Naked Security 33 1/3 – Cybersecurity predictions for 2023 and beyond

Credit to Author: Paul Ducklin| Date: Fri, 30 Dec 2022 17:59:23 +0000

It’s the last regular working weekday of 2022 (in the UK and the US, at least), in the unsurprisingly relaxed and vacationistic gap between Christmas and New Year…

…so you were probably expecting us to come up either with a Coolest Stories Of The Year In Review listicle, or with a What You Simply Must Know About Next Year (Based On The Coolest Stories Of The Year) thinly-disguised-as-not-a-listicle listicle.

After all, even technical writers like to glide into holiday mode at this time of year (or so we have been told), and nothing is quite as relaxed and vacationistic as putting old wine into new skins, mixing a few metaphors, and gilding a couple of lilies.

So we decided to do something almost, but not quite, entirely unlike that.

Those who cannot remember history…

We are, indeed, going to look forward by gazing back, but – as you might have guessed from the headline – we’re going to go further back than New Year’s Day 2022.

In truth, that mention of 33 1/3 is neither strictly accurate nor specifically a tribute to the late Lieutenant-Sergeant Frank Drebbin, because that headline number should, by rights, have been somewhere between 34.16 and 34.19, depending on how you fractionalise years.

We’d better explain.

Our historical reference here goes back to 1988-11-02, which anyone who has studied the early history of computer viruses and other malware will know, was the day that the dramatic Internet Worm kicked off.

This infamous computer virus was written by one Robert Morris, then a student at Cornell, whose father, who also just happened to be called Robert Morris, was a cryptographer at the US National Security Agency (NSA).

You can only imagine the watercooler gossip at the NSA on the day after the worm broke out.

In case you’re wondering what the legal system thought of malware back then, and whether releasing computer viruses into the wild has ever been considered helpful, ethical, useful, thoughtful or lawful… Morris Jr. ended up on probation for three years, doing 400 hours of community service, and paying a fine of just over $10,000 – apparently the first person in the US convicted under the Computer Fraud and Abuse Act.

The Morris Worm is therefore within a year of 33 1/33 years old…

…and so, because 34.1836 common years is close enough to 33 1/3, and because we rather like the number 33 1/3, apparently a marketing-friendly choice of rotational speed for long-playing gramophone records nearly a century ago, that is the number we chose to sneak into the headline.

Not 33, not 34, and not the acutely factorisable and computer-friendly 32, but 33 1/3 = 100/3.

That’s a delightfully simple and precise rational fraction that, annoyingly, has no exact representation either in decimal or in binary. (1/3 = 0.333…10 = 0.010101…2)

Predicting the future

But we’re not really here to learn about the frustrations of floating point arithmetic, or that there are unexceptionable, human-friendly numbers that your computer’s CPUs can’t directly represent.

We said we’d make some cybersecurity predictions, so here goes.

We’re going to predict that in 2023 we will, collectively, continue to suffer from the same sort of cybersecurity trouble that was shouted from the rooftops more than 100010.010101…2 years ago by that alarming, fast-spreading Morris Worm.

Morris’s worm had three primary self-replication mechanisms that relied on three common coding and system administration blunders.

You might not be surprised to find out that they can be briefly summarised as follows:

  • Memory mismanagement. Morris exploited a buffer overflow vulnerability in a popular-at-the-time system network service, and achieved RCE (remote code execution).
  • Poor password choice. Morris used a so-called dictionary attack to guess likely login passwords. He didn’t need to guess everyone’s password – just cracking someone’s would do.
  • Unpatched systems. Morris probed for email servers that had been set up insecurely, but never subsequently updated to remove the dangerous remote code execution hole he abused.

Sound familiar?

What we can infer from this is that we don’t need a slew of new cybersecurity predictions for 2023 in order to have a really good idea of where to start.

In other words: we mustn’t lose sight of the basics in a scramble to sort out only specific and shiny new security issues.

Sadly, those shiny new issues are important, too, but we’re also still stuck with the cybersecurity sins of the past, and we probably will be for at least another 16 2/3 years, or even longer.

What to do?

The good news is that we’re getting better and better at dealing with many of those old-school problems.

For example, we’re learning to use safer programming practices and safer programming languages, as well as to cocoon our running code in better behaviour-blocking sandboxes to make buffer overflows harder to exploit.

We’re learning to us password managers (though they have brought intriguing issues of the their own) and alternative identity verification technologies as well or instead of relying on simple words that we hope no one will predict or guess.

And we’re not just getting patches faster from vendors (responsible ones, at least – the joke that the S in IoT stands for Security still seems to have plenty of life in it yet), but also showing ourselves willing to apply patches and updates more quickly.

We’re also embracing TLAs such as XDR and MDR (extended and managed detection and response respectively) more vigorously, meaning that we’re accepting that dealing with cyberattacks isn’t just about finding malware and removing it as needed.

These days, we’re much more inclined than we were a few years ago to invest time not only for looking out for known bad stuff that needs fixing, but also for ensuring that the good stuff that’s supposed to be there actually is, and that’s it’s still doing something useful.

We’re also taking more time to seek out potentially bad stuff proactively, instead of waiting until the proverbial alerts pop automatically into our cybersecurity dashboards.

For a fantastic overview both of cybercrime prevention and incident response, why not listen to our latest holiday season podcasts, where our experts liberally share both their knowledge and their advice:

Click-and-drag on the soundwaves below to skip to any point. You can also listen directly on Soundcloud.

Click-and-drag on the soundwaves below to skip to any point. You can also listen directly on Soundcloud.

Thanks for your support of the Naked Security community in 2022, and please accept our best wishes for a malware-free 2023!


http://feeds.feedburner.com/NakedSecurity

Leave a Reply