Hot Hacker Targets in 2016: Fantasy Sports, Professional Services

As 2016 approaches, it’s time to get the crystal ball out and predict next year’s cybersecurity trends.

Here are some predictions from security pros TechNewsWorld interviewed.

Fantasy Sports Sites Will Be Hacked

Fantasy sports sites like DraftKings and FanDuel in 2015 caught the attention of states’ attorneys general, who wanted to treat the outfits asgambling enterprises. In 2016, the sites will get attention from another quarter: hackers.

“One of the very rich targets we can imagine being attacked in 2016 are the fantasy sports companies,” said Stephen Newman, CTO of Damballa.

“They’ve got a lot of personal information — credit card numbers, addresses, email addresses — and they’re moving a lot of dollars around in betting,” he told TechNewsWorld.

“Americans are spending $15 billion in fantasy sports today. That’s a huge amount,” Newman noted.

“What a rich target they would be to hit and make a statement,” he added.

Ransomeware Will Target Professional Services Firms

Ransomware — in which an extortionist scrambles the data on a computer and demands a payment to unscramble it — increased in popularity in 2015, and that’s expected to continue in 2016, but with a twist.

“We’re already seeing architectural firms and law firms having their systems compromised with ransomware, but those compromises haven’t been made public because they don’t include consumer data,” said Craig Spiezle, executive director of theOnline Trust Alliance.

“If you think of the value of the intellectual property of an engineering or architectural firm, having their systems shut down would have a huge impact on their business,” he told TechNewsWorld.

“So I think we’re going to see a shift from the traditional retail environment to professional services where the intellectual property and data have a higher net worth,” Spiezle continued.

“Instead of dealing with credit card numbers worth $10 to $20 on the cybercrime market, criminals are going to be extorting hundreds of thousands of dollars from companies who don’t want their business disrupted or their intellectual property compromised,” he said.

Targeting of Cloud Brokers Will Increase

Cloud brokers sit between cloud service providers and their customers. Their place in the cloud infrastructure makes them a ripe target, one that will get more attention from hackers in 2016.

“We’re going to see more enterprises utilizing brokers, and in turn, you’re going to see more focus from the bad guys on compromising these brokers instead of individual apps or individual devices,” said IBM Security Officer David Lingenfelter.

“Instead of focusing on an endpoint, they’ll be focusing on a choke point where all the devices have to go through,” he told TechNewsWorld.

A Significant Theft of Healthcare Data From a Wearable Device Will Occur

The use of wearable devices that collect health information from their owners grew in 2015, and that will make them a target for data thieves in 2016.

“I expect we’ll see the first cases where personally identifiable information about healthcare-specifc data will be stolen,” said Rohit Gupta, CEO ofPalerra.

There has been a “vast proliferation of wearables like Fitbit and the Apple Watch. These are all devices that connect to the Internet, and they carry information like heart rates and all sorts of PHI data. That is the kind information that is likely to be compromised,” he told TechNewsWorld.

“2015 was the year that wearable usage started increasing,” Gupta said. “2016 is the year wearables will see the first levels of compromise.”

Cyberinsurance Will Become a Must-Have for Businesses

As data breaches become routine events, businesses will begin looking to insurance to help mitigate risk.

“2016 will be a very important year for cyberinsurance,” said Richard Ford, a principal engineering fellow atRaytheon | Websense.

“Cyberinsurance will move much more into the mainstream and become a must-have,” he told TechNewsWorld.

“You’re going to see rapid adoption in 2016,” said Stephen Boyer, CTO ofBitSight Technologies.

“It won’t be as common as general liability insurance, but boards are asking for these types of policies,” he told TechNewsWorld.

Hacker Attacks Will Increase Use of SSL

Encryption can keep online transactions secure, but it also can be used to mask criminal activity. That activity will increase in 2016 as the amount of traffic using SSL encryption increases.

“Today, about a third to a half of all traffic is encrypted. Next year, it will become two-thirds of all traffic,” said Kasey Cross, senior product marketing manager atA10 Networks.

“This will become a major area of vulnerability next year,” she told TechNewsWorld. “With two-thirds of traffic encrypted, hackers are going to leverage this avenue of attack even more than they have this year.”

Not only will increased encrypted traffic attract hackers’ attention, so will changes in certificate requirements. “With new initiatives like Let’s Encrypt, it’s becoming easier for anyone — including hackers — to increase their own SSL certificates,” Cross said.

