2010 ended with dire predictions about a new age of Internet-enabled hacker-activism, but the big story in 2011 will be the explosion in IP-enabled, loosely secured, Internet-connected stuff.
It’s the time of year when all of us gaze into the crystal ball and think about what the next 12 months have in store. That’s a tough thing to do. In the IT security business, it’s even tougher, as the big events in the computer security world often turn on what’s not readily discoverable: unknown holes in common software platforms, loosely configured servers holding sensitive data, the dark ruminations of malicious (but normal-seeming) employees. But when you step back a bit from specific events, it gets a bit easier to discern the terrain ahead. Last year at this time, for example, Threatpost contributor Dino Dai Zovi looked into the mists of 2010 and saw sandboxes – lots of them. And lo and behold, this year we saw leading vendors including Google and Adobe embracing sandboxing as a way to contain malware. Now it’s Threatpost’s turn to play the oracle, predicting some of the salient security trends that we’re likely to be writing about in 2011. Here’s our list of five security trends you should be watching for.
Wikileaks: It’s the leak, stupid
We in the media love a big story: something important and momentous with lots of depth and layers to reveal. These are stories that just keep on giving – revealing new truths and layers of complexity with each passing day. The problem comes when we try to extrapolate from big stories – looking into the crystal ball and taking a guess at what will come next, or what the long-term impact of those “big stories” will be. So it was with Wikileaks, one of the top stories of 2010, which centered on the online release of a hoard of classified diplomatic cables but quickly expanded to include online attacks and counterattacks by motivated activists supporting and opposing Wikileaks’ mission. Pundits were quick to hail the arrival of politically motivated “hacktivism” as the new normal and distributed denial of service (DDoS) attacks as a potent cyber weapon for which there was no easy defense. We at Threatpost think there are lots of reasons to suspect that politically motivated hacking and DDoS attacks will be prevalent in 2011, but that “hacktivism” as a trend will lose its bluster and that future incidents won’t generate either the headlines or the sense of urgency that Wikileaks and the corresponding attacks by the online group Anonymous did in the waning weeks of 2010.
For one thing, loosely organized hacker-activist groups like Anonymous, 4Chan and others have been operating for years. Their methods and motivations haven’t changed radically over that time – DDoS attacks have long been the weapon of choice for punishing those sites or voices you wish to silence online. Just consider the politically motivated attacks on Estonia in 2007 and on Russia and Georgia in 2008 as recent examples of this. At the end of the day, the Wikileaks DDoS attacks were big news because Wikileaks’ Cablegate was big news – not the other way around. Take away the huge breach of U.S. military and diplomatic security and the “hacktivism” of Anonymous, J35st3r and the rest can be seen for what it really is: business as usual in the early 21st century.
While hacktivism itself isn’t likely to be any more of an issue in 2011 than it was in 2010, we think the issue at the center of the Wikileaks controversy, a massive data breach, is likely to be one that makes headlines throughout 2011. As Yankee Group analyst Ted Julian pointed out in his Threatpost Op-Ed this week, Wikileaks amplifies the impact of data breaches, as other groups and individuals tear pages out of Julian Assange’s playbook: combining sensitive and confidential data with media savvy and the Internet’s ubiquity to score points against political or economic adversaries. That – and the increasing interest of states’ attorneys general in data leak litigation – will put more pressure on companies to get a grasp on disparate data and knotted user access policies. Count on it!
Hacking “Stuff”
The wrapping paper wasn’t even gone from under the Christmas tree before millions of newly empowered consumers began connecting their iPhones, iPads, Droids, Kindles and – increasingly – Internet enabled TVs and home appliances to the ‘Net. There’s no question that all that IP-enabled “stuff” will be a boon to enterprising hackers – white hat and otherwise – in 2011. In truth, we have already been seeing evidence of this in 2010. Researchers Travis Goodspeed and Michael Ossmann used their presentation at this year’s ToorCon in San Diego to explore the capabilities of the IM-Me wireless text messaging toy for girls, which the researchers were able to reprogram to serve as a spectrum analyzer, garage door opener and automobile keyless entry device. The New York Times this week wrote about security holes in the latest generation of IP-enabled television sets that could allow malicious hackers to carry phishing and other attacks from the desk to the living room.
And TVs and consumer devices may not be the only targets. We reported last week on the arrests of more than a dozen individuals linked to an online scam that leveraged compromised voice over IP (VoIP) servers to call premium rate numbers. With services like the Shodan search engine now indexing SIP (Session Initiation Protocol) servers, we expect to see an uptick in attacks on vulnerable VoIP infrastructure. Looking further afield, we think cars may, at long last, find themselves in the crosshairs of motivated hackers in 2011. Momentum’s been building for this for a while. In May, Threatpost’s Dennis Fisher reported on research from the University of California that revealed weaknesses in the security used to protect the software that runs automobiles and a “deep reliance” of autos on “relatively simple software” that’s easy to exploit. That’s bad news, because the automobile industry is on the cusp of a tech-enabled multimedia explosion as consumers clamor for more than just DVD players to amuse occupants while en route. Luxury automobile manufacturers are already touting the size of the hard drives that come with their vehicles – all the better to store music, video, games and other entertainment features. If history is any lesson, security will be down on the list of development priorities for most manufacturers, making minivans and luxury autos a fat target in 2011 and beyond.
