Who will find the first major security flaw in Windows Vista? Will it be released as zero-day? Is there an end in sight to the botnet menace? Is spam close to being canned? Just who are these criminals phishing for your credit card data?
Those are just a handful of the hot-button topics that will dominate the security news headlines in 2007—right alongside the never-ending debates on responsible disclosure, more “month-of-(pick a vendor/product)-bugs” projects and new research into offensive/defensive rootkits.
A bold prediction on spam
One of the most unlikely predictions for 2007 comes from SecureWorks malware researcher Joe Stewart: spammers will have to evolve and find new attack techniques if they intend to maintain their level of profitability.
Roughly translated, Stewart believes the massive surge in spam e-mail will taper off in 2007, unless spammers find new tricks to bypass a hardened Windows Vista and improvements to existing anti-spam technology and techniques.
In an entry on the SecureWorks blog, Stewart argued that Vista will force spammers to deliver payloads through social engineering attacks and even that might become more difficult in the future, with Microsoft venturing into the anti-virus and trusted computing arenas.
“Another factor which will have a huge impact is the release of the SpamHaus PBL blocklist, scheduled for release in December 2006,” Stewart added.
The PBL, or Policy Block List, is a database of IP address ranges that should not be sending mail “direct-to-mx” to other ISPs.
Stewart explained that spammers depend on these dial-up and DHCP-based broadband connections and, with the extensive reach of SpamHaus blocklists, widespread adoption of the PBL “will be very detrimental to spammers, as entire IP blocks where their zombie spam bots live will be unable to send mail to a large part of the Internet.”
He is quick to caution against declaring victory against spammers because, “theres simply too much money in the spam business.”
“They [spammers] will be forced to take one of two routes—send mail through the users ISP mail server or reach out to find static hosts that can be compromised for the purposes of sending mail,” he predicts, noting that the first method usually fails when an ISP gets wise to the amount of mail clogging the outbound mail server queue.
However, Stewart said the second method is harder to deal with because the compromised hosts are co-located and/or are virtual servers which are rented for the purpose of hosting business Web sites and mail servers.
Watch out Vista
Bulls-eye on Vista
Even as Vista is being held up as a standard-bearer for a secure Windows operating system, researchers and hackers interviewed by eWEEK caution against assumptions that attacks against Microsoft will go away.
For starters, Vista—both the enterprise and consumer markets—will remain low through 2007. Coupled with the mad scramble by hackers and vulnerability researchers to find code execution holes in the new OS, researchers believe its only a matter of time before Redmond is forced to start shipping regular monthly Vista security patches.
Dave Aitel, vulnerability researcher at Immunity, a Miami Beach, Fla. security consulting firm, said his company deliberately avoided testing Vista during the beta process and will hold off on full-scale pen tests until Vista wends its way into businesses.
Dave Goldsmith, president of New York-based Matasano, is curiously watching to see how Microsofts highly touted SDL (Security Development Lifecycle) holds up in Vista.
Goldsmiths team was hired by Microsoft to scour the Vista code for security defects and, although hes proud of the hardened nature of the OS, hes under no illusion that Vista is unbreakable.
In a podcast interview with eWEEK, Goldsmith said serious vulnerabilities will definitely be found in Vista but theres a sense of satisfaction in Redmond that the security model (UAC, ASLR, DEP, etc.) will blunt serious attacks.
Patching PatchGuard
Still, there are areas in Vista that have been—and will continue to be—defeated.
Alexander Czarnowski, chief executive of Avet, in Warsaw, Poland, predicts that 2007 will be the year that Microsofts PatchGuard kernel anti-tampering technology will be broken.
“It might get broken immediately but it might be a year before its made public,” Czarnowski said during a recent presentation at the Virus Bulletin conference. A security researcher associated with the Metasploit Project has already published an Uninformed.org essay that proposes several different techniques that could be used to bypass PatchGuard.
Authentium, a Palm Beach Gardens, Fla. security vendor has already introduced technology that bypasses PatchGuard without setting off the desktop alarms produced by the security feature.
Hackers and rootkit research gurus are hard at work looking at new techniques to bypass the controversial feature and 2007 could see Microsoft struggling to react to public announcements.
Monthly Bug Projects
Metasploits HD Moore started the trend in 2006 with “Month of Browser Bugs,” a research project meant to expose gaping holes in Web browsers. That was quickly followed by hacker LMHs “Month of Kernel Bugs,” and a short-lived threat to release Oracle zero-days.
Now comes word that 2007 will see another spate of monthly projects, targeting vendors with a history of antagonism towards security researchers.
“There will be a MOAB (Month of Apple Bugs),” mysterious European hacker LMH said in an interview with eWEEK. LMH is stockpiling crash dumps related to Apple software and plans to release them early in 2007 to expose what he describes as the “myth” that Apple is serious about security.
David Litchfield, managing partner at NGSS, based in Surrey, UK, will continue his dogged battle with Oracle, starting in January 2007 with the release of a new book titled “The Oracle Hackers Handbook.”
Litchfield promises an in depth examination of all the techniques and tools that hackers use to break into Oracle database servers.
Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Ryan Naraines eWEEK Security Watch blog.