Chapter 18

Emerging Technologies Bring New Threats

IN THIS CHAPTER

  • Understanding emerging technologies and their potential impact on cybersecurity
  • Understanding quantum computing and its major impact on encryption
  • Experiencing virtual reality and augmented reality

The world has undergone a radical transformation in recent decades, with the addition of the benefits of digital computing power to just about every aspect of human lives. Within the course of just one generation, Western society has evolved from single-purpose film cameras, photocopiers, closed circuit television, and radio-wave based music broadcast receivers to connected devices sporting the features of all these devices and many more — all within a single device.

Simultaneously, new, advanced computing technology models have emerged, creating tremendous potential for even greater incorporation of technology into daily lives. Offerings that would have been considered unrealistic science fiction just a few years ago have become so totally normal and ubiquitously deployed today that children don’t always believe adults when the latter explain how much the world has changed in recent years. In fact, not only are transformative changes produced by the advent of new technologies continuing to occur on a near constant basis, but the rate at which they arrive and impact human society seems to be constantly accelerating.

While new technologies and resulting digital transformations of the human experience often provide wonderful benefits, they almost always bring along with them great information security risks. In this chapter, you discover some technologies that are rapidly changing the world and how they are impacting cybersecurity. This list of emerging technologies is by no means comprehensive. Technologies constantly evolve and therefore constantly create new information security challenges.

Relying on the Internet of Things

Not that long ago, the only devices that were connected to the Internet were classic computers — desktops, laptops, and servers. Today, however, is a different world.

From smartphones and security cameras to coffeemakers and exercise equipment, electronic devices of all types now have computers embedded within them, and many of these computers are constantly and perpetually connected to the Internet. The Internet of Things (IoT), as the ecosystem of connected devices is commonly known, has been growing exponentially over the past few years.

And, ironically, while consumers see many such connected devices marketed to them in stores and online, the vast majority of IoT devices are actually components of commercial and industrial systems. In fact, some experts even believe that as much as 99 percent of connected nontraditional-computer devices live in commercial and industrial environments. The reliability of utilities, factories and other manufacturing facilities, hospitals, and most other elements of the backbone of today’s economic and social existence depends heavily on having stable, secure technology.

Of course, any and all computing devices — whether classic computers or smart devices of other types — can suffer from vulnerabilities and are potentially hackable, and exploitable for nefarious purposes. Internet-connected cameras, for example, which are designed to allow people to watch homes or businesses from afar, can potentially allow unauthorized hackers to watch the same video feeds. Furthermore, such devices can be commandeered for use in attacking other devices. In fact, in October 2016, the Mirai Botnet attack leveraged many infected IoT devices in unison, and took the popular Dyn DNS service offline. DNS is the system that converts human-readable names for computers into machine-understandable Internet Protocol numeric addresses (IP addresses). As a result of the attack on Dyn, many high-profile websites and services, including Twitter, Netflix, GitHub, and Reddit, suffered de facto outages as people could not reach the sites because the names in the URLs of the sites could not be translated to their proper Internet addresses.

Likewise, IoT creates tremendous potential for serious sabotage. Consider the possible effects of hacking an industrial system involved in the manufacturing of some medical equipment. Could people die if bugs or backdoors were inserted into the code that runs on the computer embedded within the device and were then exploited once the device was in use?

Remember: Hacks undermining systems controlled by connected devices are possible — even when such systems are not connected to the public Internet.

Critical infrastructure risks

One special case of IoT risk involves systems (including control systems) at providers of national critical infrastructure. Ransomware attacks in May 2021, for example, caused both fuel and meat shortages in parts of the United States one after the other, after a fuel pipeline operator and a meat processing company were both independently forced to go offline and temporarily halt operations.

Remember: Hacking is not just about money or data — it can produce tremendous impacts on the human experience, sometimes even killing people.

Could you see hackers demanding ransoms in exchange for not releasing video from people’s home security cameras? Could you see hackers demanding ransoms in exchange for not causing people’s refrigerators to turn off and ruin their food — or even find criminals who turn off fridges when people leave for work and turn them on before the victims return home, causing food to spoil in an effort to poison targeted individuals?

Computers on wheels: modern cars

On that note, consider that today’s cars are highly computerized — digital displays may be the obvious visible sign of changes since the era of manual gauges, but underneath the hood (pun intended), there is far more that is hackable. In fact, modern vehicles have computer systems involved with nearly all of their systems.

Nearly every vehicle made within the past decade is effectively a smart car. And as they become more common, could criminals potentially hack them and cause crashes? Or blackmail people into paying ransoms in exchange for not crashing their cars? Before answering that question, consider that security researchers have demonstrated on more than one occasion how hackers can take control of some vehicles and cause brakes to stop working.

Compound that fact with the increasing availability of various self-driving functions — from cruise control to self-parking to highway self-driving to fully self-driving — all of which are becoming more and more common with the passage of time. What will the level of danger be when fully self-driving cars and self-driving trucks are the norm? It should be pretty clear that the stakes and risks to human life and welfare will only grow as technology advances.

Remember: IoT opens up a world of possibilities. It also dramatically grows the attack surface that criminals can exploit and increases the stakes if cybersecurity is not properly maintained.

Using Cryptocurrencies and Blockchain

A cryptocurrency is a digital asset (sometimes thought of as a digital currency) designed to work as a medium of exchange that uses various aspects of cryptography to control the creation of units, verify the accuracy of transactions, and secure financial transactions.

Modern cryptocurrencies allow parties who do not trust one another to interact and conduct business without the need for a trusted third party. Cryptocurrencies utilize blockchain technology — that is, their transactions are recorded on a distributed ledger whose integrity is protected through the use of multiple techniques that are supposed to ensure that only accurate transactions will be respected by others viewing a copy of the ledger.

Because cryptocurrencies are tracked via lists of transactions in ledgers, there are technically no cryptocurrency wallets. The currency is virtual and not stored anywhere, even electronically. Rather, cryptocurrency owners are the parties who control the various addresses on the ledger that have cryptocurrency associated with them after performing all the transactions to date on the ledger.

For example, if Address 1 has 10 units of a cryptocurrency and Address 2 has 5 units of a cryptocurrency and a transaction is recorded showing that Address 1 sent 1 unit of cryptocurrency to Address 2, the result is that Address 1 has 9 units of cryptocurrency and Address 2 has 6 units of cryptocurrency.

To ensure that only legitimate owners of cryptocurrency can send money from their addresses, cryptocurrencies typically utilize a sophisticated implementation of PKI where every address has its own public-private key pair, with the owner being the only one to possess the private key. Sending cryptocurrency from an address requires the signing of the outgoing transaction with its associated private key.

Because anyone with knowledge of the private key associated with a particular ledger address can steal whatever amount of cryptocurrency is recorded in the ledger as belonging to that address, and because cryptocurrencies are both liquid and difficult to track back to their real-life human or organizational owners, criminals often attempt to steal cryptocurrencies via hacking. If a crook obtains the private key to a cryptocurrency address from someone’s computer, the crook can quickly and easily transfer the victim’s cryptocurrency to another address that the criminal controls. In fact, if the criminal obtains the key in any way, they can steal the cryptocurrency without hacking anything. All the criminal has to do is issue a transaction sending the money to some other address and sign the transaction with the private key.
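The ledger and signing rules described above, as an added example that is not from the book: balances are derived by replaying transactions, and a transfer is accepted only when signed by the key behind the sending address. It assumes Lamport one-time hash-based signatures in place of the elliptic-curve signatures real cryptocurrencies use, so that only Python's standard library is needed; the `Ledger` class, address format and nonce are hypothetical.

```python
import hashlib
import secrets

# Added illustration. Lamport one-time signatures (hash-based) stand in for the
# elliptic-curve signatures real cryptocurrencies use. Each key signs once here.

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def keygen():
    """Private key: 256 pairs of random secrets. Public key: their hashes."""
    priv = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pub = [(H(a), H(b)) for a, b in priv]
    return priv, pub

def digest_bits(msg: bytes):
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def sign(priv, msg: bytes):
    # Reveal one secret per digest bit; only the private-key holder can do this.
    return [priv[i][bit] for i, bit in enumerate(digest_bits(msg))]

def verify(pub, msg: bytes, sig) -> bool:
    return len(sig) == 256 and all(
        H(sig[i]) == pub[i][bit] for i, bit in enumerate(digest_bits(msg)))

def address_of(pub) -> str:
    # Hypothetical address format: truncated hash of the public key.
    return H(b"".join(a + b for a, b in pub)).hex()[:16]

def tx_bytes(sender: str, recipient: str, amount: int, nonce: int) -> bytes:
    return f"{sender}|{recipient}|{amount}|{nonce}".encode()

class Ledger:
    def __init__(self, opening_balances):
        self.opening = dict(opening_balances)
        self.transactions = []  # append-only list of accepted transfers

    def next_nonce(self) -> int:
        # Position of the next entry; signing over it stops replay of old transfers.
        return len(self.transactions)

    def balances(self):
        # No coins are stored anywhere: balances come from replaying the ledger.
        bal = dict(self.opening)
        for sender, recipient, amount in self.transactions:
            bal[sender] -= amount
            bal[recipient] = bal.get(recipient, 0) + amount
        return bal

    def submit(self, sender, recipient, amount, pub, sig) -> bool:
        msg = tx_bytes(sender, recipient, amount, self.next_nonce())
        ok = (address_of(pub) == sender          # key really belongs to the address
              and amount > 0
              and self.balances().get(sender, 0) >= amount
              and verify(pub, msg, sig))         # the only proof of ownership checked
        if ok:
            self.transactions.append((sender, recipient, amount))
        return ok

def demo():
    # Same figures as the text: Address 1 holds 10 units, Address 2 holds 5.
    priv1, pub1 = keygen()
    priv2, pub2 = keygen()
    addr1, addr2 = address_of(pub1), address_of(pub2)
    ledger = Ledger({addr1: 10, addr2: 5})
    msg = tx_bytes(addr1, addr2, 1, ledger.next_nonce())
    forged = ledger.submit(addr1, addr2, 1, pub1, sign(priv2, msg))  # wrong key
    good_sig = sign(priv1, msg)
    signed = ledger.submit(addr1, addr2, 1, pub1, good_sig)
    replayed = ledger.submit(addr1, addr2, 1, pub1, good_sig)       # stale nonce
    bal = ledger.balances()
    return {"forged": forged, "signed": signed, "replayed": replayed,
            "addr1": bal[addr1], "addr2": bal[addr2]}

if __name__ == "__main__":
    print(demo())
```

Note that `submit()` never asks who is calling: a valid signature is the only evidence of ownership the ledger checks, which is why protecting the private key is the whole of protecting the funds.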

Because cryptocurrencies are not managed centrally, even if such a theft is detected, the legitimate owner has little hope of recovering their money. Reversing a transaction would, in most cases, require an unachievable consensus of a majority of operators within the cryptocurrency’s ecosystem and is exceedingly unlikely to happen unless enough cryptocurrency was stolen to undermine the integrity of the entire currency. Even in such cases, the forking of a new cryptocurrency may be required to achieve such a reversal, and many operators will still likely reject the undoing of transactions as being an even greater threat to the integrity of the cryptocurrency than is a major theft.

Besides providing hackers with an easy way to steal money, cryptocurrencies have also facilitated other forms of cybercrimes. Most ransoms demanded by ransomware, for example, are required to be paid in cryptocurrency. In fact, cryptocurrency is the lifeblood of ransomware. Unlike payments made by wire transfer or credit card, smartly made cryptocurrency payments are exceedingly hard to trace back to real life people and are effectively irreversible once a transaction has settled.

Likewise, criminals have the ability to mine cryptocurrency — that is, to perform various complex calculations needed to both settle cryptocurrency transactions and create new units of the cryptocurrency — by stealing processing power from others. Cryptomining malware, for example, surreptitiously commandeers infected computers’ CPU cycles to perform such calculations and, when new units of cryptocurrency are generated, transfers control of them to the criminals operating the malware. Cryptocurrency mining provides a simple way for criminals to monetize their hacking. Hacked computers can thus be used to “print money” without the involvement of victims as is typically needed for many other forms of monetization, such as ransomware.

Criminals have also benefited from the dramatic rise in the value of cryptocurrency. For example, those who accepted Bitcoin as payment for ransomware ransoms several years ago and who did not entirely cash out their cryptocurrency enjoyed amazing returns — sometimes growing their dollar-value holdings by a factor of hundreds or even thousands. Some such criminals likely cashed out a portion of their cryptocurrencies during the market frenzies of the past few years, and may be sitting on small fortunes that they are now investing in creating new cybercrime technologies.

Tip: The blockchain technology that serves as the underlying engine that powers cryptocurrencies also has potential uses within cybersecurity countermeasures. A distributed database may prove to be a better way to store information about backup servers and redundant capabilities than are existing structures because the distributed nature dramatically increases the number of points of failure necessary to take down the entire system. Likewise, distributed defenses against DDoS (distributed denial-of-service) attacks may prove to be both more effective and cost efficient than the present model of using single massive infrastructures to fight such attacks.

Blockchain also offers a way to create transparent records of transactions or of activities — transactions that are viewable by anyone, but not modifiable by anyone, and with only authorized parties able to create appropriate new transactions.

Cloud-Based Applications and Data

A generation ago, people, businesses, and organizations all stored all of their data (or close to it) on their own storage devices located within their own facilities, or on the hard drives of their own laptops. Applications were nearly always run from local machines or from servers located on local networks and were not accessible from other places across the Internet.

The world of computing, however, has changed. Dramatically.

The advent of cloud computing has meant that large amounts of data are stored by third-party providers, and apps are run from servers managed by third parties. Of course, such changes impact cybersecurity in a big way.

Remember: There is no magic “cloud.” When you store data “in the cloud,” you are simply storing it on someone else’s Internet-accessible server.

As data is no longer located strictly “within the castle walls,” but rather, often situated in locations that are totally not under the control of the data’s owners, precautions have to be taken in selecting vendors and in encrypting the data so that the hosting providers themselves (or any hackers that breach such providers) cannot access the data. That said, keep in mind that major providers of cloud storage or popular cloud apps — even if they are known to have suffered from various cybersecurity vulnerabilities and/or breaches — typically secure their operations, apps, and data far better than well over 99 percent of individuals.

When compared with most individuals, major cloud providers provide much better cybersecurity. For example, while Google provides encryption for files stored in Google Drive, Google maintains the decryption keys to such data. But users of Drive can deploy inexpensive apps such as BoxCrypt, Cryptomator, and/or others to provide additional encryption that Google cannot easily undo.

Warning: Contingencies need to be established in case a provider temporarily goes down, or in some cases, even out of business altogether. If you rely on a cloud-based application to read, write, and edit documents, for example, and your locality is expecting a potential Internet-connection-threatening weather event, you should make sure that you have local copies/caches available of any documents that you might need to edit as well as the local version of apps to do so.

Optimizing Artificial Intelligence

“Alexa.”

“Siri.”

“Hey, Google.”

We all know to “whom” these names refer, yet do we really know what artificial intelligence (AI) is? Artificial intelligence, technically speaking, refers to the ability of an electronic system to perceive its environment and take actions that maximize its likelihood of achieving its goals, even without prior knowledge about the specifics of the environment and the situation in which it finds itself.

If that definition sounds complicated, it is. The definition of AI from a practical perspective seems to be a moving target. Concepts and systems that were considered to be forms of AI a decade or two ago — for example facial recognition technologies — are often treated as classic computer systems today. Today, most people use the term artificial intelligence to refer to computer systems that learn — that is, they mimic the way that humans learn from past experiences to take specific courses of action when encountering a new experience. Instead of being preprogrammed to act based on a set of specific rules, artificially intelligent systems look at sets of data to create their own sets of generalized rules and make decisions accordingly. The systems then optimize their own rules as they encounter more data and see the effects of applying their rules to that data.

AI is likely to ultimately transform the human experience at least as much as did the Industrial Revolution. The Industrial Revolution, of course, replaced human muscles with machines — the latter proving to be faster, more accurate, less prone to becoming tired or sick, and less costly than the former. AI is the replacement of human brains with computer thinking — and it will eventually also prove to be much faster, more accurate, and less prone to illness or sleepiness than any biological mind.

The era of AI has several major impacts on cybersecurity:

  • An increased need for cybersecurity
  • The use of AI as a security tool
  • The use of AI as a hacking tool

Increased need for cybersecurity

As artificially intelligent systems become increasingly common, the need for strong cybersecurity grows dramatically. Computer systems can make increasingly important decisions without the involvement of humans, which means that the negative consequences of not adequately securing computer systems could increase dramatically. Imagine if a hospital deployed an artificially intelligent system to analyze medical images and report diagnoses. If such a system or its data were hacked, incorrect reports could occur and cause people to suffer or even die. Unfortunately, such a problem is no longer theoretical (see the nearby sidebar).

Of course, such research represents just the tip of the iceberg. Industrial AI systems can be manipulated to alter products in ways that increase danger, and artificially intelligent transportation technology designed to optimize routes and improve safety could be fed data that increase danger or create unnecessary delays.

Furthermore, because evildoers can undermine the integrity of artificially intelligent systems without hacking the systems but rather by simply introducing hard-to-find small changes into large data sets and because the decisions made by artificially intelligent systems are not based on predefined rules known to the humans who create the system, protecting all elements of such systems becomes critical. Once problems are introduced, humans and machines will likely not be able to find them or even know that something is amiss.

The bottom line is that for AI projects to be successful, they must include heavy-duty cybersecurity.

Use as a cybersecurity tool

One of the biggest challenges facing cybersecurity operations professionals today is that it is practically impossible to dedicate sufficient time to analyze and act on all alerts produced by cybersecurity technologies. One of the first major uses for AI in the realm of cybersecurity is as an agent that helps prioritize alerts. This agent first learns how systems are typically used and what types of activities are anomalous, as well as which old alerts actually indicated serious issues rather than benign activities or minor issues. Future iterations of such artificially intelligent systems will likely involve the AI itself actually acting upon the alerts rather than referring them to humans.

Use as a hacking tool

AI is not just a defensive tool; it can also be a powerful weapon in the hands of attackers. For obvious reasons, I don’t provide details in this book as to how to use AI to launch advanced attacks, but I do discuss several general examples.

AI systems can, for example, be used to scan and analyze other systems in order to find programming errors and configuration mistakes. AI systems may also be used to analyze organization charts, social media, corporate websites, press releases, and so on in order to design — and perhaps even implement — maximally effective social engineering attacks.

AI can also be utilized to undermine authentication systems. For example, a system that is given a recording of a person saying many different things may be able to trick a voice-based authentication system by mimicking the relevant human — even if the authentication system asks the AI to enunciate words for which the AI has no recording of the human speaking.

Remember: The bottom line is that when it comes to the use of AI as a cybersecurity tool, it’s likely a spy-versus-spy battle between cyberattackers and cyberdefenders, with each trying to build better and better AIs so as to defeat one another.

Where Was This Laptop Really Made? Supply Chain Risks

Over the past few years, supply chain risks have emerged in both hardware and software. Supply chain risks refer to the risks that one or more parties along the path of development of an item may modify that item in a way that introduces risks down the line. If a network switch is made by a Chinese manufacturer closely associated with the communist regime in the People’s Republic of China, for example, there may be concerns that someone at the factory loaded malware on the computer’s bootable SSD or hard drive, or inserted a physical “bug” into the device.

Likewise, hackers can — and have — breached systems that provide users with legitimate software updates and added malware to the distribution sets so that people updating their devices inadvertently installed spyware.

While various government agencies have begun to act against some risky manufacturers, the reality remains that chips and other components within nearly all modern computers are sourced from providers operating factories in questionable locations. Likewise, many modern pieces of software include code from libraries written by third parties — and those codebases themselves might include code from other libraries. As such, it is often not simple to determine from where all elements within a device or piece of software originally came, making the challenge of ensuring supply chain security quite complex.

Nothing Is Trustworthy: Zero Trust

Zero trust refers to a security model that has become an increasingly popular approach to information security. Instead of guarding the digital perimeter of an entity through the use, for example, of cybersecurity countermeasures and then trusting computers located within the perimeter, in the case of a zero trust approach, an individual or an organization deems all devices not to be inherently trusted. The same holds true for users — they are not inherently trusted either. Accessing a system from an internal device and a valid account is not enough to prove to the respective system that the request should be honored.

Effectively, zero trust assumes that organizational networks and devices may have been compromised by unauthorized parties, and that legitimate users may be anywhere, so every single request for a resource must be properly authenticated and authorized, regardless of where the request is made or by whom, and regardless of whether the request originated from a human using a device or from a bot or other computer process running on its own.

In addition, in a zero trust model, the default is not to provide authorization for resources. Authorization should only be granted if the party requesting the resource has an actual, legitimate need for that resource.
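A minimal sketch of the decision logic described above, contrasting the perimeter model with zero trust (an added example, not from the book). The token format, `GRANTS` table, principals and IP addresses are constructed for illustration; a real deployment would use an identity provider and expiring credentials.

```python
import hashlib
import hmac
import ipaddress

SIGNING_KEY = b"constructed-demo-key"   # constructed value for the example
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")

# Explicit grants only: (principal, resource) -> permitted actions.
# Anything not listed is denied by default. Principals may be people or bots.
GRANTS = {
    ("alice", "payroll-db"): {"read"},
    ("backup-bot", "payroll-db"): {"read"},
}

def _mac(principal: str) -> str:
    return hmac.new(SIGNING_KEY, principal.encode(), hashlib.sha256).hexdigest()

def issue_token(principal: str) -> str:
    return f"{principal}.{_mac(principal)}"

def authenticate(token: str):
    """Return the principal named in a validly signed token, else None."""
    principal, _, mac = token.rpartition(".")
    if principal and hmac.compare_digest(mac.encode(), _mac(principal).encode()):
        return principal
    return None

def perimeter_decision(req) -> bool:
    # Old model: a request from inside the network is trusted as-is.
    return ipaddress.ip_address(req["source_ip"]) in INTERNAL_NET

def zero_trust_decision(req) -> bool:
    # Source network is deliberately ignored; every request must prove identity
    # and match an explicit grant.
    principal = authenticate(req.get("token", ""))
    if principal is None:
        return False
    return req["action"] in GRANTS.get((principal, req["resource"]), set())

def _req(name, ip, token, action):
    return {"name": name, "source_ip": ip, "token": token,
            "resource": "payroll-db", "action": action}

# Constructed sample requests.
REQUESTS = [
    _req("internal host, no credentials", "10.1.2.3", "", "read"),
    _req("remote alice, read", "203.0.113.7", issue_token("alice"), "read"),
    _req("internal alice, write", "10.1.2.4", issue_token("alice"), "write"),
    _req("internal bot, read", "10.9.9.9", issue_token("backup-bot"), "read"),
    _req("internal host, forged token", "10.1.2.5", "alice." + "0" * 64, "read"),
    _req("remote contractor, no grant", "198.51.100.9", issue_token("contractor"), "read"),
]

def evaluate(requests=REQUESTS):
    """Map request name -> (perimeter model allows?, zero trust allows?)."""
    return {r["name"]: (perimeter_decision(r), zero_trust_decision(r))
            for r in requests}

if __name__ == "__main__":
    for name, (perimeter, zero_trust) in evaluate().items():
        print(f"{name:32} perimeter={perimeter!s:5} zero_trust={zero_trust}")
```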

The zero trust model has become increasingly popular as technological and societal changes, such as cloud computing, remote workforces, supply chain risks, the proliferation of BYOD (bring your own device), modern cyberattack techniques, and vulnerabilities in IoT devices, have rendered impotent the old model of fortifying the perimeter. Today, there simply rarely is any true, well-defined perimeter.

Genius Computers Are Coming: Quantum Supremacy

While today’s encryption algorithms seem quite powerful, most are in danger of soon becoming impotent. In fact, nearly every piece of data that is presently protected through the use of encryption may become vulnerable as quantum computers advance and become more prevalent.

Quantum computers are devices that leverage advanced physics to perform computing functions in ways that are simply not achievable using the types of electronic computers with which we are all familiar. Quantum physics is not a simple matter, and the details of how quantum computers physically work are way beyond the scope of this book.

For our purposes, think of quantum computers as machines that are able to leverage advanced physics in order to create huge multi-dimensional representations of data that the devices can then instantly analyze simultaneously in order to find desired values within the massive representations, rather than by evaluating possible options one by one as do today’s computers. Instead of spending years trying every possible decryption key one by one, quantum computers will soon be sufficiently advanced as to be able to simultaneously look for a working decryption key within an astronomical number of possibilities.

How fast can quantum devices perform advanced math requiring the analysis of immense amounts of data? Google’s early-generation quantum computer, Sycamore, recently performed a complex mathematical calculation in 200 seconds that various groups of experts estimate would have taken the world’s then most powerful classic supercomputer, IBM Summit, somewhere between several days and 10,000 years to complete. That’s 200 seconds for an early version of a quantum computer versus days, years, or centuries for the world’s most powerful supercomputer.

Quantum computers may transform brute-force attempts at cracking encryption from processes that can take many lifetimes to perform into yielding instant results.

To address this risk, quantum-safe encryption algorithms are being developed, but deployment will take time and money, as there is so much to replace and upgrade. And, even that won’t fully solve the problem.

Remember: It is not just data created in the future that is at risk. Any data backups or communication sessions conducted across the Internet that have been captured by unauthorized parties and stored could be exposed in the future if the sole protection that they benefit from now is encryption.

Experiencing Virtual Reality

Virtual reality refers to an experience taking place within a computer-generated reality rather than within the real world. Current virtual reality (VR) technology typically requires users to wear some sort of headset that displays images to the user and that blocks the user’s vision of the real world. (In some cases, in lieu of wearing a headset, a user enters a special room equipped with a projector or multiple projectors, which achieves a similar effect.) Those images, combined with sounds and, in some cases, physical movements and other human-sensible experiences, cause the user to experience the virtual environment as if they were actually physically present in it. A person using VR equipment can usually move, look, and interact with the virtual world.

VR typically incorporates at least visual and audio components, but may also deliver vibrations and other sensory experiences. Even without additional sensory information, a human may experience sensations because the human brain often interprets what it sees and hears in a virtual environment as if it were real. For example, people riding a roller coaster in a virtual environment may feel their stomachs drop when the roller coaster makes a sharp drop, even though, in reality, they are not moving.

Immersive virtual environments can be similar to or completely different from what a person would experience in the real world. Popular applications of VR already include tourism (for example, walking through an art museum without actually being there), entertainment (first-person vantage point gaming), and educational purposes (virtual dissection).

VR systems, of course, are computer-based and, as a result, have many of the same security issues as other computer-based systems. But virtual reality also introduces many new security and privacy concerns:

  • Can someone hack VR ecosystems and launch visual attacks that trigger seizures or headaches? (Flashing strobe lights in various cartoons and other displays have been known to cause seizures.)
  • Can others make decisions about your physical abilities based on your performance in VR applications? Can governments, for example, refuse to issue drivers’ licenses to people who perform poorly in VR driving games? Can auto insurance companies surreptitiously gather data about people’s driving habits in the VR world and use it to selectively raise rates?
  • Can hackers digitally vandalize a virtual environment — substituting obscene content for art, for example, in a museum offering virtual tours?
  • Can hackers impersonate an authority figure, such as a teacher in a virtual classroom, by creating an avatar that looks similar to one used by that person and thereby trick other users into taking harmful actions (for example, by asking people for the answers to their tests, which the crooks then steal and pass off as their own to the real teacher)?
  • Likewise, can hackers impersonate a coworker or family member and thereby obtain and abuse sensitive information?
  • Can hackers modify virtual worlds in ways that earn them money in the real world — for example, by adding tolls to enter various places?
  • Can hackers steal virtual currency used in various virtual worlds?
  • Can hackers usurp control over a user’s experience to see what they experience or even to modify it?

In theory, when it comes to new risks created by virtual reality, I can compile a list that would take up an entire book — and time will certainly tell which risks emerge as real-world problems.

Transforming Experiences with Augmented Reality

Augmented reality refers to technology in which computer-generated images, sounds, smells, movements, and/or other sensory material are superimposed onto a user’s experience of the real world, transforming the user’s experience into a composite of both actual and artificial elements. Augmented reality (AR) technology can both add elements to a user’s experience — for example, showing a user the name of a person above the person’s head as that individual approaches the user — as well as remove or mask elements, such as converting Nazi flags into black rectangles with the words “Defeat hate” written on them.

AR is likely to become a major part of modern life over the next decade. It will introduce many of the risks that virtual reality does, as well as risks associated with the merging of real and virtual worlds, such as configuring systems to improperly associate various elements in the real world with virtual data.

As with all emerging technologies, time will tell. If you decide to invest in AR or VR technology, be sure to understand any relevant security issues.
