Cloud-hosted malware, bot blasts, compromised smartphones, and privacy-busting malvertising are a few of the security pitfalls we can expect this year.
Computing is in a state of constant change. Apps are migrating toward the cloud. Mobile devices are changing the way we interact with our machines and the way we connect to networks. Real-time information has become increasingly important. The threats are changing too.
With 2010 freshly upon us, 'tis the season to ponder future threats. Last month's threat of a portly, bearded man entering one's household through a chimney was mitigated by a sufficiently hot flame, but cybercriminals aren't bothered by physical barriers. They can enter computers through network cables or a wireless connection and make off with valuable information.
What follows are a few predictions about what may come in the world of computer security.
1. Spam, Scams Go Social and Realtime
Security researchers at Websense, Breach Security, IBM Internet Security Systems' X-Force, and Symantec concur that cybercriminals will escalate attacks on social networking sites such as Facebook, MySpace, and LinkedIn, and on real-time social sites like Twitter. With Google and Bing, not to mention Google Wave, integrating realtime features, scammers know that time is increasingly on their side: Often it takes time to recognize a malicious link or file and unless countermeasures are more or less immediate, there will always be at least some victims.
Contrarian view: For those who never really bought into the social network, real-time craze, such dangers offer another reason to hope that the computing world gets its own equivalent of the slow food movement. Speed may be Google's most cherished goal, but it also increases the velocity of risk.
2. Crime Cloud
Security vendors AVG, M86, and RSA foresee criminals attacking cloud services and using them to direct and control attacks. Cybercrime toolkits are already widely used. It's only a small step from there to cybercrime as a service. IBM ISS X-Force researchers expect more "exploits-as-a-service," and that's not a hard call to make when you have Amazon AWS already being used to host a malware command and control server.
Sam Curry, VP product management and strategy at RSA, said, "Expect a lot of attention in 2010 to how risk side [of the cloud] is mitigated."
Contrarian view: While cybercriminals have experimented with services like Google's App Engine to control attacks, the level of oversight at such services, not to mention the fact that payment is usually required, will make the free malware hosting offered by poorly secured Web sites and databases a better deal. Why bother pretending to be a paying customer when you can just break in and plant malware on someone else's machine?
3. Hijacking Trusted Sites For Malware
Breach Security sees continued innovation in efforts to compromise trusted sites and load them up with malware. SQL injection attacks have proven to be spectacularly successful so far, so it's unlikely that will change. For cybercriminals, it will almost always make more sense to have a third-party distributing their malware.
Contrarian view: The pointlessness of blogging will finally dawn on people and, in conjunction with a year of dot-com failures and layoffs, there will be fewer people running Web sites. In addition, the shift toward controlled devices -- mobile phones, tablets, and the like - and the emergence of Chrome OS netbooks will mean less opportunity for user error. Security thus will improve.
4. Macs (Finally) Compromised In Significant Numbers
Security companies have been salivating at the prospect of malware on Macs for years. In 2010, Websense says, we will see a drive-by exploit that affects Safari under Mac OS X and hackers will pay increased attention to the Mac platform.
Symantec is similarly worried about unprotected Mac users who haven't gotten into the habit of paying $30 a year for antivirus software. Other security companies such as Sophos have been saying as much for years. Zscaler believes Apple's increasingly high profile will force the company to invest more in security as its devices come under more sustained attack. It's almost as if security companies want Apple's machines to be insecure.
Contrarian view: The only people running Mac security software are those who have to do so as a matter of regulatory compliance. That won't change until Windows market share drops below 80% and/or Mac market share exceeds 20%. If there is an exploit that affects Macs widely, it will probably be the result of an Adobe Flash vulnerability.
5. More Poisoned Search Results, Malvertising
Exploiting trust works. Cybercriminals will put more effort into taking advantage of trusted Web sites. They will use search engines and advertisements to infect the unprotected. On this there's considerable agreement: AVG, Websense, and M86 all anticipate continued efforts to subvert search results and exploit interest in breaking news and events.