Mobile Anarchy
We think there are a lot of reasons to expect that the security of mobile devices will be big news in 2011. For one thing, the adoption curve of so-called “smart phones” that come with Internet connectivity is taking on hockey-stick-like qualities. In September, market research firm IDC predicted that shipments of so-called “converged mobile devices” would reach 270 million units in 2010 – a 55% increase over the year before, with strong growth expected again in 2011. Increasingly, those phones are being used for e-commerce. PayPal expects payments using its mobile application for Apple’s iOS devices to reach $700 million in 2010, up from less than $200 million in 2009. That trend will continue in 2011, and it won’t be limited to Apple’s iOS or online payments giant PayPal. Giants like Google have been snatching up mobile payments firms, while merchants are salivating over the confluence of mobile devices, location-based services and mobile payments. However, as we’ve reported, security often takes the back seat in the go-go world of mobile application development. SMS Trojans may be the dominant form of mobile malware, but there’s ample reason to believe that attacks focused on mobile Web applications will surge ahead of device-specific attacks in 2011. Already, phishing, mobile clickjacking, drive-by downloads and other threats have spread to popular mobile platforms like iOS and Android. We expect those trends to continue, with consumers in the crosshairs as hackers find ways to leverage mobile applications for illicit gain.
Stuxnet goes commercial
Sometimes a big news story looks even bigger in retrospect. We think that will be the case with this year’s revelations about the Stuxnet worm, a sophisticated piece of malicious code that crawled its way onto the networks of power plant and critical infrastructure providers from India to Germany in 2010. As we reported this year, the arrival of Stuxnet was a watershed in the security world. It was one of the most sophisticated pieces of malware ever publicly disclosed, containing exploits for no fewer than four previously unknown holes in Windows to infect and spread between computers on a network. It also contained the first known malware aimed at programmable logic controllers (PLCs), common components used in a variety of industries to control specialized equipment. The worm raised warnings about the possibility of nation-state attacks on critical infrastructure to a new level of intensity and sent security companies scrambling for experts who understood the workings of SCADA and industrial control systems. Stuxnet is widely believed to have been created to disrupt or disable Iran’s uranium enrichment program. But, as Dennis Fisher reported, the politics that may or may not have motivated the creation and release of the worm are beside the point. What Stuxnet proved is that critical infrastructure – even closely guarded critical infrastructure – is vulnerable to attack and compromise. Such facilities provide a rich target for cybercriminals interested in extortion, data theft or mercenary activities on the part of a state-backed or commercial entity. Stuxnet may not have had a clear commercial purpose, but it’s reasonable to assume that in 2011 we’ll see evidence that the bad guys were paying attention and have found a way to leverage Stuxnet for commercial purposes, or to create a new piece of malware purpose-built for compromise of critical infrastructure, data theft, denial of service and more.
Alas, there’s no Band-Aid fix for the holes and insecurity that Stuxnet exposed. Critical infrastructure providers have long turned a blind eye to the kinds of IT security dilemmas that enterprises were forced to confront in the last decade – adopting an approach of “security through obscurity” that has proven woefully inadequate. At the same time, security vendors have focused on the large and lucrative market for LAN- and WAN-based PCs rather than the smaller and specialized market for industrial control software. The next year may be one that shows governments, critical infrastructure providers and the private sector wrestling with possible solutions, even as Stuxnet-inspired threats proliferate.
Social insecurity in the Spotlight
As we reported recently, social networking giant Facebook ended an eventful 2010 by revising its vulnerability disclosure policy to shield researchers from lawsuits stemming from their discoveries. That’s a small step forward that puts the company on an even footing with its rivals Google and Mozilla as well as software vendors like Microsoft. Expect to see more steps like that from Mr. Zuckerberg, as well as his compatriots at firms like Twitter, Groupon, LinkedIn and more. For one thing, Facebook, Google and others have been buffeted by new reports in recent months that have blown the whistle on lax data privacy and application security standards that may have leaked personal data to advertisers and other unauthorized individuals. 2010 also saw large-scale attacks and malware spreading at both Facebook and Twitter. Facebook’s first full-time malware researcher said that threats will mount as users increasingly leverage the massive social network for commercial transactions and more diverse kinds of information sharing.
In 2011, expect to see the relative importance of Web application security and social networking increase, as Web threats continue their stratospheric rise and threats like phishing, spam and malware increasingly leverage social networks, while Web application providers struggle to manage growth, feature development, data privacy and application security. It’s a toxic brew that we expect to reach a boil in the next calendar year, prompting employers to take a closer look at employee use of Web applications and to institute basic filtering and policies to help stem attacks and prevent the loss of critical data.