It’s that time of year again. As I prepare for my annual pilgrimage to the Great White North to visit family, I also turn my attention to the annual tradition of predicting the future. The beauty of the security industry is that it’s never boring. Technologies race forward (often without security) and attackers continue to impress with their ingenuity. 2010 was another fun filled year and 2011 is sure not to disappoint. Enjoy.
1. Political Hacktivism - In the wake of Julian Assange’s arrest, following an already dramatic series of events in the ongoing Wikileaks saga, we gained insight into the power of political hacktivism in the social networked era. Project Payback, the series of Distributed Denial of Service attacks stemming from the movement known as Anonymous, succeeded in temporarily disabling major web sites and did so with limited means and no centralized leadership structure. Anonymous is not a coordinated group, it has no membership list and anyone serving as a spokesperson or leader is likely doing so unilaterally. Project Payback emerged quite literally overnight, encouraged the use of relatively unsophisticated DDoS tools such as Low Orbit Ion Cannon (LOIC) and yet was surprisingly effective. Traditionally, small, well-coordinated groups have been behind efforts related to political hactvism. Now however, we find ourselves in an era where complete strangers can quickly organize, coordinate and attack, and do so with relative anonymity. Welcome to the world of flash mob hactivism. Expect others to be inspired by the attention garnered by Operation Payback and stage similar attacks against corporations or government entities that have received negative press attention.
2. SSL Only Sites - Firesheep opened many eyes to an elephant that has been in the room for many years. While web applications commonly leverage SSL to protect login credentials, most sites shy away from SSL for general traffic once authentication is complete. This is common for a variety of reasons such as performance and complexity, especially when sites tend to be a mashup of content hosted on a variety of different domains. Despite the challenges, Firesheep has forced web application owners to revisit the decision not to make sites SSL only, by brining side jacking to the masses - the ability to capture an authentication cookie and impersonate another user on an open network. With an increasingly mobile workforce accessing web based resources from coffee shops and airports, side jacking attacks are trivial. In 2011, expect a handful of major vendors to finally tackle this challenge head on and deploy SSL only websites.
3. Use and Abuse of the Cloud - In 2010, the Cloud Security Alliance (CSA) released the Top Threats to Cloud Computing. Included on that list of seven threats was the acknowledgement that attackers are drawn to the cloud for the same reasons as legitimate enterprises - low cost access to powerful computing resources. It is not uncommon to see botnet C&C servers or drop zones running on Amazon or Rackspace servers. This may occur due to legitimate hosts being infected or the attackers may purchase the services outright. The on-demand, self service nature of the cloud makes it difficult to prevent abuse up front, leaving cloud vendors to remove abusive accounts once complaints flood the help desk. For attackers that are used to quickly migrating servers as take downs occur, this is hardly a challenge, especially given the ease with which they can quickly spin up dozens of powerful instances at a low price (or free if stolen credit cards are involved). Expect the trend of cloud-hosted botnets to grow.
4. Indirect Data Breaches - 2010 is ending with a series of high profile data breaches including those affecting well known companies such as Gawker Media and McDonald’s (via Silverpop). One thing that we’ve learned from these attacks is that credential theft is not only used to attack the affected domain, but also other sites due to the common practice of sharing the same username/password across numerous sites. Historically, there has been concern that single sign on systems such as Facebook Connect, create an Achilles heel - compromise one database and have access to many. We’re learning that the opposite can be true as well - by forcing people to have multiple logins, they’ll simply repeat one over and over again and their security is then only as strong as the weakest link in that chain - a riskier overall proposition that having one secure authentication source. As media reports of data breaches at popular sites continue, I expect an increasing number of web applications to offer SSO capabilities from well known brands such as Facebook as an option, especially on lesser known sites.