Perhaps 2010 will be the year a cybercriminal creates a fake outbreak story that gets attention and leads interested parties to malicious Web sites that create a real cyber outbreak.
Contrarian view: Google and Microsoft will partner to keep search and advertising relatively safe, knowing full well that they cannot afford to lose the trust of users. Expect a rogue ad network to be brought down with much fanfare.
6. Bots, Bots, And More Bots
Why bother with cloud-hosted malware when botnets offer the same service for less? Even better for cybercriminals, botnets offer a source of income. For security vendors, that suggests bots will continue to become more sophisticated. Botnets have become the foundation of cybercrime, Symantec claims.
Dan Hubbard, CTO of Websense, said that there has been some good news about bots -- better communication in the security community and with law enforcement, resulting in more arrests and botnet takedowns than in the past.
But because botnets generate cash for criminals, he expects more criminal gangs will choose a path to wealth that's easier than building a botnet: hijacking a botnet operated by a different gang.
That kind of conflict could actually limit botnet growth or at least attract the attention of security experts and law enforcement. Contrarian view: Botnets not only have to defend against security researchers, but against other botnet operators. Websense sees botnet gangs fighting turf wars, similar to the way that the Bredolab botnet shut down the Zeus/Zbot on infected computers.
7. Piracy Gets Riskier
In early December, Microsoft launched a broad effort to reduce software piracy, noting that it has received a rising number of complaints from users who purchased or otherwise obtained pirated versions of Windows.
It seems that counterfeit software is increasingly infected software. IBM Internet Security Systems' X-Force researchers expect that use of pirated software will increasingly lead to malware infection and that users of such software will become the "Typhoid Marys" of the global computing community.
Contrarian view: Will the last user of desktop software please turn out the lights? We're all moving into the cloud where we don't have to worry about a counterfeit, infectious version of Google Apps, at least until someone alters our DNS host file.
8. Mobile Security Becomes Real Issue
"Smartphones such as the iPhone and Android-based handsets, which are used increasingly for business purposes, are essentially miniature personal computers, and in 2010 will face the same types of attacks that target traditional computing," predicts Websense. And the company is not alone in that belief. Practically every security vendor has or is developing a mobile security product or service. As with Macs, the security industry would welcome a new market.
Websense's Hubbard says it will be interesting to see how Apple's closed App Store and Google's more open Android Market compare in terms of mobile malware in 2010.
Contrarian view: The researchers at IBM ISS X-Force believe that attacks on mobile phones will remain scarce. But while network-based attacks on mobile phones may remain relatively rare, physical attacks will rise: Snatch-and-grab attacks are considerably easier than cyberattacks and produce both data and a physical item that can be sold. With unemployment over 10%, unsolicited phone collection could become a growth industry.
9. A Major Insider Theft Scandal Will Surface
Ongoing improvements in network security will encourage organized cybercrime groups to think about the long con. Somewhere next year, expect someone with access to data at a large organization to be caught working for or with a cybercrime group. The Identity Theft Resource Center anticipates a rising number of insider cases because of failure to follow basic workplace security protocols.
Contrarian view: As above, but the organization will be able to hide the incident, at least until 2011. This prediction has the added benefit of being difficult to prove wrong next year.
10. Clickjacking Strikes Back
Zscaler believes that the clickjacking vulnerability -- a way to alter a Web app's user interface to dupe users into clicking on concealed buttons -- will be employed in attacks more frequently. Jeremiah Grossman, founder and CTO of WhiteHat Security, and Robert "RSnake" Hansen, founder and CEO of SecTheory, disclosed information about the technique in October 2008. While some effort has been made to mitigate the risk of clickjacking, Zscaler says the technique can still be effective, particularly in attacks with a social engineering component.
Contrarian view: Why bother, when you can just launch a window that displays a fake security scan and get clueless users to pay for fake security software? Ignorance is a vulnerability that isn't easy to patch.