The main security threat for 2015 will be the evolution of PUPs (short for Potentially Unwanted Programs) towards malware. Even though these programmes often claim to be from legitimate ad-funded companies, they are becoming increasingly aggressive and less customer-friendly. Here are some specific issues that Malwarebytes has already seen beginning to occur, and I predict will continue growing throughout next year:
I would also not be surprised to see adware spreading across home or corporate networks, or one PUP downloading another to come and join the party. This is more akin to how malware behaves.
To counter this progression, vendors should adopt an aggressive anti-PUP policy. PUPS should always be treated as malware, unless the customer chooses otherwise. To avoid these unwanted programmes in the first place, always get your software through the official channels, opt out when you can and, if you can’t, ask yourself “is it worth the trouble?” Remember: if it sounds too good to be true, it probably is.
The recent leak of celebrity pictures from their iCloud accounts has drawn attention to the security issues associated with virtual storage facilities. In fact, these types of leaks have happened frequently over the last year and will only grow throughout 2015.
There are many ways of gathering data from the cloud. These include social engineering, vulnerabilities in commonly used cloud storage services, or even finding a way to download the raw data from a hard-drive.
Social engineering can be used to acquire consumer login data. Emails leading to fake login sites can result in people divulging this information, as can online surveys that ask way too many details or offers of a “free, must-have” tool that help you to track and organise your uploads. This will continue to increase throughout 2015.
Given that finding vulnerabilities in popular cloud applications is a lucrative business, you can bet that a lot of cybercriminals are working on these kinds of projects. Of course, the developers of named applications are working just as hard in an effort to stop them from succeeding.
Having access to the hardware used for the Cloud can provide attackers with another way of gathering data. Hypothetically, if an attacker were able to execute a programme he has uploaded to the Cloud on the server where the file is stored, he could order that programme to send him the raw data from the server’s drive. Although this would result in a lot of reading, a relatively simple routine could quickly sift through the data to find personal information: for example, bitcoin wallet keys and email addresses can easily be found by looking for certain parameters.
These types of Cloud breach may seem rather unlikely to happen to you, but one should also consider the “inside job”. Studies have shown that around 70% of security breaches, intentional or not, result from employees and can mean that the described breaches are a lot more likely to succeed.
The user and the provider can – and should work – together to improve data security in the Cloud:
What can home consumers do to protect their private data?
What should you look for in a company storing your data?
We can only hope the above are the worst new developments for 2015, but I’m sure the future will never cease to amaze us. Have a safe 2015.
By Pieter Arntz, Security Blogger from Malwarebytes