I was recently asked to share some predictions about what 2010 will bring in the security space. I asked some colleagues from ESET Research to share their thoughts as well. -Randy

Randy Abrams, Director of Technical Education
Social Engineering attacks will continue to grow in prevalence. As operating systems and eventually applications become more secure, the easiest way to steal money from people or install malicious software will be to trick them. Part of this will be driven by adoption of Windows 7. Computers sold with Windows XP, with a few exceptions, such as newer netbooks, are beginning to age and will be replaced with PCs that have Windows 7. The increased security in Windows 7 means that tricking the user is far more viable than exploiting the OS for most criminals.
Third-party applications will bear the brunt of vulnerability attacks. Security improvements in operating systems will continue to drive vulnerability research to applications like Safari, iTunes, Adobe Flash, Adobe Reader, many IM clients and other applications. Unfortunately, users are far less savvy about patching third-party applications than they are about patching the operating system.
While the number of attacks against “jailbroken” iPhones is likely to increase, the number of infected or affected devices will likely decrease. The reason for a decrease is that in many cases the affected user incurs data charges and so they are motivated to do things like changing default passwords. Those who have flat rate data plans will be far more likely to continue to neglect security.
ISPs will increasingly implement technologies to identify users who are infected and take measures to block access to the internet until the user’s machines are cleaned up. It will probably be a few years before these ISPs are the norm, rather than the exception, but still the prevalence of such practices will increase.
Data breaches/losses will grow in scope as people put their data in the cloud. Cloud systems security is still fairly young. The aggregation of data will make many Cloud service providers attractive targets. We’ve already seen this as web hosting providers and credit card processing businesses have been targeted.
Sr. Malware Researcher
- Increase in rogue software or extortion software, probably some fake memory optimization tools, etc.
- More specialization from malware gangs and exchange of service between them. Some gangs will take care of the packing layer, others C&C communication, other stealing data, etc.
- More malware targeting alternative operating systems like OS X and Linux as they increase their market shares. This probably means more malware written in high level languages which can execute on various OSes like bash, perl, python, etc.
- Increased targeting of social networks, such as Facebook, LinkedIn, Twitter in the US, Orkut and Hi5 in South America, from both a social engineering standpoint and looking for cross-site scripting and wormable attacks on the web sites as well as their APIs.
- Continued research into weaknesses in virtualization will lead to new attacks, but will remain largely impractical, e.g., the attacker needs direct access to a server's hardware in order to perform the action.
- Online games will continue to be targeted, as virtual assets such as in-game currencies or scarce resources can be re-sold for real money, especially in Asia.
- Increased research into attacks on gaming consoles, but with limited results due to the closed-wall nature of their Internet service.
- Increased research into attacks on wireless networking (802.11n Wi-Fi, WiMAX, cellular broadband data connections) and SSL interception will make it more risky to conduct online shopping and banking over wireless connections (MITM attacks for credential theft, etc.).
- Patch management will continue to challenge IT departments.
- Slight decrease in AUTORUN.INF-borne malware due to deployment of Windows 7.
Director of Malware Intelligence
- iPhone attacks will probably be a blip rather than an increasing trend, as based on a single high-visibility vulnerability. However, attacks (or at least probing for vulnerabilities) on smartphones in general are likely to increase as long as providers rely on a closed system model that encourages jailbreaking/rooting. The whitelisting model will probably get some attention eventually, even from Apple.
- Data mining (legitimate and criminal) will have a wider and by no means automatically beneficial range of effects on individuals. The arch-example is Facebook's lack of commitment to a realistic security model, which counts more than its security centre advice. Essentially, it's encouraging its users to share as much information as possible while essentially making them responsible for the security of their own data. This isn't unique to FB, of course, or even to the Web 2.0 providers. But they're grooming us to accept that it's legitimate for an ever-wider pool of data to be used to monitor our behaviour, and makes it harder to distinguish between legit and criminal data mining.
- Further to point 2, privacy tends to diminish where it's in the way of commercial rather than political interests. So, ironically enough, there will be particular and ongoing interest in data leakage where it affects public bodies, but selling on of information at the backdoor by more-or-less legal means will continue as it always has, though it's starting to attract some attention. This may be less true in Europe, where data protection and other directives -already- give some formal weight to the principle that organizations should only hold as much personal data as they -need-, rather than what they -want-.
- Obviously, I'm in agreement with everyone else on the continuing importance of social engineering. The corollary to that, though, is that despite those who say that user education is ineffective, it remains an under-explored option for mitigating social engineering. It's unlikely that a psychological attack can be totally eliminated by technical means. On the other hand, it's always easy and resource-non-intensive to push responsibility back to the user and say "just be careful!" There are signs that user education in some areas is being taken more seriously, though: anti-phishing education, for instance.