5. Malvertising Goes Offline - Malvertising is a well-known technique, whereby attackers lease advertising space on popular websites in order to facilitate an attack. This may involve targeting a known browser based vulnerability by using the ad to deliver a malicious media file (ie. Flash or images), or it could simply be used to lure unsuspecting users to a secondary, malicious site. To date, malvertising has taken place on websites. However, mobile ad platforms such as iAd (Apple) and AdMob (Google) are emerging as powerful players in an effort to control mobile advertising on tablets and smartphones. Don’t expect attackers to ignore this powerful ability to reach an entirely new set of potential victims. Malvertising could be prevented if advertising networks and host sites better filtered third party content, but history has shown us that often fails to occur.
6. More App Store Abuse - In last year’s security predictions, I spoke about the likelihood that malicious content would make it’s way into mobile app stores. It did take long for that prediction to come true. Now some would argue that even a few malicious apps sneaking past an app store gatekeeper is better than standard process of downloading applications from anywhere on the web where there is little way to know if they’ve ever been scrutinized for security issues. While true, sneaking malicious content into an app store is an attractive prospect for an attacker as they’re able to piggyback on the reputation of the app store host (Apple, Google, RIM, etc.) and potentially infect millions without needing to do anything to generate traffic to the site. In 2011, we’ll see app stores go beyond mobile devices with initiatives such as Google’s Chrome Web Store and Apple’s Mac App Store. Yes, attackers are already salivating at the opportunity to infiltrate another ‘trusted’ app store.
7. Niche Malware - Stuxnet demonstrated that malware can successfully target not just PCs or mobile devices, but any IP connected device, in that particular case, SCADA systems. While, Stuxnet may have had some additional brain power behind the attack, it’s no secret that embedded, Internet connected servers have a spotty security record both due to the lack of scrutiny that they’re subjected to and a generally non-existent patch processes. Earlier this year, I blogged about how embedded web servers have left confidential documents on thousands of HP scanners accessible to anyone with a web browser. Today, anything with a power switch is connected to the Internet. I anticipate the growth of niche malware designed to attack or harvest information from these insecure and often completely unprotected devices.
8. Cloud Shared Technology Breach - Returning to the CSAs Top Threats report, another high risk item making the list relates to vulnerabilities in shared technologies underlying the infrastructure that cloud instances reside upon. For IAAS providers, that includes the hardware, operating system and virtualization technologies. While we move up the stack to include PaaS and SaaS vendors, additional middleware and application components are shared as well. While I don’t necessarily anticipate attacks leveraging a known vulnerability in a COTS component on the infrastructure for a large cloud vendor due to stringent patching practices; I do feel that a high profile breach at a lesser-known vendor, especially one in a custom component of shared technology is quite likely.
9. Social Networking Meets Social Engineering - Attacks on end users virtually always involve social engineering - a user must be convinced to visit a web page, open and attachment, etc. Spam email has valiantly served this purpose for many years, but just as everyday users are migrating away from email and toward social networks such as Facebook and Twitter for communication, so too are hackers. This is far from a bold prediction as attackers have been abusing social networks since they first came online. For example, XSS vulnerabilities on Twitter have been used to push malicious tweets, while likejacking has emerged on Facebook as a means of promoting malicious profiles. While leveraging social networks for evil is not new, I expect 2011 to be the year that social networks become the main communication medium for attackers, not just an alternate channel.
10. Device Agnostic Attacks – As mobile devices continue to gobble up an increasing percentage of bandwidth, attackers will shift to web based, device agnostic attacks. Attacks such as XSS and clickjacking, once seen as academic attacks that were experimented with but not widespread, are now increasingly commonplace. We have witnessed numerous web-based worms, especially on Twitter, thanks to a never-ending battle against XSS vulnerabilities or likejacking - a specific type of clickjacking, targeting Facebook profiles. Why the shift, when there are no shortage of Microsoft vulnerabilities? Whereas the Windows operating system has long dominated the desktop market, the mobile space is an entirely new environment from an attack perspective. Multiple operating systems have significant market share and numerous variants of each exist. As such, operating system vulnerabilities are of less value. Web based attacks however, require nothing more than a Javascript aware web browser – something that every web enabled device from smartphones to television sets now have.
See you next year.
- michael
