20 Jan 2015

I got it right! (My timing was just off)

I was looking at my old posts and found this prediction from 2009 for 2009:

http://securethink.blogspot.com.au/2009/01/prediction-number-1-for-2009.html

I essentially predicted that the market for cards would drop off and that "hackers" would start looking at stealing other information. Remember that, in most cases, they have access to the entire network. All the juicy intellectual property is theirs for the taking. They could, as happened with Sony Pictures, steal stuff like unflighted movies and human resources data. They just don't.

It is like a thief who breaks into a house and ignores all of the expensive electronic equipment and collectibles and steals only the cash because cash is already useful and the other stuff is too much trouble. Now, imagine if the cash is not lying about but is locked up in a vault. Maybe the thief will reconsider the other stuff. Once he has to put some work into the job, he may as well make it worth his while.

The reason why I was correct in my prediction but had my timelines all wrong is that I overestimated the ability of companies to secure their monetary assets (mainly credit card information). It has taken until now to get to the point where the money is, if not in a vault, at least not stuffed in a mattress.

The many high-profile attacks last year where credit card information was stolen are, IMHO, the dead cat bounce of this kind of attack. The thieves are getting their last good hacks in before security is tightened up. The Sony attack is the start of the next wave where intellectual property is stolen instead.

It would be almost impossible to track down a buyer, but holding information to ransom is already becoming a viable business with the "cryptolocker" type of attacks. Cryptolocker is more a scorched-earth type of attack - it encrypts everything and holds it all to ransom. More specialised attacks may target certain types of high-value information assets. They may, as in the case of Sony, decide to release these assets onto public networks where it is impossible to "put the toothpaste back in the tube".

2015 and beyond will be interesting.
