Security in 2009

By Larry Seltzer  |  Posted 2008-12-26 Print this article Print

It's meta-prediction time. I took the most interesting of the predictions that were pitched to me, and they don't paint a pretty picture of the year ahead.

Every December I get a lot of pitches from vendors, analysts and other security types with predictions for the next year. This year I've decided to go through them and pick out the ones that made an impression on me. Many of the ones I don't list here, like "spam will increase," are either too obvious to bother with or just plain uninteresting.

MessageLabs has its own predictions, including the emergence of malware as a service. It's true that malware stays ahead of anti-malware solutions by churning out a high volume of variations. MAAS would attempt to serve the market need for malware distributors to keep their volume and variability up to standards by allowing them to order up malware to desired specifications and have it delivered automatically. There could be some problems keeping such a service up and running, as it couldn't exist at a well-known address for long, but there are ways around that.

It's somewhat self-serving, but Fortinet predicts that tightening budgets because of the economy will inspire a "bang for the buck" trend, leading inexorably to UTM (unified threat management) devices. Oh, what a coincidence! This is the business they are in! I would dismiss this for the obviousness of the marketing, but I think there may be something to it. Saving money will be a compelling argument in the next year or two. (Whether Fortinet UTM boxes are the best way to save money is another matter.)

MessageLabs had a second prediction that impressed me, that of an increase in "reputation hijacking," in particular as a result of increases in exploits of problems in the DNS. Sadly, this makes all too much sense. Malware such as DNS Changer pushes malicious DNS servers onto users, and then who knows where they are going when they type in "" or some other such site. Last year we had the coordinated response to the Kaminsky DNS bug, but 2009 could well be the year of the unstoppable DNS vulnerability.

Many companies (such as ScanSafe) predict a rise in targeted, customized attacks, and this too makes sense. There is a market for vulnerabilities as well as intelligence that can be put together by anyone, along with custom social engineering, to stage an attack that can get through both human and technological defenses. This sort of thing goes on all the time already, and there's money in it, so it makes sense that everyone involved would want to milk it dry.

2008 was the year that it became obvious that CAPTCHAs were not sufficiently strong to protect account signups. It's not an explosion of abuse yet, but it could be in 2009, as the attackers seem to be getting better faster than the defenses. The predictions were somewhat diverse on this point, with one predicting a "Return of the CAPTCHA" development, and more sophisticated versions turning the attackers back. I'll believe it when I see it.

VeriSign's iDefense predicts increased attacks on critical infrastructure such as power systems, specifically the SCADA (Supervisory Control and Data Acquisition) systems that operate them. Very scary stuff. There has been talk about this sort of thing for years, mostly since 9/11. Why would it increase in 2009? This part I'm not sure I understand.

Perhaps the answer is related to another prediction of iDefense's, that of cyber-warfare becoming more common, especially from groups aligned with Russia. This is the sort of activity we say around the actions against Estonia and Georgia, but there has been plenty of cyber-espionage reported from China, and it would not be surprising to see one of these groups perform an attack against critical infrastructure just to prove they can do it. Can they actually do it? It's one thing to DDOS the Web site for a bank or a small country's government, but another thing to take down a power plant. It could happen in the future, but I wouldn't predict 2009 on it.

Another common, and sensible, prediction is that site reputation will decrease in value as SQL injection and other such techniques allow more malicious content to be hosted on sites with "good" reputations. Cross-site scripting is another factor that figures prominently into this, and both cross-site scripting and SQL injection vulnerabilities are very common and very difficult to eliminate from your code.

There are factors that argue for improved security in 2009, but the ones pointing in the other direction seem more compelling right now. At least business is good for those of us in the security industry, but I look forward to the day when their products are unnecessary.

Happy New Year, everyone.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.

For insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzer's blog Cheap Hack.

Larry Seltzer has been writing software for and English about computers ever since—,much to his own amazement—,he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these +products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publication.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel