Network Security & Hardware - eWeek


Battery 500 Project Charged Up over All-Electric Cars
Charting the Final Frontier--Google Maps for Indoors
Get Smarter Technology on Your Mobile!
  Network Security & Hardware


Security in 2009



 By: Larry Seltzer
2008-12-26
Article Rating:starstarstarstarstar / 5


There are 4 user comments on this Network Security & Hardware story.


Rate This Article:
Poor Best
It's meta-prediction time. I took the most interesting of the predictions that were pitched to me, and they don't paint a pretty picture of the year ahead.

Every December I get a lot of pitches from vendors, analysts and other security types with predictions for the next year. This year I've decided to go through them and pick out the ones that made an impression on me. Many of the ones I don't list here, like "spam will increase," are either too obvious to bother with or just plain uninteresting.

MessageLabs has its own predictions, including the emergence of malware as a service. It's true that malware stays ahead of anti-malware solutions by churning out a high volume of variations. MAAS would attempt to serve the market need for malware distributors to keep their volume and variability up to standards by allowing them to order up malware to desired specifications and have it delivered automatically. There could be some problems keeping such a service up and running, as it couldn't exist at a well-known address for long, but there are ways around that.

It's somewhat self-serving, but Fortinet predicts that tightening budgets because of the economy will inspire a "bang for the buck" trend, leading inexorably to UTM (unified threat management) devices. Oh, what a coincidence! This is the business they are in! I would dismiss this for the obviousness of the marketing, but I think there may be something to it. Saving money will be a compelling argument in the next year or two. (Whether Fortinet UTM boxes are the best way to save money is another matter.)

MessageLabs had a second prediction that impressed me, that of an increase in "reputation hijacking," in particular as a result of increases in exploits of problems in the DNS. Sadly, this makes all too much sense. Malware such as DNS Changer pushes malicious DNS servers onto users, and then who knows where they are going when they type in "www.amazon.com" or some other such site. Last year we had the coordinated response to the Kaminsky DNS bug, but 2009 could well be the year of the unstoppable DNS vulnerability.

Resource Library:

Many companies (such as ScanSafe) predict a rise in targeted, customized attacks, and this too makes sense. There is a market for vulnerabilities as well as intelligence that can be put together by anyone, along with custom social engineering, to stage an attack that can get through both human and technological defenses. This sort of thing goes on all the time already, and there's money in it, so it makes sense that everyone involved would want to milk it dry.

2008 was the year that it became obvious that CAPTCHAs were not sufficiently strong to protect account signups. It's not an explosion of abuse yet, but it could be in 2009, as the attackers seem to be getting better faster than the defenses. The predictions were somewhat diverse on this point, with one predicting a "Return of the CAPTCHA" development, and more sophisticated versions turning the attackers back. I'll believe it when I see it.

VeriSign's iDefense predicts increased attacks on critical infrastructure such as power systems, specifically the SCADA (Supervisory Control and Data Acquisition) systems that operate them. Very scary stuff. There has been talk about this sort of thing for years, mostly since 9/11. Why would it increase in 2009? This part I'm not sure I understand.

Perhaps the answer is related to another prediction of iDefense's, that of cyber-warfare becoming more common, especially from groups aligned with Russia. This is the sort of activity we say around the actions against Estonia and Georgia, but there has been plenty of cyber-espionage reported from China, and it would not be surprising to see one of these groups perform an attack against critical infrastructure just to prove they can do it. Can they actually do it? It's one thing to DDOS the Web site for a bank or a small country's government, but another thing to take down a power plant. It could happen in the future, but I wouldn't predict 2009 on it.

Another common, and sensible, prediction is that site reputation will decrease in value as SQL injection and other such techniques allow more malicious content to be hosted on sites with "good" reputations. Cross-site scripting is another factor that figures prominently into this, and both cross-site scripting and SQL injection vulnerabilities are very common and very difficult to eliminate from your code.

There are factors that argue for improved security in 2009, but the ones pointing in the other direction seem more compelling right now. At least business is good for those of us in the security industry, but I look forward to the day when their products are unnecessary.

Happy New Year, everyone.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.

For insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzer's blog Cheap Hack.






  Reader Comments: Security In 2009
>>> Post your comment now!
2009 - The year for Privacy
Now that the long-standing DNS problems have been brought into view, and it is clear that the band-aid wars of malware fortress defense are...
Posted At: 12-28-08
By: George Sidman
Uh, no.
Sure, lets take out scripts, AJAX, plug-ins, Flash. Why stop there? Let's take out graphics and all go to the Lynx browser base! Web...
Posted At: 12-27-08
By: Jacko
A user comment on this article
The solution is simple. Don't architect your site to run code at the browser/client...run everything server-side where things can be better...
Posted At: 12-26-08
By: Anonymous
Security in 2009
Hi, I'm Larry Seltzer. Are you looking for things to get more or less secure in 2009?
Posted At: 12-26-08
By: Larry Seltzer
>>> Post your comment now!
 

 
 
>>> More Network Security & Hardware Articles          >>> More By Larry Seltzer
 


x}ks㶲*Q3CO#Mɶ<43R$$1HO/Oon|AI~Ldl@_h4?y$sW7-gH.\sjS;v͞O Y%Twއ{ F(ˑԫ1mHnwݶN-gP'^> \?g3Q;Y|wn'dYǝg3 (ƻf {iZgo-vu`3qI:V@h ɠæFq!_Cp`aFSKW<{mE郕4`‰EU}$V{"?Zu$uyX6&ZhCA+teP9=yi]o:}MN[w:SO+Hok*}k p6O{:$?mrG=.iT%5᧓qUxy$Y)I{qN z[(-t[9K2}!zC{-? ,_ f kķLJ3a1":ur%ͪ5V z[QĿ E/<@'LZw1P3Z$j923=Pr5&Sk~$M]sƚb.L2o)=m̗U/d`(AK/g 5z:]R$y3DDȝ g/3/r.#}th8yWҽTWws iغT09;>].7+De,,Ⱥ s5ͷwfz;\gX?m6'sվEi|hUbyƆƇj9",$uuTSt*t ޯ}5"o+ rϏLf[ԑpl uu~{>NS}<9cjZq;Ni|Q}ѦޣR?YiuI;0i}{ݣn]>'tjIXŞ*LSRi`IkA 6]LR}>t)qPhQ0<szL,1σ5Yҽڗ? @6=xBe^~} ̢1O[>=`t &QsjPB&ԁ!~9.b&;Ax""D%  h4AGEENf@@ww$]I+Tbz"ҦBICvn KŔ=*%nqR%a 3ʬ$&vφa,[LboD6], S m-Mus6 z`ơǝ3yjeQ#U^ğ/;*XF0-/Bw GLx}GEQa ^o=2,XhqOCVs{D[q3ԛm)M}P{d` ɚ)-ThWfS&ᠺ4Sy%2{B[ aSsUedKeܳ%]?P%зJN/ $50J%g; A&rG|增5 Jx0?3\eDfkuҚJJ2$,4)’pdrK=ݼ^`";hqJNbB#@)zQ=/ORd-xhV+mH_T.L\[Kž 2W}+aԥ / EA n:dZG6XE4~hN/a2*)4Ft:{j ,j&;_&TY?>2ai[z#k[)ZPbY;L`beQӿR&a+\ڨOaOcwAsm0Hg't Φ)نhp'#׏pBae.֣BSD3T&&x#e\46(V,'`#z Cҵg㉥; ¢s\\Sˆ=~l4^7#V!0\ |D30`,eV!OFm1WZcYdX.)Uq?K~6=2eX]2Xrm٘Autn\HҘL!ȅL瀛*,Z}-g! c$Dk_(+ `k受^ԧ^ˬ B5w.Bāԇhpu-Tn\whSIBn@mDq" ֚p성 .c$}=0$ t`n̂_HE"}[+pp\U.(L0:Kr2b,XTB$Ƽ6tނbIt?a1:C5z_;=2dB4^Ef4{LRT j%FZYUKâZTP+ :?UFQHj {`/Pd4y͏ef/~Pz6큽ܮ[Ks3/'x/ F0h'0^ɒǖo|V_>^Hk )2)<ڗarUTՑn OGA.C{MAj[,@ ܠYaiO}Z,,Y~B)' _+1 "9k_R˶)SL @(8g܎:z>- (W` N-0Ǩi 06j-dpMU*Ղʾ_IWc7g!h"RkFF:FOtΈ+6RNT8ɯ@ q>:(TX7emE{^ac7U[o&F)'[WNj&hTJ$}&Mnj^[t̷ p]oR~QB<Z\#h z}#}x%8r jĀİh{~UM+%u2YhSIpg#HٚIκVs t,On?yRL߼Ap5xb==#ݸNYrLWOASB9^% sK\7b Z n!VɵFf7&IE{EY(,.EMP*jIIz$pevd iW&{ \x&\_{SƋbo)Q^~TW".)wD<7ϰb}Nbu4PG }´WՄθ ā2O? -$ڎu6fŲ}A>0Tlʪ+> tVB 'I#CFtwE4qyh7(jMI@h# ;wk~ʞnUR#ɴ/VVJrȅe0F\0R,W1<ʢ'r]N6._-Java *s>P|kɷonjCSXp| ^?Kd{e$ $"zR=.=2a7ZPfW3991u/x{qiwozUݷ K -$P) WAhx/n00<Šq ,Jaw~itHAcԧˮtڸh9A&=~?