The Tech Herald has had an enormous amount of email and blog post links from vendors offering their 2010 predictions. As a result, I’ll be listing them one or two a day until the end of the year, adding my thoughts to the mix. Continuing the series, the observations below come thanks to Michael Sutton, VP of security research at Zscaler.
Sutton starts hard, and says that Apple will get a wakeup call and be forced to climb the security learning curve.
“Apple has for some time been considered to have a safer operating system in OS X as it is less often targeted by attackers. While that may be true, it is less secure overall, and Apple's increasing market share will force them to finally invest in security due to increasing attacks targeted at Apple devices,” he said.
I have to agree with him on many levels, but I still maintain that criminals ultimately target users and the operating system is only an ends to a means. Yes, you target where the money is, and most victims are on Window’s systems, so naturally most of the Malware and targeted attacks are aimed at them. However, people are easy to fool, my fear is that not only is Sutton right, but Apple will be slow to act.
This isn’t a stab really, but some users on OS X fall for the marketing and swear they are immune from attack. They’re not. While it is comical to see the reactions as a Windows-based Rogue anti-Virus application tries and fails to infect a Mac user’s system, this should be a warning sign. Those attacks will always fail. OS X and Windows are two different environments.
However, launch a Phishing attack against a Mac user, or develop an exploit aimed at OS X, and the majority of Apple’s customers are no better protected than Windows users. The irony here is that it has already happened, but you’ll never see an “I’m a Mac” commercial based on this.
The second prediction coming from Sutton looks at all of those wonderful applications for your phone.
“App stores are all the rage, with every mobile vendor racing to replicate Apple's success. Generally, vendors stand guard and only let in the applications that they feel are appropriate. Consumers mistakenly believe that this ensures that only secure applications can be obtained but that is not the case. Security testing is limited at best with app developers already having success slipping in apps with undocumented APIs. Attackers will take things one step further and slip malicious apps in under the gate keeper's watch,” he commented.
Research has proven that the iPhone is vulnerable from a malicious application, so it isn’t a far stretch to see this on Android-based phones or Blackberry applications.
Sutton hits the Web with predictions three, four, and five. Commenting that Web-based Worms such as Samy and StalkDaily, were only the beginning, mostly experiments he said. However, that’s going to change in 2010. In addition, he covered platforms like Facebook, who offer users the ability to develop their own creations.
“Social Networking sites such as Facebook have gone beyond delivering dynamic applications welcoming user supplied content. They have now evolved into platforms inviting user supplied functionality, allowing virtually anyone to develop unique applications within their ecosystem. Attacker will take advantage of this to deploy malicious applications on social networks and the sites will struggle to identify and block them before deployment,” Sutton said.
However, his comments with the cloud are what hit home the most. “The cloud offers unprecedented storage and processing power at an attractive price. Think that's only attractive to enterprises? Think again.”
Again, we’ve seen Amazon used as a C&C, so the idea that criminals will use cloud-services just as fast as the average businessperson isn’t hard to imagine. Sutton also predicted that these cloud-based services, as they charge based on actual consumption, will be used in DDoS attacks, signaling 2010 as the year the financial DDoS will arrive.
The fact most cloud-based providers charge based on consumption, “…provides attackers with incentive to hold enterprises hostage by artificially inflating costs. Unfortunately, cloud providers have little incentive to stop this practice.”
I disagree with the last part of that. I can see criminals launching DDoS attacks on cloud-based services. However, I cannot imagine Amazon holding the business that is under attack responsible and forcing them to pay. Not when the cloud instance can be deactivated. If this happened, the bigger news wouldn’t be the DDoS. The news would likely center on the lawsuits that follow.
“My greatest hope for 2010 is that marketing departments will give the term 'cloud computing' a well deserved break. 2009 saw great interest in the development of cloud computing architectures and one must wonder how often security was sacrificed in order to get to market quickly. Expect attackers to devote time to poking holes in the APIs of cloud providers. When they're found, thanks to multi-tenant architectures, it will have been worth the effort,” Sutton said on his seventh prediction.
He’s right. Desktop and network security got better thanks to all the people who poke holes in the system and design. The same can be argued for cloud services.
If the term cloud computing gets a rest, then the terms next generation, game changing, and best in breed when referring to a security company and not a dog show need to go as well.
Sutton rounded out his final three predictions by noting that Clickjacking will return in force in 2010. He also predicted that the developers behind the most popular browsers will start to take Cross-Site Scripting (XSS) seriously. He complemented Microsoft on their anti-XSS features in Internet Explorer 8.
Finally, Sutton noted that his last prediction “is by far the easiest prediction to make.”
“As memory becomes cheaper and power becomes more expensive, enterprises are looking to consolidate data storage and continue to build massive data centers and develop ever larger data stores thanks to cloud computing. The volume of data that can be stolen when adequate security controls are not implemented will be truly staggering.”
What do you think? Did Sutton hit the mark? Comment and have your say. You can read the blog post here.
[This editorial is the opinion of Steve Ragan and not necessarily those of the staff on The Tech Herald or the Monsters and Critics (M&C) network. Comments can be left below or sent to [email protected]]