Four security trends defined 2012, will impact 2013
Mobile and Mac malware burbles noxiously, data breaches and data mining will cause more havoc with your privacy, and the Web will continue to suffer the ignominy of poorly-written, Swiss-cheesed code as security experts predict lessons from 2012 go unlearned in 2013.
The Internet is slowly changing, and security experts say that today's security issues will continue to be major players in driving that change. Here are four trends that dominated headlines in 2012, and will continue to play a major role in 2013.
The Internet as governmental tool The collective realization by governments around the world that the Internet is an excellent network for conducting surveillance, monitoring, espionage, and war, says Finnish computer security firm F-Secure's Chief Technical Officer Mikko Hypponen, may not come to full fruition in 2013. But the foundation for that change is already underway.
"There will be more operations along the lines of Olympic Games, also from other sources than US and Israel. Later on, we might look back at these first 20 years of the Web as the Golden Days, when the net was still free," he wrote in an e-mail to CNET. "" is the covert inter-government project that reportedly birthed Stuxnet, Duqu, and Flame.
Information security expert Chris Wysopal agreed that "cyber-warfare" is becoming commonplace. "When there's a political or actual war event, we're seeing cyber-attacks parallel that. It does seem to be more pronounced. It's almost not newsworthy, as if we expect it to happen alongside a political event."
Take that in for a moment. Government-sponsored, computer-based attacks, as "almost not newsworthy," he said.
But just because these attacks are becoming more frequent doesn't mean that they don't stymie security researchers. Tomer Teller, a security evangelist and researcher at Check Point, said that he was surprised this year by the rise of "precision-targeted attacks."
"We saw that withthis year, from the Stuxnet family. It had an encrypted payload, and researchers couldn't decrypt it," Teller said.
Tim Rains, the director of Microsoft's Trustworthy Computing division, pointed out that these governmental actions have consequences beyond the nuclear reactors of Iran and other industrial targets.
"Eighty-five percent of the exploits against operating systems tried to take advantage of one of the vulnerabilities that Stuxnet used. A very small fraction of malware uses "zero-days," so we're seeing commodity malware writers benefits from the research of professionals," he said. "It was a trend in 2012, and we'll continue to see that in the next year."
More mobile devices, bigger targets Experts have been talking up mobile security for several years now, and as mobile device proliferation continues, so will the security problems associated with them. Because the problems are mobile and always-connected in nature, the security challenges will become more complex in 2013, experts told me.
Lookout Mobile Security's senior product manager, Derek Halliday, noted two interesting trends that his company saw in 2012. Lookout predicted and saw in 2012, "only a few dominant kinds of mobile malware," he said.
Microsoft's Rains agreed. "[The Looter exploit] is responsible for the second-most highest number of mobile threats we saw."
Halliday added, "The other thing was how geographic specific these threats were. We were surprised by the stark contrast between the U.S. and say Russia or China. If you try to run aapplication at scale in the U.S., you'll encounter some problems -- a double-opt in message, government intervention," he said.
Another point Halliday made was that while Android 4.2 is the most secure yet, with numerous security improvements, operating system fragmentation will prevent it from reaching most people until late 2013.
On the other hand, said Wysopal, the impact of mobile malware is definitely growing. "In 2012, half a percent of all mobile users got hurt by mobile malware in the U.S. That's a million people, not an insignificant number. It's a trend that is happening slower than expected, but it's not going to go away."
The malware problem is likely to remain isolated from Apple's iOS, according to Hypponen. "There's still no iPhone malware. Five years after shipping one of the most popular systems, they have no malware problem at all. That's a major accomplishment by Apple. Job well done."
Desktop threat, still a threat Mobile is booming, with Android devices outselling Windows computers in Q3 2012, but that doesn't mean that we'll see a downturn in desktop-focused attacks.
One story that Hypponen says was underreported in 2012 was the rootkit known as ZeroAccess. "Zero Access is almost totally under the radar, yet it's a massive, massive outbreak. It's almost as big in size as Conficker, which was headline material for weeks. [Zero Access] is a commercial kit, being developed and sold by a Russian coder. [It] installs itself to the [master boot record] so it boots before Windows.
While Hypponen noted that Windows 8 and Macs use UEFI to create secure boot procedures that prevent rootkits like Zero Access, Microsoft's Rains cautioned that eventually, and possibly in the coming year, this will force rootkits to evolve.
Mac malware got a lot of attention in the second half of 2011 and in 2012 with Flashback, and that's expected to continue. Hypponen said, "The author of the Flashback Trojan is still at large and is rumored to be working on something else. And while there have been smart security changes to the Mac OS," likely alluding to , "there's a segment of the Mac-using population who are basically oblivious to the threats facing Macs, making them vulnerable to a new malware outbreak."
And across platforms, browsers remain a broad surface to attack despite ongoing improvements. Jeremiah Grossman of WhiteHat Security said that new exploits and vulnerabilities, such as CSS sniffing attacks, will continue to cause turmoil in the most popular kind of desktop program. "Let's say you just downloaded Chrome or Firefox. If I can get you to click somewhere on the screen, I can get you. These (all modern) browsers are not really secure, it's death by 1,000 cuts. We have 15 years of broken, faulty web code, we have a lot of garbage websites out there that are protecting a lot of interesting data."
Lookout's Halliday said that he expects privacy to be a hot topic in the coming year. Not only has the California attorney general been pushing for companies to take a stance more favorable to consumers before the government is forced to step in, he said, but consumers are more aware in general.
"Devices are collecting not just location information, but contacts and your historical record of talking to them. We'd be more than happy if there was significant progress towards [better privacy] as a goal," he said.
WhiteHat Security's Grossman pointed out that it's not just malware writers who are using exploits. Difficult to detect until recently, "CSS sniffing was being done data aggregators," he said.
Holistic security One trend that's impossible to deny is that these security problems may start in discretely different realms, but the nature of the Internet is making them more intertwined than ever before. Malware-writing techniques pioneered for Stuxnet inspire consumer-targeted malware writers, who in turn are forced to develop new social engineering techniques as app stores, browsers, and Web site owners play Whac-a-Mole with vulnerabilities.
And issues like the potential for exploiting devices connected directly to the Internet, like smart TVs and DVD players; more creative, harder to stop social engineering; the commercialized selling of all manner of exploits; and utility and medical device hacks are expected to grow in impact.
As much as we don't want to admit it, security is becoming an issue of ongoing education. 2013 would be a good year to get going on that.