The rise of the Conficker worm and Heartland Payment Systems' enormous data breach were two defining security events in 2009. What's in store for 2010?
“It's going to get worse,” says Patrik Runald, senior manager of security and research at Websense, who argues there has not yet been a year when things got better in terms of security and the wider Internet. Criminals have been mastering botnets, phishing scams and fake antivirus software sales, and 2010 will bring new waves of attacks that exploit fresh targets. Specifically, smartphones such as the Apple iPhone and those based on Google's Android operating system will be in attackers' line of sight for 2010, Runald says.
While a handful of malware attacks have surfaced of late against “jailbroken” iPhones (ones whose owners have deliberately disabled Apple controls), it's only the beginning.
People are jailbreaking their phones to “get out of what they see as a stranglehold by Apple so they can install what they want,” Runald says, but one effect is that “they're opening themselves to greater risk.”
As attackers accelerate malware attacks against jailbroken phones, the dilemma, Runald says, is that vendors “cannot develop an antivirus application for the iPhone” because of the way Apple engineered it to preclude low-level access. “There's no way you can intercept file transactions,” Runald says. Though security vendors might eye writing antivirus software for iPhones, “no one will do it” because of the nature of the iPhone's underlying design.
Khoi Nguyen, group product manager at Symantec, also says the current iPhone SDK doesn't allow third-party vendors to conduct the background processes for malware prevention that involve deep scans and checks for file protection. “We're hoping Apple will open up its SDK,” Nguyen says.
Smartphones based on Google's Android present a different situation. Google has not made itself the gatekeeper of applications, but malware disguised as helpful applications could end up on Google application stores and people could end up downloading malicious code, unaware of the consequences.
Another accelerating security trend is the wave of criminals selling rogue antivirus software. Fake antivirus software is often called “scareware,” since frightening the PC owner is often part of the scam. Rogue antivirus, which Symantec counts as a top threat going into 2010, is not only thriving, but criminals selling it are starting to display new tricks.
“They're selling and re-branding copies of software that could have been downloaded for free elsewhere,” says Zulfikar Ramzan, technical director at Symantec Security Response, which has tracked several hundred distinct rogue antivirus software products and 43 million attempts to download them in the latter part of 2009. Social networking sites are becoming a way to disseminate such software.
An emerging security concern in 2010 is the potential for cyber-criminals to abuse cloud computing, says Tom Cross, X-Force advanced research manager at IBM. It's already starting to happen, he says, though incidents aren't yet getting much publicity.
Cross says cybercriminals are using stolen credit cards to pay cloud service providers to host virtual machines, exploiting these cloud services to operate command-and-control and attack components of a botnet to carry out denial-of-service attacks, network intrusions and more.
They might get a month's free ride with a phony credit card, and then move on. “We're seeing this happen,” Cross says. The issue for legitimate companies is how their cloud service provider plans to handle such incidents — especially since legit customers might end up sharing a physical server with a criminal in a virtualized environment, Cross points out.
“As a policy, people should insist that cloud computing vendors have a lot of knowledge about their customers,” Cross says. Legit customers could find themselves impacted if they share the same server as a criminal.
Trend Micro also says cloud computing is a priority spot to watch in 2010. In particular, there are potential security issues associated with doing business on Amazon that businesses should be aware of, says Andy Dancer, Trend Micro's CTO for encryption.
“The move to the cloud is the next big architecture change we see, so the question is, what are the new threats that come along with that platform?” Dancer asks.
“Amazon is definitely out there at the forefront right now with their EC2 services,” says Dancer, so it's worth examining Amazon and its customers as a target of attack. One specific type of attack against Amazon and its customers could involve the Amazon set of APIs used for data-sharing, which are public. Customers use these APIs for uploading, downloading or rebooting machines, among other purposes, and an attacker could use them to commit a data breach and take machines offline, for instance. Although Amazon uses a good public-private key mechanism for security with its APIs, the point of attack would more likely be subversion, such as through manipulation of reset processes, rather than trying to break keys, Dancer notes.
In general, cloud computing allows virtual machines to sit side by side, Dancer points out, “and you have to put a perimeter around your virtual machine because the guy trying to break into you may be sitting right next to you.”
One cloud-computing effort announced in November that's certain to be watched in 2010 is that of Cisco and EMC, which together with VMware announced the Virtual Computing Environment coalition to offer fully integrated “infrastructure packages” that combine virtualization, networking, computing, storage, security and management technologies. They also announced Acadia, a joint venture to foster build-outs of private cloud infrastructures for service providers and large enterprise customers.
But will encryption services be part of it?
“Encryption services in the cloud? I just don't think it will be here in 2010,” says Sam Curry, vice president of product management at RSA, the security division of EMC (which also owns about an 85% share in VMware). “This has to be done in proportion to customer demand, and being ahead of the market is as bad as missing it,” Curry says.