Home > Punditry, Risk Management, Security Predictions, Virtualization, Web Application Security > 2008 Security Predictions — They’re Like Elbows…

2008 Security Predictions — They’re Like Elbows…

Carnacangled_2
Yup.  Security predictions are like elbows.  Most everyone’s got at least two, they’re usually ignored unless rubbed the wrong way but when used appropriately, can be devastating in a cage match…

So, in the spirit of, well, keeping up with the Jones’, I happily present you with Hoff’s 2008 Information (in)Security Predictions.  Most of them are feature attacks/attack vectors.  A couple are ooh-aah trends.  Most of them are sadly predictable.  I’ve tried to be more specific than "cybercrime will increase."

I’m really loathe do these, but being a futurist, the only comfort I can take is that nobody can tell me that I’m wrong today ;)

…and in the words of Carnac the Magnificent, "May the winds of the Sahara blow a desert scorpion up your turban…"

  1. Nasty Virtualization Hypervisor Compromise
    As the Hypervisor gets thinner, more of the guts will need to be exposed via API or shed to management and functionality-extending toolsets, expanding the attack surface with new vulnerabilities.  To wit, a Hypervisor-compromising malware will make it’s first in-the-wild appearance to not only produce an exploit, but obfuscate itself thanks to the magic of virtualization in the underlying chipsets.  Hang on to yer britches, the security vendor product marketing SpecOps Generals are going to scramble the fighters with a shock and awe campaign of epic "I told you so" & "AV isn’t dead, it’s just virtualized" proportions…Security "strategery" at it’s finest.

  2. Major Privacy Breach of a Social Networking Site
    With the broadening reach of application extensibility and Web2.0 functionality, we’ll see a major privacy breach via social network sites such as MySpace, LinkedIn or Facebook via the usual suspects (CSRF, XSS, etc.) and via host-based Malware that 0wns unsuspecting Millenials and utilizes the interconnectivity offered to turn these services into a "social botnet" platform with a wrath the likes of which only the ungoldly lovechild of Storm, Melissa, and Slammer could bring…

  3. Integrity Hack of a Major SaaS Vendor
    Expect a serious bit of sliminess to occur with real financial impact to occur from a SaaS vendor’s offering.  With professional cybercrime on the rise, the criminals will go not only where the money is, but also after the data that describes where that money is.  Since much of the security of the SaaS model counts on the integrity and not just the availability of the hosted service, a targeted attack which holds hostage the (non-portable) data and threatens its integrity could have devastating effects on the companies who rely on it.  SalesForce, anyone?
     
  4. Targeted eBanking Compromise with substantial financial losses
    Get ready for a nasty eBanking focused compromise that starts to unravel the consumer confidence in this convenient utility; not directly because of identity abuse (note I didn’t say identity theft) but because of the business model impact it will bring to the banks.   These types of direct attacks (beyond phishing) will start to push the limits of acceptable loss for the financial institutions and their insurers and will start to move the accountability/responsibility more heavily down to the eBanker.  A tiered service level will surface with greater functionality/higher transaction limits being offered with a trade-off of higher security/less convenience.  Same goes for credit/debit cards…priceless!
  5. A Major state-sponsored espionage and cyberAttack w/disruption of U.S. government function
    We saw some of the more noisy examples of low-level crack attacks via our Chinese friends recently, but given the proliferation of botnets, the inexcusably poor levels of security in government systems and network security, we’ll see a targeted attack against something significant.  It’ll be big.  It’ll be public.  It’ll bring new legislation…Isn’t there some little election happening soon?  This brings us to…
  6. Be-Afraid-A of a SCADA compromise…the lunatics are running the asylum!
    Remember that leaked DHS "turn your generator into a roman candle" video that circulated a couple of months ago?  Get ready to see the real thing on prime time news at 11.  We’ve got decades of legacy controls just waiting for the wrong guy to flip the right switch.  We just saw an "insider" of a major water utility do naughty things, imagine if someone really motivated popped some goofy pills and started playing Tetris with the power grid…imagine what all those little SCADA doodads are hooked to…
     
  7. A Major Global Service/Logistics/Transportation/Shipping/Supply-Chain Company will be compromised via targeted attack
    A service we take for granted like UPS, FedEx, or DHL will have their core supply chain/logistics systems interrupted causing the fragile underbelly of our global economic interconnectedness to show itself, warts and all.  Prepare for huge chargebacks on next day delivery when all those mofo’s don’t get their self-propelled, remote-controlled flying UFO’s delivered from Amazon.com.