Developers May Deliberately Introduce Zero-Day Vulnerabilities

As the price for zero-day vulnerabilities prices jumps to six to seven figures, some developers will deliberately insert bugs into major vendors’ code so that a friend can claim the bug bounty and split the reward.

The economics aren’t quite there in the United States. It wouldn’t make sense for a programmer making a six-figure annual salary to risk losing that for a share of a six-figure bug bounty. However, companies that outsource development of key products to countries where developers are paid less are already at risk for this type of deception.

“If you’re a programmer in India making $20,000, $25,000 a year, a six-figure bounty can be an awful lot of money,” said Andrew Conway, a threat researcher atCloudmark.

“There’s got to be the temptation day to sneak in a zero day and tell your friend about it and split the bounty with him,” he told TechNewsWorld.

Breach Diary

• Dec. 7. Missoula County Public Schools in Montana issues statement apologizing to students and their families for an email accidentally sent to 28 parents containing sensitive academic, medical, disciplinary and criminal information about hundreds of students at Hellgate High School.
• Dec. 7. U.S. District Court Judge Leonard Wexler issues a restraining order against Compass, a brokerage firm alleged to have stolen thousands of listings from competitor Saunders & Associates. Saunders claims one of its former employees used a colleague’s login credentials to copy information from its systems.
• Dec. 8. Morgan Stanley suspects Russian hackers stole company data from Galen Marsh after the former employee took the information home without authorization, The Wall Street Journal reports. Marsh pleaded guilty earlier this year for illegally accessing the bank’s computers.
• Dec. 8. CM Ebar warns customers who used payment cards at its 29 Elephant Bar restaurants between Aug. 12 and Dec. 4 that their data is at risk due to a malware infection planted on its payment processing systems.
• Dec. 8. MaineGeneral Health announces it suffered a data breach in November that compromised personal information belonging to patients and prospective donors. Information on the number of affected people was not released.
• Dec. 9. VTech reports data breach at its Learning Lodge website affected 4.9 million parent accounts worldwide (2.2 million in the U.S.) and 6.4 million kid profiled (2.9 million in the U.S.).
• Dec. 10. Jason Chaffetz, chairman of the House Oversight and Government Reform Committee, in letter to Acting Office of Personal Management Director Beth Cobert, calls for removal of OPM CIO Donna Seymour after a critical report by the inspector general of the contract award for identity monitoring and protection services following a massive data breach at the agency.
• Dec. 11. U.S. Office of Personal Management reports it has finished notifying more than 20 million people affected by data breach at the agency earlier this year. About 7 percent of the people remain unnotified due to address problems, OPM said.
• Dec. 11. In 2015, 55 healthcare providers suffered data breaches resulting in theft of data for more than 110 million Americans, Motherboard reports.
• Dec. 11. Police in Wauwatosa, Wisconsin, say overseas hackers perpetrated a data breach that compromised more than 1,000 accounts and resulted in $164,000 in losses at a local Burger King.
• Dec. 11. Northwest Primary Care in Portland, Ore. reveals information for 5,372 patients is at risk after it was stolen by a former employee.

Upcoming Security Events

• Dec. 16. Crafting a National Strategy for the Internet of Things. 9 a.m. ET. Rayburn House Office Building, 45 Independence Ave. Southwest, Room 2237, Washington, D.C. Free.
• Dec. 17. Cyberattacks Happen Every Day. Are You Prepared to Stop One? 2 p.m. ET. Webinar sponsored by Cyberark. Free with registration.
• Jan. 16. B-Sides New York City. John Jay College of Criminal Justice, 524 West 59th St., New York. Free.
• Jan. 18. B-Sides Columbus. Doctors Hospital West, 5100 W Broad St., Columbus, Ohio. Registration: $25.
• Jan. 22. B-Sides Lagos. Sheraton Hotels, 30 Mobolaji Bank Anthony Way, Airport Road, Ikeja, Lagos, Nigeria. Free.
• Feb. 5-6. B-Sides Huntsville. Dynetics, 1004 Explorer Blvd., Huntsville, Alabama. Free.
• March 18. Gartner Identity and Access Management Summit. London, UK. Registration: before Jan 23, 2,225 euros plus VAT; after Jan. 22, 2,550 euros plus VAT; public sector. $1,950 plus VAT.
• June 13-16. Gartner Security & Risk Management Summit. Gaylord National Resort & Convention Center, 201 Waterfront St., National Harbor, Maryland. Registration: before April 16, $2,950; after April 15, $3,150; public sector, $2,595.