2011: The year self-evident security predictions die

I've never been a fan of security predictions, though I've written about them too many times to count. Here's why I hope 2011 is the year self-evident security predictions die.

Predictions change very little from year to year. For seven years I've seen predictions that this will be the year of mobile malware or the year of a federal data security law.

Predictions are harmless. But they are almost always useless. Only security vendors seem to enjoy making them.

Vendors particularly love declaring competing technologies dead.

There was the prediction that IDS was dead. That was many years ago and the technology remains in demand.

There was the prediction that 2009 would be the year pen testing died. Most of the security practitioners I talk to daily still swear by pen testing.

Here's one list of predictions that hit my inbox. No disrespect meant against the Zscaler Labs Research Team. From a technical perspective, there's nothing I can really fault. I've also learned a lot from these guys in the past and I have nothing but the highest respect for them. But after I show you the raw predictions, I'm going to tell you why I'm having trouble getting interested.

1. Political Hacktivism - In the wake of Julian Assange's arrest, following an already dramatic series of events in the ongoing Wikileaks saga, we gained insight into the power of political hacktivism in the social networked era. Project Payback, the series of Distributed Denial of Service attacks stemming from the movement known as Anonymous succeeded in temporarily disabling major web sites and did so with limited means and no centralized leadership structure. Anonymous is not a coordinated group, it has no membership list and anyone serving as a spokesperson or leader is likely doing so unilaterally. Project Payback emerged quite literally overnight, encouraged the use of relatively unsophisticated DDoS tools such as Low Orbit Ion Cannon (LOIC) and yet was surprisingly effective. Traditional political hacktivism attempts have been conducted by small, well coordinated groups. But now, we find ourselves in an era where complete strangers can quickly organize, coordinate and attack -- and do so with relative anonymity. Welcome to the world of flash mob hacktivism! Expect others to be inspired by the attention garnered by Operation Payback and stage similar attacks against corporations or government entities that have garnered negative press attention.

2. SSL Only Sites - Firesheep opened many eyes to an elephant that has been in the room for many years. While web applications commonly leverage SSL to protect login credentials, most sites shy away from SSL for general traffic once authentication is complete. This is common for a variety of reasons such as performance and complexity, especially when sites tend to be a mashup of content hosted on a variety of different domains. Despite the challenges, Firesheep has forced web application owners to revisit the decision not to make sites SSL-only, by bringing side-jacking to the masses - the ability to capture an authentication cookie and impersonate another user on an open network. With an increasingly mobile workforce accessing web based resources from coffee shops and airports, side-jacking attacks are trivial. In 2011, expect a handful of major vendors to finally tackle this challenge head on and finally deploy SSL-only websites.

3. Use and Abuse of the Cloud - In 2010, the Cloud Security Alliance (CSA) released the Top Threats to Cloud Computing. Included in that list of seven threats was the acknowledgement that attackers are drawn to the cloud for the same reasons as legitimate enterprises: low cost access to powerful computing resources. It is not uncommon to see botnet C&C servers or drop zones running on Amazon or Rackspace servers. This may occur due to legitimate hosts being infected or the attackers may purchase the services outright. The on-demand, self service nature of the cloud makes it difficult to prevent abuse upfront, leaving cloud vendors to remove abusive accounts once complaints flood the help desk. For attackers that are used to quickly migrating servers as take-downs occur, this is hardly a challenge at the ease with which they can quickly spin up dozens of powerful instances at a low price (or free if stolen credit cards are involved). Expect the trend of cloud-hosted botnets to grow.

4. Indirect Data Breaches - 2010 is ending with a series of high profile data breaches including those affecting well known companies such as Gawker Media and McDonald’s (via Silverpop). One thing that we’ve learned from these attacks is that credential theft is not only used to attack the affected domain, but also other sites due to the common practice of sharing the same username/password across numerous sites. Historically, there has been concern that single sign-on systems, such as Facebook Connect, create an Achilles heel – meaning they compromise one database and have access to many. We’re learning that the opposite can be true as well; by forcing people to have multiple logins, they’ll simply repeat one over and over again and their security is then only as strong as the weakest link in that chain - a riskier overall proposition than having one secure authentication source. As media reports of data breaches at popular sites continue, I expect an increasing number of web applications to offer SSO capabilities from well known brands such as Facebook as an option, especially on lesser known sites.

5. Malvertising Goes Offline - Malvertising is a well known technique, whereby attackers lease advertising space on popular websites in order to facilitate an attack. This may involve targeting a known browser-based vulnerability by using the ad to deliver a malicious media file (i.e. Flash or image), or it could simply be used to lure unsuspecting users to a secondary, malicious site. To date, malvertising has taken place on websites. However, mobile ad platforms such as iAd (Apple) and AdMob (Google) are emerging as powerful players in an effort to control mobile advertising on tablets and smartphones. Don’t expect attackers to ignore this powerful ability to reach an entirely new set of potential victims. Malvertising could be prevented if advertising networks and host sites better filtered third party content, but history has shown us that often fails to occur.

6. More App Store Abuse - In last year’s security predictions, I spoke about the likelihood that malicious content would make its way into mobile app stores. It didn’t take long for that prediction to come true. Now some would argue that even a few malicious apps sneaking past an app store gatekeeper is better than the standard process of downloading applications from anywhere on the web where there is little way to know if they’ve ever been scrutinized for security issues. While true, sneaking malicious content into an app store is an attractive prospect for an attacker as they’re able to piggyback on the reputation of the app store host (Apple, Google, RIM, etc.) and potentially infect millions without needing to do anything to generate traffic to the site. In 2011, we’ll see app stores go beyond mobile devices with initiatives such as Google’s Chrome Web Store and Apple’s Mac App Store. Yes, attackers are already salivating at the opportunity to infiltrate another trusted app store.

7. Niche Malware - Stuxnet demonstrated that malware can successfully target not just PCs or mobile devices, but any IP connected device, in that case SCADA systems. While Stuxnet may have had some additional brain power behind the attack, it’s no secret that embedded, Internet-connected servers have a spotty security record both due to the lack of scrutiny that they’re subjected to and generally non-existent patch processes. Earlier this year, I blogged about how embedded web servers have left confidential documents on thousands of HP scanners accessible to anyone with a web browser. Today, anything with a power switch is connected to the Internet. I anticipate the growth of niche malware designed to attack or harvest information from these insecure and often completely unprotected devices.

8. Cloud Shared Technology Breach - Returning to the CSA’s Top Threats report, another high-risk item making the list relates to vulnerabilities in shared technologies underlying the infrastructure that cloud instances reside upon. For IaaS providers, that includes the hardware, operating system and virtualization technologies. As we move up the stack to include PaaS and SaaS vendors, additional middleware and application components are shared as well. While I don’t anticipate attacks leveraging a known vulnerability in a COTS component on the infrastructure for a large cloud vendor due to stringent patching practices, I do feel that a high profile breach at a lesser known vendor, especially one in a custom component of shared technology, is quite likely.

9. Social Networking Meets Social Engineering -- Attacks on end users virtually always involve social engineering -- a user must be convinced to visit a web page, open an attachment, etc. Spam email has valiantly served this purpose for many years, but just as everyday users are migrating away from email and toward social networks such as Facebook and Twitter for communication, so too are hackers. This is far from a bold prediction as attackers have been abusing social networks since they first came online. For example, XSS vulnerabilities on Twitter have been used to push malicious tweets, while Likejacking has emerged on Facebook as a means of promoting malicious profiles. While leveraging social networks for evil is not new, I expect 2011 to be the year that social networks become the main communication medium for attackers, not just an alternate channel.

10. The Ever Shrinking Security Market - 2010 saw plenty of consolidation in the security market, with major players such as PGP, Verisign, Sophos, ArcSight and BigFix all participating in the M&A game. This, in addition to Intel’s unexpected purchase of McAfee, suggested that the long predicted trend of security being embedded, instead of procured, could finally be underway. With a lukewarm IPO market, consolidation will continue and other non-traditional security players will explore the security market in an effort to put excess cash to good use and show that they too take security seriously.
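Prediction 2 above turns on one mechanism: if a site only uses SSL for the login page, its session cookie is sent in the clear on every later request, and anyone sharing an open network can copy it and impersonate the user. The following is an added example, written for this page rather than taken from Zscaler or the original article, of the check a site owner would run against their own responses: it parses Set-Cookie headers, flags session-like cookies that lack the Secure (and HttpOnly) attribute, and reports whether HSTS is set so browsers refuse plain HTTP to the host. The two sample header sets are constructed, not captured from any real site, and the name-based session heuristic is an assumption for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Heuristic (assumption for this example): cookie names containing these
# substrings are treated as session or authentication tokens.
SESSION_HINTS = ("sess", "sid", "auth", "token", "login")


@dataclass
class CookieFinding:
    name: str
    secure: bool
    httponly: bool
    session_like: bool
    issues: List[str] = field(default_factory=list)


def parse_set_cookie(value: str) -> CookieFinding:
    """Parse one Set-Cookie header value ("name=val; Path=/; Secure; HttpOnly")."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0].strip()
    # Attribute names are case-insensitive; values (Path=/, Max-Age=...) are dropped.
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    finding = CookieFinding(
        name=name,
        secure="secure" in attrs,
        httponly="httponly" in attrs,
        session_like=any(h in name.lower() for h in SESSION_HINTS),
    )
    if finding.session_like and not finding.secure:
        # Without Secure the browser also sends the cookie over plain HTTP,
        # which is exactly what a side-jacking tool on an open network collects.
        finding.issues.append("no Secure attribute: sent over plain HTTP")
    if finding.session_like and not finding.httponly:
        finding.issues.append("no HttpOnly attribute: readable by page script")
    return finding


def audit_response(headers: List[Tuple[str, str]]) -> Dict[str, object]:
    """Audit response headers for the side-jacking exposure.

    Returns per-cookie findings plus two site-level flags: whether HSTS is
    present (browsers then refuse plain HTTP to the host) and whether any
    session-like cookie would still travel unencrypted.
    """
    cookies = [parse_set_cookie(v) for n, v in headers if n.lower() == "set-cookie"]
    hsts = any(n.lower() == "strict-transport-security" for n, _ in headers)
    exposed = any(c.session_like and not c.secure for c in cookies)
    return {"cookies": cookies, "hsts": hsts, "sidejacking_exposed": exposed}


# Constructed sample header sets (not from any real site).
LEGACY_SITE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sessionid=abc123; Path=/"),  # login over SSL, session in the clear
    ("Set-Cookie", "lang=en; Path=/"),
]

HARDENED_SITE = [
    ("Content-Type", "text/html"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("Set-Cookie", "lang=en; Path=/"),
]

if __name__ == "__main__":
    for label, hdrs in (("legacy", LEGACY_SITE), ("hardened", HARDENED_SITE)):
        report = audit_response(hdrs)
        print(f"{label}: hsts={report['hsts']} exposed={report['sidejacking_exposed']}")
        for c in report["cookies"]:
            for issue in c.issues:
                print(f"  {c.name}: {issue}")
```

Run against the legacy header set the audit reports the session cookie as exposed and HSTS absent; against the hardened set it reports neither. The non-session `lang` cookie is not flagged in either case, which is the point of the heuristic: an SSL-only migration is about the cookies that carry identity, not every cookie the site sets.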

First of all, political hacktivism is nothing new. Just ask the Estonian government. It's been more than three years since their experience with a massive DDoS.

The prediction on niche malware is interesting, but not really new. We've been dealing with it for some time now. Will we see a lot more of it in 2011? Of course we will.

The social networking meets social engineering one is particularly self evident. Social engineering tactics against hapless Facebook, LinkedIn and Twitter users have been going on almost since the day these sites went live. We've written a ton about that.

A shrinking security market? Welcome to 2006. Mergers and acquisitions have been shrinking the market for several years now. This year was particularly active in that area. But this isn't a new thing.

Heck, I think it was the 2007 RSA security conference where Art Coviello, president of RSA, declared that the security market would be gone in three years. He meant that a lot of security vendors would be merged into other companies and that security would be more baked into the larger IT infrastructure. We have seen that happen, but the security market itself is still with us.

Again, no disrespect intended. The folks who make these predictions are much smarter than me.

I'm just having trouble understanding the value of these predictions when so little changes from year to year.

I can't help but think these predictions aren't much more than busy work for security practitioners who would probably rather be doing other things.

Feel free to disagree. And Merry Christmas.

--Bill Brenner

Copyright © 2010 IDG Communications, Inc.
