It’s the most wonderful time of the year. A time when we set aside our quarrels and show compassion for complete strangers, realize that it’s better to give than to receive and in the security industry, let everyone know just how smart we are playing Nostradamus. Yes, it wouldn’t be December if I didn’t join in the chorus of prognosticators to let you know exactly what is in store for us all in the coming twelve months.
With WebOS now officially an orphan, Blackberry OS racing to the grave and Windows Mobile still trying to get ready for the party, the victors can be crowned – iOS and Andorid have won. The interesting part of the race is about to begin, namely who has the best security model. Will it be Apple’s draconian, ‘we control everything’ or Google’s happy-go-lucky ‘come on in, everyone’s invited’ approach?
Prediction: The ‘do no evil’ company will struggle mightily to keep evil applications out of their App Marketplace. In an effort to avoid being to mobile what Windows is to PCs (a breeding ground for malware), Google will subtly make Android less open to both partners and developers. They will also announce an initiative to increase security screening for applications before deployment in the App Marketplace. Apple on the other hand will have comparatively few malicious apps to deal with, but at least three major OS flaws that impact all users (and make the jailbreak team happy). Apple will address the vulnerabilities several days late and apologize to no one. iPad 3 and iPhone 5 sales will turn financial analysts into giddy schoolgirls.
Thanks to marketing teams across the globe, APT (Advanced Persistent Threat) has become a meaningless buzzword in the security lexicon. Let’s therefore ditch that term and instead focus on targeted attacks, specifically those focused on enterprises with the goal of corporate espionage or to inflict financial damage. Many praised Google for coming forward in January 2010 to reveal that they and others had been the victim of a sophisticated targeted attack, likely originating from China. Many in the public mistakenly assumed that this was a new and previously unseen event on the security stage. What was new about it was the openness displayed by Google in discussing the situation, not the class of attack.
Prediction: The term ‘APT’ will go the way of ‘eCommerce’ and the Dodo bird, but stories of targeted attacks against enterprises will rise tenfold in the media. This will be a reflection of increased activity by attackers as they broaden their reach to smaller companies and decisions by corporate council to disclose details of an attack rather than to suppress the information and risk litigation for trying to cover up such activity.
Want to know a secret for making security predictions? Take a look at what was being discussed at security conferences 2-3 years ago. At Black Hat DC 2009, I discussed the dangers of persistent web browser storage. One of the key technologies that will be taking browser storage to the next level is HTML5. In 2009, HTML5 apps were few and far between. Thanks in large part to mobile browsers; HTML5 is now much more mainstream. As with any new technology, developers are quickly rushing to play with the new kid on the block and publishing their goods, without taking the time to understand the security implications.
Prediction: We’ll see an increasing number of web application vulnerabilities in HTML5 apps, not because the technologies behind them are insecure, but because HTML5 is not well understood from a security perspective.
Security in the hardware space is at least ten years behind security in the software industry. This isn’t so much a reflection of the good work being done in software, as it is the reality of software vendors being forced to address an issue that was impacting business. Thanks to the efforts of many great researchers investing countless hours doing QA work that should have been done long before products hit the shelf, today most major security vendors have no choice but to employ security response teams and take vulnerability disclosure very seriously.
Hardware vendors simply haven’t faced the same scrutiny, but that’s changing. This year at Blackhat, I spoke about the sad state of embedded web servers and recently researchers at Columbia University discussed the ability to remotely cause physical damage to HP printers due to security flaws.
Prediction: Hardware vendors will get a wake-up call as researchers shift their efforts and party like it’s 1999.
Social networks such as Facebook are of value to more serious criminals, but mainly for reconnaissance during targeted attacks. They are a great resource for learning background information about an individual and uncovering relationships, all of which can be of great value for social engineering. We’re not however, commonly seeing the communication aspects of social networks used to deliver malicious payloads directly to victims or investments in uncovering web application vulnerabilities used to compromise end user machines as opposed to spreading the aforementioned scams.
Prediction: Attackers will raise the bar and leverage social networks for more sophisticated attacks, the goal of which will be full compromise as opposed to marketing financial scams.
Merry New Year!