It's meta-prediction time. I took the most interesting of the predictions that were pitched to me, and they don't paint a pretty picture of the year ahead.
Every December I get a lot of pitches from vendors, analysts and other
security types with predictions for the next year. This year I've decided to go
through them and pick out the ones that made an impression on me. Many of the
ones I don't list here, like "spam will increase," are either too
obvious to bother with or just plain uninteresting.
MessageLabs has its own predictions, including the
emergence of malware as a service
. It's true that malware stays ahead of
anti-malware solutions by churning out a high volume of variations. MAAS
would attempt to serve the market need for malware distributors to keep their
volume and variability up to standards by allowing them to order up malware to
desired specifications and have it delivered automatically. There could be some
problems keeping such a service up and running, as it couldn't exist at a
well-known address for long, but there are ways around that.
It's somewhat self-serving, but Fortinet
predicts that tightening budgets because of the economy will inspire a
"bang for the buck" trend, leading inexorably to UTM (unified threat management)
devices. Oh, what a coincidence! This is the business they are in! I would
dismiss this for the obviousness of the marketing, but I think there may be
something to it. Saving money will be a compelling argument in the next year or
two. (Whether Fortinet UTM boxes are the best way to save money is another
MessageLabs had a second prediction that impressed me, that of an increase
in "reputation hijacking," in particular as a result of increases in
exploits of problems in the DNS. Sadly, this makes all too much sense. Malware
such as DNS
pushes malicious DNS servers onto users, and then who knows where
they are going when they type in "www.amazon.com" or some other such
site. Last year we had the
coordinated response to the Kaminsky DNS bug
, but 2009 could well be the
year of the unstoppable DNS vulnerability.
Many companies (such
) predict a rise in targeted, customized attacks, and this too
makes sense. There is a market for vulnerabilities as well as intelligence that
can be put together by anyone, along with custom social engineering, to stage
an attack that can get through both human and technological defenses. This sort
of thing goes on all the time already, and there's money in it, so it makes
sense that everyone involved would want to milk it dry.
2008 was the year that it became obvious that CAPTCHAs were not sufficiently
strong to protect account signups. It's not an explosion of abuse yet, but it
could be in 2009, as the attackers seem to be getting better faster than the
defenses. The predictions were somewhat diverse on this point, with one
predicting a "Return of the CAPTCHA" development, and more
sophisticated versions turning the attackers back. I'll believe it when I see
increased attacks on critical infrastructure
such as power systems,
specifically the SCADA (Supervisory Control and Data Acquisition) systems that
operate them. Very scary stuff. There has been talk about this sort of thing
for years, mostly since 9/11. Why would it increase in 2009? This part I'm not
sure I understand.
Perhaps the answer is related to another prediction of
iDefense's, that of cyber-warfare becoming more common, especially from groups
aligned with Russia.
This is the sort of activity we say around the actions against Estonia
but there has been plenty of cyber-espionage reported from China,
and it would not be surprising to see one of these groups perform an attack
against critical infrastructure just to prove they can do it. Can they actually
do it? It's one thing to DDOS the Web site for a bank or a small country's
government, but another thing to take down a power plant. It could happen in
the future, but I wouldn't predict 2009 on it.
Another common, and sensible, prediction is that site reputation will
decrease in value as SQL injection and other such techniques allow more
malicious content to be hosted on sites with "good" reputations.
Cross-site scripting is another factor that figures prominently into this, and
both cross-site scripting and SQL injection vulnerabilities are very common and
very difficult to eliminate from your code.
There are factors that argue for improved security in 2009, but the ones
pointing in the other direction seem more compelling right now. At least
business is good for those of us in the security industry, but I look forward
to the day when their products are unnecessary.
Happy New Year, everyone.
Editor Larry Seltzer
has worked in and written about the computer industry since 1983.
For insights on security coverage around the Web, take a look at eWEEK.com
Security Center Editor Larry Seltzer's blog Cheap Hack