Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Mobile Vulnerabilities

  • Zero-Day Alerts

  • Recent Posts

  • Calendar

    September 2015
    S M T W T F S
    « Aug    
  • Email Subscription

  • About Us

    Author Archive - David Sancho (Senior Threat Researcher)


    We’re back to look inside the crystal ball of future technologies. This is the third post of the “FuTuRology” project, a blog series where the Trend Micro Forward-Looking Threat Research (FTR) team predicts the future of popular technologies.

    In the last two installments of this series, we introduced our future technology threat landscape project and started to paint a picture of how the healthcare industry might look like in a few years.

    Part I: A Look at Impending Threats to Popular Technologies

    Part II: Wearables and Smart Medical Devices, Gears for a Data-Driven Healthcare Future

    Today, the plan is to speculate over other healthcare technologies that are further out into the future and could provide opportunities for attackers and threats to healthcare users.

    • 3D Scanning and Printing 
      This technology is quickly becoming mainstream as hardware keeps getting cheaper every year. It might get to a point where an accurate enough scanning of limbs and body anatomy should enable physicians to 3D-print personalized prosthetics, from body casts for temporary immobilization to limb replacement for a more permanent treatment. We’re talking about the possible birth of customized bionics at a massive scale.The current generation has seen the repercussion of sharing intimate pictures with others over the internet. Should 3D scanning become more available, scanned files would be as much the targets of blackmail and extortion by cybercriminals as 2D photos of today.
    • Lab-on-a-Chip Drugs 
      More cool stuff in the future of this exciting field? How about the so-called “incredible shrinking laboratory” or lab-on-a-chip drugs? These are pills or patches that can deliver the right dosage of medicine needed automatically. This is possibly based on body parameters taken from an external sensor or cloud-based algorithmic diagnosis. It looks like the patient needs 10 milligram of this particular drug mixture? Coming right up!

      Varying drug composition and dosage has its technological difficulties, I’m sure of that. Once these are overcome and we have such a device in the market, an attacker’s interception of those drug parameters might be fatal. Even delaying drug delivery could be bad enough.  This can possibly be the ultimate, pay-or-die ransomware of the future. Denial of health service, anyone?
    • Smart Clothing 
      We’re not only talking about t-shirts with fitness sensors and gimmicks – there have been attempts at those lately – but there’s a wider spectrum of things that could be coming in the future. How about exoskeletons? No, we’re not going to get adamantium bones or retractable claws anytime soon. We’re talking about devices that can help impaired bodies to move thanks to servo motors for enabling people with muscle atrophy or paralysis to perform physical activities.Sounds too out there? These have already been explored for military use to help individuals to carry more weight or absorb more impact in the battlefield. As 3D scanning and printing devices advance and become cheaper, they could accommodate more therapeutic uses for more mundane illnesses.Sport enthusiasts, especially those in extreme sports, can use smart clothing as protective gear. Now that’s something I wouldn’t mind trying myself.
    • Robotic Caregiving 
      Speaking of robots or looking like one with an exoskeleton fitted on your body, we might also see more of robotic caregiving soon. Robots as assistants to nursing staff is not unthinkable. Medical practice equipments are becoming increasingly robotic in nature as the high productivity of using them justifies the investment. This opens the door for robotic surgery for those highly automated operations where the surgeon can give the exact instructions and the machine can execute them exactly as programmed. These are already being used in some fields but can become commonplace as the technology becomes more accurate and affordable.In theory a hacker could access the robot leading to physical harm, but in real life, that’s not likely to happen – and is more the realm of science fiction. For the amount of work involved in getting into the network, reversing the firmware, and controlling the robot, it is easier to inflict harm using traditional real-world means.This ties in nicely with the subject of IoT (Internet of Things) hacking or internet-connected device hacking. The idea is that anything with an online connection can be attacked. Again, the likelihood of being a target is directly related to the kind of device we’re talking about. I won’t go into detail but, whether the attack is likely or not, devices that involve a higher risk obviously need more defense. An internet-connected car needs more protection than an internet-connected toaster. The same goes for any medical device that is physically connected to or directly affects a human body.
    • Data Visualization and Analysis 
      With the latest advances in this field, doctors might be able to visualize 3D scans coming from magnetic resonance imaging (MRI) or X-ray computed tomography (X-ray CT) scans through augmented reality superimposed on the patient’s imaging data. Visualization technology similar to the Oculus Rift can be used to enter the patient’s innards, fully understand their state, give a more accurate diagnosis, get a closer look at the data, and plan for an important surgical procedure. I don’t know if I should be happy for those doctors or scared at the prospect.

