Software development: less code, more impact, and more programmers. And, no, that’s not good.

Because there is so much common knowledge out there, because modern computer technology is inherently democratizing, hacking has become endless


4 October 2021 (Milos, Greece) – For the last few weeks I’ve been fairly involved with my software development community, a group that now numbers about 3,500 members on my listserv (which receives our special newsletter for that community) plus about 175 contacts in my LinkedIn software development group.

Most of us had attended Cognizant Softvision Programmers’ Week (its seventh edition) last month – a six day event for developers and software engineers from around the world. It is an event that featured internal and external discussions and courses organized around one or two technologies per day, covering numerous industries including cybersecurity, digital media, legal technology, etc., with a heavy focus on deep industry knowledge and the key trending technologies and innovation. I’ll get to that event later in this post.

Last week my media team published our monthly newsletter for our software development community and our lead piece was “Fraudulent Mobile Apps Growing in Numbers”. Just about everyone had the same thought: “Wow. Who knew? What with our daily feed of news about app removals, malware apps, and apps that phone home. This was news?”

As the write up stated:

“A new report from payment fraud protection specialists Outseer claims that out of all fraudulent attacks that happened in Q2 2021 (of which there were more than 49,000), rogue mobile apps accounted for almost a third (30%)”.

How does mobile app fraud work? The process is relatively simple. Fraudsters create an app that looks almost identical to a genuine mobile app belonging to a bank or other institution, then get it placed on a mobile app store or distribute it via their own website, email, or any other channel. There are scores of sites which allow a person to create a mobile app with no coding required. To make it “malware,” just a wee bit more work is required. But, really, it’s pretty easy. GitHub has hundreds of examples to help you on your quest, or you just turn to any number of Malware-as-a-Service vendors. Note that the lookalike can copy the icon, the name and the screenshots, but it cannot copy the genuine publisher’s signing key: a clone is always signed by somebody else, and often ships under a slightly different package name.
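The point above – that a cloned app can match a genuine one in everything except the signer – is what a practitioner actually checks for. The following is an added example, not code from the original post or from Outseer; it assumes a constructed allowlist of genuine apps keyed by package name and signer-certificate fingerprint (the fingerprints and package names are made-up placeholders) and runs a few constructed store listings through a simple triage: exact package with the wrong signer is a repackaged app, a near-identical display name under a different package is an impersonation.

```python
"""Triage app-store listings that impersonate a known app.

Added example, not from the original post. The allowlist, package
names, signer fingerprints and listings below are all constructed.
"""
from dataclasses import dataclass
from difflib import SequenceMatcher
import unicodedata

# Constructed allowlist. The signing-certificate fingerprint is the only
# identity a fraudster cannot copy, so that is what we pin on.
GENUINE_APPS = {
    "com.examplebank.mobile": {
        "name": "Example Bank",
        # placeholder SHA-256 fingerprint of the publisher's signing cert
        "signer_sha256": "11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00",
    },
}

# Substitutions commonly used to make a lookalike name pass a glance
# (digits for letters, Cyrillic homoglyphs).
CONFUSABLES = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s", "$": "s", "@": "a",
    "\u0430": "a",  # Cyrillic small a
    "\u0435": "e",  # Cyrillic small ie
    "\u043e": "o",  # Cyrillic small o
})


def normalize_name(name: str) -> str:
    """Fold case, compatibility forms, homoglyphs and punctuation away."""
    folded = unicodedata.normalize("NFKC", name).lower().translate(CONFUSABLES)
    return "".join(ch for ch in folded if ch.isalnum())


@dataclass
class Listing:
    package: str
    display_name: str
    signer_sha256: str
    source: str  # store name or sideload URL, for the report only


def assess_listing(listing: Listing, genuine=GENUINE_APPS, threshold: float = 0.85):
    """Return (verdict, reason) for one listing."""
    if listing.package in genuine:
        expected = genuine[listing.package]["signer_sha256"].lower()
        if listing.signer_sha256.lower() == expected:
            return "genuine", "package name and signing certificate both match"
        return "repackaged", f"package {listing.package} is signed by an unexpected key"

    # Different package: look for a brand-name collision with a genuine app.
    norm = normalize_name(listing.display_name)
    for pkg, info in genuine.items():
        ratio = SequenceMatcher(None, norm, normalize_name(info["name"])).ratio()
        if ratio >= threshold:
            return "impersonation", (
                f"display name resembles {info['name']} ({ratio:.2f}) but package is "
                f"{listing.package}, not {pkg}; distributed via {listing.source}"
            )
    return "unknown", "no collision with a known app"


# Constructed listings: one genuine, one repackaged, one lookalike, one unrelated.
SAMPLE_LISTINGS = [
    Listing("com.examplebank.mobile", "Example Bank",
            "11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00", "official store"),
    Listing("com.examplebank.mobile", "Example Bank",
            "de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef", "third-party store"),
    Listing("com.free.bank.app", "Examp1e B\u0430nk",
            "ca:fe:ba:be:ca:fe:ba:be:ca:fe:ba:be:ca:fe:ba:be", "sideload link in SMS"),
    Listing("com.other.weather", "Weather Now",
            "01:02:03:04:05:06:07:08:09:0a:0b:0c:0d:0e:0f:10", "official store"),
]


def triage(listings=SAMPLE_LISTINGS):
    """Return a list of verdicts, in listing order."""
    return [assess_listing(item)[0] for item in listings]


if __name__ == "__main__":
    for item in SAMPLE_LISTINGS:
        verdict, reason = assess_listing(item)
        print(f"{verdict:13} {item.package:24} {reason}")
```

The design choice worth noting: name similarity only ever produces the “impersonation” verdict, never “genuine”. A listing is accepted only when both the package name and the signer fingerprint match the allowlist, which is the same rule a bank’s fraud team or a mobile device management policy should apply.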

As many of the members in my group noted, “I am seeing less code today”. And we’re not just talking about low code platforms that can enable software developers and citizen developers to build entire applications with relatively little or even no code. I’m speaking about applications where you have to develop proprietary code but can accomplish your objectives with minimal coding effort. How? By leveraging programming environments, frameworks, and libraries that do most of the heavy lifting for you.

The spike in cyber attacks has nearly the same root cause. And as I have written extensively before, it comes down primarily to four things:

1. Cyber criminals are catching up to nation-states’ hacking capabilities, and it’s making attribution more difficult. They’re not five years behind nation-states anymore, because the tools have become more ubiquitous.

2. One of the things cyber analysts are seeing is that more cyber criminals are getting “corporate”: on the business-model side they are starting to use innovative processes like franchises, and affiliate groups, where a cybercriminal will develop technology and make it available to other cybercriminals. Franchising the malware means that criminals can concentrate on improving in other areas.

3. What the cybercrime affiliates do is focus on identifying, for instance, phishing lists, or other ways to break into networks … and then actually launch ransomware or other malware. They do not need to build effective tools from scratch. They have that through the franchise. They can put all of their investment into executing their attack.

4. That also means any improvement in cybercrime technology makes attribution harder. The tools look more like those of nation-states. And given Russia outsources lots of its cyber attack work to criminal cyber gangs, from an attribution standpoint it’s very difficult to determine if an actor is working at the behest of a foreign government or if they’re doing criminal activity on their own time.

Last week I checked in with some of my “go to” cyber security contacts for some further feedback and they had some additional thoughts. Steve King said:

Well, I think the issues multiply. Criminals still behave differently in certain cases. If you’re a nation-state, you’re likely trying to achieve one very specific goal and will use whatever mechanism is required in order to do that. So in some ways it often requires less sophistication. On the flip side, cyber-criminals can come up with very sophisticated capabilities given that they have the luxury in most cases of a virtually unlimited victim pool and the luxury of time.

Andy Jenkinson continued that theme:

Worse, easy access to data and technologies via open-source is not only leveling the intelligence playing field at the expense of the intelligence communities. Non-state actors can now collect intelligence worldwide at little cost. Anyone with an Internet connection can see images on Google Maps, track events on Twitter, and mine the Web with facial recognition software, pulling all manner of personally identifying information off the Dark Web, etc.

Moreover, commercial satellites now offer low-cost eyes in the sky for anyone who wants them. Inexpensive satellites roughly the size of a shoebox offer imagery and analysis to paying customers worldwide. Although no match for U.S. government capabilities, these satellites are getting better day by day.

I’ll let Bob Carver close out this section:

If you closely follow this industry, and the media reports, you know cyber criminals are taking advantage of the combination of “social listening” and physical infrastructure analysis to plan attacks. It also explains why more than one in 10 data breaches now involve “physical actions”, that is, leveraging physical devices to aid an attack, and breaking into hardware and physical infrastructure.

There is a shrinking gap between physical and cyber infrastructures. And that means businesses should be combining both cyber and physical security efforts. When your door lock, your burglar alarm, your fire suppression system is computerized, networked and on the internet, you have no choice but to integrate them. Integration is happening because computers are moving into a space that was only physical. And that opens up all sorts of hacking opportunities.

If you speak with any cyber security professional they’ll tell you it’s a bit hopeless, because they are still struggling to get companies to install even simple cyber security defenses. Oh, there are lots of reasons why corporates don’t take cyber security seriously enough, and as I have noted before they tend to fall into these three categories, with which I think Steve, Andy and Bob will all agree:

1. they envision cyber security as a kind of fortification process in which strong firewalls and astute watchmen will allow them to see threats from afar;

2. they assume that complying with a security framework like NIST or FISMA is sufficient security; and

3. they haven’t had a security breach recently, so they must be doing something right: what doesn’t seem broken doesn’t need to be fixed.

The problem with these mental models is that they treat cybersecurity as a finite problem that can be solved, rather than as the ongoing process that it is, as emphasised by Michael Daniel:

With 5G slowly coming down the road, and its terrifying potential to exponentially raise the level of cyberattacks, it will make current attacks look like paper cuts.

And the continuation of a trend called the “democratization of digital skills” has made hacking available to average people through downloadable, inexpensive software, much of which is on display at hacker events like Black Hat and DEF CON in Las Vegas every year.

There is so much common knowledge out there. I once wrote about the vulnerabilities in the telephone network’s signalling system – SS7, for those who like jargon – that have long been used by the NSA to locate cell phones. This same technology is sold by the U.S. company Verint and by the UK company Cobham to third-world governments, and hackers have demonstrated the same capabilities at numerous technology conferences. An eavesdropping capability that was built into phone switches to enable lawful intercepts was used by still unidentified unlawful interceptors in the Middle East last year.

With the advent of these new tools that come “right out of the box”, you need only follow a simple set of set-up instructions: you can wrap victims’ data in strong encryption, demand payment in a cryptocurrency like Bitcoin that is awkward to trace, and even hire online services that will run the data ransoming for you in return for a piece of the action, making this method of cybertheft much easier. You simply don’t need any coding skills to do this anymore.

And this all happened due to issues that have developed over many years in the intelligence, security and IT communities. It’s complex, not easily simplified. But one big “thing” is how governments have understood the term “cyber warfare” (a term that has spread rapidly throughout government, much like a virus) over the past 20+ years. No, not the last 6 years, dear reader, when the mainstream media got hold of it. More like 20+ years. Read John Hughes-Wilson’s On Intelligence and you’ll get the history, some perspective – pretty much all you need to establish a base for understanding all of this.

The big problem is that cyber warfare is totally different from normal warfare, in fact so different that calling it warfare at all is meaningless. Yet governments still talk about it as if it were the same. In regular warfare you can build up your own defenses without improving your opponent’s defenses, and you can develop new weapons that your opponents will not have.

But cyber warfare doesn’t work like that. Because everyone uses the same software infrastructure, and the “weapons” are nothing more than weaknesses in that global infrastructure, building up your own defenses by fixing problems inherently builds up your opponent’s defenses too. And developing new “weapons” means stockpiling vulnerabilities that your opponents are equally able to find and exploit, by attacking the very same weaknesses in your country that you are exploiting in theirs.

Successful spying is invisible and undetected. The infiltration of critical national infrastructure by enemies of the state happens quietly and without anyone realizing until it’s too late. A successful penetration of someone else’s infrastructure yields an unforgettable intelligence report that makes the government feel successful and in control. A successful penetration of your infrastructure yields nothing visible at all.


“Software is everywhere these days,” said Andres Angelani, CEO of Cognizant Softvision, kicking off the panel on “The Future of Software” that helped launch Softvision’s 7th annual Programmers’ Week. Software now, he said, “is a vehicle to reimagine industry.” Much of the rest of the panel was devoted to the dramatic implications of that statement – the Good, the Bad and the Ugly. Simple, really. We’ve evolved from a utilitarian view of software back in the day. But now, software has transformed money, banking, experiences, connections – absolutely everything.

The pandemic has underscored software’s centrality in modern business for just about every company. Organizations got a lot more digital a lot sooner than they would have done otherwise. It has pushed companies to do things they’d never thought of. They were already trying to be more digital, but that transformation has now been hastened by about five years.

Many speakers noted they watched previously very conservative companies switch “in two days” to remote working from home. That disruption helped many of them see more clearly that software is not just for the back office. It’s not just the finance system. It’s not just the HR system. It’s integral to the products of all customers, and to the delivery of all products. Now every company will have to be a software company.

Yes, the world is going faster and getting more complex. And that’s led to a big problem. COVID led to “The Big Resignation” in all industries, something noted in almost every IT media source – the increasing turnover in people which compounded an existing major shortage of talented developers. Even as software is more central to how business and society functions, far too few people today are trained to create it. The talent gap is increasing.

So, this has greatly changed how software is built, who builds it, and the methodologies used to build it. The variety of people who can create software is expanding significantly, away from the kinds of people who built software in the past – classic nerds and math geniuses.

One speaker noted there would be three basic types of programmers:

1. those who understand deeply a tool or domain

2. people who can hold it all together – the architects

3. people who are really good at explaining how technology can work in a business context, for a specific industry

But this means automation is coming to the creation of software, leading to the “no code/low code” movement that will enable nontraditional programmers to build software out of components that are increasingly modular. Yes, AI is going to help eliminate or reduce tedious tasks, like analyzing code to find inefficiencies or errors. And maybe even “double checking”. Automation and AI will only augment the programmer, making a programmer about 100 times more productive by one speaker’s estimate. Yes, there’s a revolution going on in terms of how this reduced amount of code is written and assembled. I wrote about this last month in a little more depth.

But (as I detailed above) many speakers noted the downside. The profusion of low code platforms that enable software developers and citizen developers to build entire applications with relatively little or even no code, and the programming environments, frameworks and libraries that let you accomplish your objectives with minimal coding effort, cut both ways: the same heavy lifting is available to anyone, whatever their intent. And that “gives bad actors a field day”, as one speaker noted.