<o!9k>u {4ycq À>*.O: C۟.OECj gyn:dF&{vB,H oIzq>s'^Y{{89i]~;li7 `yBr+Gn}!\4?.ŗtk~.R1nJd.G!=qpyңe8*Dyq|ly\1amF 'L_>80&s)b@ űOלX0z.ӱBZMUc | ʢl+8w<`?WX* 5?̄o }CAJy(@R`OH%[&#NZƗ0wZfp=o7"BtX 1u}Ec)%Q\(k4yܾnpsl}F/NdNfR-[N7c+d$?^/8 ݃͟Ţ*VRǭNZI| ׉ NV~9or_4CppF0xc|o}A\jn^eԉ(%4 \ {6-~0 c`a(!L$-z`eQnKlx0f9RLɔ&'.Op|Lh+'IZV6X(4%!44AҌObCYB*#7' ҹj\npVPto6_xvImK$cΖ(ė4 y) |8RB[(5*VZRZ-VVyʏhA: 3eZ& 3/wг^ǎZ{yr@gq?Ilظ2U(SXrw;{eB s~ݞCO6rw H-Н>5?y{h o&=)dzI3'伅q+݋N^S{20 }?I+I㆟isP>OhvdLC!I ɫח}ʜ9%#+x|42(oP2Q^:pG¤scmf<ݸ1rfwao]|] {~ ]ݣPIݣw);~=Ғ(r۝ZD ܎q5Q4{qI9.t}?s`\TzH^8؈ڽ]cg[D:*pCLtOyc Z~‡i4&KMx<79wB#AVާA#<Mm)H.v` k $T`\]]w71&P)<A~F<v4);˷xZ}in3d⫆܆~@F' ZYXW+"?_c#ޚU^?2%;lߔƂ1f̙ʈ1WcR__R;Mo,)?Bsh3[aG0^="t(u߂Kd[OgFN- yu2kj)DI-/F {_pKݮ;!xfrhQ~@QQ!%KlySP|[0"iأ>[qmO rxbYNlVھ/Gh*ܢcO`1N"%#l<>#6qL1zlARZ~I5|k:ĵ`OY anã/?+^Ƽ]Y}6(E |~>=@0fH<Yt՟rt n7^ďz6C&ˈ> }j-NPVQb)E @[NdmCAŤR0!R^9F K q%U;:E;p=Ք*jUjQ$l?"o`,xB=;BL=;B؞\5eSr->;|H]tj9mfO.;q| Gċ{ ֌2Aj+R_zO3V#%Cm08~ D4(M rU-dPHGڝ-ƀn ]X ԟK kú+uK-7FLbo,CHDZuhXT [QSURʒVڔ*OM4EZb S_4I15AΩ)|H0tլuf-[@tF*Z Q _9>=Bx"XHµS`_X J>>>>o.K}±z~S wA0(D%]U:n$1|W_D'}"Bf-LM!վ6~ pnH sQf ' Ba&>-g&I#IB{q6((C/ω 7!=P)l#ӗ򾑸9Z0$'$2R( r{ d͑cS[ۥhtpv6DŽiE(= X>lz B$DA# BB5GqP /oHsXc)Lj0+Q[;E.c@ʵ|a+}[Ϧ58?ҽw}D B~=4蚣'a @6gsR$tAuG4oi_ _ =n7i}} <b MV%漾N-0CDptPK7 jJ%RX? bv%Z$D8$" &AF<^!=====TVʯ|Tѝtϩ }%:@Zx^9pPFR_Q>Hr1N 皊Z}O<@}I%0q80hR OZ< ,ÏFpVn" @6s9XO;FN+4:b.s xI$ 8pՔSrE&Yo팋u$Q~Gq:G|SW+k赃9P%`-nO1nKWԝ ,İM}suI HCĐT"{}7G*BJqفNqk˿%w)1+: L2BHhy G=coZ[:̔7e\H7Ԕέ[F_WDpUbp,XA_<Q˭^ߪJT$<ǝu;%WZu'ŵvEvnRzJxKܱ;bL]MY/~U֚˰2ݶ^Pj/rRe3u8]OIE2?B(5967oIHvjmen&kk3"{A-[o&6௶aulay)^/{dȪhֲƑ=:vBY,%eeGbr,Kȉu3ugzlïNBif%e։IV(H_Tjcƚe< Lm~ol$@=>ySb>8X@O~{0Kפ{st:bk;2(PTG">k~~i/m~! v6ji<`2v^ö뿓$yImz`' )/A1E l@.h ߐ]LۍY˜oIΏuO}2}=,eS #ٿggi=2݀l*k+H崍9T7F _@ghF!Opl J]yDJZ' 3,M?C"leFͦnl1i#:&MC؟