Security in 2009

It's meta-prediction time. I took the most interesting of the predictions that were pitched to me, and they don't paint a pretty picture of the year ahead.

Every December I get a lot of pitches from vendors, analysts and other security types with predictions for the next year. This year I've decided to go through them and pick out the ones that made an impression on me. Many of the ones I don't list here, like "spam will increase," are either too obvious to bother with or just plain uninteresting.

MessageLabs has its own predictions, including the emergence of malware as a service. It's true that malware stays ahead of anti-malware solutions by churning out a high volume of variations. MAAS would attempt to serve the market need for malware distributors to keep their volume and variability up to standards by allowing them to order up malware to desired specifications and have it delivered automatically. There could be some problems keeping such a service up and running, as it couldn't exist at a well-known address for long, but there are ways around that.

It's somewhat self-serving, but Fortinet predicts that tightening budgets because of the economy will inspire a "bang for the buck" trend, leading inexorably to UTM (unified threat management) devices. Oh, what a coincidence! This is the business they are in! I would dismiss this for the obviousness of the marketing, but I think there may be something to it. Saving money will be a compelling argument in the next year or two. (Whether Fortinet UTM boxes are the best way to save money is another matter.)

MessageLabs had a second prediction that impressed me, that of an increase in "reputation hijacking," in particular as a result of increases in exploits of problems in the DNS. Sadly, this makes all too much sense. Malware such as DNS Changer pushes malicious DNS servers onto users, and then who knows where they are going when they type in "" or some other such site. Last year we had the coordinated response to the Kaminsky DNS bug, but 2009 could well be the year of the unstoppable DNS vulnerability.

Many companies (such as ScanSafe) predict a rise in targeted, customized attacks, and this too makes sense. There is a market for vulnerabilities as well as intelligence that can be put together by anyone, along with custom social engineering, to stage an attack that can get through both human and technological defenses. This sort of thing goes on all the time already, and there's money in it, so it makes sense that everyone involved would want to milk it dry.

2008 was the year that it became obvious that CAPTCHAs were not sufficiently strong to protect account signups. It's not an explosion of abuse yet, but it could be in 2009, as the attackers seem to be getting better faster than the defenses. The predictions were somewhat diverse on this point, with one predicting a "Return of the CAPTCHA" development, and more sophisticated versions turning the attackers back. I'll believe it when I see it.

VeriSign's iDefense predicts increased attacks on critical infrastructure such as power systems, specifically the SCADA (Supervisory Control and Data Acquisition) systems that operate them. Very scary stuff. There has been talk about this sort of thing for years, mostly since 9/11. Why would it increase in 2009? This part I'm not sure I understand.

Perhaps the answer is related to another prediction of iDefense's, that of cyber-warfare becoming more common, especially from groups aligned with Russia. This is the sort of activity we say around the actions against Estonia and Georgia, but there has been plenty of cyber-espionage reported from China, and it would not be surprising to see one of these groups perform an attack against critical infrastructure just to prove they can do it. Can they actually do it? It's one thing to DDOS the Web site for a bank or a small country's government, but another thing to take down a power plant. It could happen in the future, but I wouldn't predict 2009 on it.

Another common, and sensible, prediction is that site reputation will decrease in value as SQL injection and other such techniques allow more malicious content to be hosted on sites with "good" reputations. Cross-site scripting is another factor that figures prominently into this, and both cross-site scripting and SQL injection vulnerabilities are very common and very difficult to eliminate from your code.

There are factors that argue for improved security in 2009, but the ones pointing in the other direction seem more compelling right now. At least business is good for those of us in the security industry, but I look forward to the day when their products are unnecessary.

Happy New Year, everyone.

Security CenterEditor Larry Seltzer has worked in and written about the computer industry since 1983.

For insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzer's blog Cheap Hack.