    It is clear that the current state and evolution of technology will give new toys to all human fields. Healthcare is no exception. However, added risks make this industry more prone to attacks and life-threatening repercussions. Healthcare technologies need to be thought of in advance. Developers need to build in some level of security from the get-go because, in this case, even a casual or accidental screw up can be crippling, literally.


    Posted in Internet of Things |

    Crystal-01This is the second post in the “FuTuRology” project, a blog series where the Trend Micro Forward-Looking Threat Research (FTR) team predicts the future of popular technologies. Make sure to check the first entry of the series for a brief introduction on the project.

    Predicting the future sucks. It does because we are never right. If what we say does not come to pass, we look bad. On the other hand, if what we say happens, naysayers will say that it’s because the attackers read the blog too and we gave them ideas—the self-fulfilling prophecy.  We’re damned if we do and damned if we don’t. That is how it is for infosec fortune tellers.

    Today’s topic is very exciting: healthcare technology.

    Let me start by mentioning a technology we have at present: fitness wearables. These little devices are already in mass production and selling like hotcakes, just look at vendors like Fitbit or Jawbone®. Last February’s Mobile World Congress at Barcelona saw us trying out device after device in all kinds of flavors. Some vendors were already aiming at niche markets, like pets and children, but don’t let me stray from the topic at hand. These wearables, when strapped on our bodies, can count the steps we take and our heartbeats per minute, then estimate the calories we burn. Their companion mobile apps let us log weight changes and our food intakes to better estimate our calories and compare how much we are over/under-eating. All this information is uploaded to the vendor’s cloud so they can show us pretty colored graphs. So far, so good.

    Let us look at the near future. Judging by some crowdfunded projects and rising public interest, something big is coming soon. I’m talking about devices that measure health parameters at will and upload data to the vendor’s cloud. What kinds of data? There’s body temperature, blood pressure, blood oxygen levels, heart rate, respiratory rate, electrocardiogram (EKG or ECG), and others like them. Once the data is uploaded, the server algorithmically analyzes whether those values are normal or a bit off based on your personal historical data. This technology promises to know whether you’re going to become sick before you actually do or even notice that you might. Awesome tech!

    The similarities between fitness wearables and smart medical devices are pretty obvious. Will we see an amalgamation of both at some point in the future on the same device? It’s hard to say but it’s probable. I’d venture to say it’s even more likely that we’d see health data correlation at a scale never seen before. From the medical point of view, mining both data sets is huge. The fitness data provides us the actions, while the medical data provides the effects. Does a higher intake of bananas start a metabolic effect that makes us sick after two months? Does this only happen in certain regions? Or perhaps only in populations of a certain age? Even simpler than that, when does a flu outbreak start in the world and how does its impact change based on your activity level? How cool is this?

    Once we have this technology implemented on a massive scale, we can use it for different things too. How about enabling remote doctor house calls, where the doctor can triage patients based on their current medical data? This could lower medical costs quite a bit. Perhaps we can use these doctor visits in remote locations in case someone can’t physically make it in time for the diagnosis. More interesting than that, outbreak specialists can virtually be anywhere in the world, taking body measurements remotely and studying the geographical impact of a spreading disease from their home laboratories.

    Affordable DNA sequencing is another healthcare technology that might have great impact on all of us in the future. When the cost of this technology gets low enough, we can all get tested to see what kinds of illnesses we are prone to. We may also prepare by making lifestyle and dietary changes to avoid them. This can be a big change in the healthcare field.

    I’ll let you, the reader, create attack scenarios for each of those. Possible attack vectors don’t always focus on stealing money or credentials (to enable the much-touted ‘identity theft’ or even user extortion) from users. The most likely kinds of threats we expect to see – at least initially – would be focused on privacy. If we start uploading medical data to the cloud, we upload very confidential information to places we do not control. Privacy is clearly a concern as would be any denial of service (DDoS) attack on remote medical services or data tampering of medical diagnosis at any point.

    It’s difficult to be more concrete than this at this point or we run the risk of plotting a science-fiction movie very quickly. Remember that, in any new technology with a lot of moving pieces, poking the engine with a stick will cause gears to fly. These technologies are still in the works and are not even remotely ready yet. At this point, these future healthcare scenarios are purely hypothetical, but still, the intellectual exercise of attacking castles in the air is always interesting, isn’t it?

    Posted in Internet of Things |

    Crystal-01How do you think will the threat landscape evolve in the next two years? Three years?

    One of the most exciting aspects of belonging to a research group like the Trend Micro Forward-Looking Threat Research (FTR) team is practicing the intellectual exercise that is predicting the future. We can’t know what will happen but, with the data we have in hand, we can make educated guesses. We can predict the future. This intellectual exercise is what we refer to as the “FuTuRology” project.

