course the box contained Woody Jr’s dead girlfriend and they are both now in deep doo-doo. Happy Christmas indeed.

As you all know, every year we make some predictions about what will happen in the world of cyber in the coming year and we use this in-between festivities blog to mark our homework.

So how did we do? Here goes:

NATION STATES

The intelligence and security outfits of the usual suspects will continue to probe each other’s infrastructure, especially power (including nuclear, what could possibly go wrong?), water and transport systems. Nation states with currency restrictions will utilise ransomware and crytpocurrency to generate funds outside of banking regulations.

You would have to be sleeping in a bunker all year to have not noticed a sharp upturn in at least the reporting of nation state cyber activity. Only this week, the UK’s NCSC produced a fairly damming report of Chinese APT 10 activities.

Back in June, the former GCHQ boss Robert Hannigan was blaming the Russians for live testing cyber munitions on a grand scale.

The American government has charged Russian and Chinese hackers.

And more besides. This is going to grow and grow, just like the Cold War, but warmer because you don’t have to shiver your bits and pieces off in a trench in Germany to play the game.

On the subject of states using crypto currency to beat embargos, bet you thought we had forgotten that bit, according to this report in March 2018, it was estimated at that time that North Korea (surprise!) may have made $200 Meeelion Bitcoin through various projects nefarious. Bound to have more now.

Not a bad start.

CRYPTO CURRENCIES

It would seem that National Treasuries, the Federal Reserve and all of the major investment banks are beginning to wake up to the fact that huge amounts of cash are being made, lost or discreetly shifted using crypto currencies. Undermining all of the cash controls imposed upon the banking community to identify and prosecute fraud, crypto currencies are currently outside the law. It is the wild west with everything that goes with it. Bitcoin robberies, fraudulent activity, market manipulation and the like will become everyday stories in 2018 and it is only a matter of time before regulation will be imposed. There will obviously be some very hard questions to consider especially regarding scarcity, value and ownership – what is money, does it really exist? Having abandoned the Gold Standard in 1931, the Bank Of England should be well positioned to come up with a plan!

Of course we have all seen the massive Bitcoin heists this year (and others for that matter), all very common news these days.

There has been a lot of talk about regulating crypto currency all year and until recently little action. Anticipating having to mark ourselves down, we were relieved when a number of nation states started to get the ball rolling late in the year.

The Brookings Institution (a US-based non-profit public policy organisation) published this paper in October 2018, which was followed by an announcement from Republican Congressman Warren Davidson that he would be working on new crypto legislation.

In India a panel tasked by the Finance Ministry announced its draft legislative plan for crypto currency will be published this month (good job they don’t do Christmas there!).

Here in Blighty, the only country that some of our inwardly looking Rule Britannia singing associates think matters, The U.K. Cryptoassets Taskforce released a report on October 29th that proposes some changes for crypto currency regulation and raises concerns over how digital assets are traded and used.

Launched in March, the Cryptoassets Taskforce is made up of the Bank of England (BOE) and the Financial Conduct Authority (FCA) and is charged to regulate and support crypto technologies.

We are cooking on gas!

ARTIFICIAL INTELLIGENCE AND MACHINE LEARNING

Increases in computer power, the availability of cloud resources and off the shelf AI and machine learning packages presents enormous opportunity for the attacker and the defender. Just as legacy Antivirus vendors and malware/virus coders did battle, this will be a new theatre of conflict.

Possibly the lowest risk prediction of all of them.

Machine Learning and AI are now commodities provided by all Cloud providers. You can even get an introductory tutorial on the subject free from Google in this 3 MINUTE(!) video.

As this is given by Doc Brown’s younger brother, there is a distinct possibility that the 3 minutes are used to take you elsewhere in time and reprogram you to be an AI expert before bringing you back seemingly 3 minutes later.

IBM released this report in August, which paints a fairly bleak picture.

It is widely believed that the weaponisation of AI by hackers (not just those good old nation states who have clearly been at it forever) has definitely begun and will continue to grow.

QUANTUM COMPUTING

There is just a chance that a game-changing technology such as quantum computing will become a reality (and by that we mean accessible by individuals without 2 PhDs, no beard, no sandals) this year. If this does happen we can all pack our Public Key Encryption malarkey into a recyclable bag and bin it on the way home.

Well there have been massive moves forward in quantum computing this year. Just like us, a lot of people are talking the talk but now it seems the walk has started.

In December 2018, The US signed a bill, which provides $1.2 Beeelion in funding to quantum research.

Whilst we haven’t seen a quantum machine that decrypts everything in a jiffy, we have seen a very exciting live capability demonstration of high-speed quantum cryptographic communications with key distribution speeds exceeding 10 Mbps in a real-world environment by Toshiba and Tohoku Medical Megabank Organisation. This is amongst the quantum tech we will need to protect against the other quantum tech, so watch this space.

(Arigatou Toshiba)

In summary, not at all a bad set of predictions!

Next month is our annual security conference, which will be held on Thursday 31st January 2019 at Grace Hall on Leadenhall Street in London.

The format is different this year, in that we will be running a live breach masterclass for your entertainment and education. Don’t miss it, register your interest here.

Of course we will also be sharing our experiences of last year and making more predictions for 2019 along with much more juicy content. It would be great to see you there.

We really hope you had a great Christmas, or at the very least survived it. Have a wonderful New Year. See you on the other side.

Thanks for all of your reading time this year, we appreciate it.