Failed 2010 Security Predictions

Failed Security Predictions from 2010

As most of us return from attempts to relax over the holiday season, various self-proclaimed information security experts scramble to do press interviews and write blog posts with their predictions on what to expect from the next twelve months in security. In a tongue-in-cheek Twitter post, security luminary and privacy expert Adam Shostack mused “My 2011 security prediction: 75% of predictions from people who offered predictions last year won't start with a review of how they did.”

So, before we make some predictions of our own (hey, everyone is doing it), let’s review some of the more misguided and wrong predictions made by others this time last year. As I used Bing.com to search for last year’s predictions I quickly realized that not many “visionaries” were willing to go out on a limb and predict anything that wasn’t already obvious. So, for those who did make this list of completely off-base and wrong predictions for the last twelve months, we applaud your bravery in going on the record with some truly ambitious predictions.

Taking the first two spots on our list is borderline charlatan and master of fear, uncertainty, and doubt, Verizon Business’s very own overpaid mailing list moderator, Russ Cooper:

http://securityblog.verizonbusiness.com/2009/12/15/2010-security-predictions/

1.) Russ Cooper: “Social Media operators will gain more control over attackers”
This prediction directly contradicted pretty much everyone else who made predictions for 2010. In fact, attacks via social networking sites clearly increased during 2010, and we have seen everything from malicious embedded ads and malicious applications to the standard social engineering attacks. While social networking sites attempt to improve both security and privacy, they have not taken more control over attackers, and we have seen only the tip of the iceberg of how social networking can be leveraged in an attack.

2.) Russ Cooper: “Malware will not evolve”
I have two words for Russ on this prediction: Aurora and Stuxnet. Aurora paired a fresh Internet Explorer zero-day with carefully targeted lures against Google and other companies, and Stuxnet combined multiple Windows zero-days, drivers signed with stolen certificates, and a payload aimed at Siemens PLCs; Conficker had already shown in 2009 how quickly a worm family iterates its update and evasion mechanisms. Malware did in fact evolve and will continue to evolve. Those who want to make safe predictions can safely say that in 2011 malware will continue to evolve as protection against it also evolves. Malware protection has always been and will continue to be an arms race.

Next on our list we have a couple of predictions from a Network World article written by Andreas M. Antonopoulos.

http://www.networkworld.com/columnists/2009/121609antonopoulos.html

3.) Andreas M. Antonopoulos: “Self-propagating mobile phone worms and Trojans. Mobile security will get slightly worse as the proliferation of applications and smart devices broadens the attack surface. While we've seen worms on iPhone, they have not been self-propagating, depending on PCs to spread. Expect to see true self-propagating threats on iPhone and Android systems in 2010”

I suppose that this prediction is partially correct. Mobile and “smart” devices grew in 2010; Android devices in particular exploded onto the scene. That said, we still have not seen a large number of attacks, malware, worms, or Trojans aimed at them. I do think this prediction will eventually come true, as it is the obvious and natural evolution of threats.

Number four on our list is also from Andreas M. Antonopoulos and is very amusing and probably needs very little commentary to explain why it was completely incorrect.

4.) Andreas M. Antonopoulos: “The Transportation Security Administration stops wasting billions of dollars in traveller delays by confiscating water bottles and removing shoes. Instead it focuses on real threats based on rational risk assessment, not security theater based on movie-plots (hat-tip Bruce Schneier). OK, unlikely, but I can dream, can't I?”
At least in this case the writer identified that they were in fact dreaming with this prediction, and I suppose we can respect the wishful thinking.

Halfway through our list of failed security predictions for 2010, at numbers five, six, and seven, we have the analysts from Forrester Research.

http://biztech2.in.com/opinions/data-security/forresters-data-security-predictions-for-2010/72592/0

5.) Forrester: “In spite of the worldwide scope of botnets, we anticipate even more successes in the fight against all forms of cybercrime in 2010.”
I think all of us honestly wish this prediction had come true, and while there were some wins for law enforcement in the fight against “cybercrime” (the Mariposa and Bredolab botnet takedowns, the Zeus money-mule arrests), I think many would hardly consider 2010 a success.

6.) Forrester: “Full disk encryption will continue its steady march into the enterprise, spurred on by breach disclosure laws”
While some of the more advanced enterprises may have implemented, or at least considered, full disk encryption, 2010 did not bring additional disclosure laws. Note that others who did not make this list did in fact predict more laws hitting the books in 2010, and there is no evidence of full disk encryption making any kind of march into the enterprise.

7.) Forrester: “Cloud data security concerns will begin to dissipate”
Much like the other Forrester predictions, I am sure many of us wish this one had come true as well, but, sadly, 2010 brought multiple examples of why we should continue to be concerned about the security of the cloud and of data stored in it.

Coming in at number eight we have Tripwire, whom I almost ignored because it was painfully obvious that all of their predictions were aligned with their product offering and corporate messaging. This is of course a dangerous thing to do, especially in this case, where they were clearly dead wrong. They had others that were off base as well, but those were also very clear attempts at peddling products and will not make the list.

http://www.net-security.org/secworld.php?id=8647

8.) Tripwire: “Despite the hype of increased social networking threats, misconfigured ‘stuff’ (ie, servers, firewalls, laptops, etc) will be the real threat for companies to watch out for”
Obviously, misconfigured devices are a threat to an organization’s security, but threats via social networking were in the spotlight for 2010 and will probably only get worse in 2011.

Finishing off the list at numbers nine and ten we have predictions from Symantec and iDefense, two companies that sell “Security Intelligence” and must have run out of it by the end of 2010, because these two predictions are clearly lacking.

http://www.symantec.com/connect/blogs/worst-yet-come-symantec-s-2010-security-predictions

9.) Symantec: “Mac and Mobile Malware Will Increase – The number of attacks designed to exploit a certain operating system or platform is directly related to that platform’s market share, as malware authors are out to make money and always want the biggest bang for their buck. In 2009, we saw Macs and smartphones targeted more by malware authors, for example the Sexy Space botnet aimed at the Symbian mobile device operating system and the OSX.Iservice Trojan targeting Mac users. As Mac and smartphones continue to increase in popularity in 2010, more attackers will devote time to creating malware to exploit these devices.”
This prediction is almost a duplicate of our third item on this list but is worth mentioning, because Symantec went as far as to expand from mobile devices to Apple Macs. While it is very obvious that Apple’s “we are more secure” ad campaign was nothing more than creative marketing and nowhere near reality, we still have not seen the predicted increase in OS X malware. Yes, we have seen some samples both in the lab and in the wild, but there was not a clear increase that justifies calling this out as a threat to worry about. Will it happen eventually? Maybe, but not yet.

http://blogs.verisign.com/idefense/2009/12/2010-prognostications.html

10.) iDefense: “There will be more Windows 7 vulnerabilities in 2010 than all of the Windows Vista vulnerabilities discovered in the three years since its release.”
I am truly at a loss to explain how a company that sells an intelligence service and purchases zero-day vulnerabilities could come up with such a ridiculous prediction. A quick and non-scientific search of OSVDB (www.osvdb.org) for all Windows Vista vulnerabilities from January 2007 until December 2010 yields eighty-four (84) results, while a search for Windows 7 over the same period yields thirty-seven (37). Granted, this does not include any reported and yet-to-be-fixed vulnerabilities, but, clearly, this prediction was off the mark.

Now that we have spent almost 1400 words poking fun at others we will stop. Our predictions for 2011 will be in a separate post coming soon.

Stuxnet Speculation Jumps the Shark

One of the lessons I remember best from my early security career with Uncle Sam was the maxim: “crawl, don’t jump to conclusions.” Having now read various botanical, historical and religious analyses of how the word “myrtus”, in the build path of a PDB file, clearly indicates that the Israelis are responsible for the Stuxnet worm, I have to conclude that this story has officially jumped the shark.

Here’s what the string in question looks like in ASCII:

b:\myrtus\src\objfre_w2k_x86\i386\guava.pdb

I had a bunch of SCADA security experience back in the day, specifically with WinCC, so this path looked strangely familiar. What if we take the mystical word “myrtus” and write it the way it would appear in a GUI: “My RTUs” (RTU being a remote terminal unit, the field device a SCADA master polls).

Okay, can we stop speculating now until we have enough collective information?

Kthxbye.

P.S. This really does highlight how ‘strings’ is not the best tool for reversing: a string pulled out of a binary with no structural context invites exactly this kind of over-interpretation.
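As an added example (not code from the original post), here is how to pull that same path out of a PE properly: walk the headers to the debug directory and read the CodeView record, which also yields the PDB GUID and age that a symbol server keys on, context a raw string scan never gives you. The minimal PE image produced by build_sample_pe and the GUID are constructed for this demo; only the path is the one quoted above.

```python
import struct
import uuid

IMAGE_DIRECTORY_ENTRY_DEBUG = 6   # index into the optional header's data directories
IMAGE_DEBUG_TYPE_CODEVIEW = 2     # the debug entry type that carries the PDB record

# Constructed demo inputs: the path quoted in the post, an arbitrary GUID.
SAMPLE_PDB_PATH = r"b:\myrtus\src\objfre_w2k_x86\i386\guava.pdb"
SAMPLE_GUID = uuid.UUID("3f2504e0-4f89-11d3-9a0c-0305e82c3301")


def _rva_to_offset(rva, sections):
    """Map an RVA to a file offset via the section table."""
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError("RVA 0x%x is not backed by any section" % rva)


def extract_pdb_record(data):
    """DOS -> PE -> optional header -> debug directory -> CodeView record.

    Returns (guid, age, pdb_path), or None if the image has no RSDS record.
    """
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _, n_sections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:            # PE32
        n_dirs_off, dirs_off = 92, 96
    elif magic == 0x20B:          # PE32+
        n_dirs_off, dirs_off = 108, 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    n_dirs = struct.unpack_from("<I", data, opt + n_dirs_off)[0]
    if n_dirs <= IMAGE_DIRECTORY_ENTRY_DEBUG:
        return None
    dbg_rva, dbg_size = struct.unpack_from(
        "<II", data, opt + dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_DEBUG)
    if not dbg_rva or not dbg_size:
        return None

    sections = []
    for i in range(n_sections):   # IMAGE_SECTION_HEADER is 40 bytes
        _, vsize, va, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", data, opt + opt_size + 40 * i)
        sections.append((va, vsize, raw_ptr, raw_size))

    dbg_off = _rva_to_offset(dbg_rva, sections)
    for i in range(dbg_size // 28):   # IMAGE_DEBUG_DIRECTORY is 28 bytes
        _, _, _, _, dtype, size, addr_rva, raw_ptr = struct.unpack_from(
            "<IIHHIIII", data, dbg_off + 28 * i)
        if dtype != IMAGE_DEBUG_TYPE_CODEVIEW:
            continue
        off = raw_ptr or _rva_to_offset(addr_rva, sections)
        rec = data[off:off + size]
        if rec[:4] != b"RSDS":        # older NB10 records carry no GUID
            continue
        guid = uuid.UUID(bytes_le=rec[4:20])
        age = struct.unpack_from("<I", rec, 20)[0]
        path = rec[24:].split(b"\0", 1)[0].decode("latin-1")
        return guid, age, path
    return None


def symbol_store_key(guid, age, pdb_path):
    """The key a symbol server expects for this exact PDB build (GUID + age)."""
    name = pdb_path.replace("\\", "/").rsplit("/", 1)[-1]
    return "%s/%s%X/%s" % (name, guid.hex.upper(), age, name)


def build_sample_pe(pdb_path, guid, age):
    """Constructed minimal PE32: one .rdata section holding the debug entry."""
    cv = b"RSDS" + guid.bytes_le + struct.pack("<I", age) + pdb_path.encode() + b"\0"
    sec_va, sec_raw = 0x1000, 0x200
    entry = struct.pack("<IIHHIIII", 0, 0, 0, 0, IMAGE_DEBUG_TYPE_CODEVIEW,
                        len(cv), sec_va + 28, sec_raw + 28)
    body = entry + cv
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)        # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    dirs = [(0, 0)] * 16
    dirs[IMAGE_DIRECTORY_ENTRY_DEBUG] = (sec_va, 28)
    opt = (struct.pack("<H", 0x10B) + bytes(90) + struct.pack("<I", 16)
           + b"".join(struct.pack("<II", *d) for d in dirs))
    sec_hdr = struct.pack("<8sIIII", b".rdata", len(body), sec_va,
                          len(body), sec_raw) + bytes(16)
    headers = dos + b"PE\0\0" + coff + opt + sec_hdr
    return headers + bytes(sec_raw - len(headers)) + body


if __name__ == "__main__":
    image = build_sample_pe(SAMPLE_PDB_PATH, SAMPLE_GUID, 1)
    guid, age, path = extract_pdb_record(image)
    print("PDB path :", path)
    print("GUID/age :", guid, age)
    print("Sym key  :", symbol_store_key(guid, age, path))
```

Point the script at a real PE by replacing the constructed image with the file's bytes. The GUID and age are what actually tie a binary to a specific build of its symbols; the path is just whatever directory the developer happened to compile in, which is why reading tea leaves from it says so little.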

Moving Targets: Location-Based Threats and Mitigations

This year at ToorCon 12 in San Diego, California I will give a presentation entitled "Moving Targets.”

Location-based services are built into every major mobile platform, almost every social networking site, and more consumer electronics every day. These services, which record and sometimes share their users’ geographical location in real or near-real time, have been deployed by developers and embraced by users with little consideration of the threat posed by this data. An attacker who possesses a user’s location can abuse it to mount both technical and social engineering attacks on that user. From cellular networks to web apps such as Foursquare, each layer presents a unique data set that is ripe for different attacks. In many cases, however, these threats can be mitigated with mindful application of recommendations for both location service development and usage. If you want to learn how your moving targets can avoid becoming someone else’s sitting ducks, come to ToorCon 12.
More Bugs in More Places: Security Development on Mobile Platforms

At the Blackhat Briefings USA 2010 in Las Vegas I gave a presentation entitled "More Bugs In More Places" which was about secure development on mobile platforms.

Nothing succeeds like success, and with the attention garnered by Apple’s App Store, many companies are looking either to port existing applications to, or to develop exclusive applications for, the top mobile platforms: BlackBerry, iPhone, Windows Mobile, and Android. Each of these platforms provides the would-be developer with an SDK to do the heavy lifting of coding, but can it be trusted to carry that weight? Just as some languages make it easier or harder to develop secure applications, so it is with SDKs. One SDK may provide robust cryptographic functions, another may restrict hardware access, and yet another may enforce strict memory management. Below are the slides from the talk; they compare the top four SDKs in terms of the security features they provide and lack, and will help new mobile developers decide which is the safest and which the most dangerous for their applications.
Welcome to our Blog

Welcome to Leviathan Security Group’s blog. If you need or want to know more about the minds behind Leviathan Security, you can read about us here. Our goal for this Internet space is to share our opinions and ideas on information security topics. We will periodically write about high- to low-level technical topics, everything in between, and maybe some things outside. Posts, like this first one, will sometimes be limited to as few words as necessary, while on other topics you can expect us to go much deeper.

You can also find Leviathan Security Group on Twitter - http://twitter.com/LeviathanSec. Be sure to watch for many of our experts speaking at a security conference near you.

Thanks to everyone who has supported us over the years. Hopefully this spot will inform and generate discussion.

Cheers,
Leviathan Security Group