  8. Mobile network attacks targeting mobile broadband
    So, you don’t use WiFi because it’s insecure, eh?  Instead, you fire up that Verizon EVDO card plugged into your laptop or tether to your mobile phone instead because it’s "secure."  Well, that’s going to be a problem next year.  Expect to see compromise of the RF you hold so dear as we all scramble to find that next piece of spectrum that has yet to be 0wn3d…Google’s 700Mhz spectrum, you say? Oh, wait…WiMax will save us all…
     
  9. My .txt file just 0wn3d me!  Is nothing sacred!?  Common file formats and protocols to cause continued unnatural acts
    PDF’s, Quicktime, .PPT, .DOC, .XLS.  If you can’t trust the sanctity of the file formats and protocols from Adobe, Apple and Microsoft, who can you trust!?  Expect to see more and more abuse of generic underlying software plumbing providing the conduit for exploit.  Vulnerabilities that aren’t fixed properly combined with a dependence on OS security functionality that’s only half baked is going to mean that the "Burros Gone Wild" video you’re watching on YouTube is going to make you itchy in more ways than one…

  10. Converged SensorNets
    In places like the UK, we’ve seen the massive deployment of CCTV monitoring of the populous.  In places like South Central L.A., we have ballistic geo-location and detection systems to track gunshots.  We’ve got GPS in phones.  In airports we have sniffers, RFID passport processing, biometrics and "Total Recall" nudie scanners.  The PoPo have license plate recognition.  Vegas has facial recognition systems.  Our borders have motion, heat and remote sensing pods.  start knitting this all together and you have massive SensorNets — all networked — and able to track you to military precision.  Pair that with GoogleMaps/Streets and I’ll be able to tell what color underwear you had on at the Checkout counter of your local Qwik-E-Mart when you bought that mocha slurpaccino last Tuesday…please don’t ask me how I know.

  11. Information Centric Security Phase One
    It should come as no surprise that focusing our efforts on the host and the network has led to the spectacular septic tank of security we have today.  We need to focus on content in context and set policies across platform and transport to dictate who, how, when, where, and why the creation, modification, consumption and destruction of data should occur.  In this first generation of DLP/CMF solutions (which are being integrated into the larger base of "Information" centric "assurance" solutions,) we’ve taken the first step along this journey.  What we’ll begin to see in 2008 is the information equivalent of the Mission Impossible self-destructing recording…only with a little more intelligence and less smoke.  Here come the DRM haters…
     
  12. The Attempted Coup to Return to Centralized Computing with the Paradox of Distributed Data
    Despite the fact that data is being distributed to the far reaches of the Universe, the wonders of economics combined with the utility of some well-timed technology is seeing IT & Security (encouraged by the bean counters) attempting to reel the genie back in the bottle and re-centralize the computing (desktop, server, application and storage) experience back into big boxes tucked safely away in some data center somewhere.  Funny thing is, with utility/grid computing and SaaS, the data center is but an abstraction, too.  Virtualization companies will become our dark overlords as they will control the very fabric of our digital lives…2008 is when we’ll really start to use the web as the platform for the delivery of all applications, served through streamed desktops on thinner and thinner clients.

So, that’s all I could come up with.  I don’t really have a formulaic empirical model like Stiennon.  I just have a Guiness and start complaining.  This is what I came up with.

In more ways than one, I hope I’m terribly wrong on most of these.

/Hoff

[Edit: Please see my follow-on post titled "And Now Some Useful 2008 Information Survivability Predictions" which speak to some interesting less gloomy things I predict to happen in 2008]

  1. December 4th, 2007 at 10:34 | #1

    These are fun, but way too "optimistic" – i.e. too bad for the world and "good" for security industry :-)

  2. December 4th, 2007 at 11:06 | #2

    HA! That's a funny perspective, but I think you're right.
    Unfortunately, I bet I hit 60% or better…I hereby wager a beer on it.
    There, see, I'm being optimistically pessimistic in a realistic way ;)
    /Hoff

  3. December 4th, 2007 at 15:34 | #3

    Oh, how prophetic I am already…
    As I mentioned, I don't have an elaborate analyst's methodology like Stiennon alluded to using to make his predictions here: http://blogs.zdnet.com/threatchaos/?p=492
    …afterall, I'm just a simple country boy from the hills of New Zealand, but that didn't stop me from posting my predictions a day earlier that Stiennon and damned if his aren't really close to mine! http://blogs.zdnet.com/threatchaos/?p=496
    It just goes to show you, an idiot like me can make predictions with a beer, bad attitude and an overwhelming desire to seem more important than I really am ;)
    I'm going to open a 1-800 Psychic phone service now…
    /Hoff

  4. Jeff Thomas
    December 4th, 2007 at 15:45 | #4

    What am I thinking right now?
    No, it is not the Internet :)

  5. December 4th, 2007 at 15:49 | #5

    Argh. That was the single biggest assclown comment I
    ever made that I wished I had never said. Especially
    to you, El Jefe.
    It's a long story. All the rest of you need to know is that in a fit of VPN/Load balancing troubleshooting frustration, I made a total jackass out of myself and Jeff has never failed to remind me of that (righteously so.)
    …and now back to our regularly-scheduled programming…
    /Hoff

  6. December 5th, 2007 at 13:32 | #6

    I keep wondering myself about state-sponsored espionage impacting government operations. But every month that goes by, things get a little more robust, hardened, or at the very least more resilient with redundant systems and nets. Will we see government affected like a Slammer worm incident? Will it be in the best interest of such naughty states to use those holes they have and shove their thumb in? Or keep as quiet as possible and siphon more information and expand influence?
    That's kind of part of the criminality these days that separates the mischievous threats from 10 years ago. Rather than make a big wide-reaching mess that hits the headlines, attackers seem to want to milk their claims quietly.
    Now, what about real terrorist attacks or simple mistakes? Oops, Thailand's red teams accidentally targeted their botnet against a major US department and locked it up for a few days.

  1. No trackbacks yet.