    “FuTuRology” started as a thought exercise that tries to tackle the future of the healthcare industry and how it might evolve to be susceptible to attacks. We realize that this exercise can also be applied to other critical industries like transportation, science and technology, agriculture, and more.

    This is the first in a series of “Futurology” blog posts tackling the business of predicting threats in popular technologies. We will go deeper into the healthcare subject in our next entry but today we will focus on the prediction business.

    Sounds good? Let’s go for it.

    Prediction and “Black Swans”

    To predict future attacks, we need to know how existing technologies are going to evolve. We know that the bad guys will go wherever the users are. In the Trend Micro security predictions for 2015 and beyond, for instance, we predicted how cybercriminals will uncover more mobile vulnerabilities based on their present interest in the platform. Halfway into the year and this has proven to be true with the emergence of the Samsung SwiftKey, Apache Cordova, and other vulnerabilities.

    We have lots of hints and clues as to what is happening in the information security world, but sometimes, “black swans” manage to surprise us. By definition ‘black swans’ are unpredictable events so groundbreaking that, when they happen, cause an unexpected quake in our particular framing of the world and shake its very intellectual foundations. Black swans happen every now and again and make us think—uselessly—how we could have predicted they were going to happen (hint: we couldn’t have).

    Let me give you some examples. There are the zero-day vulnerability worm attacks that plagued the net in 2003. We had known about vulnerability exploitation for many years before then but we still were surprised by Blaster in August 2003. How about the motivation shift from home-brewed academic viruses to professional crimeware back in 2001 and 2002? We could have predicted it. One could argue that we should have predicted it and yet, we were all caught by surprise by the new paradigm.

    A Closer Look at Motivations

    Speaking of motivations, it’s a basic fact that defense follows attack. We need to look at attackers and their motivations in order to guess what their next steps will be. These have been fairly stable since 2001 and 2002; it’s mostly cybercriminals trying to make a quick buck from innocent internet users. This is pretty obvious, but we need to look a bit further out. In order to make money, cyber thieves have secondary goals and that’s what we have to look for when trying to predict the future of the threat landscape.

    • Abstract Assets 
      Cybercriminals mostly target user credentials but they also aim at other resources they can get their hands on, such as processing power, bandwidth, stored data, etc. Taking those abstract assets as possible criminal targets allows us to consider new attack avenues we haven’t even seen yet. How about targeting specifically the victim computer’s processing power? We have seen this happen with Bitcoin mining but there are more possibilities, from crowdsourced brute-force decryption services to prime-number derivation at a massive scale or even selling computing power as a service. These are just examples, of course.
    • Hacktivism 
      And all this is for moneymaking attackers but we have also hacktivists (seeking destruction for political reasons or ethical disagreements) and attacks between organizations (trying to get a strategic or tactical advantage over their perceived enemies). In these two cases we have cyber-terrorism and cyber-war – as the media likes to call them.
    • Undefined 
      In addition to those, there are all sorts of motivations that aren’t so clear-cut. We’ve seen journalists using hacking techniques to get their stories, politicians attacking their opponents’ infrastructures and ruling political parties polluting the twitter feeds of their political opposition. In short, monitoring attackers’ motivation drivers is a prediction field on its own.

    The Future of InfoSec

    The current attitude is worrying in that hacking seems to be viewed now as fair game. The moment that malware-writing becomes mainstream and not just underground merchandise, we can expect a new trend of malware attacks with all sorts of new adversaries playing this increasingly-muddled game. Then, predicting where the next threat might be coming from will become much more important.

    Isn’t this exciting or what?

    With “black swans” and motivations in mind, we will keep looking inside our particular crystal ball to predict the future of technologies and how they will be attacked. For the next blog post, we will look into the future of the healthcare industry and how it might evolve to be susceptible to attacks.

    Posted in Internet of Things |

    End-of-life fun times are coming to infosec departments everywhere—again.

    Just a year after the announcement of Windows XP’s end-of-life, we see another body in the OS graveyard: Windows Server 2003. After July 14th, servers running this venerable OS will no longer be receiving any more security updates. This would leave you out in the cold pretty soon, given the speed that new vulnerabilities are being published lately.

    Who’d want to be in such a position? According to a survey conducted by Spiceworks, 37% of the companies surveyed hadn’t migrated to a newer OS. Looking further into this statistic reveals a scarier side: of those companies, 8% had no plans to migrate at all and 1% did not know anything about plans for migration. The majority of the companies (48%) were partially migrated; only 15% have fully migrated.