,G~RJ~q'd'NpNxL)(|ߢ}dŤ d~4,8|D?SM=1w۞> ,V8E<$+96i[_bJbfiA i!Fv!Տ;Kb+nJ7{F$qfKjj5>%^ CiBakjrF-?x$ǍE/,]^|m~8.2dR /(_7X&W ۜsj61R>&sjxVQ國|?98^YR z~dtOƄ GWe:-0 j"h+ JD xuOkp7^6U3#6j=!vӚ pnm;bwk+mLxY8OH_q=o7ݞA47:Rzs;˜'7ƈ'E[TvXj_ 1'6d(nzC.̷d1-^`ηv鮦ec `8Q vL ^Rc$WV c ,6{<:A1rB vl"m7\%pKp|1=O-h<#ԹF P#SC7,6M$Aeu߃5T?0Խ' )0kКX7('J 7 ݲYn=Њϯ>Co{I c rt7e\S[ C8zG_ 6d^ZgZA!G)<_>xI2K= o~{@\r 8rz, E|tz['e}H?Km1@hb#3!F𮖐0\M:'͛ym^w*>'3wB"#x׋=c{c]\u g} `r~zSc~3~P.+JAW1F) wCy–3\v#Z؟ܰJ7O7t$rkqCL9!ˎ0Qݺ ?1>@L-FaIAX#hBGH[~s3uø6' 45A!^C. Q?ÇqbZŘ!b`2^r {j"ic2)0P݆RǠ{Qn]16FiŷN(l8*wxc||>+$ԣD*t]\P"@H>Q|XP؟?pk2$TJTmn$>9,a4`M\Xg- .E.[q0ݏpWI|۴?Lk;Λ]-AG,G7=Tg0Y0غ9P~3dd ͠_?}}ʠP99c|3w7Y@7{dwAI]'Iz|ָ…)QFy)W?ʠRE৬rXB]fCy<++PA/Ү3 ث < ?3_u2 ̭L_[WBX\jzr+g^6Ǻe4v+iAư/^bϽ s^楽I< xEW4<< X1rnmŚ/J̙YmcLkhžȾ7`T7#%Yܻ Gz‰n(sҷe&mS?`lG9Fɫ.v빸)nדwpK` K=M̀ڎvڝGfzuieP}vdmoCdy^$Mz>yP[4יq%CޢD)Fy5ެ37>RqFPcNu= !y:q>,`|k&-\ʠaC7aoYb J;c`\;o=2gji }by0\9 hw ,j|SUݡQWˡB~2RV@Dȅ>I&D|&߼)=tOu T/ADZel#q1(|S˸ [2FdX jXJr 9o;9_X$ǖd̻#KzUx/ C4t'/.z"0~.6*+uӆ`/N=Xv;nפ`Hy{]3F2wwE=Quhcоx^Q4Hl7cB诿aXk'J7Bg-1_ű:~ o݆+@xP3xO\B.}uK6da`ﲮnG)\+Dœj@@rƶねo<|vk/c3vAz!_BҐD6B?Lt35?u l71-d;z$[מ;!fIg惙"G ?[>KGJLƎ$z ߂93t^]ɡgqt{1WO_ Sx"3Up& i#:4!zE½_ r:'쭰F |m+n]1RNFguE:ĭHz}#Km^Շ(z1̸IϐR K)%)N匾]#|F MPL\>M=/k"6pΆl'/Q۝`Nm& ”smq4:ۭRR}x/ē_| +R1=zH|c,XoD Ǩ9>&-^Πob/;y,s7eEQ&PL–c#U%$yHRjR'9"Ź oPmBwK{ ,AR6Vw>cc? `vwj9c˖1 Mm+#8C>ܸmQ޺׸6Vx}ҀIHL/c<9zAn0$ /1-i[%:Ɛ/9-)0p,\ftO 6A|eKo{7[z졗iK?OJ B OO]&\fTj_ƵѮ\TvlPP`ԙz$g0lB e ȑ(dyJf1Ϸ;<v; L取e(\v /-GJ^Q.t 7tlib @J\@> m73Tt` GYe`+v 8u vKѲ f7"֐0ޏq۷Pl@xSb \b壊˶1E9b\ ѨpCTؖEGd3^mGgyeDmY>mЍO|3'cgb@xϖOέ{~kC'>|uxur 2^:FB^òLj3m-g^^kta( aavXY;PE"1ԙ`:(G=zk|XKzTMkÔ{y0ѕD1F(M,1,@= փ LW{څGQy6;|,]bV"Nd׊rI)9)*R L0MÄr}"5roq-yeיH pKg8 g!0X^Xȩȩ(v}_\%hw2b5Šb SiA0}Uu!Y/uM+_O1dF-<#@5̚J"4&o)FҢpL\岞+jaKmw9n~;1{6J܆mJf_UN9KIK^iXNƇNc>tgLt )2)v}ml-c6C-;+