Security Laboratory

Sec Lab: Predictions and Trends for Information, Computer and Network Security

This is an effort to chronicle what a number of really smart people believe the state of the information security industry to be, and where we are going. A lot of the emphasis is on security threats, but we also consider what is working and what good practice is. We hope you will be able to use this in your strategic planning and also as input for your security architecture.

Stephen Northcutt's favorite Security Predictions for 2008


By Stephen Northcutt
Version 1.1

This year, instead of making my own predictions, I would like to share my favorites from other pundits. And since we are past the first quarter, let's go check up on them!

However, first I want to add two more by SANS that were not yet released when I wrote my original piece.

Cyber Espionage Efforts By Well Resourced Organizations Looking To Extract Large Amounts of Data - Particularly Using Targeted Phishing
One of the biggest security stories of 2007 was disclosure in Congressional hearings and by senior DoD officials of massive penetration of federal agencies and defense contractors and theft of terabytes of data by the Chinese and other nation states. In 2008, despite intense scrutiny, these nation-state attacks will expand; more targets and increased sophistication will mean many successes for attackers. Economic espionage will be increasingly common as nation-states use cyber theft of data to gain economic advantage in multinational deals. The attack of choice involves targeted spear phishing with attachments, using well-researched social engineering methods to make the victim believe that an attachment comes from a trusted source, and using newly discovered Microsoft Office vulnerabilities and hiding techniques to circumvent virus checking.
--April 11 2008 Update:
This is on track; BusinessWeek just released a great story on this topic: "The U.S. government, and its sprawl of defense contractors, have been the victims of an unprecedented rash of similar cyber attacks over the last two years, say current and former U.S. government officials. 'It's espionage on a massive scale,' says Paul B. Kurtz, a former high-ranking national security official."[35]
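The prediction above turns on attachments that are not what they appear to be. As an added example (not code from the article or from SANS), here is a small Python triage routine that identifies an attachment's container from its leading bytes and compares that with what the extension claims, so a renamed executable or a macro-bearing document is held before a user opens it. The extension-to-container table, the flag wording and the sample attachments are all constructed for this example; the samples are not files from any real campaign.

```python
"""Triage a mail attachment by its content rather than its name.

Added example; not code from the SANS article. The spear-phishing payloads the
prediction describes arrive as Office documents, or as executables that only
look like documents, so the container is identified from its leading bytes and
compared with what the file extension claims.
"""
from __future__ import annotations

import io
import zipfile
from pathlib import PurePosixPath

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # binary .doc/.xls/.ppt (OLE compound file)
ZIP_MAGIC = b"PK\x03\x04"                         # .docx/.xlsx/.pptx are zip containers
RTF_MAGIC = b"{\\rt"
PE_MAGIC = b"MZ"                                  # Windows executable

EXECUTABLE_EXTS = ("exe", "scr", "pif", "com")
EXT_TO_TYPE = {  # assumed mapping of claimed extension -> container it should hold
    "doc": "ole2", "xls": "ole2", "ppt": "ole2",
    "docx": "ooxml", "xlsx": "ooxml", "pptx": "ooxml",
    "docm": "ooxml", "xlsm": "ooxml", "pptm": "ooxml",
    "rtf": "rtf",
    **{ext: "pe" for ext in EXECUTABLE_EXTS},
}


def zip_names(data: bytes) -> set[str] | None:
    """Member names of a zip blob, or None if it is not a readable zip."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return set(zf.namelist())
    except zipfile.BadZipFile:
        return None


def sniff(data: bytes) -> str:
    """Identify the container from content alone; the filename is never consulted."""
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    if data.startswith(PE_MAGIC):
        return "pe"
    if data.startswith(RTF_MAGIC):
        return "rtf"
    if data.startswith(ZIP_MAGIC):
        names = zip_names(data)
        if names is None:
            return "zip-damaged"
        return "ooxml" if "[Content_Types].xml" in names else "zip"
    return "unknown"


def has_vba(data: bytes) -> bool:
    """OOXML documents carry macros as <part>/vbaProject.bin inside the zip."""
    names = zip_names(data) if data.startswith(ZIP_MAGIC) else None
    return bool(names) and any(n.lower().endswith("vbaproject.bin") for n in names)


def triage(filename: str, data: bytes) -> dict:
    """Claimed vs actual container plus the reasons to hold the attachment."""
    exts = PurePosixPath(filename).name.lower().split(".")[1:]
    claimed = EXT_TO_TYPE.get(exts[-1], "unknown") if exts else "unknown"
    actual = sniff(data)
    flags: list[str] = []
    if actual == "pe":
        flags.append("executable content")
    if claimed != "unknown" and actual != claimed:
        flags.append(f"extension claims {claimed} but content is {actual}")
    if len(exts) >= 2 and exts[-1] in EXECUTABLE_EXTS and EXT_TO_TYPE.get(exts[-2]) not in (None, "pe"):
        flags.append("double extension: document name, executable extension")
    if actual == "ole2":
        flags.append("legacy binary Office container: open only in a sandbox")
    if has_vba(data):
        flags.append("contains VBA project (vbaProject.bin)")
    return {"filename": filename, "claimed": claimed, "actual": actual, "flags": flags}


def make_ooxml(with_vba: bool) -> bytes:
    """Minimal constructed OOXML zip; real documents have many more parts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


# Constructed attachments for the demonstration, not samples from any real campaign.
SAMPLES: dict[str, bytes] = {
    "budget.doc": OLE2_MAGIC + b"\x00" * 504,
    "agenda.docx": make_ooxml(with_vba=False),
    "memo.docm": make_ooxml(with_vba=True),
    "Agenda.doc.exe": PE_MAGIC + b"\x90" * 62,
    "invoice.doc": PE_MAGIC + b"\x90" * 62,
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        result = triage(name, blob)
        print(f"{name:16} claimed={result['claimed']:7} actual={result['actual']:7} {result['flags']}")
```

The check catches disguises (a PE named invoice.doc, a double extension, a macro project in a .docm), which is what defeats extension-based mail filters. It says nothing about whether a genuine binary Office document carries an exploit; that is a job for a scanner or a sandbox, which is why the legacy OLE2 container is flagged for inspection rather than passed.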


Supply Chain Attacks Infecting Consumer Devices (USB Thumb Drives, GPS Systems, Photo Frames, etc.) Distributed by Trusted Organizations
Retail outlets are increasingly becoming unwitting distributors of malware. Devices with USB connections and the CDs packaged with those devices sometimes contain malware that infect victims' computers and connect them into botnets. Even more targeted attacks using the same technique are starting to hit conference attendees who are given USB thumb drives and CDs that supposedly contain just the conference papers, but increasingly also contain malicious software.
--April 11 2008 Update: This is certainly going to prove true. Already, "Best Buy has sent notices to customers who purchased a certain Insignia brand digital photo frame because it spread malware when connected to a Windows PC."[36] And from the Internet Storm Center we read, "The basic story is that HP has optional 'floppy USB keys' for some of their Proliant servers. The 256 KB and 1 GB versions include a batch that also came with 'W32.Fakerecy' or 'W32.SillyFDC' designed to infect your machine if you insert them. The interesting note is that these keys seem only to be shipped for Proliant servers which could indicate an attempt to 'target' by the attackers or that they just hit some factory and got lucky. Either way, with the prolific trail of stories of USB devices shipping with malware pre-installed, it is now an attack vector that we need to be concerned about."[37]
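What a practitioner can do about vendor-shipped media is look at it before it reaches a machine that matters. As an added example (not code from the article, the ISC diary or either vendor), here is a Python script that mounts-and-inspects: it reads any autorun.inf on the media and reports what Windows AutoRun would launch and how the AutoPlay dialog has been dressed up, then takes a SHA-256 inventory of every file and diffs it against a manifest of what the supplier says shipped. The sample "conference key" it builds in a temporary directory is constructed here and is not taken from the Best Buy or HP incidents; the manifest format (relative path to hex digest) is an assumption of the example.

```python
"""Inspect vendor-shipped removable media before it goes near a production host.

Added example; not code from the SANS article or the ISC diary it quotes.
Two checks are made: what an autorun.inf on the media would make Windows
AutoRun/AutoPlay do on insertion, and a SHA-256 inventory of every file so
the media can be diffed against a manifest of what the supplier says shipped.
"""
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path

LAUNCH_KEYS = ("open", "shellexecute")     # run directly by AutoRun
DIALOG_KEYS = ("action", "icon", "label")  # only change what the AutoPlay dialog shows


def parse_autorun(mount: Path) -> dict[str, str]:
    """Return the [autorun] section of autorun.inf as lowercase key -> value ({} if none).

    Hand-rolled on purpose: configparser raises on the junk lines and repeated
    keys that autorun.inf files found on infected media often contain.
    """
    inf = next((p for p in mount.iterdir() if p.name.lower() == "autorun.inf"), None)
    if inf is None or not inf.is_file():
        return {}
    entries: dict[str, str] = {}
    in_autorun = False
    for raw in inf.read_text(encoding="latin-1").splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def inventory(mount: Path) -> dict[str, str]:
    """SHA-256 of every regular file under mount, keyed by relative POSIX path."""
    digests: dict[str, str] = {}
    for path in sorted(mount.rglob("*")):
        if path.is_file():
            h = hashlib.sha256()
            with path.open("rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 16), b""):
                    h.update(chunk)
            digests[path.relative_to(mount).as_posix()] = h.hexdigest()
    return digests


def check_media(mount: Path, manifest: dict[str, str] | None = None) -> list[str]:
    """Findings to read before trusting the media; an empty list means nothing stood out."""
    findings: list[str] = []
    entries = parse_autorun(mount)
    launches = {
        k: v for k, v in entries.items()
        if k in LAUNCH_KEYS or (k.startswith("shell\\") and k.endswith("\\command"))
    }
    for key, value in launches.items():
        # first token of the command, Windows separators normalised so the lookup works here
        target = value.split()[0].strip('"').replace("\\", "/") if value else ""
        state = "present" if target and (mount / target).is_file() else "missing"
        findings.append(f"autorun.inf {key}= launches {value!r} ({state} on media)")
    spoof = [k for k in DIALOG_KEYS if k in entries]
    if launches and spoof:
        findings.append(
            "autorun.inf sets " + ", ".join(spoof)
            + ": the AutoPlay dialog text and icon come from the media, not from Windows"
        )
    files = inventory(mount)
    if manifest is not None:
        for rel, digest in files.items():
            if rel not in manifest:
                findings.append(f"unexpected file: {rel}")
            elif manifest[rel] != digest:
                findings.append(f"hash mismatch: {rel}")
        for rel in manifest:
            if rel not in files:
                findings.append(f"missing file: {rel}")
    return findings


def build_sample() -> Path:
    """Constructed stand-in for a conference USB key (not a real artifact)."""
    root = Path(tempfile.mkdtemp(prefix="usbkey-"))
    (root / "autorun.inf").write_text(
        "[AutoRun]\n"
        "; looks like 'Open folder to view files', actually runs setup.exe\n"
        "open=setup.exe\n"
        "icon=%SystemRoot%\\system32\\SHELL32.dll,4\n"
        "action=Open folder to view files\n"
        "label=Conference Papers\n"
        "shell\\open\\command=setup.exe\n",
        encoding="latin-1",
    )
    (root / "setup.exe").write_bytes(b"MZ" + b"\x00" * 62)  # placeholder bytes, not a real PE
    (root / "papers").mkdir()
    (root / "papers" / "keynote.pdf").write_bytes(b"%PDF-1.4\n% constructed placeholder\n")
    return root


if __name__ == "__main__":
    key = build_sample()
    # manifest of what the organiser says is on the key: just the papers
    claimed = {"papers/keynote.pdf": inventory(key)["papers/keynote.pdf"]}
    for finding in check_media(key, claimed):
        print(finding)
```

Run it against a real key by passing its mount point to check_media instead of build_sample(). The autorun part matters most for the Windows XP era the article is written in; Microsoft later turned AutoRun off by default for non-optical media, but the manifest diff is the durable half: a device that arrives with files the supplier never listed is the supply-chain signal, whatever the launch mechanism.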

Tim Bajarin of PC Magazine predicts that smartphones will gain market share and become attack targets (check), that flash-based laptops will arrive (agree), and that botnets will target social networks as corporate use of them increases (oh yes). Most everything in the article is bound to happen, but the item that caught my eye concerns Apple:

"
Apple Will Gain Significant New Market Share.
This is not news, but we're now seeing much more interest in Apple products from mainstream consumers than we have in past years. This is partly due to the iPod and the iPhone. But another reason Apple is getting more consumer attention is that the Mac is perceived as easier to use and more integrated than anything in the PC environment.

Apple's worldwide market share in personal computers is somewhere between 4 and 7 percent, depending on the forecast. I would not be surprised if Apple gains a full 2 to 3 percent of new market share in 2008. Also, look for the traditional PC vendors to take Apple more seriously as a competitive threat."[1]

The timing of this is interesting: we just ran an article in NewsBites that said the Army was including Apple systems in order to be harder to attack.

US Military Starting to Integrate Macs Into Systems (December 21, 2007)
The US military is quietly starting to integrate Mac computers into its systems because they have a reputation for being targeted less often than Windows machines in cyber attacks. Increasing diversity of computer systems also makes them more stable. One problem with using Macs in the past is that they have not been compatible with the Common Access Card (CAC) system, which is widely used in the military. Software is being developed that should allow Macs to use CAC as soon as February 2008. Detractors point to the fact that Apple patched almost five times as many flaws in its software over the last year as did Microsoft for Windows, but others say that the number of fixes is an indication of attention to security.[2,3,4]

If you are not familiar with NewsBites, there is an editorial board that sometimes makes comments on the news stories, here are their comments:
  • [Editor's Note (Skoudis): Being a Macintosh user myself, I may be a bit biased here. Still, with that in the open, I'm happy to see a major organization recognize that there are security benefits to having some diversity among computing platforms. But, there are downsides as well. I hope the US Military is paying attention to patching their new fleet of Macs. There are fewer centralized enterprise patching solutions for Macs than for Windows, and most orgs aren't geared up for proper Mac patching, putting the burden on Mac-toting users themselves, a dangerous plan.
  • (Schultz): It is true that there is less virus- and spyware-related risk in Macs. As I have said before, however, the black hat community is increasingly targeting Macs. Additionally, as mentioned in this news item, the number of security-related flaws in Macs has been comparatively large. Thinking that simply using Macs translates to good security is thus extremely naive.
  • (Northcutt): I hope they are not depending on security by obscurity, as Pravda online and other sites are picking up the story: http://english.pravda.ru/news/science/21-12-2007/103092-Apple_inc-0]
I looked up Apple's stock: it began 2007 at about 80 and is now trading in the 200 range, if I read the charts correctly. And, to balance, I have included a link to a blog post that ponders the question, should you sell Apple and buy Google.[5]
--April 11 2008 Update: Apple's stock is running at 147.14 today, down 25% YTD according to Google Finance. All the news stories on Google Finance appear to be about iPods. Google trends indicates a slight upward trend. According to AppleInsider, "Apple snags 14 percent of US-based PC retail sales in February 2008."[29] Supposing this is true, stock down, sales up, buying stock in Apple would not be dumb assuming the company's fundamentals are sound. Anyway, so far this prediction is on track.


Tony Bradley's blog mentions Network Traffic Consolidation

"One of the big technologies of 2007 was the introduction of unified communications by both Microsoft and Cisco. The merging of all communications technologies into a single, unified system will continue into 2008. Aside from the whiz-bang, 'keep-up-with-the-Jones' aspect, there is a lot to be gained in terms of efficiency and productivity for organizations that leverage unified communications."[6]

Now the question here is, exactly what does this mean? If Tony means Everything over IP[7,8,9,10], I totally agree. According to Building Broadband Networks by Littman, it could mean pervasive use of ATM. I tried to do a search on Google, but most entries were pretty old and were mostly related to core switching technology. Anyway, we will keep our ears to the ground to see if this one comes true.
--April 11 2008 Update: Google trends shows a strong uptick possibly because it is a new buzzphrase. Nextpoint has a press release managing to get both unified and ubiquitous in the same sentence for their product.[30] I was just reading about Aruba's product. I'd say we are on track for this one as well.


Rational Security had one of the best set of predictions I found and I particularly focused on Information Centric Security Phase One

"It should come as no surprise that focusing our efforts on the host and the network has led to the spectacular septic tank of security we have today. We need to focus on content in context and set policies across platform and transport to dictate who, how, when, where, and why the creation, modification, consumption and destruction of data should occur. In this first generation of DLP/CMF solutions (which are being integrated into the larger base of 'Information' centric 'assurance' solutions,) we've taken the first step along this journey. What we'll begin to see in 2008 is the information equivalent of the Mission Impossible self-destructing recording...only with a little more intelligence and less smoke. Here come the DRM haters."[12]
--April 11 2008 Update: Two days ago, in a keynote at RSA, Thompson, chairman and CEO of Symantec, said "It's time for the industry to move away from protection of infrastructure and toward an 'information-centric' security model."[31] I think this is a sure-fire winner for 2008. For one thing, the move to comply with the rules of discovery has caused organizations to survey what information they have, which is a first step in information-centric security.


Websense starts with a zinger, the Olympics

"Event-based attacks and scams are popular, and with the whole world watching, the 2008 Olympics may fuel a surge in cyberattacks. As the Olympic torch burns, Websense researchers predict the possibility of large scale denial-of-service (DoS) attacks on Beijing Olympic-related sites as political statements and fraud attempts through email and the Web surrounding the Olympics. Additionally, Websense predicts compromises of popular Olympic news or other sports sites -- attacks designed to install malicious code on end-users' machines and steal personal or confidential business information."[13]

Interesting! And entirely possible: in 2006, "A suspected hacker was being investigated by police on February 13 after allegedly threatening to attack the internal computer network of the Turin Olympics organizing committee."[14] And although it was not a hacker, protests from South Koreans over their skater being disqualified crashed an Olympic email server.[15]
--April 11 2008 Update: Tracking nicely to become reality. We all know the trouble the Olympic torch has had on what the Chinese government refers to as a journey of harmony; for instance, in Paris, "Despite a security cordon of 3,000 police, some on roller blades, activists protesting against China's crackdown in Tibet managed to disrupt seriously the latest leg of the torch's 85,000-mile journey from Olympia in Greece to Beijing, where the games take place in August."[32] It is certainly a hot topic on the YouTube marketplace of ideas.[33]


Richard Stiennon ties DDOS to terrorist activities
"Terrorist organizations bring out DDoS as a weapon against e-commerce and media sites that choose to display images of Mohamed. This actually first occurred in December 2006 but the site involved chose not to publicize the incident. Imagine what would happen if a site started selling plush toys bearing the names of various prophets? Watch for it in 2008."[16]

To be honest, I was not sure what the protocol on images was, so I found an excellent article on slate.com.[17] This blog post and research paper say the same thing, that it is not strictly prohibited.[18, 19] However, if you are being DDoS'd by 100,000 bots, that is hardly the point. I will point out that DDoS is expensive, and you risk your network by using them. On the other hand, the Storm worm continues to prove people will click on anything, so you can always replace your bots.
--April 11 2008 Update: There is still some discussion of this on the Internet, but I am bearish on this prediction.


BitDefender says Mobile devices will be a huge target

Mobile devices expected to be major target for cyber criminals. With increasing numbers of computer users conducting routine activities online, BitDefender expects to see on-going challenges in the security landscape. In its predictions for 2008, BitDefender, the antivirus and data security solutions specialist, highlights mobile malware, botnets, phishing and identity theft as the main threats.

"User behaviour has changed over the past two years," said Bogdan Dumitru, BitDefender's chief technology officer. "With the emergence of the online lifestyle, we believe we will see new threats resulting from online bill payment, stock trading, shopping, gaming and social networking. Traditional anti-virus and other security providers are focused on protecting computer applications, and while this is certainly still important, today's biggest threats - as well as the most prominent emerging threats - are targeted at the online lifestyle."[20]

I am not exactly sure how I got to a vendor press release from the first.org web site, but I watched a friend use her iPhone to check her stocks and make adjustments with her online brokerage the other day and remember thinking, whew that is scary. I know etrade has RSA tokens for online trading. Here is an article to get you thinking about the topic.[21, 22]
--April 11 2008 Update: This is tracking for success (though how could it fail?). CIO Magazine carried a story where, "One recent attack was a Trojan called WinCE/InfoJack that was aimed at Windows Mobile PocketPCs. Dave Marcus, security research and communications manager of McAfee Avert Labs, told us that WinCE/InfoJack was bundled with legitimate installation files such as Google Maps, games and stock-trading applications, and then distributed across a variety of Web sites."[34] On the other hand, my iPhone is still working!


Stephen Northcutt weighs in: even more paperwork will be devised by the clueless trying to help

I suppose it is not fair for me not to have some skin in the game, so here is my prediction for 2008/2009. You want to know who should be scared the most with respect to security in 2008? Trees! Because, the growing tendency I see is paper. Paper used in accreditation and certification, for FISMA, for Audit and Accountability Policy and class action lawsuits. The Chinese will continue to penetrate government and civilian sites collecting information by the terabyte and not a single sheet of security paperwork is going to stop them. For some reason, we seem to want to talk around security issues instead of doing security, unless something makes us. Here is a datapoint: SANS offers a great advanced course on reverse engineering malware, another on how to identify and remove malware, and if you believe convergence in network traffic is an important trend, then you want to understand VoIP so that you can handle everything over IP. Yet, you can take it to the bank that we will sell more of our CISSP test prep course than any of these critical topics. Don't get me wrong, it is great that people learn the terminology and concepts of security and the CISSP exam forces folks to do that, but it is more important that we actually do real security and that requires understanding packets and systems, not developing another paper process.
--April 11 2008 Update: I can't find data that allows me to claim I was right, but I am sticking to my guns!


In conclusion, from all of us at SANS.edu's Security Laboratory and Leadership Laboratory, a Happy New Year to all. And a special thanks to the pundits who went on record; it takes a lot of guts, because what you put on the Internet today will probably be around for a very long time. Let's close with a reminder of the danger of predicting! Computerworld, in 2003, writing about the future of information security:

Most experts are optimistic about the future security of the Internet and software. Between now and 2010, they say, vulnerabilities will flatten or decline, and so will security breaches. They believe software applications will get simpler and smaller, or at least they won't bloat the way they do now. And they think experience will provide a better handle on keeping the growing number of bad guys out of our collective business.[28]


Links 1-28 were visited on Dec 29, 2007; Links 29-37, April 15, 2008.
1. http://www.pcmag.com/article2/0,2704,2241563,00.asp
2. http://www.sans.org/newsletters/newsbites/newsbites.php?vol=9&issue=101
3. http://www.dispatch.com/live/content/local_news/stories/2007/12/21/clerkit.ART_ART_12-21-07_B1_OO8RDCG.html?sid=101
4. http://www.forbes.com/2007/12/20/apple-army-hackers-tech-security-cx_ag_1221armyprint.html
5. http://www.bloggingstocks.com/2007/12/27/should-you-sell-apple-and-buy-google/
6. http://www.tonybradley.com/?p=45
7. http://www.vonage.com/media/pdf/res_03_12_04.pdf
8. http://quello.msu.edu/events/Hoewing.pdf
9. http://user.it.uu.se/~pekka/ip-over-anything.pdf
10. http://www.computency.co.uk/010423.htm
11. http://www.sans.edu/resources/securitylab/321.php
12. http://rationalsecurity.typepad.com/blog/2007/12/2008-security-p.html
13. http://www.websense.com/securitylabs/blog/blog.php?BlogID=163
14. http://www.hearsay.com/wp-archives/2006/02/14/olympic-hacker/
15. http://sportsillustrated.cnn.com/olympics/2002/speed_skating/news/2002/02/21/south_korea_lawsuit_ap/
16. http://blogs.zdnet.com/threatchaos/?p=496
17. http://www.slate.com/id/2135670/
18. http://www.dynamist.com/weblog/archives/002055.html
19. http://www.newsback.com/forums/showpost.php?p=696&postcount=1
20. http://www.first.org/newsroom/globalsecurity/188747.html
21. https://us.etrade.com/e/t/jumppage/viewjumppage?PageName=secureid_enter
22. http://www.entrepreneur.com/tradejournals/article/168180769_2.html
23. http://www.auditaccountability.com/
24. http://www.sans.org/training/description.php?mid=54
25. http://www.sans.org/training/description.php?mid=922
26. http://www.sans.org/training/description.php?mid=917
27. http://www.sans.org/training/description.php?mid=66&
28. http://www.computerworld.com/printthis/2003/0,4814,88646,00.html
29. http://www.appleinsider.com/articles/08/03/17/apple_snags_14_percent_of_us_based_pc_retail_sales_in_february.html
30. http://www.emediawire.com/releases/Unified/Communications/prweb780614.htm
31. http://www.darkreading.com/document.asp?doc_id=150620&f_src=darkreading_informationweek
32. http://news.scotsman.com/world/Paris-protests-douse-Olympic-torch.3956627.jp
33. http://www.youtube.com/watch?v=7HR1koXXk6E
34. http://www.cio-today.com/story.xhtml?story_title=Malware_Attacks_Target_Mobile_Devices&story_id=023000SJTNAY
35. http://www.businessweek.com/magazine/content/08_16/b4080032218430.htm?chan=t
36. http://www.tgdaily.com/content/view/35753/108/
37. http://isc.sans.org/diary.html?storyid=4247&rss



Article updated December 31, 2008
There is more on security for the upcoming 2008 Olympic Games in Beijing:
http://www.news.com/China-finds-American-allies-for-security/2100-7348_3-6224200.html

For another viewpoint on Apple market share, Harry McCracken has released some interesting statistics on PCWorld.com visitors:
http://blogs.pcworld.com/techlog/archives/006130.html