    From those companies which were looking to finish their transitions, 25% planned to finish it at some point after July 14th. This includes another group that planned to complete their migration “at some point.” From a security standpoint, these are not the answers we were hoping for.

    The most common reason given for delaying migration was that “the system is still working or there’s no immediate need to migrate.” But organizations need to wake up to the fact that most attackers are not interested in their companies per se (although some of them probably are). Most cyber attackers try to get the lowest-hanging fruit by means of the least effort massive attacks, and guess what? Your fruit will be hanging much lower if you still have an ancient, out-of-support OS after July 14th. Our primer, Pulling the Plug on Windows Server 2003: Can You Still Manage Your Legacy Systems?, discusses the risks of discontinued support.

    Unlike migrating from Windows XP, migrating from Windows Server 2003 can be more challenging because we’re talking about servers this time, which means computers that cannot be easily be rebooted or turned off (let alone be down for a significant amount of upgrade time). Old server-side applications might not have been tested with more modern operating systems and upgrade might not be possible at all. However, we do recommend upgrading or moving to a virtual environment whenever it’s possible.

    The survey also had some bright spots. A significant percent of those migrations would go to virtualized environments, which are more easily defendable. The added layer called the hypervisor (the host OS in the virtual environment) can act as a moat against threats.

    So do we encourage companies to accelerate the rate of their migrations to newer server OSs? Yes, definitely! Would you want to be exposed to the new vulnerability of the day? We bet it will come shortly after July 15th. If you have trouble to stick to that timeline, sort those problems out as soon as possible. If the survey is any indication, most companies already have the licenses/cloud providers lined up; most mention it’s a matter of time or budget constraints. This is the classical security conundrum: more security or more convenience/cheaper/faster things? Bear in mind that convenience/price/speed can be quickly offset by a bad breach or attack. In my opinion, the decision is crystal clear.

    The Vulnerability Protection in our Smart Protection Suites can provide defense against exploits, although we still strongly recommend migration to minimize the attack surface. Companies worried about the costs and operational issues when it comes to emergency patches and system downtime can get immediate protection with the help of virtual patching technologies, such as the solutions found in Trend Micro Deep Security. Virtual patching minimizes exposure gaps, protecting users of Windows Server 2003 from exploits as they migrate to a newer platform.

    Read more about how virtual patching helps companies dodge compromise in our infographic, “Dodging a Compromise: A Peek at Exposure Gaps.”


    The past week has seen some interesting news in the world of online security. First, the US government announced that all websites maintained by federal agencies must be using HTTPS by the end of 2016. Second, the Wikimedia Foundation (best known for Wikipedia) announced that they, too, were rolling out mandatory HTTPS for their own sites as well, with full completion expected “within a couple of weeks”.

    With large organizations moving to full-time HTTPS, and browser vendors pushing for it as well (Mozilla has gone on record that eventually, new features will only be for sites running HTTPS), is it time for smaller site owners to make the move as well? Should end users pressure their favorite sites to adopt HTTPS? Will it really help online security?

    The short answer is yes. Site owners should strongly consider enabling HTTPS for their sites. It’s been clear to many people that in the long run, meaningful adoption of HTTPS would increase the security of the Web. Web giants such as Google and Mozilla, plus international bodies like the Internet Engineering Task Force (IETF) and the World Wide Web Consortium (W3C) have all spoken out in favor of this. Sites that are being set up now should use HTTPS from the start. That’s the direction the web is going today, and a site that’s being set up now should be built with the safety and privacy of its users in mind. For existing sites, enabling HTTPS as soon as is practical is something that owners should strongly consider, especially if sensitive data is being handled.

    Another thing to consider for website administrators is that in the long run, search engines may make HTTPS usage part of their ranking algorithms. Google is already doing just that. While for now it’s not a particularly significant “signal”, down the road that could change. It’s a good idea for site owners to get ahead of the curve and move their users to a more secure and private web.

    HTTPS: A Good Start

    It is important to note that while the mandate to adopt HTTPS is a very important step to improve online security, the effort should not stop there. HTTPS is definitely an improvement, but it is not perfect and is far from a cure-all when it comes to online security.

    Think of it as the equivalent of sending a letter in a secure container; a safe, for instance. An attacker could replace the entire container by their very secure but fake safe, steal the letter after it’s opened (steal the decrypted data from the user’s own machine), or send the user a very secure safe with a bomb inside (direct the user to a malicious  site through a secure channel).  HTTPS deals with the issue of security “in transit”, i.e., while the data is being sent across the Internet. It doesn’t solve other problems with online security, and was never meant to.

    These developments to make HTTPS implementation a norm on the Web is definitely a step into the right direction and it is crucial for website owners to follow suit.


    Posted in Social |


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice